CARO ISS Policy and Guidelines

CARO Information System Security Policy and Guidelines

Effective Date: 01/01/2024
Last Updated: 01/01/2024


1. Introduction

At CARO (Care for Assets, Resources, and Obligations), we are committed to safeguarding the privacy and security of the personal and sensitive information we collect. This policy outlines our approach to ensuring data protection and cybersecurity for all information processed by CARO. It covers how we collect, use, store, and protect data in alignment with legal and ethical standards.

2. Purpose

This Information System Security Policy provides guidelines on how CARO protects sensitive information, ensures compliance with relevant legal frameworks, and manages risks associated with data handling. It applies to all employees, volunteers, contractors, and third parties who have access to CARO’s systems.


3. Scope

This policy applies to all:

  • Information collected by CARO, including but not limited to names, emails, phone numbers, electoral district information, and any other sensitive data.
  • CARO’s systems and data processing infrastructure.
  • Employees, contractors, volunteers, and third-party entities that interact with CARO’s systems.

4. Data Collection and Usage Guidelines

  • Transparency: CARO collects personal information such as names, emails, phone numbers, and electoral district details for specific purposes, including participant applications and outreach programs.
  • Consent: All data collection is subject to the explicit consent of individuals. CARO clearly states the purpose of data collection at the time of application or registration.
  • Usage: Data collected will only be used for the purpose specified, which includes administrative tasks, program evaluation, and internal reporting. CARO will not share personal data with, or sell it to, third parties unless explicitly stated and approved by the individual.

5. Data Protection Measures

5.1. Data Encryption

  • All sensitive information is encrypted in transit using secure protocols (e.g., HTTPS, SSL) and at rest using advanced encryption algorithms.
  • Encrypted backups are created regularly to ensure data availability in case of any system failures or disasters.

5.2. Access Control

  • Access to personal and sensitive information is restricted to authorized personnel. Employees, volunteers, and contractors must authenticate themselves using multi-factor authentication before accessing the system.
  • Access levels are assigned based on job function, ensuring that individuals only have access to data necessary for their role.

5.3. Secure Data Storage

  • CARO uses secure cloud services and on-premise infrastructure that comply with international data security standards and regulations (e.g., ISO 27001, GDPR) to store personal data.
  • Data retention policies are in place to ensure data is stored only for the necessary duration and securely deleted after its purpose is fulfilled.

5.4. Regular Audits and Compliance

  • CARO conducts regular security audits to ensure compliance with industry best practices and legal standards.
  • Any identified risks are mitigated immediately following our internal risk management procedures.

6. Incident Response and Data Breach Policy

6.1. Incident Response Plan

In the event of a security breach, CARO has a robust incident response plan to:

  • Immediately identify and contain the breach.
  • Notify affected individuals within 72 hours of identifying a breach.
  • Conduct a full investigation to understand the cause and mitigate the risk of future occurrences.

6.2. Reporting

Individuals are encouraged to report any security concerns or potential breaches to the IT department or data protection officer immediately.


7. Data Retention and Deletion Policy

  • Personal data will be retained only for as long as necessary to fulfill its intended purpose or as required by law.
  • Individuals have the right to request the deletion of their data from CARO’s systems at any time. Requests for data deletion will be processed within 30 days of receipt.

8. Compliance and Legal Frameworks

CARO is committed to complying with all relevant data protection laws, including but not limited to:

  • General Data Protection Regulation (GDPR)
  • The California Consumer Privacy Act (CCPA)
  • Local jurisdictional data protection laws
  • Payment Card Industry Data Security Standard (PCI DSS) for any financial information handling

CARO ensures that all third-party vendors comply with equivalent data protection standards.


9. Training and Awareness

  • All CARO employees, volunteers, and contractors must undergo mandatory information security training to understand their responsibilities in protecting sensitive data.
  • Continuous education on evolving cybersecurity threats and data privacy laws will be provided to ensure all stakeholders remain vigilant and compliant.

10. Policy Review and Updates

This policy is reviewed and updated regularly to align with evolving legal standards and emerging security threats. All updates will be communicated through our official website and internal communication channels.


Contact Information
For any questions, concerns, or requests related to data protection, please contact us at:
Email: hr@carononprofit.org
Phone: +880 16 6012 8918


By following this policy, CARO ensures the highest standards of information security, fostering trust and transparency among our participants and stakeholders.

Approved by: A N M Nuruddin
Executive Director, CARO
Date: 01/01/2024