Information Security Policy and Procedures
Last updated: May 14, 2026
Global Email Lists is committed to protecting the confidentiality, integrity and availability of all information assets. This Information Security Policy establishes the framework, principles and procedures that govern the management of information security across our organisation.
1. Purpose and Scope
The purpose of this policy is to establish a comprehensive information security programme that protects all information assets owned, controlled or processed by Global Email Lists. This policy applies to:
- All employees, contractors, consultants and temporary staff
- All information systems, networks and applications
- All data — electronic, paper and verbal — regardless of format or location
- All third-party service providers with access to our systems or data
2. Information Security Objectives
- Confidentiality: Ensure that information is accessible only to those authorised to have access.
- Integrity: Safeguard the accuracy and completeness of information and processing methods.
- Availability: Ensure that authorised users have access to information and associated assets when required.
- Compliance: Meet all applicable legal, regulatory and contractual requirements.
- Resilience: Ensure business continuity and disaster recovery capabilities.
3. Governance Structure
3.1 Information Security Responsibilities
- Senior Management: Provides strategic direction, resources and oversight for information security. Approves policies and accepts residual risk.
- IT Security Team: Implements security controls, monitors threats, manages incidents and conducts security assessments.
- Department Managers: Ensure compliance within their teams and report security concerns.
- All Staff: Comply with security policies, report incidents and complete mandatory training.
3.2 Policy Review
This policy is reviewed at least annually or following a significant security incident, organisational change or change in applicable regulations.
4. Risk Management
4.1 Risk Assessment
We conduct formal information security risk assessments at least annually and whenever significant changes occur in our environment. Assessments identify threats, vulnerabilities and the potential impact on information assets.
4.2 Risk Treatment
Identified risks are treated through one or more of the following strategies: mitigation (implementing controls), transfer (insurance or outsourcing), avoidance (eliminating the risk source), or acceptance (for risks within tolerance). All treatment decisions are documented and approved by management.
5. Access Control Procedures
- User Registration: Formal user registration and de-registration process for granting and revoking access to all information systems.
- Least Privilege: Access rights are assigned based on the minimum permissions necessary for the user’s role.
- Authentication: Multi-factor authentication (MFA) is required for all systems containing sensitive data.
- Password Management: Passwords must be at least 12 characters long and meet complexity requirements. Passwords must be changed every 90 days, and none of the previous 12 passwords may be reused.
- Access Reviews: User access rights are reviewed quarterly. Dormant accounts are disabled after 30 days and deleted after 90 days of inactivity.
- Privileged Access: Administrative accounts are subject to enhanced monitoring, separate credentials and time-limited elevation.
6. Data Protection Procedures
6.1 Data Classification and Handling
- Confidential: Encrypted in transit and at rest. Access restricted to authorised personnel. Secure deletion required.
- Internal: Protected from external access. Shared only within the organisation on a need-to-know basis.
- Public: No special handling required, but integrity must be maintained.
6.2 Data Retention and Disposal
Data is retained only for the period required by business need or legal obligation. Disposal of electronic data uses secure overwriting or cryptographic erasure. Physical media is shredded or degaussed.
7. Network and System Security
- Firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) protect all network boundaries
- Network segmentation isolates sensitive data environments from general-purpose networks
- All systems are patched within 14 days of disclosure for critical vulnerabilities and within 30 days for all other vulnerabilities
- Anti-malware software is deployed on all endpoints with real-time scanning and automatic updates
- Server hardening follows industry benchmarks (CIS Benchmarks)
- All remote access uses encrypted VPN connections with MFA
8. Incident Response Procedures
8.1 Incident Classification
- Critical (P1): Active data breach, ransomware, system compromise — response within 1 hour
- High (P2): Attempted breach, suspicious activity, malware detection — response within 4 hours
- Medium (P3): Policy violation, failed access attempts, phishing report — response within 24 hours
- Low (P4): Minor policy deviation, informational alert — response within 72 hours
8.2 Response Steps
- Detection and Reporting: Identify and document the incident. All employees must report suspected incidents immediately to the IT Security Team.
- Triage and Classification: Assess severity, scope and potential impact.
- Containment: Isolate affected systems to prevent further damage.
- Eradication: Remove the root cause of the incident from affected systems.
- Recovery: Restore systems and data from clean backups. Verify integrity before returning to production.
- Post-Incident Review: Conduct a root-cause analysis within 5 business days. Document lessons learned and update controls as needed.
8.3 Notification
In the event of a data breach affecting personal information, we will notify affected individuals and relevant supervisory authorities within the timeframes required by applicable law (e.g., 72 hours under GDPR, without undue delay under CCPA).
9. Business Continuity and Disaster Recovery
- Business continuity plans are documented, tested annually and updated following each test or actual incident
- Critical systems have defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
- Automated daily backups with geographic redundancy
- Backup restoration procedures are tested quarterly
- Failover procedures for critical services ensure minimal downtime
10. Physical Security
- Access to offices and data centres is controlled by electronic access systems and requires authorised identification
- Visitors must be signed in, escorted and logged at all times
- CCTV monitoring at all entry and exit points
- Clean desk policy enforced — sensitive documents must be secured when unattended
- Secure disposal of physical media (cross-cut shredding for paper, certified destruction for electronic media)
11. Employee Security
11.1 Pre-Employment
Background verification checks are conducted for all new hires commensurate with the sensitivity of their role.
11.2 Security Awareness Training
All employees complete security awareness training within 30 days of hiring and annually thereafter. Training covers phishing recognition, data handling, password security, physical security, incident reporting and social engineering defence.
11.3 Termination Procedures
Upon termination or role change, all access rights are revoked within 24 hours. Company equipment and data are returned. Exit interviews include a reminder of continuing confidentiality obligations.
12. Third-Party Security
- All vendors with access to sensitive data undergo a security assessment before engagement
- Contracts include data protection clauses, confidentiality obligations and incident notification requirements
- Third-party compliance is reviewed annually
- Vendor access is limited to the minimum necessary and monitored for anomalies
13. Compliance and Audit
- Internal security audits are conducted at least annually
- Compliance with GDPR, CCPA, CAN-SPAM, CASL and other applicable regulations is assessed regularly
- Audit findings are reported to management with remediation timelines
- Records of all security activities, assessments and incidents are maintained for a minimum of 3 years
14. Policy Violations
Violations of this Information Security Policy may result in disciplinary action, up to and including termination of employment or contract. Serious violations may be reported to law enforcement authorities.
For related policies, see our Data Security Policy, Privacy Policy and CCPA Privacy Policy.
Contact Us
If you have any questions about this policy, please contact us:
- Email: info@globalemaillists.com
- Phone: +1 855 205 1777
- Address: 9450 SW Gemini Dr PMB 60111, Beaverton, Oregon 97008-7105 US
