Security Guidelines

Introduction
This page highlights some ‘good practice’ guidelines to help keep your Tagmin account secure. Regardless of the applications you use, many data breaches arise from the theft or loss of a device, weak passwords and outdated (or non-existent!) security policies, so please read through this page carefully. It is also important to refer back to this information regularly as you assess, define, implement and develop your data protection and security policies as a business.

If you have any questions please email agents@tagmin.com or refer to our support articles and videos within the Help tab (once logged into Tagmin).

Equipment

Agencies use computers for a huge proportion of their work, so your computer is one of your most valuable business assets. Tagmin recommends investing in good computer equipment and a reliable internet connection so you can work at your best. Tagmin is browser based, so as long as you are online it will work on even the slowest of computers; but because computers are so central to an agent’s working day, more RAM (memory), a faster processor and a better internet connection all make your day easier. Also bear in mind that an older computer which cannot be upgraded to a supported operating system will stop receiving security updates and may not be able to run the latest, most secure browser version, which is a security risk for your business.

Different types of users
There are two types of Tagmin user: superusers and standard users. You told us which of your accounts should be superusers when you applied, but you should keep this under constant review. Superusers can see everything. Superusers also decide which areas a standard user can see, and therefore which data they have access to. To set what a standard user can see, a superuser should go to Preferences, then User accounts, then select the user concerned and simply un-tick the tabs that user should not see. In line with your agency’s data protection obligations, review regularly both what you store and who on your team can access it, and remove access as soon as a person no longer needs the data, leaves the company or is away on leave.

Things to think about when it comes to your Tagmin users:

  • Does your team know who their Tagmin superusers are, and are they correctly assigned? If you do not know whether you are a superuser, click on Preferences: if you see a User accounts tab, you are a superuser. If you are a standard user, find out who your superuser is.
  • Superusers need to know their status, responsibilities and privileges and standard users need to know who their superusers are, so they know who to go to when needed.
  • Superusers should set what all standard users can see in Tagmin – including any new users – and these settings should be checked regularly and updated as needed.
  • Superusers should decide whether each standard user needs the app version of Tagmin, and switch it off for those who do not.
  • It is your agency’s responsibility, as part of your wider security policy, to ensure that all your passwords, not just those for Tagmin, are strong, unique to each service, updated regularly and changed immediately if you suspect they have been exposed.
  • You can add two-step authentication to your Tagmin login, so that every time you log in you must also enter a code provided by your smartphone. To set this up go to Preferences, then Your Preferences. Superusers can enforce this for all users.
  • Update your existing data protection policies and procedures so that Tagmin is included in them. For example, if a laptop is stolen you should already have a policy that ensures a staff member’s email account can be locked, or its password changed, even out of hours; locking that person’s Tagmin account should now be part of the same procedure.
  • Lock accounts when people are on leave and not using Tagmin.
  • You can lock a user so they can only use Tagmin from a certain IP address (location/connection) if needed – contact us to set this up.
  • Setting the fields your clients (talent) can see is important, because you can hide the fields that would hold data you do not need, so they do not fill in data you should not be holding.
  • Set which personal data appears on invoices, and hide any fields that are not needed there.


Basic advice on data protection

The ICO (Information Commissioner’s Office) recommends an approach to data protection that uses a set of security controls that complement each other. If you experience a data breach, you will need to be able to demonstrate that you had policies and controls in place to protect your data.

  • The ICO says: “The older your computer’s operating system, the less likely it is to be able to run the newest security updates and latest (most secure) versions of your browser.” As Tagmin is web based, we recommend running it on a supported, fully updated operating system with the latest version of your browser.
  • The ICO says: “A brute force password attack is a common method of attack, perhaps even by casual users chancing their luck. You need to enforce strong passwords and limit the number of failed login attempts.” Tagmin enforces a minimum standard for passwords. Tagmin also locks your account after five wrong login attempts. Note that a browser auto-filling a stale or wrong username or password counts as a failed attempt each time, so an account can be locked without anyone deliberately typing a wrong password.
  • The ICO says: “Restrict access to your system to users and sources you trust. It is more secure to limit access so that all users have their own username and password.” Tagmin can provide as many logins as you require, so no two people need to share one. Tagmin also lets you change your password as often as you like, and we strongly advise doing so regularly. Remember that anyone with access to your email can request password reminders or reset links for any online service you use, not just Tagmin, so strong email security (a strong, unique mailbox password with two-step authentication) is also very important.
  • The ICO says: “Each user should use an account that has permissions appropriate to the job they are carrying out at the time.” Tagmin helps you to achieve this by providing Tagmin superusers the option to limit what menu options and tabs are visible to Tagmin standard users.
  • The ICO says: “You should have anti-virus and anti-malware products regularly scanning your network to prevent or detect threats. You will also need to make sure they are kept up-to-date and that it is switched on and monitoring the files that it should be. You should also make sure you receive and act upon any alerts issued by the malware protection. If your system is a few years old, you should review the protection you have in place to make sure that it is still adequate.” This advice relates to your computers as a whole, and it is important that you follow it.
  • The ICO says: “The physical security of equipment is important to consider as devices containing personal data could be stolen in a break-in or lost whilst away from the office. You should ensure that personal data on your systems is protected against these types of threats.” Tagmin allows you to lock an account at any point, but this only helps if your team know who their superusers are and the superusers know how to do it; set aside time for them to learn and practise this before it is needed.
  • The ICO says: “You also need to ensure that the same level of security is applied to personal data on devices being used away from the office. Many data breaches arise from the theft or loss of a device (eg laptop, mobile phone or USB drive). Allowing untrusted devices to connect to your network or using work devices on untrusted networks outside your office can also put personal data at risk. Some mobile devices support a remote disable or wipe facility. This allows you to send a signal to a lost or stolen device to locate it and, if necessary, securely delete all data.” Tagmin provides a range of features to help here, including switching your agency to a login page that does not have a ‘remember me’ option. We can also restrict certain, or all, users so that they can only log in to Tagmin from your office’s internet connection (IP address).
  • What the ICO says on staff training: “Your employees may have a limited knowledge of cyber security, but they could be your final line of defence against an attack. Accidental disclosure or human error is also a leading cause of breaches of personal data. This can be caused by simply sending an email to the incorrect recipient or opening an email attachment containing malware. Employees at all levels need to be aware of what their roles and responsibilities are. Train your staff to recognise threats such as phishing emails and other malware or alerting them to the risks involved in posting information relating to your business activities on social networks. You should encourage general security awareness within your organisation. A security aware culture is likely to identify security risks. Check your security software messages, access control logs and other reporting systems you have in place on a regular basis. You should also act on any alerts that are issued by these monitoring services. Make sure you can check what software or services are running on your network. Make sure you can identify if there is something there which should not be. Run regular vulnerability scans and penetration tests to scan your computers for known vulnerabilities – make sure you address any vulnerabilities identified.”
  • What the ICO says on what data to keep: “The DPA says that personal data should be accurate, up-to-date and kept for no longer than is necessary. Over time you may have collected large amounts of personal data. Some of this data may be out-of-date and inaccurate or no longer useful.” As a data controller you will have your own retention policies. You can remove and delete data in Tagmin when needed; if you need to bulk delete data, please get in touch with us. We securely destroy all versions of the backups we make of your Tagmin data after 30 days, so a copy of deleted data may remain in a backup for up to 30 days after you delete it.
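The lockout, minimum password standard and office-IP restriction described in the points above are simple to reason about once written down. The following Python is an added illustration of those three controls working together; it is not Tagmin’s code (the page does not show any), and the specific password rules, the PBKDF2 parameters, the function names and the sample addresses are assumptions made for the example. It also shows why a browser auto-filling a wrong password locks an account: every wrong password, however it was entered, counts.

```python
"""Added example: a login guard modelling the controls described above.
Not Tagmin's code; the password rules, hashing parameters, names and
sample networks below are assumptions made for illustration."""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass, field
from typing import Optional, Tuple

MAX_FAILED_ATTEMPTS = 5        # matches the lockout threshold stated above
MIN_PASSWORD_LENGTH = 12       # assumed minimum standard
PBKDF2_ITERATIONS = 200_000    # kept modest so the example runs quickly


def password_meets_standard(password: str) -> bool:
    """Assumed minimum standard: length plus mixed character classes."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class UserAccount:
    username: str
    salt: bytes
    digest: bytes
    # Networks the user may log in from; an empty list means any source.
    allowed_networks: list = field(default_factory=list)
    failed_attempts: int = 0
    locked: bool = False


def create_account(username: str, password: str, allowed_networks=()) -> UserAccount:
    """Registration: refuse weak passwords, store only a salted hash."""
    if not password_meets_standard(password):
        raise ValueError("password does not meet the minimum standard")
    salt, digest = hash_password(password)
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return UserAccount(username, salt, digest, nets)


def attempt_login(account: UserAccount, password: str, source_ip: str) -> str:
    """Returns 'ok', 'locked', 'ip_denied' or 'bad_password'.

    Order matters: a locked account never reaches the password check, and
    a source outside the allowlist is refused before any password is tested,
    so off-network guesses cannot probe the password at all."""
    if account.locked:
        return "locked"
    ip = ipaddress.ip_address(source_ip)
    if account.allowed_networks and not any(ip in net for net in account.allowed_networks):
        return "ip_denied"
    _, candidate = hash_password(password, account.salt)
    if hmac.compare_digest(candidate, account.digest):
        account.failed_attempts = 0          # success resets the counter
        return "ok"
    # Every wrong password counts, including one a browser auto-fills:
    # five of them lock the account even with nobody typing.
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
        return "locked"
    return "bad_password"


def unlock(account: UserAccount) -> None:
    """Administrative reset, the step a superuser would take after checking with the user."""
    account.locked = False
    account.failed_attempts = 0


if __name__ == "__main__":
    # Constructed sample: office network 203.0.113.0/24, one stray home address.
    acct = create_account("agent", "CorrectHorse42Battery", ["203.0.113.0/24"])
    print(attempt_login(acct, "CorrectHorse42Battery", "203.0.113.10"))   # ok
    print(attempt_login(acct, "CorrectHorse42Battery", "198.51.100.7"))   # ip_denied
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(attempt_login(acct, "stale-autofilled-pw", "203.0.113.10"))
    print(attempt_login(acct, "CorrectHorse42Battery", "203.0.113.10"))   # locked
```

Two design points worth noticing: the IP check happens before the password is hashed, so a request from outside the allowed network learns nothing about the password and does not consume a failed attempt; and the counter is only reset by a successful login or an explicit administrative unlock, which is why an account that has been locked by a misbehaving browser stays locked until a superuser intervenes.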


Support

Keeping an IT network safe and secure requires time and resources. There are a range of organisations offering advice and guidance appropriate to your business – we list a few here to support you in your responsibilities:

Get Safe Online (www.getsafeonline.org)
A joint initiative between the government, law enforcement, leading businesses and the public sector to provide computer users and small businesses with free, independent, user-friendly advice that will allow them to use the internet

Cyber Street (www.cyberstreetwise.com)
Cyber Street is a cross-government campaign, funded by the National Cyber Security Programme, and delivered in partnership with the private and voluntary sectors.

Cyber Essentials (www.gov.uk/government/publications/cyber-essentials-scheme-overview)
The Cyber Essentials scheme provides businesses small and large with clarity on good basic cyber security practice.