Effective Date: 3rd Jan 2025
Information Security Policy for Homey
Purpose
The purpose of this Information Security Policy is to establish and maintain the security and confidentiality of Homey’s information assets. The policy ensures compliance with legal, regulatory, and operational requirements and supports the organisation’s commitment to protecting customer, employee, and partner data.
Scope
This policy applies to all Homey employees, contractors, third-party vendors, and stakeholders who access, process, store, or transmit Homey’s information. It covers all forms of data, including physical and digital, across Homey’s systems, applications, and networks.
Policy Statements
- Information Classification
  - All information must be classified as Public, Confidential, or Restricted.
  - Confidential and Restricted information must be protected based on its sensitivity and potential impact if disclosed.
- Access Control
  - Access to information and systems will follow the principle of least privilege.
  - User access rights will be reviewed periodically to ensure appropriateness.
  - Multi-factor authentication (MFA) is required for accessing sensitive systems.
- Data Protection
  - Encryption must be used for data in transit and at rest, where applicable.
  - Regular backups will be performed and stored securely to ensure data recovery.
  - Personal data will be processed in compliance with GDPR and other relevant data protection laws.
- Physical Security
  - Restricted areas must be protected using access controls (e.g., keycards or biometric systems).
  - Visitors must be logged and escorted in sensitive locations.
- Incident Management
  - All security incidents must be reported immediately to the IT Security Team.
  - A formal incident response plan will be maintained to ensure swift and effective handling of security events.
- Risk Management
  - Regular risk assessments will be conducted to identify and mitigate vulnerabilities.
  - Vendors and third-party partners will be evaluated for compliance with Homey’s security standards.
- Use of Technology
  - Company-provided hardware and software are for authorised use only.
  - Employees must not install unauthorised applications or connect personal devices without prior approval.
- Training and Awareness
  - Employees will receive mandatory security training during onboarding and at least annually.
  - Phishing simulations and awareness campaigns will be conducted regularly.
- Monitoring and Compliance
  - Homey reserves the right to monitor systems to detect and prevent unauthorised activity.
  - Compliance with this policy is mandatory, and violations may result in disciplinary action.
- Policy Review
  - This policy will be reviewed annually or as significant changes occur in the threat landscape, technology, or regulatory requirements.