Client Information Security

Tax Goddess Business Services, PC, IT Policy and Procedure Manual provides the procedures and policies for the selection and use of IT within the organization. These procedures and policies must be followed by all the staff within the organization. The Policy and Procedure Manual also includes guidelines that are used by Tax Goddess Business Services, PC, to administer all the policies within the organization and make sure that the correct procedure is followed. All IT policies are kept current and relevant by Tax Goddess Business Services, PC.

Tax Goddess acknowledges that the data available for knowledge processing is the sole property of respective customer only and Tax Goddess and its staff and contractors are only custodians to take reasonable care for the same. We have built infrastructure so as to provide the most secure environment to shield the customer information and data from unauthorized use and intrusion attacks.

Below you will find various sections of our security documentation for your review.

Purpose of the Policy

The data protection policy of our company represents our commitment to handle our client’s, staff’s  and stakeholder’s information with the utmost confidentiality and care.

We ensure by using this policy that we are transparent and fair in collecting, storing and handling information with respect to the individual rights.

Scope

This policy will be applicable to all the clients, staff, vendors, job candidates, etc. who provide information to us.

Who is covered under the Data Protection Policy?

This policy must be followed by the staff of our organizations and the entities covered under this policy will be consultants, partners, contractors, including all other external entities. Our policy generally refers to any person with whom we provide work, collaborate, or they act for us and may need occasional data access

Policy elements

We must obtain and process information as part of our operations. This information includes any information that makes a person identifiable, offline or online, such as names, addresses, usernames and passwords, digital footprints, pictures, numbers for social security, financial data, etc.

This information is collected by our organization in a transparent manner and only in full collaboration with and knowledge of stakeholders. The following rules apply once this information is available to us.

Our data will be:

1. Up-to-date and accurate.
2. Collected in a fair way for lawful purposes only.
3. Processed by us within the moral and legal boundaries of the organization.
4. Protected by internal or external parties from any unauthorized or illegal access.

Our data will not be:

1. Informally communicated.
2. Transferred to organizations, countries or states with insufficient data protection policies.
3. Distributed to any other party than the parties to which the data owner has agreed.

The company has direct obligations towards the data owners in addition to the methods of handling the data. Specifically, we must:

1. Let people know what all of their data is collected.
2. Let people know how we will actually process their data.
3. Let people know that who has complete access to their data.
4. Let people know that we erase, reduce, modify or correct the incorrect data present in our databases.

Actions

In order to provide data protection we’re committed to the following:

1. We monitor and restrict the access to the confidential and the sensitive data.
2. We develop and follow transparent data collection procedures within the organization.
3. We train our staff following all the online privacy and security measures.
4. We protect our online data from cyberattacks by creating and developing secure networks.
5. We establish clear privacy violations or data misuse reporting procedures.

Disciplinary Consequences

All guidelines outlined in this policy must be followed strictly. Disciplinary and possibly judicial action would result if there was a breach of the data protection guidelines.

Purpose of the Policy

This policy includes guidelines required to purchase the software for the organization to make sure that the software used within the organization is relevant, cost-effective, and safe and, where applicable, can integrate with other technology used within the organization. This policy is applicable to software obtained in a hardware package or as the pre-loaded software.

Procedures

Request for Software

All software including the non-commercial ones (freeware, open-source, etc.) needs to be authorized either by the Company Owner and by the Tech Team before downloading or using it within the organization. All software requests are reviewed through a series of security reviews by our tech team to ensure they meet our minimum safety and security standards.

Purchase of software

• All software purchases must be as per this policy.
• All the software purchases must be approved by the Tech team.
• All the software purchases must either happen direct or from ‘reputable software sellers’.
• All the software purchased must be compatible with the server of the organization along with the other hardware used. Also, all the software purchased must be supported by a guarantee and/or warranty.
• Any of the changes in the above requirements must be authorized by the Tech team.
• All software purchases must adhere to the purchasing policy

Purpose of the Policy

This policy will include guidelines to ensure that the software use is appropriate and that it is used efficiently by all the staff within the organization. In accordance with this Policy, all the freeware and the open source software will be used as per the procedures defined for the commercial software.

Procedures

Software Licensing

• Every staff member within the organization will abide by all the copyrights of the computer software and software license terms and conditions.
• If licensing terms states limited usage of the software with respect to the number of users, computer systems, etc., then the Tech team is responsible to ensure that the software licensing terms and conditions are followed within the organization.
• Tech team is responsible for completing the software licenses audit to ensure that only those appropriate staff are using the software licenses.

Software Installation

• As per the requirement, the supplier should register all the software appropriately.
• The registered owner of all the software will be Tax Goddess Business Services, PC.
• During the working hours, only the company software/apps will be used by the staff on the organization’s hardware.
• It is strictly advised to take authorization from Tech Team to install company-used apps on mobile devices

All software installation is to be carried out by the Tech team.

If a computer system does not have the original copy of the software installed on it, the software upgrade will not be loaded or installed on that system.

Software Usage

• During the working hours, only the software and apps approved by the Tech Team should run on the machine of the staff member.
• The staff shall be provided with directions on any software licensing arrangements, including any limitations to use the software, before actually using the software.
• For all new software, all staff should be trained well. New staff will also be the part of the training as they should be educated to use the existing software. This is the Tech Team’s responsibility.
• While working within the organization, staff should not be allowed to use non-org software and apps.
• The software cannot be used by any staff member for his/her personal work, unless approved by the Owner or VP Operations.

If a  staff member needs to use software at home, an evaluation should be carried out in the first instance to provide a staff member with a portable computer. If the software is found compatible to be used on the personal computer of a staff member, then the Owner needs to authorize the purchase of the separate software, if there are copyright restrictions and licensing on the software. If the software is purchased in such circumstances, the organization shall retain the ownership of the software and it shall be registered by the Tech Team in the software register.

The software which are not authorized will not be allowed to be used within the Organization. This will even include the software that has been owned by an organization’s staff and wanted to use it within the Organization.

It is prohibited to purchase or use the unauthorized copies of the software. Any staff member who purchases or uses unauthorized software shall be referred for further consultation to the owner. Any unlawful software duplication or other copyrighted works shall not be condoned by the Organization and a disciplinary action, if such an event occurs shall be taken by the Owner/VP of Operations/Tech Team.

Breach of Policy

If a staff member will breach this policy, he/she will be referred for further consultation to the owner.

If any staff member inside and organization is aware of a breach under this policy with respect to the use of the software, then he/she should inform the Owner/VP of Operations/Tech team immediately for further actions. If in case the Owner/VP of Operations/Tech team determines that a staff member who was aware of the breach failed to report it to the management then that staff member shall be referred for further consultation to the owner.

Purpose of the Policy

This policy includes guidelines for the management of IT assets and resources within the organization.

• The Tech team is responsible for maintaining and managing all organizational technology service agreements. Any service requirements must first be approved by the owner and processed through all security reviews and standards of the firm.
• The Tech team shall carry out an annual staff workstation audit to ensure that all IT policies are followed within the organization.
• The Tech team should be informed about any of the unspecified technology management requirements.

Purpose of the Policy

This policy holds the guidelines that will be responsible for all the emergency management of the information technology within the Organization.

Procedures

IT Hardware Failure

If any of the hardware inside the organization fails, then the concern should be immediately reported to the Owner/Tech Team.

• In the event of the IT hardware failure, Owner/Tech team will be responsible to take the relevant actions.
• Tech Team will be responsible to regularly undertake tests on planned emergency procedures to make sure that all the procedures are accurate and appropriate. Tech Team will also be responsible to minimize disruption to the operations of the organization.

Virus or other security breaches

The actions listed below must be taken immediately if the information technology of the organization is breached in any case:

• If the information technology of the organization is compromised by any of the possible security breaches including software viruses, then such breaches should be reported immediately to the Owner/Tech Team.
• It is the responsibility of the Tech Team to deal with any sort of security breach within 2 hrs to minimize disruption to the operations of the organization.
• Tax Goddess Business Services, PC has the right and has implemented remote security to allow for the remote wipe phone, emails, smartwatch, and other electronic data for all staff, vendors, and related parties.

Purpose of the Policy

This policy provides guidelines on the security of sensitive or limited data storage within the organization.

• The company is responsible for the security of the physical machine hosting the database to ensure that it is locked, and monitored to prevent theft, access and unauthorized entry. To ensure utmost security, metal protection screens, guard dogs, alarm system, trained guards, etc. is used.
• Our Tech Team ensures that all the unnecessary/unused functions and services of the database are either removed or turned off.
• Our Tech Team also ensures that all the database software is patched to include all current security patches. Tech Team also is responsible to ensure that all the security patch levels are maintained in a timely fashion.
• Tech Team also documents all tools and applications that are required to access the database.

Securing Remote Desktop

The Remote Desktop session of the organization runs on an encrypted channel. The following actions and measures are taken by the Tech Team:

• Using strong password on the accounts that are accessible via Remote Desktop.
• Ensure that the client and server software running on the remote desktop are of the latest version.
• Ensure that all patches / software updates are timely installed and maintained.

Purpose of the Policy

Passwords are the most important aspect when it comes to computer security. All the staff of the Tax Goddess Business Services, PC (including contractors and suppliers with access to Tax Goddess Business Services, PC systems) are responsible for selecting and securing their passwords, using the appropriate steps as described below.

This policy is designed to set the standard for strong password generation, password protection and frequency of change. Below are the guidelines:

Guidelines

• Passwords should not be inserted into electronic communications of any form including email messages. Everything must be shared only through LastPass.
• No longer needed passwords must immediately be deleted or disabled.
• Besides deleting and disabling no longer needed passwords, reporting manager should be notified about the same.
• Passwords are checked via the LastPass security score every 3 months for “weak” scores and are updated to strong passwords per the LastPass Corporate User Accounts requirements

Penalties

Any staff member who will be found breaching the policy will be subject to disciplinary action that can go up to an extent of termination of the employment.

Hiring Selection process

Tax Goddess is committed to employing the best-qualified candidates while engaging in recruitment and selection practices that comply with all applicable employment laws. It is the policy of Tax Goddess to provide equal employment opportunities to all applicants and employees.

Authorization from the Human Resources Manager and the CEO/COO is required to initiate any action for an open position, including recruitment expenditures, advertising, interviewing and offers of employment.

Upon the selection of the final candidate, the HR department will collaborate to develop an appropriate offer of employment (including position title, compensation, etc.).

A verbal and written offer of employment will be extended by the HR department to the selected candidate. To protect both the client and the company, the HR team will draft a comprehensive employment agreement and legal contract regarding the offer which includes significant restrictions and requirements related to client and data security. Hiring for any position within Tax Goddess is dependent upon the successful completion of required security, credit, police / legal, personal references, and other required background checks.

Background Investigations and Reference Checks

Apart from us securing your information using our well-invested technological advancements. We also conduct comprehensive Pre-employment Background checks through our licensed leading vendors on all of the Tax Goddess staff. Detail of some of the more important checks that we perform include:

• Identity and Social Security Verification
• Credit Report
• Annual Criminal History Check
• Education verifications
• Employment history verification and feedback
• Address/Location Verification or site visit

To maintain the highest security and confidentiality levels we perform regular assessments to determine how effective our current security protocols and inspections are in all areas related to data. Employee and Management pieces of security systems training are conducted at the beginning of employment and on an ongoing basis to ensure that every team member is up-to-date on the latest technologies and ensures long-term adherence to data security.

Required Legal Documentation

As a part of the hiring process, Tax Goddess requires all staff to sign:

• Confidentiality Of Information Agreements
• Non Disclosure agreements