
Data Protection & Cyber Security Policy

1. Introduction

Geviton Enterprises Ltd. is committed to safeguarding the confidentiality, integrity, and availability of all information assets, including personal data, proprietary business information, and operational data. In an increasingly digital and interconnected world, robust data protection and cybersecurity measures are paramount to maintaining trust, ensuring business continuity, and complying with legal and regulatory requirements.


2. Scope

This policy applies to all Geviton employees (permanent, temporary, and contract), directors, officers, agents, consultants, and any third-party vendors or partners who have access to, process, store, or transmit Geviton’s information assets or use Geviton’s information systems.


3. Core Principles

Geviton adheres to the following fundamental principles for Data Protection and Cyber Security:

  • Confidentiality: Information is accessible only to authorized individuals, entities, or processes.

  • Integrity: Information is accurate, complete, and protected from unauthorized modification or destruction.

  • Availability: Information and systems are accessible and usable by authorized users when needed.

  • Privacy: Personal data is collected, processed, and stored lawfully, fairly, and transparently, respecting the rights of data subjects.

  • Legal Compliance: Adherence to all applicable data protection and cybersecurity laws and regulations.

  • Least Privilege: Access to information and systems is granted only to the extent necessary to perform job functions.


4. Policy Elements and Controls

4.1 Data Protection

  • Data Classification: All information assets are classified based on their sensitivity and criticality (e.g., Public, Internal, Confidential, Restricted). This classification dictates the level of protection required.

  • Data Minimization: Only collect, process, and retain personal data that is necessary for specified, explicit, and legitimate purposes.

  • Purpose Limitation: Personal data is processed only for the purposes for which it was collected or for compatible purposes.

  • Data Retention and Disposal: Establish clear retention periods for all data types. Data must be securely disposed of when no longer needed or legally required.

4.2 Access Control

  • Identity and Access Management (IAM): Implement robust processes for user provisioning, de-provisioning, and access review.

  • Strong Authentication: Require strong, unique passwords for all systems. Multi-Factor Authentication (MFA) is mandatory for critical systems and remote access.

  • Principle of Least Privilege: Grant users only the minimum access rights required to perform their job functions.

  • Role-Based Access Control (RBAC): Implement RBAC to manage access permissions efficiently.

4.3 Endpoint Security

  • Anti-Malware Protection: Deploy and maintain anti-malware software on all endpoints (laptops, desktops, servers) and ensure it is regularly updated.

  • Device Control: Control the use of removable media (e.g., USB drives) to prevent data exfiltration and malware introduction.


5. Employee Responsibilities

All Geviton employees are responsible for:

  • Adhering to all aspects of this Data Protection and Cyber Security Policy and related procedures.

  • Using strong, unique passwords and changing them regularly as per policy.

  • Being vigilant for phishing, social engineering, and other cyber threats, and reporting suspicious activity immediately.

  • Protecting Geviton's information assets, including personal data, from unauthorized access, use, disclosure, modification, or destruction.

  • Only accessing information and systems they are explicitly authorized to access.

  • Securing their workstations and mobile devices.


6. Compliance and Reporting

  • Incident Reporting: All security incidents, potential breaches, or policy violations must be reported immediately to the IT department or designated security team.

  • Disciplinary Action: Any employee found to be in breach of this policy will face disciplinary action, up to and including termination of employment. Third-party contracts may be terminated.

  • Regulatory Reporting: Geviton will comply with all legal obligations for reporting data breaches to relevant authorities and affected individuals.


7. Review and Update

This Data Protection and Cyber Security Policy will be reviewed and updated regularly, or as needed, to reflect changes in the threat landscape, technological advancements, legal and regulatory requirements, and Geviton’s business environment.


8. Contact

For any questions about this Data Protection and Cyber Security Policy, to report a security incident, or to seek guidance, please contact:

📧 Email: info@geviton.co.ke

📞 Phone: +254740223196