Security Policy
1. Introduction
All our operational data resides on Windows, Microsoft 365, Zoom and Wix.com. This Security Policy outlines the measures and procedures in place to safeguard all stored and processed data. The policy is designed to ensure the confidentiality, integrity and availability of data, and compliance with best practices.
2. Scope
This policy applies to all users, systems, and processes involved in managing data stored at Toni-Marie Consulting (TMC). It includes emails, files, documents, calendars, and any other data utilized within the IT estate.
3. Data Protection Measures
We are committed to safeguarding all data through the following measures:
- Encryption: Data is encrypted both in transit and at rest using industry-standard encryption protocols.
- Access Control: Strict access controls are implemented to ensure that only authorized personnel can access data.
- Multi-Factor Authentication (MFA): All accounts are secured with MFA to protect against unauthorized access.
3.1 Windows Security Guidelines
- Ensure all Windows devices are running the latest supported version with up-to-date security patches.
- Enable and maintain Windows Defender or an equivalent antivirus software on all devices.
- Implement BitLocker encryption for sensitive data on company-owned devices.
- Use strong passwords or Windows Hello for secure device logins.
- Enable automatic locking after inactivity to prevent unauthorized access.
3.2 Microsoft 365 Security Guidelines
- Activate multi-factor authentication (MFA) for all Microsoft 365 accounts.
- Restrict external sharing of documents by default; enable it only as needed and monitor shared access.
- Microsoft Defender for Office 365 is used to protect against potentially malicious messages, such as phishing and malware attacks.
- Use Data Loss Prevention (DLP) policies to protect sensitive data within emails and files.
- Regularly audit and manage access permissions for all shared resources.
- BYOD devices are restricted from downloading data to the local device.
- Data residency is restricted to the United Kingdom and the European Union.
3.3 Zoom Security Guidelines
- Use waiting rooms or passcodes for all meetings to prevent unauthorized access.
- Require hosts to approve attendees before joining meetings.
- Prohibit participants from sharing their screens unless explicitly permitted by the host.
- Recording data is stored on Zoom only and set to the US location.
- Regularly update the Zoom application to the latest version.
3.4 Wix.com Security Guidelines
- Use HTTPS for all websites to ensure secure connections.
- Regularly update website plugins or extensions and remove unused features.
- Implement role-based access control for website management accounts.
- Back up website data regularly and verify the integrity of backup copies.
- Protect customer data by adhering to GDPR and other relevant data protection laws.
- Our website Privacy Policy can be viewed here.
3.5 Third Party Services
TMC works with third party services to provide core infrastructure and support processes.
Microsoft 365
- Location: UK, USA
- Services: Collaboration, SharePoint, OneDrive, emails, CoPilot and Office applications
- Data Protection policy: https://docs.microsoft.com/en-gb/legal/gdpr
- Compliance: https://learn.microsoft.com/en-us/compliance/regulatory/offering-home
Zoom
- Location: UK, USA
- Services: Video Conferencing
- Data Protection policy: https://zoom.us/gdpr
Wix.com
- Location: UK, USA
- Services: Web Hosting
- Data Protection policy: https://www.wix.com/about/terms-of-use
4. User Responsibilities
To maintain data security, all users are required to:
- Use strong, unique passwords and update them regularly.
- Report any suspicious activity immediately to Mike Lowney, the TMC Data Protection Officer, via info@tonimarieconsulting.com.
- Adhere to all organizational security guidelines and policies.
- Adhere to the TMC Acceptable Use Policy.
5. Backup and Recovery
Regular backups of Microsoft 365 data are conducted to ensure that data can be recovered in the event of accidental deletion, cyberattacks, or other incidents. These backups are securely stored and regularly tested for reliability.
6. Monitoring and Incident Response
- Monitoring: All data activity on Microsoft 365 is monitored for anomalies and potential security threats.
- Incident Response: In the event of a security incident, our Incident Response Team will act promptly to mitigate damage, notify affected users, and implement corrective measures.
8. Compliance
Our security practices comply with applicable laws and regulations, including GDPR and other industry standards.
9. Policy Review and Updates
This security policy is reviewed and updated regularly to align with new security threats, technologies, and legal requirements.
10. Contact Information
For any questions or concerns regarding this Security Policy, please contact Mike Lowney at info@tonimarieconsulting.com.