Information Classification: Internal Use
Ipsos Book of Policies & Procedures
- Requesting appropriate advice and guidance from the local IT Services team, local
Chief Financial Officers or Legal Counsels, to ensure information is managed
in compliance with legal, regulatory and contractual requirements;
- Labeling the information;
- Evaluating the business impact of the information (loss of Confidentiality - C,
Integrity - I and Availability - A);
- Determining the appropriate level of physical/logical access security resulting
from the current policy;
- Specifying any additional security controls and communicating them to the
Custodian. This includes, but is not limited to, applicable legislative,
contractual, regulatory and standard requirements;
- Determining the requirements for business contingencies;
- Determining information retention requirements;
- Carrying out periodic access review activities related to the information;
- Ensuring an Annual Review of information retention and destruction is carried
out.
In particular, certain asset owners have been identified and are to perform the following tasks and
controls:
Individuals with Ipsos email accounts are responsible for ensuring that:
o Relevant email correspondence relating to studies, projects, clients etc. is stored in
the relevant files so that it is available for review.
o Emails that are no longer required are deleted.
o Email records held in their account are deleted at the end of the required retention
period.
o For long-term storage, documents are moved off email to relevant
work and project areas.
o It is the responsibility of all individuals with Ipsos email accounts to archive relevant
and required emails in the provided email archives. E-mails contained in archives
older than 7 years will be purged.
Study and Project Managers are responsible for ensuring that:
o All data, including client confidential data, are stored in an appropriate and secured
manner, including on relevant file servers or systems and not in e-mails or
unsecured web reporting portals.
o Their study and project information is stored correctly in the relevant project storage
areas, and in compliance with this policy and any study or project specific legal,
regulatory or contractual requirements.
o Study and project information is reviewed at the end of the project to ensure
that only the information required to be retained is archived at the end of the project.
o The required records and information are retained and destroyed according to the
schedule, including instructing relevant Operations teams of the need to destroy, or
send to them, relevant project documents held within their folders.