Market Scope Data Security Policy

Market Scope has established a data security policy that is compliant with CIS Critical Security Controls Version 8. We are compliant with IG1 Implementation Group controls for small to medium-sized enterprises as a minimum. We recognize that this is a rapidly changing environment and are committed to monitoring and updating the process on a routine basis.

  1. Market Scope has established and maintains a detailed data processing asset inventory.
  1. All enterprise assets with the potential to store or process data are included in an accurate, detailed, and up-to-date inventory.
  2. The inventory includes end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers.
  3. The inventory includes the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network.
  4. For mobile end-user devices, MDM-type tools can support this process where appropriate.
  5. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments.
  6. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure even if they are not under control of the enterprise.
  7. The inventory is reviewed and updated every six months.
  8. When employees resign or leave Market Scope, all data processing equipment is collected and destroyed or stored in a locked cabinet until assigned to another employee.
  1. Market Scope actively manages all software located on its network and all connected assets.
  1. Only Market Scope computers are used for Market Scope work and for connecting to the company server.
  2. Market Scope computers and laptops only have approved software installed, including Office 365, QuickBooks, Acrobat Reader and Acrobat DC PRO, Windows 10, Windows 11, Chrome, Firefox, Edge, SLACK, Ring Central, WatchGuard VPN with SSL, and Webroot Secure Anywhere.
  3. All Market Scope computers have the latest version of Webroot software running at all times.
  4. Market Scope conducts an inventory of all software installed on the network and assets connected to the network.
  5. Employees are instructed on approved software, and any unmanaged software discovered during the annual inventory will be removed.
  1. Market Scope actively manages all data stored on its server and/or in the cloud.
  1. All data must be identified and classified based on its sensitivity and criticality.
  2. Data must be backed up regularly and protected from unauthorized access, modification, or destruction using a combination of password protection, encryption, and remote storage.
  3. Data backup is tested once per month to ensure the system is working as planned.
  4. Data must be retained for the minimum period required by law or regulation.
  5. Data must be disposed of securely when it is no longer required.
  6. The following guidelines will be used for protection, storage, and retention of data. Market Scope’s Privacy and Security Officer is responsible for assuring protection and destruction of all data.

| Data Group | Description | Protection | Destruction |
| --- | --- | --- | --- |
| Work documents | Versions and support for Market Scope products | Located on password protected servers | Interim versions deleted after 3 years. Final version of working documents maintained forever. |
| Primary Research Data | Primary research data including surveys, interviews, and confidential data | Encrypted and stored on password protected servers. | Interim versions deleted after 3 years. Final version of working documents maintained for 7 years. |
| Client Specific Data | Confidential non-public data shared by clients | Stored in the cloud using end-to-end encryption with access limited to employees specifically working on the data | Interim versions deleted after 3 years. Final version of working documents maintained for 7 years. |
| Financial Data | Includes all transactions posted to QuickBooks, invoices, checks, payroll records, bank reconciliations, client purchase orders, estimates, and quotes | Stored in the cloud with password protection, on local server with password protected files, and in paper-based files stored in a locked cabinet. | Final version of working documents maintained for 7 years. |

  1. Market Scope has established a standard for software to be used and installed on company-owned computers.
  1. All Market Scope work is performed on Market Scope-owned computers.
  2. Only Market Scope-owned computers have access to Market Scope servers, admin functions on the website, and Market Scope cloud-based data servers.
  3. Market Scope employees only install approved software on their computers. Approved software includes:
  1. Microsoft Windows 10 and Windows 11
  2. Microsoft Office 365, including Excel, Word, PowerPoint, Publisher, and Access.
  3. Microsoft Edge browser
  4. Acrobat Reader and Acrobat DC
  5. QuickBooks Desktop and QuickBooks Online
  6. Webroot Anti-Virus
  7. Google Chrome browser
  8. Market-Scope Plus App
  9. Salesforce SLACK App
  10. Ring Central App
  11. WatchGuard VPN with SSL
  1. Employees are asked to verify the configuration of their computers and to provide a file displaying the contents of Program Files and all exe files on their computers once per year. Responses are reviewed, and non-approved software (if any is found) will be removed. Records of the files and actions taken will be maintained.
  2. Market Scope-developed software, including the website, Market Scope Plus Apple App, and Market Scope Plus Android App, will include automatic session locking after two minutes of non-usage. Access to Market Scope software will be over HTTPS or other secure protocols. Administrative accounts will be actively managed and limited to active employees with a business need.

  1. Market Scope maintains an inventory of accounts and services used.
  1. This inventory includes account names, administrative users and departments.
  2. Administrative functionality will be limited to administrative accounts and Market Scope authorized users.
  3. Unique passwords are used for all accounts.
  4. Changes in personnel, additions or other changes in administrative users are made contemporaneously.
  5. Account inventory is reviewed on a quarterly basis.
  1. Market Scope establishes, removes, and reviews access to electronic files and enterprise systems.
  1. The Director of Operations assigns or removes access to Market Scope servers and cloud-based resources for new employees, employees changing jobs, and terminated employees, based on their needs.
  2. A list of employees and their resource access levels is maintained and reviewed quarterly.
  3. and Market Scope Plus apps have multi-factor authentication (MFA) features that require confirmation of user accounts when profile information is changed and, for administrative accounts, for any change.
  1. Market Scope regularly reviews this policy and system vulnerabilities in general to ensure that this policy is being followed, that processes are up to date, and to identify any new vulnerabilities.
  1. At least once per year, or when major changes are made to any Market Scope system, a formal meeting of all parties involved in maintaining Market Scope systems will be conducted to review the Data Security Policy.
  2. All critical Windows and other licensed software updates will be made when available, and at least once per month all available security patches will be applied to Market Scope enterprise systems. A log will be posted on with date and person making such updates.
  1. Market Scope maintains audit logs of important transactions on the website, Market Scope Plus apps and on the Market Scope server.
  1. Audit logs are collected, maintained, and reviewed to ensure that logging is taking place.
  2. Logs will be reviewed quarterly to ensure that there is adequate space allocated for logs and that the logging process complies with this policy.
  1. Market Scope computers will use only Chrome, Edge, or Mozilla web browsers. Employees may use Android versions or Apple Safari versions to check email on their phones or tablets. Web browser options will be set to automatically install all updates. Market Scope has a dedicated email domain using the Google Gmail system. Market Scope employees will only send and receive business email via this system.
  1.  All Market Scope computers and emails are set up in compliance with these policies and new employees will be informed of the policy.
  2. Market Scope computers are for business use and occasional personal use is allowed; however, such personal use is limited to use of an approved browser, approved software, and Gmail email.
  3. Market Scope will activate DNS filtering for Gmail and will track and enter any known malicious DNS addresses for blocking.
  1. Market Scope subscribes to and installs anti-malware software on all company computers.
  1. Market Scope maintains a subscription to Webroot Anti-malware software for each employee. This software is installed with the automatic update feature activated on all Market Scope computers.
  2. Market Scope employees will not use removable media unless required for business reasons and, when it is required, will disable the Windows autorun option.
  1. Market Scope protects all working files and active business documents with an automated offsite back-up service.
  1. All Market Scope working files and active business documents will be stored on the Market Scope server, except for files containing confidential data or data protected by privacy laws. Market Scope working files will be stored on company desktop or laptop computers only on a temporary basis, when access to the Market Scope server is unavailable (working remotely without web access). When web access is restored, all such data will be saved to the Market Scope server.
  2. The Market Scope server will be backed up using a third-party service each night.
  3. All confidential or privacy-protected data will be stored on an end-to-end encrypted third-party cloud server with off-site data backup features activated.
  1. Market Scope keeps all operating and business systems up to date with all available security patches.
  1. All subscription services authorizing updates are activated on Market Scope computers and connected devices.
  2. The Market Scope server will be taken offline once per month and all available operating system updates will be installed.
  1. Market Scope maintains a data security awareness program.
  1. All employees will be informed of this policy with an annual review meeting covering the policy in general and any updates. This review will discuss the dangers of connecting and transmitting data over insecure networks and the company policy for storing and transmitting data.
  2. A Market Scope employee is assigned as Data Security Chief to answer any questions, assist in implementing the policy, and monitor compliance with this policy. All employees are instructed to bring any data security issues to the assigned employee.
  3. All Market Scope employees are immediately informed of changes in the policy, data breaches, or malware attacks.  
  1. Market Scope maintains an inventory of data service providers. This will include data security terms, Market Scope contact, and agreement renewal terms. This inventory will be reviewed quarterly to ensure that all information is current and accurate.
  2. Market Scope has developed an advanced web application and Android and Apple phone apps to support the survey process, to distribute reports to its clients and to market its products. A contract software development engineer wrote and designed this system.
  1. All Market Scope applications are designed with security features built in that conform to this policy and to laws and regulations. Changes in policy, laws and regulations are monitored and any required changes are implemented as soon as possible.
  2. A monthly meeting is conducted to review recent uses of Market Scope applications and to discuss changes required and new features to be added to any Market Scope software. Development priorities are established during this meeting.
  3. A backup copy of all Market Scope software source code and change documentation is saved on a cloud server accessible by Market Scope management as required.
  1. Market Scope monitors all incidents that threaten data security and is responsible for organizing an action plan to address these issues and for revising policies to prevent additional incidents.
  1. Market Scope has designated a Data Security Chief responsible for managing any incidents and for maintaining this policy.
  2. All employees will be informed of the policy and how to contact the Data Security Chief when required.
  3. The Data Security Chief will be responsible for maintaining the file with records of any incidents and actions taken.