Introduction

This Cybersecurity and IT Policy is designed to ensure the protection of information assets and technology infrastructure in compliance with applicable laws and regulations in both the United States and the United Kingdom.

It serves as a comprehensive guide to safeguarding data and preventing breaches, while ensuring legal compliance with regulations including GDPR (UK/EU) and the Cybersecurity Act of 2015 (US).

This document outlines Oii’s approach to security and handling sensitive data throughout the lifecycle of a supply chain modelling project, including Azure-based infrastructure and the Goldiilocks platform.

Governance and Compliance

• GDPR: Lawful, transparent processing of EU/UK personal data
• Data Protection Act 2018: UK-specific GDPR implementation
• Computer Misuse Act 1990: Protection against unauthorized system access

Responsibility and Approval

Data Protection Officer: Bob Rogers, PhD, CPTO of Oii

All security policy and infrastructure changes are reviewed by leadership and approved by the Data Protection Officer.

Risk Management and Security Controls

Access Control

Role-based access control (RBAC) ensures only authorized personnel can access sensitive systems.

Data Security Classes

• Public: Marketing materials and public content
• Confidential: Internal business data
• Secret: Customer data and highly sensitive information

Goldiilocks Platform User Security

Setup and Access

• Each portal is provisioned per organization
• Access via HTTPS (SSL) only
• Domains are not publicly listed

Onboarding New Users

1. Email confirmation
2. Password setup
3. 2FA setup (email or mobile)

Session Management

• Session timeout: 30 minutes
• Password renewal every 90 days
• Account lock after 5 failed attempts

Multi-Factor Authentication (MFA)

MFA is enforced using SMS-based authentication.

Password Policy Customisation

• Minimum 8 characters
• Optional complexity levels
• Password history enforcement

User Management

• Access granted by privileged users only
• Least-privilege principle enforced
• Roles and permissions adjustable

Termination of Accounts

Accounts are revoked via admin confirmation and soft-deleted for audit history.

Data Encryption

• At Rest: AES-256 encryption
• Key Management: Azure Key Vault with annual rotation

Network Security

• Firewall traffic control
• Secure Azure Virtual Network
• IP restriction capabilities

Vulnerability Management

• Routine vulnerability scans
• Penetration testing
• Sentry monitoring tools

Data Backup

All critical data is securely backed up and encrypted using AES-256.

Secure Development

Software follows OWASP standards and is tested before production deployment.

Azure Infrastructure

• Dedicated compute and storage
• Encrypted blob storage
• Secure PostgreSQL databases

Logging and Auditing

• User activity logging
• Server-level monitoring
• Periodic reviews

Data Privacy

• Data minimization
• Retention policies
• Data subject rights (GDPR)
• No third-party processing

Incident Response

• Incident Response Plan (IRP)
• GDPR breach notification within 72 hours
• Post-incident review

Employee Training

• Mandatory onboarding training
• Phishing simulations
• Compliance audits

Monitoring and Improvement

• Continuous monitoring
• Security audits
• Annual policy review

Compliance and Enforcement

• Corrective actions for violations
• Legal consequences under GDPR and US law

Conclusion

This policy ensures Oii maintains a high standard of security and compliance. Through strong access control, encryption, monitoring, and employee awareness, the organization mitigates cybersecurity risks and meets regulatory requirements.