Voyages Encore Travel Inc. (“Encore”) is committed to safeguarding the confidentiality, integrity and availability of all physical and electronic information assets of the organization to ensure that regulatory, operational and contractual requirements are fulfilled.
Encore and its management support and are committed to achieving compliance with applicable PII protection legislation and/or regulations and with the contractual terms agreed between the organization and its partners, its subcontractors and its applicable third parties (customers, suppliers etc.).
The overall goals for information security at Encore cover a wide range of security topics and express Management’s general intent for the practice of information security across the organization. This policy may not cover every topic in detail but sets out objectives that must be met by specific processes, controls, supporting documentation, controls in operation, and records of compliance.
This policy applies to all Encore information that has been categorized as Secret, Confidential, or Internal, as defined in the Data Classification Policy. This includes information entrusted to Encore by customers and suppliers.
This policy applies to all employees and third-party consultants and contractors, under legal agreement, and entrusted with Encore information.
This policy applies to all information systems, computing devices, applications, databases, hardware, and software, whether hosted and administered by Encore and/or designated third-party service providers, which are used to conduct Encore business and to process, store, and/or transmit Encore information.
Read, Understand, and Comply with this policy.
Employees are responsible for reporting incidents and possible breaches of security directly to the Service Desk (servicedesk.encore.ca).
Any questions related to this policy can be directed to the Service Desk.
Provide direction and management support to employees with information security responsibilities.
Analyze security incidents and recommend, initiate and/or track corrective actions as applicable.
Review reports on Security Program implementation status and assessments.
Provide guidance and oversight for the BCP and Disaster Recovery Planning ("DRP").
Participate actively in risk assessment exercises and defining risk mitigation strategies.
Approve Encore's Information Security Policies and any policy changes, so that they remain aligned with business requirements and the defined risk mitigation strategies.
Sign off on Certificates of Destruction.
The Director of IT has the same responsibilities as Members of the Steering Committee, as well as:
Approve and enforce compliance with this policy.
Approve the use of group, shared and generic user account IDs (including specific Admin accounts).
Approve the purchase and installation of IT equipment and the software for IT equipment.
Assign information security responsibilities and ensure compliance with the program.
Oversee Information Security Program implementation and security improvement initiatives.
Provide security awareness training and conduct periodic information security training.
Conduct periodic Information Security Program assessments and communicate the results to the Members of the Steering Committee.
Identify subject matter expertise to enhance information security defenses.
Oversee the overall Risk Program, Security Awareness Program, and Asset Management.
Delegate responsibility for network patches, which will include:
Defined time allowed to implement security patches.
Ability to handle and implement emergency patches.
Applicability to Operating System and server software such as application server and database software.
Manage and review this policy at least annually.
This includes all policies and procedures within the Information Security Framework.
Define and align the scope of the Information Security Program with Encore's business requirements and security best practices.
Ensure that applicable encryption for protecting regular backups is applied.
Ensure that all contractual partners and contracted consultants sign a non-disclosure agreement prior to accessing the network.
Collect evidence as required.
Answer all questions or comments related to this policy.
Ensure this policy is readily available for all employees within the Service Desk.
Encore's approach to information security is risk-based and addresses the likelihood and impact of threats and vulnerabilities to Company data. Encore assesses risk based on data classification, with Confidential data (defined in Section 4.5.2 of this Policy) assigned to the highest risk. Encore applies IT security policies and procedures to Confidential data accordingly.
Encore shall maintain a program to periodically assess, monitor and track risks. This program shall be overseen by the Director of IT and shall include: identification of threats and vulnerabilities, a risk register, risk scoring methodology and risk treatment.
Policies and procedures shall be developed and updated by appropriate staff, reviewed and approved annually or as business needs change by Management, and made available to all relevant audiences during onboarding and via training. Encore will align policies to related documents such as procedures, controls, records, contractual obligations, and laws.
Applicable Personally Identifiable Information (“PII”) protection legislation and/or regulation shall be considered during the development and maintenance of information security policies.
In addition to the general policy management provisions, review of current and historical policies and procedures may be required (e.g. in the cases of customer dispute resolution and investigation by a supervisory authority). Encore shall retain copies of its privacy policies and associated procedures for a period as specified in its retention schedule, outlined in the Data Retention & Disposal Policy. This includes retention of previous versions of these documents when they are updated.
Information security at Encore has been delegated by Management to the Director of IT, who is responsible for overseeing the development of security programs, processes, and procedures over the lifecycle of information security, compliance with this policy, enforcement of standards and regulations, controls and procedures. Encore's information security controls will be reviewed and revised annually by the Director of IT and approved by the Steering Committee.
When required by a Customer, Encore will make information available to demonstrate compliance with its obligations under applicable law and allow for and contribute to audits, as instructed by Customers. In addition, should any Customer instruction infringe on applicable law, the Cyber Security Analyst will notify the Customer.
Screening will be conducted to ensure candidates understand their responsibilities and are suitable for their designated role. Background checks are to be carried out according to relevant laws and regulations. A non-disclosure agreement must be signed by all employees, contractors or others who will have access to any Customer’s member information. In addition, the Acceptable Use Policy and Code of Conduct (both within the Employee Handbook) must be signed prior to employment.
Management is responsible for enforcing user compliance with IT security policies and procedures. Information security awareness, education and training shall be delivered to employees and contractors during onboarding, and at least annually thereafter. In addition, all employees within Travel Operations receive annual training on specific Customers’ data protection requirements.
Upon termination of employment or contract, all of Encore's physical assets shall be returned, and access to all information systems will be immediately disabled and revoked. For a change of role, access to information assets will be re-evaluated.
Training includes the definition of PII and how to recognize information that is PII. It shall also include awareness of incident reporting, to ensure that relevant staff are aware of the possible consequences to the organization (e.g. legal consequences, loss of business and brand or reputational damage), to the staff member (e.g. disciplinary consequences) and to the PII principal (e.g. physical, material and emotional consequences) of breaching privacy or security rules and procedures, especially those addressing the handling of PII.
Individuals with access to PII are subject to a confidentiality obligation. The confidentiality agreement, whether part of a contract or separate, specifies the length of time the obligations should be adhered to. The confidentiality agreement between the organization, its employees and its agents shall ensure that employees and agents comply with the policy and procedures concerning data handling and protection.
An inventory of all devices connected to Encore’s wired and wireless networks is maintained and updated periodically. Acceptable use of Company physical assets is communicated through the Acceptable Use Policy.
The inventory of physical assets shall include:
Location of device
Data Classification of the data on the asset
Record of asset recovery upon termination of employment or business agreement
Record of disposal of data storage media when it is no longer required
Classification of information shall be used to derive data protection requirements related to loss, value, criticality, and sensitivity to unauthorized disclosure or modification. Technical and physical assets shall inherit the classifications based on the information they process, store, and/or transmit. Handling of information assets will align to the classification category within the Data Classification Policy and Acceptable Use Policy.
Information will be classified as one of four categories:
Secret
Confidential
Internal
Public
This is further outlined in the Data Classification Policy.
Encore will only collect confidential information that is required to perform the services procured by Customers. Should additional Confidential (Non-Public) information be unintentionally provided by the Customer, Encore will either return the information or expunge it from its systems.
Procedures are in place for the management of removable/portable storage media which align to classification and the Acceptable Use Policy. Storage media will be disposed of securely and safely when no longer required, using procedures which meet internal and contractual requirements. Portable media (for example, laptop hard drives) containing confidential information shall be encrypted where required by law, regulation, or contractual obligation. Media in transit between authorized information processing and/or storage facilities shall be protected against unauthorized access.
Customer Personal and Confidential information is retained for no longer than necessary to provide the services, unless continued retention of a Customer’s Personal and Confidential Information is required by law. At a Customer’s discretion, the Customer’s Personal and Confidential Information in Encore’s possession or control is returned to the Customer or destroyed upon completion of services or at the Customer’s request. Upon request, a Certificate of Destruction signed by the CTO will be provided to the Customer via a Customer Success employee.
No personal information will be migrated from production into a development or test environment. Any confidential data from the production environment used in development or test must be anonymized. Exceptions must be approved by the customer.
PII shall not be used for testing purposes; false or synthetic PII shall be used. Where the use of PII for testing purposes cannot be avoided, technical and organizational measures equivalent to those used in the production environment shall be implemented to minimize the risks. Where such equivalent measures are not feasible, a risk assessment will be undertaken and used to inform the selection of appropriate mitigating controls.
Encore will consider PII in the information classification scheme. A register of the PII that the organization processes (e.g. type, special categories) will be maintained. It will capture where such PII is stored and the systems through which it can flow.
A formal complaint process for responding to all data protection complaints involving Customer Confidential information will be established by the Cyber Security Analyst. To the extent that Customers must be notified, an employee within the Customer Success team will inform the Customer.
Encore will publish to its customers how it collects, processes and protects the personal information of its users, and the procedures for initiating queries and complaints related to personal information.
Management will establish and maintain access control rules and restrictions to Company physical and information assets in line with the business justification for access, and applicable laws, regulations and/or contractual obligations.
Access to networks and networked services shall be role based and provisioned based on the Principle of Least Privilege (“PoLP”). Access to Secret, Confidential, and Internal data shall be based on explicit authorization.
Users will have unique combinations of usernames and passwords. Group, shared and generic user account IDs shall be restricted wherever use cannot be traced to individual users (except for specific Admin accounts approved by the Director of IT). Privileged access shall be limited to users where role or authority level is appropriate. This will include: internal/external access, media, paper, technology platforms, and backup media.
Management will define a process for the periodic review of access for appropriateness and for the removal or adjustment of access in a timely manner.
Users shall be responsible for any usage of their usernames and passwords. Users must keep their passwords confidential and not disclose them. Users will notify the Service Desk if they require an immediate password change. Password requirements are defined in the Password Policy. Users shall be provided a temporary network password which is required to be changed on first login. Users’ account passwords are changed within 48 hours of employment or contract termination.
Encore shall restrict network access to employees, contractors and third parties that are known to the Company. Encore shall establish set rules for: lockout procedures for unsuccessful access attempts; password complexity; and duration for password resets.
Encore requires all users to submit an IT ticket using the "Authorization While Traveling" preselection prior to traveling if they anticipate requiring network access from an external location during business travel.
Authorized Travel Countries
Network access is automatically permitted from the following pre-approved countries:
Canada
El Salvador
France
India
Mexico
United Kingdom
United States
Risk Assessment for Non-Pre-Approved Countries
For business travel to any country not listed above, IT will conduct a risk assessment to determine if network access can be allowed. This assessment will evaluate:
Cybersecurity threats and known risks in the destination country
Legal and regulatory constraints affecting secure access
Network infrastructure reliability and risk of data interception
Compliance with company data protection requirements
If the risk assessment determines that network access from the destination poses a significant security risk, access will be denied.
Temporary Exemptions for Approved Travel
If the risk assessment approves network access from the requested country, IT will:
Add the user and their workstation to the temporary exemption list for the duration of travel.
Apply necessary security controls, including but not limited to VPN enforcement, multi-factor authentication (MFA) adjustments, or additional monitoring measures.
Failure to submit a travel authorization request may result in denied access to Encore's network from the travel location.
Encore is committed to ensuring the confidentiality of Customer data and will employ cryptographic controls where possible. Data in transit and data at rest (on storage media) will be encrypted, as appropriate with their data classification. Information classified as Secret, Confidential, or Internal must be password protected when shared off the network.
All Encore owned IT equipment and information require protection, and must be placed in a secure physical area. The Cyber Security Analyst is responsible for ensuring that physical access to servers is secure via the Vendor Risk Management Framework.
IT equipment must be protected against environmental threats (fires, flooding, temperature variations, etc.). Suitable fire extinguishing equipment with appropriate alarms shall be present.
Security of equipment and IT assets off premises shall address risks inherent to mobile and teleworking environments. Users will review and acknowledge all policies within the Employee Handbook. Unattended user equipment should be physically and logically protected to prevent loss, theft, damage, and/or unauthorized use.
Purchase and installation of IT equipment and the software for IT equipment must be approved by the Director of IT, in accordance with the established delegation of authority process. Encore will maintain documentation (i.e. asset listing and network diagram) of the IT systems.
Computer equipment will be safeguarded against viruses and other malicious code. The Cyber Security Analyst will include basic user awareness training in the annual IT Security training and in the onboarding IT Security training.
Management is responsible for ensuring that regular backups are performed. Backup restore procedures will be tested annually. Where encryption is required to protect backups, the Director of IT will ensure this has been applied.
The Director of IT will delegate responsibility for network patches, which will include:
Defined time allowed to implement security patches.
Ability to handle and implement emergency patches.
Applicability to Operating System and server software such as application server and database software.
Hardware, operating system and software updates shall be applied in a timely manner and documented. Security patches shall be applied at least monthly.
Employees are responsible for following the operating system alerts for patches and updates on their machines.
Vendor-supplied software used in operational systems shall be maintained at a level that is supported by the supplier. End-of-life and unsupported software shall not be used for critical business processes if security vulnerability tracking and patches are no longer available through the vendor. Software patches are applied in a timely manner to help remove or reduce information security weaknesses. Physical or logical access will only be given to software vendors or suppliers for support purposes when necessary and with Management approval.
Network controls shall ensure the protection of information transmitted over Encore networks and security of supporting infrastructure. The public facing Production environment is segregated.
Information transfer procedures will protect all information communicated within Encore and to third parties. Electronic messaging, including but not limited to Company email, instant messaging and all forms of electronic data interchange shall be protected from unauthorized access, misuse, modification, relay, and/or denial of service. Any messages sent from Encore that include Secret, Confidential, or Internal information must be protected by encryption in transit.
Definitions of operational requirements for new systems or enhancements to existing systems must contain security and privacy by design requirements. All changes to production environments should comply with defined routines. The implementation of changes to the production environment will be controlled by formal procedures for change management to minimize the risk of damaging information or information systems.
Systems and/or components related to the processing of PII shall be designed following the principles of privacy by design and privacy by default. The organization shall anticipate and facilitate the implementation of relevant controls, in particular such that the collection and processing of PII in its systems is limited to what is necessary for the identified purposes of the processing of PII.
The same principles of privacy by design and privacy by default shall be applied, if applicable, to outsourced information systems.
Contractual partners and contracted consultants must sign a non-disclosure agreement prior to accessing the network. The Cyber Security Analyst is responsible for ensuring that this is implemented.
Contractual terms will clearly allocate responsibilities between all parties with respect to PII protections.
Incidents are defined as a deviation from normal expectations. All breaches of security, along with the use of information systems contrary to routines, will be treated as incidents. Examples include a lost laptop, a suspected malware infection, or a breach of Secret, Confidential, or Internal information. The type and severity of the incident will dictate the response procedures to be followed.
Encore’s incident lifecycle is as follows:
Initial detection of an incident, either via an email, a call, or a tool alert, will initiate the following incident response procedures:
All incidents will be sent to the Service Desk who will escalate to the Incident Response Team (“IRT”), as appropriate.
The Cyber Security Analyst determines the nature and severity of the incident and then will delegate response activities as appropriate.
Determine the scope of the incident (or breach), collect information, and preserve evidence (if needed).
Contain the issue.
Identify resources at risk (e.g. hardware, software, hard copy).
Apply patch, fix, restoration of data, or enable new tool setting (such as firewall rules).
Notify appropriate stakeholders, such as the authorities, clients, vendors, and/or employees. Refer to Sections 4.13.3 and 4.13.4 for specific client and press notification procedures.
The Cyber Security Analyst will then document the incident: what occurred, what and who was impacted, the solution, and any evidence (when needed for legal reasons).
Employees are responsible for reporting incidents and possible breaches of security directly to the Service Desk, who will then notify the IRT, as appropriate. All information security events and incidents will be documented and investigated.
The appropriate Customer relationship manager will notify Customers promptly upon learning that an employee or subcontractor has used personal or confidential information for any reason other than providing services to that Customer or if the Customer’s confidential information has been compromised by a security vulnerability. Encore will take the nature of the information in the incident into account and assist Customers in ensuring compliance with its obligations under applicable law. Further, the Cyber Security Analyst will retain evidence that appropriate action has been taken with employees or subcontractors when this information has been improperly used or compromised.
Encore will not issue any press release or any other public notice that relates to a breach involving Customer Personal or Confidential Information without obtaining Customer approval unless expressed by law or regulatory requirement. The Chief Executive Officer (“CEO”) is the only authorized employee to issue a press release and/or any other public notice.
Encore maintains procedures to address the breach of confidential or sensitive information. The plan includes the steps needed to comply with both contractual and legal requirements.
The organization has established responsibilities and procedures for the identification and recording of breaches of PII. These procedures include the responsibilities and procedures related to notification of PII breaches to required parties (including the timing of such notifications) and the disclosure to authorities, taking into account the applicable legislation and/or regulation. Specific regulations regarding breach responses, including notification, will be considered to demonstrate compliance with these regulations.
All complaints related to data protection of personal information will be captured and communicated to Customers as they arise.
Encore maintains a Business Continuity Plan (“BCP”) that will include:
Emergency Response: Who is to be contacted, when, and how? What immediate actions must be taken in the event of certain occurrences?
Defined criteria to determine if a system is critical to the operation of the supplier's business.
List critical systems based on the defined criteria that must be targeted for recovery in the event of a disaster.
Defined disaster recovery procedure for each critical system that ensures an engineer who does not know the system could recover the application in a timely manner.
Annual testing and review of disaster recovery plans to ensure recovery objectives can be met.
Equipment Replacement: Describe what equipment is required to begin to provide services, list the order in which it is necessary, and note where to purchase the equipment.
Encore will comply with current laws, as well as contractual requirements and will safeguard personal information according to the legal requirements. Where contractually obligated by Customers, Encore will make available all information necessary to demonstrate compliance with the obligations under applicable law and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
The Director of IT has the overall responsibility for information security at Encore, including information security regarding personnel and IT security. In addition, the Director of IT is the owner of this security policy and shall approve subsequent revisions. The Director of IT is responsible and accountable for compliance with applicable Data Protection requirements.
Employees and contractors (“users”) are responsible for complying with this and all other Encore policies and procedures. Questions regarding the administration of various types of information should be posed to the Cyber Security Analyst who then may delegate response to the system owner of the relevant information or to the system administrator.
The Information Security Office acknowledges that under rare circumstances, certain users will need to employ procedures or systems that are not compliant with this policy. All exception requests must be approved in writing by the Director of IT.
Failure to comply with the IT Security Policy may result in disciplinary actions up to and including termination of employment for employees, or termination of contracts for third parties. Legal action may be taken for violations of applicable regulations and laws.
Periodic internal assessments or audits of Encore's Information Security Program are conducted by the Information Security Office. Any identified gaps or findings must be promptly remediated.
“Asset” – means anything that has value to Encore. This includes information, physical assets (such as a computer), information assets (such as Customer data), people (and their qualifications, skills, and experience), and intangibles such as reputations and images.
“Availability” – means the system is available for operation and use as committed or agreed.
“Business Continuity Planning” (BCP) – means planning for keeping business operations running, perhaps in another location or using alternative tools and processes following a disruption.
“Confidentiality” – means information that is not made available or disclosed to unauthorized individuals, entities, or processes.
“Disaster Recovery Planning” (DRP) – means planning for restoring normal business operations after a disaster.
“Employee” – means all salaried and hourly paid Employees including the Steering Committee, Contractors, Consultants, Temporaries, Interns, Agents and other workers at Voyages Encore Travel Inc., including all personnel affiliated with third parties. May be referred to by the pronouns ‘their’, ‘they’ or ‘them’.
"Encore" – for the purpose of this policy, refers to Voyages Encore Travel Inc. and Encore Travel Americas.
“Integrity” – means the accuracy and completeness of an asset is safeguarded.
“Management” – means the Steering Committee.
“Non-disclosure Agreement” (NDA) – means a contract between a person and Voyages Encore Travel Inc. stating that the person will protect confidential information (as defined in the Record Classification and Handling Policy) covered by the contract when this person has been exposed to such information.
“Principle of Least Privilege” (PoLP) – means that a security architecture is designed so that each entity/user is granted only the minimum system resources and authorizations that are needed to perform its function.
“Privileged Access Management” (PAM) – means an identity security solution that helps protect organizations against cyberthreats by monitoring, detecting, and preventing unauthorized privileged access to critical resources.
“Root Cause Analysis” (RCA) – means a method of problem solving used for identifying the root causes of faults or problems.
“Steering Committee” – means the Chief Executive Officer; Chief Technology Officer; Head of Strategy, Growth & Corporate Development; Head of Product; Head of Commercial Strategy; and Head of Travel Technology & Operations.
“Their”, “They” or “Them” – means the person or entity previously referred to.