Headliners Insight & Strategy Ltd - IT Security Policy
1. Purpose
This policy outlines how Headliners protects its data, devices, and technology systems. As a market research agency handling sensitive client information and personal data, maintaining confidentiality, integrity, and availability of data is essential.
2. Policy Scope
This policy applies to:
- All devices used for business (laptop, mobile phone, tablet)
- All cloud services used to store or process Headliners data (e.g. email, productivity tools, storage platforms)
- All client information, research data including personal data, and project files regardless of format
- Any contractors who work on behalf of Headliners
3. Responsibilities
The Owner of Headliners is responsible for:
- Maintaining secure devices and software
- Ensuring login credentials to accounts are secure at all times
- Implementing and monitoring the security controls outlined below
- Ensuring client data is handled confidentially and personal data is handled in accordance with data protection legislation
- Reporting any breaches to affected clients and/or the Information Commission promptly
- Keeping this policy up to date
4. Acceptable Use of Technology
All business-related devices must be used responsibly:
- Devices should only be used for business or reasonable personal use that does not compromise security
- Untrusted or pirated software must not be installed
- Business data is not stored on personal social media, personal email, or consumer file-sharing apps unless encrypted and approved for use
5. Access Control
- Strong passwords are used for all business accounts and never shared with anyone else:
  - Minimum 10 characters
  - Include a combination of letters, numbers and special characters
- A password manager is used to store and generate secure passwords
- A strong device PIN of at least 6 digits or alphanumeric characters must be used
- Multi-factor authentication (MFA) is enabled on all key accounts, including email, cloud storage, productivity platforms, and password manager
- Devices are set to auto-lock after 5 minutes of inactivity
6. Data Classification & Handling
Headliners’ data is classified as:
1. Public – Content intended for public use (website content, marketing copy)
2. Internal – non-sensitive business operations information
3. Confidential – Client project files, interview transcripts, survey data, recordings, strategic documents, and personally identifiable information (PII).
7. Rules for handling confidential data:
- Store only in approved cloud storage
- Data is not stored on or synced to any personal cloud storage
- Data is not shared with third parties unless contractually approved and a confidentiality agreement is in place
- Sensitive files must be encrypted when sent electronically, using secure transfer methods at all times
- Client data is deleted once the retention period ends or upon request
8. Devices & System Security
- All business devices use full disk encryption, antivirus protection, and automatic updates
- Only trusted applications and browser extensions may be installed
- Backups are taken using an external encrypted drive
9. Network Security
- Home/business Wi-Fi networks must use WPA3 or WPA2-AES encryption.
- The Wi-Fi password should be strong and changed every 1–2 years
- Public Wi-Fi must be avoided. To work in public spaces, mobile tethering must be used
10. Physical Security
- Devices are never left unattended in public spaces
- Sensitive paper documents must be stored securely and shredded when no longer needed
- Devices must remain stored in a secure home office
11. Backup & Recovery
- Backups are scheduled monthly, encrypted with AES-256 and held offline
- Recovery timescale: 24 hours
12. Incident Response
If a security incident occurs the following steps are taken:
1. Contain the issue – disconnect compromised devices/accounts and change passwords
2. Assess impact – investigate the extent of the security incident, determine what data has been exposed, implement any mitigation measures to prevent further exposure, and seek advice from relevant consultants (e.g. IT or Data Protection)
3. Notify – affected clients as soon as possible if there is a data breach, and the Information Commission and data subjects if there is a personal data breach
4. Recover – assess root cause of security issue, improve controls, restore data from backups if necessary
13. Third-Party Services & Tools
Third-party tools must:
- Be security and compliance assessed before use
- Have recognised security certifications or commit to being aligned to recognised security standards (e.g. ISO 27001 / SOC 2)
- Not store data outside approved geographic regions without ensuring a lawful transfer mechanism is in place and with client approval (if approval is a contractual requirement)
14. Data Retention & Disposal
- Client data is retained indefinitely unless contractually or otherwise stipulated
- Digital data is securely deleted when no longer required
- Any mobile devices no longer needed are destroyed using a secure WEEE disposal and recycling service
- Physical documents are cross-cut shredded before disposal
15. Legal & Regulatory Compliance
Headliners complies with the UK GDPR, Data Protection Act 2018 and Data (Use & Access) Act 2025 as well as client contractual requirements. Research is carried out in accordance with the Market Research Society Code of Conduct.
16. Policy Version & Review
Version 1.0, January 2026
This policy will be reviewed annually or after any key changes to IT security are implemented by the business.