This Information Security Policy (Policy) promotes an effective balance between information security practices and business needs. The Policy helps RigConcierge, LLC ("RigConcierge") meet our legal obligations and our users' expectations. From time to time, RigConcierge may implement different levels of security controls for different information assets based on risk and other considerations.
You are expected to read, understand, and follow this Policy. However, no single policy can cover all the possible information security issues you may face. You must seek guidance from your manager or other designated RigConcierge resource before taking any actions that create information security risks or otherwise deviate from this Policy's requirements. RigConcierge may treat any failure to seek and follow such guidance as a violation of this Policy.
This Policy is Confidential Information. Do not share this Policy outside RigConcierge unless authorized by the Information Security Coordinator. You may share this Policy with an approved contractor that has access to RigConcierge's information or systems under a non-disclosure agreement or other agreement that addresses confidentiality (see Section 7, Service Providers: Risks and Governance).
RigConcierge follows these guiding principles when developing and implementing information security controls:
(a) RigConcierge strives to protect the confidentiality, integrity, and availability of its information assets and those of its users.
(b) We will comply with applicable information security, privacy, and data protection laws.
(c) We will balance the need for business efficiency with the need to protect sensitive, proprietary, or other confidential information from undue risk.
(d) We will grant access to sensitive, proprietary, or other confidential information only to those with a need to know and at the least level of privilege necessary to perform their assigned functions.
(e) Recognizing that an astute workforce is the best line of defense, we will provide security training opportunities and expert resources to help individuals understand and meet their information security obligations.
This Policy applies across the entire RigConcierge enterprise. This Policy provides detailed information security guidance that you must follow.
This Policy states RigConcierge's information security policy. In many cases, you are personally responsible for taking or avoiding specific actions as the Policy states. In some situations, the Information Security Coordinator or another RigConcierge resource takes or avoids the stated actions.
From time to time, RigConcierge may approve and make available more detailed or location- or business unit-specific policies, procedures, standards, and processes to address specific information security issues. Those additional policies, procedures, standards, and processes are extensions to this Policy. You must comply with them, where applicable, unless you obtain an approved exception.
No single document can cover all the possible information security issues you may face. Balancing our need to protect RigConcierge's information assets with getting work done can also be challenging. Many effective administrative, physical, and technical safeguards are available. Do not make assumptions about the cost or time required to implement them. Ask for help.
You must seek guidance before taking any actions that create information security risks.
(a) For questions about this Policy or technical information security issues, contact: Alex MacDonald, as Information Security Coordinator; or
(b) For guidance regarding legal obligations, contact: Alex MacDonald.
Except where applicable law provides otherwise, you should have no expectation of privacy when using RigConcierge's network, services or systems, including, but not limited to, transmitting and storing files, data, and messages.
To enforce compliance with RigConcierge's policies and protect RigConcierge's interests, RigConcierge reserves the right to monitor any use of its network, services and systems to the extent permitted by applicable law. By using RigConcierge's systems, you agree to such monitoring. Monitoring may include (but is not necessarily limited to) intercepting and reviewing network traffic, emails, or other messages or data sent or received and inspecting data stored on individual file directories, devices, or other printed or online media.
Various information security laws, regulations, and industry standards apply to RigConcierge and the data we handle. RigConcierge is committed to complying with applicable laws, regulations, and standards.
(a) Personal Information: Data Protection and Breach Notification Laws. Various laws protect individuals' personal information, such as government-assigned numbers, financial account information, and other sensitive data. Many jurisdictions have enacted data breach notification laws that require organizations to notify affected individuals if personal information is lost or accessed by unauthorized parties. Some locations have data protection laws that require organizations to protect personal information using reasonable data security measures or more specific means. These laws may apply to personal information for RigConcierge's employees, users and customers, business partners, and others.
(b) RigConcierge strives to be compliant with industry-standard security frameworks and regulations.
RigConcierge and its leadership recognize the need for a strong information security program.
RigConcierge has designated Alex MacDonald to be its Information Security Coordinator and accountable for all aspects of its information security program. References to the Information Security Coordinator throughout this Policy include the Information Security Coordinator and their designates.
RigConcierge has granted the Information Security Coordinator the authority to develop, maintain, and enforce this Policy and any additional policies, procedures, standards, and processes, as they may deem necessary and appropriate.
On at least an annual basis, the Information Security Coordinator will initiate a review of this Policy, engaging stakeholders such as individual business units, Human Resources, Legal, and other RigConcierge organizations, as appropriate.
RigConcierge recognizes that specific business needs and local situations may occasionally call for an exception to this Policy. Exception requests must be made in writing. The Information Security Coordinator must approve in writing, document, and periodically review all exceptions.
To request an exception, contact Alex MacDonald.
Employees and contractors are obligated to comply with all aspects of this Policy that apply to them. This Policy is not intended to restrict communications or actions protected or required by applicable law.
RigConcierge may treat any attempt to bypass or circumvent security controls as a violation of this Policy. For example, sharing access credentials, including passwords or multifactor authentication means, deactivating anti-malware software, removing or modifying secure configurations, or creating unauthorized network connections are prohibited unless the Information Security Coordinator has granted an exception as described in Section 2.4, Exceptions.
Any violation of this Policy may result in disciplinary action or other sanctions. Sanctions may include suspension, access restrictions, work assignment limitations, or more severe penalties up to and including termination, in accordance with applicable law. If RigConcierge suspects illegal activities, it may report them to the applicable authorities and aid in any investigation or prosecution of the individuals involved.
All employees and contractors must acknowledge that they have read, understood, and agree to comply with this Policy either in writing or through an approved online process. Acknowledgment must be completed on a timely basis following a new hire or as otherwise designated by the Information Security Coordinator. Material changes to this Policy may require additional acknowledgment. RigConcierge will retain acknowledgment records.
RigConcierge has established a three-tier classification scheme to protect information according to risk levels. The information classification scheme allows RigConcierge to select appropriate security controls and balance protection needs with costs and business efficiencies.
All RigConcierge information is classified as (from least to most sensitive): (1) Public Information, (2) Confidential Information, or (3) Highly Confidential Information.
Unless it is marked otherwise or clearly intended to be Public Information, treat all RigConcierge and user information as if it is at least Confidential Information, regardless of its source or form, including online, paper, verbal, or other information.
You must apply security controls appropriate for the assigned information classification level to all information you store, transmit, or otherwise handle. Use classification level markings, where feasible.
Public Information is information that RigConcierge has made available to the general public. Information received from another party (including a user) that is covered under a current, signed non-disclosure agreement must not be classified or treated as Public Information.
(a) Public Information Examples. Some Public Information examples include, but are not limited to: press releases; RigConcierge marketing materials; job announcements; and any information that RigConcierge makes available on its publicly accessible website(s).
Confidential Information is information that may cause harm to RigConcierge, its users, employees, or other entities or individuals if improperly disclosed, or that is not otherwise publicly available. Harms may relate to an individual's privacy, RigConcierge's marketplace position or that of its users, or legal or regulatory liabilities.
(a) Confidential Information Examples. Some Confidential Information examples include, but are not limited to: RigConcierge financial data, user lists, revenue forecasts, program or project plans, and intellectual property; user-provided data, information, and intellectual property (see also, Section 3.3, Highly Confidential Information, regarding personal information); user contracts and contracts with other external parties, including vendors, and other like materials.
(b) Safeguards. You must protect Confidential Information with specific administrative, physical, and technical safeguards implemented according to risks, and treat it with the utmost care.
Highly Confidential Information is information that may cause serious and potentially irreparable harm to RigConcierge, its users, employees, or other entities or individuals if disclosed or used in an unauthorized manner. Highly Confidential Information is a subset of Confidential Information that requires additional protection.
(a) Highly Confidential Information Examples. Some Highly Confidential Information examples include, but are not limited to: personal information for employees, users, business partners, or others; and sensitive RigConcierge business information, such as budgets, financial results, or strategic plans.
(b) Safeguards. You must protect Highly Confidential Information with specific administrative, physical, and technical safeguards implemented according to risks and as prescribed by applicable laws, regulations, and standards, and handle and treat it with the utmost care.
This section describes key safeguards that RigConcierge uses to protect and manage its information technology (IT) environment. You must support their use to the extent that they apply to you.
Install and configure RigConcierge-owned computers and other hardware according to current technical standards and procedures, including anti-malware software, other standard security controls, and approved operating system version and software patches. RigConcierge supports preventive controls to avoid unauthorized activities or access to data, based on risk levels. RigConcierge supports detective controls to discover unauthorized activities or access to data in a timely manner, including continuous system monitoring and event management.
(a) Perimeter Controls. Perimeter controls secure RigConcierge's network against external attacks. Use firewalls, configured according to current technical standards and procedures, to separate RigConcierge's trusted network from the internet or internet-facing environments.
RigConcierge may implement additional perimeter controls including intrusion detection and prevention services, data loss prevention software, specific router or other network configurations, or various forms of network monitoring according to risks. Do not create internet connections outside perimeter controls.
(b) Data and Network Segmentation. RigConcierge may use technical controls, such as firewalls, access control lists, or other mechanisms, to segment some data or areas of its network according to risks. Segment Highly Confidential Information from the rest of RigConcierge's network to the extent technically feasible and reasonable (see Section 3.3, Highly Confidential Information). Do not alter network segmentation plans without approval from the Information Security Coordinator.
(c) Encryption. RigConcierge uses encryption to protect Confidential and Highly Confidential Information according to risks. RigConcierge may apply encryption to stored data (data-at-rest) and transmitted data (data-in-transit). Encrypting personal information may lower RigConcierge's liability if a data breach occurs.
Only use generally accepted encryption algorithms and products approved by the Information Security Coordinator. Periodically review encryption products and algorithms for any known risks.
Laws may limit exporting some encryption technologies. Seek guidance from Legal prior to exporting or making any encryption technologies available to individuals outside the U.S.
(i) Encryption Key Management. Encryption algorithms use keys to transform and secure data. Because keys allow decryption of the protected data, proper key management is crucial. Select encryption keys to maximize protection levels, to the extent feasible and reasonable. Treat them as Highly Confidential Information.
Ensure that keys are available when needed to support data decryption by using secure storage methods and creating and maintaining secure backups. Track access to keys. Keys should never be known or available to only a single individual. Change encryption keys on a periodic basis according to risks.
(d) Data and Media Disposal. When RigConcierge retires or otherwise removes computing, network, or office equipment (such as printers, copiers, or fax machines) or other information assets that may contain Confidential or Highly Confidential Information from the business, specific steps must be taken to scrub or otherwise render the media unreadable.
Simply deleting files or reformatting disks is not sufficient to prevent data recovery. Either physically destroy media, according to applicable waste disposal regulations, or scrub it using data wiping software that meets generally accepted data destruction standards. For example, see the National Institute of Standards and Technology Special Publication 800-88, Guidelines for Media Sanitization.
Alex MacDonald manages IT operations and related activities at RigConcierge, including development of software and other applications.
Only RigConcierge-supplied or approved software, hardware, and information systems, whether procured or developed, may be installed in RigConcierge's IT environment or connected to RigConcierge's network.
Incident Reporting and Response. The Information Security Coordinator maintains a cyber incident reporting and response process that ensures management notifications are made based on the seriousness of the incident. The Information Security Coordinator investigates all reported or detected incidents and documents the outcome, including any mitigation activities or other remediation steps taken.
Immediately notify Alex MacDonald if you discover a cyber incident or suspect a breach in RigConcierge's information security controls. RigConcierge maintains various forms of monitoring and surveillance to detect cyber incidents, but you may be the first to become aware of a problem. Early detection and response can mitigate damages and minimize further risk to RigConcierge.
Treat any information regarding cyber incidents as Highly Confidential Information and do not share it, internally or externally, without specific authorization.
(a) Cyber Incident Examples. Cyber incidents vary widely and include physical and technical issues. Some examples of cyber incidents that you should report include, but are not limited to:
(i) loss or suspected compromise of user credentials or physical access devices (including passwords, tokens, keys, badges, smart cards, devices containing authenticator software, or other means of identification and authentication);
(ii) suspected malware infections, including viruses, Trojans, spyware, worms, or any anomalous reports or messages from anti-malware software or personal firewalls;
(iii) loss or theft of any device that contains RigConcierge information (other than Public Information), including computers, laptops, tablet computers, smartphones, USB drives, disks, or other storage media;
(iv) suspected entry (hacking) into RigConcierge's network or systems by unauthorized persons;
(v) any breach or suspected breach of Confidential or Highly Confidential Information;
(vi) any attempt by any person to obtain passwords, one-time use codes, or other Confidential or Highly Confidential Information in person or by phone, email, or other means (sometimes called social engineering, or in the case of email, phishing); and
(vii) any other situation that appears to violate this Policy or otherwise create undue risks to RigConcierge's information assets.
(b) Compromised Devices. If you become aware of a compromised computer or other device, immediately notify Alex MacDonald.
The Information Security Coordinator defines and maintains a cyber incident response plan to manage information security incidents. Report all suspected incidents, as described in this Policy, and then defer to the incident response process. Do not impede the incident response process or conduct your own investigation unless the Information Security Coordinator specifically requests or authorizes it.
Applicable law may require RigConcierge to report cyber incidents that result in the exposure or loss of certain kinds of information or that affect certain services or infrastructure to various authorities or affected individuals or organizations, or both. Breaches of Highly Confidential Information (and especially personal information) are the most likely to carry these obligations (see Section 1.5, Regulatory Compliance). The Information Security Coordinator's incident response plan includes a step to review all incidents for any required notifications. Coordinate all external notifications with Legal and the Information Security Coordinator. Do not act on your own or make any external notifications without prior guidance and authorization.
The Information Security Coordinator maintains a service provider risk governance program to oversee service providers that interact with RigConcierge's systems or Confidential or Highly Confidential Information. The service provider risk governance program includes processes to track service providers, evaluate service provider capabilities, and periodically assess service provider risks and compliance with this Policy.
Obtain approval from the Information Security Coordinator before engaging a service provider to perform functions that involve access to RigConcierge's systems or Confidential or Highly Confidential Information.
Service providers that access RigConcierge's systems or Confidential or Highly Confidential Information must agree by contract to comply with applicable laws and this Policy or equivalent information security measures. RigConcierge may require service providers to demonstrate their compliance with applicable laws and this Policy by submitting to independent audits or other forms of review or certification based on risks.
RigConcierge frequently creates, receives, and manages data on behalf of our users. With guidance from the Information Security Coordinator, RigConcierge develops, implements, and maintains an appropriate process and procedures to manage user data intake and protection.
RigConcierge user data intake and protection processes may vary but must include, at minimum, means for (1) identifying user data and any pertinent requirements prior to data intake or creation; (2) maintaining an inventory of user data created or received; and (3) ensuring RigConcierge implements and maintains appropriate information security measures, including proper data and media disposal when RigConcierge no longer has a business need to retain the user data (or is no longer permitted to do so by user agreement).
Identify any pertinent user data requirements before data intake or creation according to RigConcierge's user data intake and protection process. Requirements may be contractual or the result of applicable law or regulations, or both (see Section 1.5, Regulatory Compliance).
RigConcierge data intake processes and procedures must provide for secure data transfer. Maintain an inventory of user data that includes, at a minimum:
(a) A description of the user data, including RigConcierge's use purposes;
(b) the location(s) where the data is stored;
(c) who is authorized to access the data (by category or role, if appropriate);
(d) whether the data is Confidential or Highly Confidential Information;
(e) how long the data is to be retained (using criteria, if appropriate); and
(f) any specific contractual or regulatory obligations or other identified data protection or management requirements.
Treat any user-provided personal information as Highly Confidential Information (see Section 3.3, Highly Confidential Information). To minimize risks for users and RigConcierge, engage users in an ongoing dialogue to determine whether business objectives can be met without transferring personal information to RigConcierge.
Protect all user data RigConcierge creates or receives in accordance with this Policy and the data's information classification level, whether Confidential or Highly Confidential Information, in addition to any specific client-identified requirements.
Ensure that any user data or media containing user data is securely disposed of when it is no longer required for RigConcierge business purposes, or as required by user agreement (see Data and Media Disposal). Update the applicable business unit user data inventory accordingly.
RigConcierge supports an ongoing risk governance and risk management action cycle to (1) enforce this Policy; (2) identify and appropriately communicate information security risks; (3) develop risk-based procedures, safeguards, and controls; and (4) verify that safeguards and controls are in place and working properly. The Information Security Coordinator oversees, maintains, and is responsible for all aspects of these processes.
This Information Security Policy is effective as of July 13th, 2025.
Original publication.