Security Policy

Introductionon

Purpose

This policy defines the technical controls and security configurations users and Information Technology (IT) administrators are required to implement in order to ensure the integrity and availability of the data environment at COGNITIFF, hereinafter, referred to as the Company. It serves as a central policy document with which all employees and contractors must be familiar and defines actions and prohibitions that all users must follow.  The policy provides IT managers within the Company with policies and guidelines concerning the acceptable use of Company technology equipment, e-mail, Internet connections, voicemail, facsimile, future technology resources and information processing.

The policy requirements and restrictions defined in this document shall apply to network infrastructures, databases, external media, encryption, hardcopy reports, films, slides, models, wireless, telecommunication, conversations, and any other methods used to convey knowledge and ideas across all hardware, software, and data transmission mechanisms.  This policy must be adhered to by all Company employees or temporary workers at all locations and by contractors working with the Company as subcontractors.

Scope

This policy document defines common security requirements for all Company personnel and systems that create, maintain, store, access, process or transmit information. This policy also applies to information resources owned by others, such as contractors of the Company, entities in the private sector, in cases where Company has a legal, contractual or fiduciary duty to protect said resources while in Company custody. In the event of a conflict, the more restrictive measures apply.  This policy covers the Company network system which is comprised of various hardware, software, communication equipment and other devices designed to assist the Company in the creation, receipt, storage, processing, and transmission of information.  This definition includes equipment connected to any Company domain or VLAN, either hardwired or wirelessly, and includes all stand-alone equipment that is deployed by the Company at its office locations or at remote locales.

Applicable Statutes / Regulations

The following is a list of the various agencies/organizations whose laws, mandates, and regulations were incorporated into the various policy statements included in this document:

  • AWS EMEA SARL.

Each of the policies defined in this document is applicable to the task being performed – not just to specific departments or job titles.  

Privacy Officer

The Company has established a Privacy Officer. This Privacy Officer will oversee all ongoing activities related to the development, implementation, and maintenance of the Company privacy policies in accordance with applicable laws.

Confidentiality / Security Team (CST)

The Company has established a Confidentiality / Security Team made up of key personnel whose responsibility it is to identify areas of concern within the Company and act as the first line of defense in enhancing the appropriate security posture.

All members identified within this policy are assigned to their positions by the CEO. The term of each member assigned is at the discretion of the CEO, but generally it is expected that the term will be one year. Members for each year will be assigned at the first meeting of the Quality Council in a new calendar year. This committee will consist of the positions within the Company most responsible for the overall security policy planning of the organization- the CEO, PO, CMO, ISO, and the CIO (where applicable).

The CST will meet quarterly to discuss security issues and to review concerns that arose during the quarter.  The CST will identify areas that should be addressed during annual training and review/update security policies as necessary.

The CST will address security issues as they arise and recommend and approve immediate security actions to be undertaken. It is the responsibility of the CST to identify areas of concern within the Company and act as the first line of defense in enhancing the security posture of the Company.

The CST is responsible for maintaining a log of security concerns or confidentiality issues. This log must be maintained on a routine basis, and must include the dates of an event, the actions taken to address the event, and recommendations for personnel actions, if appropriate. This log will be reviewed during the quarterly meetings.

The Privacy Officer (PO) or other assigned personnel is responsible for maintaining a log of security enhancements and features that have been implemented to further protect all sensitive information and assets held by the Company. This log will also be reviewed during the quarterly meetings.


Employee Responsibilities        

Employee Requirements

The first line of defense in data security is the individual Company user. Company users are responsible for the security of all data which may come to them in whatever format. The Company is responsible for maintaining ongoing training programs to inform all users of these requirements.

Wear Identifying Badge so that it may be easily viewed by others - In order to help maintain building security, all employees should prominently display their employee identification badge. Contractors who may be in Company facilities are provided with different colored identification badges. Other people who may be within Company facilities should be wearing visitor badges and should be chaperoned.

Challenge Unrecognized Personnel - It is the responsibility of all Company personnel to take positive action to provide physical security. If you see an unrecognized person in a restricted Company office location, you should challenge them as to their right to be there. All visitors to Company offices must sign in at the front desk. In addition, all visitors must wear a visitor/contractor badge.  All other personnel must be employees of the Company. Any challenged person who does not respond appropriately should be immediately reported to supervisory staff.

Secure Laptop with a Cable Lock - When out of the office all laptop computers must be secured with the use of a cable lock. Cable locks are provided with all new laptops computers during the original set up. All users will be instructed on their use and a simple user document, reviewed during employee orientation, is included on all laptop computers. Most Company computers will contain sensitive data either of a personnel, or financial nature, and the utmost care should be taken to ensure that this data is not compromised. Laptop computers are unfortunately easy to steal, particularly during the stressful period while traveling. The cable locks are not fool proof, but do provide an additional level of security. Many laptop computers are stolen in snatch and run robberies, where the thief runs through an office or hotel room and grabs all of the equipment he/she can quickly remove. The use of a cable lock helps to thwart this type of event.

Unattended Computers - Unattended computers should be locked by the user when leaving the work area. This feature is discussed with all employees during yearly security training. Company policy states that all computers will have the automatic screen lock function set to automatically activate upon fifteen (15) minutes of inactivity. Employees are not allowed to take any action which would override this setting.

Home Use of Company Corporate Assets - Only computer hardware and software owned by and installed by the Company is permitted to be connected to or installed on Company equipment. Only software that has been approved for corporate use by the Company may be installed on Company equipment. Personal computers supplied by the Company are to be used solely for business purposes. All employees and contractors must read and understand the list of prohibited activities that are outlined below. Modifications or configuration changes are not permitted on computers supplied by the Company for home use.

Retention of Ownership - All software programs and documentation generated or provided by employees, consultants, or contractors for the benefit of the Company are the property of the Company unless covered by a contractual agreement. Nothing contained herein applies to software purchased by Company employees at their own expense.

Prohibited Activities

Personnel are prohibited from the following activities. The list is not inclusive. Other prohibited activities are referenced elsewhere in this document.

  • Crashing an information system. Deliberately crashing an information system is strictly prohibited. Users may not realize that they caused a system crash, but if it is shown that the crash occurred as a result of user action, a repetition of the action by that user may be viewed as a deliberate act.
  • Attempting to break into an information resource or to bypass a security feature. This includes running password-cracking programs or sniffer applications and attempting to circumvent file or other resource permissions.
  • Introducing, or attempting to introduce, computer viruses, Trojan horses, peer-to-peer (“P2P”) or other malicious code into an information system.
  • Exception: Authorized information system support personnel, or others authorized by the Company Privacy Officer, may test the resiliency of a system. Such personnel may test for susceptibility to hardware or software failure, security against hacker attacks, and system infection.
  • Browsing. The willful, unauthorized access or inspection of confidential or sensitive information to which you have not been approved on a “need to know” basis is prohibited. The Company has access to personal information which is protected by regulations which stipulate a “need to know” before approval is granted to view the information. The purposeful attempt to look at or access information to which you have not been granted access by the appropriate approval procedure is strictly prohibited.
  • Personal or Unauthorized Software. Use of personal software is prohibited. All software installed on Company computers must be approved by the Company.
  • Software Use.  Violating or attempting to violate the terms of use or license agreement of any software product used by the Company is strictly prohibited.
  • System Use.  Engaging in any activity for any purpose that is illegal or contrary to the policies, procedures or business interests of the Company is strictly prohibited.

Electronic Communication, E-mail, Internet Usage

As a productivity enhancement tool, The Company encourages the business use of electronic communications. However, all electronic communication systems and all messages generated on or handled by Company owned equipment are considered the property of the Company – not the property of individual users. Consequently, this policy applies to all Company employees and contractors, and covers all electronic communications including, but not limited to, telephones, e-mail, voice mail, instant messaging, Internet, fax, personal computers, and servers.  

Company provided resources, such as individual computer workstations or laptops, computer systems, networks, e-mail, and Internet software and services are intended for business purposes.  However, incidental personal use is permissible if:

  1. it does not consume more than a trivial amount of employee time or resources,

  2. it does not interfere with staff productivity,

  3. it does not preempt any business activity,

  4. it does not violate any of the following:

  5. Copyright violations – This includes the act of pirating software, music, books and/or videos or the use of pirated software, music, books and/or videos and the illegal duplication and/or distribution of information and other intellectual property that is under copyright.

  6. Illegal activities – Use of Company information resources for or in support of illegal purposes as defined by law is strictly prohibited.

  7. Commercial use – Use of Company information resources for personal or commercial profit is strictly prohibited.

  8. Political Activities – All political activities are strictly prohibited on Company premises. The Company encourages all of its employees to vote and to participate in the election process, but these activities must not be performed using Company assets or resources.

  9. Harassment – The Company strives to maintain a workplace free of harassment and that is sensitive to the diversity of its employees.  Therefore, the Company prohibits the use of computers, e-mail, voice mail, instant messaging, texting and the Internet in ways that are disruptive, offensive to others, or harmful to morale.  For example, the display or transmission of sexually explicit images, messages, and cartoons is strictly prohibited.  Other examples of misuse include, but are not limited to, ethnic slurs, racial comments, off-color jokes, or anything that may be construed as harassing, discriminatory, derogatory, defamatory, threatening or showing disrespect for others.

  10. Junk E-mail - All communications using IT resources shall be purposeful and appropriate.  Distributing “junk” mail, such as chain letters, advertisements, or unauthorized solicitations is prohibited.  A chain letter is defined as a letter sent to several persons with a request that each send copies of the letter to an equal number of persons.  Advertisements offer services from someone else to you.  Solicitations are when someone asks you for something.  If you receive any of the above, delete the e-mail message immediately.  Do not forward the e-mail message to anyone.

Generally, while it is NOT the policy of the Company to monitor the content of any electronic communication, the Company is responsible for servicing and protecting the Company’s equipment, networks, data, and resource availability and therefore may be required to access and/or monitor electronic communications from time to time.  Several different methods are employed to accomplish these goals.  For example, an audit or cost analysis may require reports that monitor phone numbers dialed, length of calls, number of calls to / from a specific handset, the time of day, etc.  Other examples where electronic communications may be monitored include, but are not limited to, research and testing to optimize IT resources, troubleshooting technical problems and detecting patterns of abuse or illegal activity.

The Company reserves the right, at its discretion, to review any employee’s files or electronic communications to the extent necessary to ensure all electronic media and services are used in compliance with all applicable laws and regulations as well as Company policies.

Employees should structure all electronic communication with recognition of the fact that the content could be monitored, and that any electronic communication could be forwarded, intercepted, printed or stored by others.  

Report Security Incidents

It is the responsibility of each Company employee or contractor to report perceived security incidents on a continuous basis to the appropriate supervisor or security person. A User is any person authorized to access an information resource. Users are responsible for the day-to-day, hands-on security of that resource. Users are to formally report all security incidents or violations of the security policy immediately to the Privacy Officer Users should report any perceived security incident to either their immediate supervisor, or to their department head, or to any member of the Company CST. Members of the CST are specified above in this document.

Reports of security incidents shall be escalated as quickly as possible. Each member of the Company CST must inform the other members as rapidly as possible. Each incident will be analyzed to determine if changes in the existing security structure are necessary. All reported incidents are logged, and the remedial action indicated. It is the responsibility of the CST to provide training on any procedural changes that may be required as a result of the investigation of an incident.

Security breaches shall be promptly investigated. If criminal action is suspected, the Company Privacy Officer shall contact the appropriate law enforcement and investigative authorities immediately, which may include but is not limited to the police.

Transfer of Sensitive/Confidential Information

When confidential or sensitive information from one individual is received by another individual while conducting official business, the receiving individual shall maintain the confidentiality or sensitivity of the information in accordance with the conditions imposed by the providing individual. All employees must recognize the sensitive nature of data maintained by the Company and hold all data in the strictest confidence. Any purposeful release of data to which an employee may have access is a violation of Company policy and will result in personnel action, and may result in legal action.

Transferring Software and Files between Home and Work

Personal software shall not be used on Company computers or networks.  If a need for specific software exists, submit a request to your supervisor or department head.  Users shall not use Company purchased software on home or on non-Company computers or equipment.

Company proprietary data, including but not limited to personal information, IT Systems information, financial information or human resource data, shall not be placed on any computer that is not the property of the Company without written consent of the respective supervisor or department head.  It is crucial to the Company to protect all data and, in order to do that effectively we must control the systems in which it is contained.  In the event that a supervisor or department head receives a request to transfer Company data to a non-Company Computer System, the supervisor or department head should notify the Privacy Officer or appropriate personnel of the intentions and the need for such a transfer of data.

The Company Wide Area Network (“WAN”) is maintained with a wide range of security protections in place, which include features such as virus protection, e-mail file type restrictions, firewalls, anti-hacking hardware and software, etc. Since the Company does not control non-Company personal computers, the Company cannot be sure of the methods that may or may not be in place to protect Company sensitive information, hence the need for this restriction.

Internet Considerations

Special precautions are required to block Internet (public) access to Company information resources not intended for public access, and to protect confidential Company information when it is to be transmitted over the Internet.

  • The following security and administration issues shall govern Internet usage.

Prior approval of the Company Privacy Officer or appropriate personnel authorized by the Company shall be obtained before:

  • An Internet, or other external network connection, is established;
  • Company information (including notices, memoranda, documentation and software) is made available on any Internet-accessible computer (e.g. web or ftp server) or device;
  • Users may not install or download any software (applications, screen savers, etc.).  If users have a need for additional software, the user is to contact their supervisor;
  • Use shall be consistent with the goals of the Company. The network can be used to market services related to the Company, however use of the network for personal profit or gain is prohibited.
  • Confidential or sensitive data - including credit card numbers, telephone calling card numbers, logon passwords, and other parameters that can be used to access goods or services - shall be encrypted before being transmitted through the Internet.
  • The encryption software used, and the specific encryption keys (e.g. passwords, pass phrases), shall be escrowed with the Company Privacy Officer or appropriate personnel, to ensure they are safely maintained/stored. The use of encryption software and keys, which have not been escrowed as prescribed above, is prohibited, and may make the user subject to disciplinary action.

De-identification / Re-identification of Personal Information

Unless otherwise required, all personal identifying information is removed from all data before it is stored or exchanged.

De-identification is defined as the removal of any information that may be used to identify an individual or of relatives, employers, or household members.

personal information includes:

  • Names
  • Addresses
  • Geograpersonal information subdivisions that would permit the unique identification of an individual
  • All elements of dates directly related to the individual (Dates of birth, marriage, death, etc.)
  • Telephone numbers
  • Facsimile numbers
  • Driver’s license numbers
  • Electronic mail addresses
  • Social security numbers
  • Medical record numbers
  • Account numbers, certificate/license numbers
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers
  • Full face photograpersonal information images and any comparable images

Re-identification of confidential information:  A cross-reference code or other means of record identification is used to re-identify data as long as the code is not derived from or related to information about the individual and cannot be translated to identify the individual.  In addition, the code is not disclosed for any other purpose nor is the mechanism for re-identification disclosed.


Identification and Authentication                                

User Logon IDs

Individual users shall have unique logon IDs and passwords. An access control system shall identify each user and prevent unauthorized users from entering or using information resources.  Security requirements for user identification include:

  • Each user shall be assigned a unique identifier.
  • Users shall be responsible for the use and misuse of their individual logon ID.

All user login IDs are audited at least twice yearly and all inactive logon IDs are revoked. The Company Human Resources Department notifies the Security Officer or appropriate personnel upon the departure of all employees and contractors, at which time login IDs are revoked.

The logon ID is locked or revoked after a maximum of three (3) unsuccessful logon attempts which then require the passwords to be reset by the appropriate Administrator.

Users who desire to obtain access to Company systems or networks must have a completed and signed Network Access Form (Appendix C). This form must be signed by the supervisor or department head of each user requesting access.

Passwords

User Account Passwords

User IDs and passwords are required in order to gain access to all Company networks and workstations. All passwords are restricted by a corporate-wide password policy to be of a “Strong” nature. This means that all passwords must conform to restrictions and limitations that are designed to make the password difficult to guess. Users are required to select a password in order to obtain access to any electronic information both at the server level and at the workstation level. When passwords are reset, the user will be automatically prompted to manually change that assigned password.

Password Length – Passwords are required to be a minimum of eight characters.

Content Requirements - Passwords must contain a combination of upper and lower case alphabetic characters, numeric characters, and special characters.

Change Frequency – Passwords must be changed every 90 days.  Compromised passwords shall be changed immediately.

Reuse - The previous twelve passwords cannot be reused.

Restrictions on Sharing Passwords - Passwords shall not be shared, written down on paper, or stored within a file or database on a workstation and must be kept confidential.

Restrictions on Recording Passwords - Passwords are masked or suppressed on all online screens, and are never printed or included in reports or logs. Passwords are stored in an encrypted format.

Confidentiality Agreement

Users of Company information resources shall sign, as a condition for employment, an appropriate confidentiality agreement (Appendix D). The agreement shall include the following statement, or a paraphrase of it:

I understand that any unauthorized use or disclosure of information residing on the Company information resource systems may result in disciplinary action consistent with the policies and procedures of government agencies.

Temporary workers and third-party employees not already covered by a confidentiality agreement shall sign such a document prior to accessing Company information resources.

Confidentiality agreements shall be reviewed when there are changes to contracts or other terms of employment, particularly when contracts are ending or employees are leaving an organization.

Access Control

Information resources are protected by the use of access control systems. Access control systems include both internal (i.e. passwords, encryption, access control lists, constrained user interfaces, etc.) and external (i.e. port protection devices, firewalls, host-based authentication, etc.).

Rules for access to resources (including internal and external telecommunications and networks) have been established by the information/application owner or manager responsible for the resources.  Access is granted only by the completion of a Network Access Request Form (Appendix C). This form can only be initiated by the appropriate department head, and must be signed by the department head and the Security Officer or appropriate personnel.

This guideline satisfies the “need to know” requirements, since the supervisor or department head is the person who most closely recognizes an employee’s need to access data. Users may be added to the information system, network, or other IT systems only upon the signature of the Security Officer or appropriate personnel who is responsible for adding the employee to the network in a manner and fashion that ensures the employee is granted access to data only as specifically requested.

Online banner screens, if used, shall contain statements to the effect that unauthorized use of the system is prohibited and that violators will be subject to criminal prosecution.

Identification and Authentication Requirements

The host security management program shall maintain current user application activity authorizations. Each initial request for a connection or a session is subject to the authorization process previously addressed.

User Login Entitlement Reviews

If an employee changes positions at the Company, employee’s new supervisor or department head shall promptly notify the Information Technology (“IT”) Department of the change of roles by indicating on the Network Access Request Form (Appendix C) both the roles or access that need to be added and the roles or access that need to be removed so that employee has access to the minimum necessary data to effectively perform their new job functions. The effective date of the position change should also be noted on the Form so that the IT Department can ensure that the employee will have appropriate roles, access, and applications for their new job responsibilities. For a limited training period, it may be necessary for the employee who is changing positions to maintain their previous access as well as adding the roles and access necessary for their new job responsibilities.

No less than annually, the IT Manager shall facilitate entitlement reviews with department heads to ensure that all employees have the appropriate roles, access, and software necessary to perform their job functions effectively while being limited to the minimum necessary data to facilitate Regulatory compliance and protect personal data.

Termination of User Logon Account

Upon termination of an employee, whether voluntary or involuntary, employee’s supervisor or department head shall promptly notify the IT Department by indicating “Remove Access” on the employee’s Network Access Request Form (Appendix C) and submitting the Form to the IT Department. If employee’s termination is voluntary and employee provides notice, employee’s supervisor or department head shall promptly notify the IT Department of employee’s last scheduled work day so that their user account(s) can be configured to expire. The employee’s department head shall be responsible for insuring that all keys, ID badges, and other access devices as well as Company equipment and property is returned to the Company prior to the employee leaving the Company on their final day of employment.

No less than quarterly, the IT Manager or their designee shall provide a list of active user accounts for both network and application access, including access to the key IT systems to department heads for review. Department heads shall review the employee access lists within five (5) business days of receipt. If any of the employees on the list are no longer employed by the Company, the department head will immediately notify the IT Department of the employee’s termination status and submit the updated Network Access Request Form (Appendix C).


Network Connectivity

VPN

Access to Company information resources through VPN or devices / software, if available, shall be subject to authorization and authentication by an access control system. Direct inward dialing without passing through the access control system is prohibited.

Systems that allow public access to host computers, including mission-critical servers, warrants additional security at the operating system and application levels. Such systems shall have the capability to monitor activity levels to ensure that public usage does not unacceptably degrade system responsiveness.

VPN privileges are granted only upon the request of a department head with the submission of the Network Access Form and the approval of the Privacy Officer or appropriate personnel.

Telecommunication Equipment

Certain direct link connections may require a dedicated or leased phone line. These facilities are authorized only by the Privacy Officer or appropriate personnel and ordered by the appropriate personnel. Telecommunication equipment and services include but are not limited to the following:

  • phone lines
  • phone head sets
  • softphones
  • conference calling contracts
  • smartphones
  • call routing software
  • call reporting software
  • phone system administration equipment
  • PBX equipment

Permanent Connections

The security of Company systems can be jeopardized from third party locations if security practices and resources are inadequate.  When there is a need to connect to a third party location, a risk analysis should be conducted. The risk analysis should consider the type of access required, the value of the information, the security measures employed by the third party, and the implications for the security of Company systems. The Privacy Officer or appropriate personnel should be involved in the process, design and approval.

Emphasis on Security in Third Party Contracts

Access to Company computer systems or corporate networks should not be granted until a review of the following concerns have been made, and appropriate restrictions or covenants included in a statement of work (“SOW”) with the party requesting access.

  • Applicable sections of the Company Information Security Policy have been reviewed and considered.
  • Policies and standards established in the Company information security program have been enforced.
  • A risk assessment of the additional liabilities that will attach to each of the parties to the agreement.
  • The right to audit contractual responsibilities should be included in the agreement or SOW.
  • Arrangements for reporting and investigating security incidents must be included in the agreement in order to meet the covenants of the local regulatory framework.
  • A description of each service to be made available.
  • Each service, access, account, and/or permission made available should only be the minimum necessary for the third party to perform their contractual obligations.
  • A detailed list of users that have access to Company computer systems must be maintained and auditable.
  • If required under the contract, permission should be sought to screen authorized users.
  • Dates and times when the service is to be available should be agreed upon in advance.
  • Procedures regarding protection of information resources should be agreed upon in advance and a method of audit and enforcement implemented and approved by both parties.
  • The right to monitor and revoke user activity should be included in each agreement.
  • Language on restrictions on copying and disclosing information should be included in all agreements.
  • Responsibilities regarding hardware and software installation and maintenance should be understood and agreement upon in advance.
  • Measures to ensure the return or destruction of programs and information at the end of the contract should be written into the agreement.
  • If physical protection measures are necessary because of contract stipulations, these should be included in the agreement.
  • A formal method to grant and authorized users who will access to the data collected under the agreement should be formally established before any users are granted access.
  • Mechanisms should be in place to ensure that security measures are being followed by all parties to the agreement.
  • Because annual confidentiality training is required under regulations, a formal procedure should be established to ensure that the training takes place, that there is a method to determine who must take the training, who will administer the training, and the process to determine the content of the training established.
  • A detailed list of the security measures which will be undertaken by all parties to the agreement should be published in advance of the agreement.

Firewalls

Authority from the Privacy Officer or appropriate personnel must be received before any employee or contractor is granted access to a Company router or firewall.


Malicious Code - Antivirus Software Installation

Antivirus software is installed on all Company personal computers and servers.  Virus update patterns are updated daily on the Company servers and workstations. Virus update engines and data files are monitored by appropriate administrative staff that is responsible for keeping all virus patterns up to date.

Remote Deployment Configuration - Through an automated procedure, updates and virus patches may be pushed out to the individual workstations and servers on an as needed basis.

Monitoring/Reporting – A record of virus patterns for all workstations and servers on the Company network may be maintained. Appropriate administrative staff is responsible for providing reports for auditing and emergency situations as requested by the Privacy Officer or appropriate personnel.

New Software Distribution

Only software created by Company application staff, if applicable, or software approved by the Privacy Officer or appropriate personnel will be used on internal computers and networks. A list of approved software is maintained in Appendix C. All new software will be tested by appropriate personnel in order to ensure compatibility with currently installed software and network configuration. In addition, appropriate personnel must scan all software for viruses before installation.  This includes shrink-wrapped software procured directly from commercial sources as well as shareware and freeware obtained from electronic bulletin boards, the Internet, or on disks (magnetic or CD-ROM and custom-developed software).

Although shareware and freeware can often be useful sources of work-related programs, the use and/or acquisition of such software must be approved by the Privacy Officer or appropriate personnel. Because the software is often provided in an open distribution environment, special precautions must be taken before it is installed on Company computers and networks.  These precautions include determining that the software does not, because of faulty design, “misbehave” and interfere with or damage Company hardware, software, or data, and that the software does not contain viruses, either originating with the software designer or acquired in the process of distribution.  

All data and program files that have been electronically transmitted to a Company computer or network from another location must be scanned for viruses immediately after being received.  Contact the appropriate Company personnel for instructions for scanning files for viruses.

Every CD-ROM, DVD and USB device is a potential source for a computer virus.  Therefore, every CD-ROM, DVD and USB device must be scanned for virus infection prior to copying information to a Company computer or network.  

Computers shall never be “booted” from a CD-ROM, DVD or USB device received from an outside source.  Users shall always remove any CD-ROM, DVD or USB device from the computer when not in use.  This is to ensure that the CD-ROM, DVD or USB device is not in the computer when the machine is powered on.  A CD-ROM, DVD or USB device infected with a boot virus may infect a computer in that manner, even if the CD_ROM, DVD or USB device is not “bootable”.

Retention of Ownership

All software programs and documentation generated or provided by employees, consultants, or contractors for the benefit of the Company are the property of the Company unless covered by a contractual agreement. Employees developing programs or documentation must sign a statement acknowledging Company ownership at the time of employment. Nothing contained herein applies to software purchased by Company employees at their own expense.


Encryption

Definition

Encryption is the translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as cipher text.

Encryption Key

An encryption key specifies the particular transformation of plain text into cipher text, or vice versa during decryption.

If justified by risk analysis, sensitive data and files shall be encrypted before being transmitted through networks. When encrypted data are transferred between agencies, the agencies shall devise a mutually agreeable procedure for secure key management. In the case of conflict, the Company shall establish the criteria in conjunction with the Privacy Officer or appropriate personnel. The Company employs several methods of secure data transmission.

Specific Protocols and Devices

Wireless Usage Standards and Policy

This policy outlines the processes and procedures for acquiring wireless access privileges, utilizing wireless access, and ensuring the security of Company laptops and mobile devices.

Approval Procedure - In order to be granted the ability to utilize the wireless network interface on your Company laptop or mobile device you will be required to gain the approval of your immediate supervisor or department head and the Privacy Officer or appropriate personnel of the Company.  The Network Access Request Form (found in Appendix A) is used to make such a request. Once this form is completed and approved you will be contacted by appropriate Company personnel to setup your laptop and schedule training.

Software Requirements - The following is a list of minimum software requirements for any Company laptop that is granted the privilege to use wireless access:

  • Windows 10 with Firewall enabled
  • Latest windows updates installed
  • Antivirus software
  • Full Disk Encryption
  • Appropriate VPN Client, if applicable
  • Latest browser updates installed

If your laptop does not have all of these software components, please notify your supervisor or department head so these components can be installed.

Use of Transportable Media

Transportable media included within the scope of this policy includes, but is not limited to, SD cards, DVDs, CD-ROMs, and USB key devices.

The purpose of this policy is to guide employees/contractors of the Company in the proper use of transportable media when a legitimate business requirement exists to transfer data to and from Company networks. Every workstation or server that has been used by either Company employees or contractors is presumed to have sensitive information stored on its hard drive. Therefore procedures must be carefully followed when copying data to or from transportable media to protect sensitive Company data. Since transportable media, by their very design are easily lost, care and protection of these devices must be addressed. Since it is very likely that transportable media will be provided to a Company employee by an external source for the exchange of information, it is necessary that all employees have guidance in the appropriate use of media from other companies.

The use of transportable media in various formats is common Company within the Company. All users must be aware that sensitive data could potentially be lost or compromised when moved outside of Company networks. Transportable media received from an external source could potentially pose a threat to Company networks. Sensitive data includes all human resource data, financial data, Company proprietary information, and personally identifiable information.

Rules governing the use of transportable media include:

  • No sensitive data should ever be stored on transportable media unless the data is maintained in an encrypted format.
  • All USB keys used to store Company data or sensitive data must be an encrypted USB key issued by the Privacy Officer or appropriate personnel.  The use of a personal USB key is strictly prohibited.
  • Users must never connect their transportable media to a workstation that is not issued by the Company.
  • Non-Company workstations and laptops may not have the same security protection standards required by the Company, and accordingly virus patterns could potentially be transferred from the non-Company device to the media and then back to the Company workstation.

Example: Do not copy a work spreadsheet to your USB key and take it home to work on your home PC.

Data may be exchanged between Company workstations/networks and workstations used within the Company. The very nature of data exchange requires that under certain situations data be exchanged in this manner. Examples of necessary data exchange include:

Data provided to auditors via USB key during the course of the audit.

  • It is permissible to connect transferable media from other businesses or individuals into Company workstations or servers as long as the source of the media in on the Company Approved Vendor list (Appendix D).
  • Before initial use and before any sensitive data may be transferred to transportable media, the media must be sent to the Privacy Officer or appropriate personnel to ensure appropriate and approved encryption is used. Copy sensitive data only to the encrypted space on the media. Non-sensitive data may be transferred to the non-encrypted space on the media.
  • Report all loss of transportable media to your supervisor or department head. It is important that the CST team is notified either directly from the employee or contractor or by the supervisor or department head immediately.
  • When an employee leaves the Company, all transportable media in their possession must be returned to the Privacy Officer or appropriate personnel for data erasure that conforms to US Department of Defense standards for data elimination.

The Company utilizes an approved method of encrypted data to ensure that all data is converted to a format that cannot be decrypted. The Privacy Officer or appropriate personnel can quickly establish an encrypted partition on your transportable media.

When no longer in productive use, all Company laptops, workstation, or servers must be wiped of data in a manner which conforms to regulatory requirements. All transportable media must be wiped according to the same standards. Thus all transportable media must be returned to the Privacy Officer or appropriate personnel for data erasure when no longer in use.


Retention / Destruction of Information                

Laws regulate the retention and destruction of information. The Company actively conforms to these laws and follows the strictest regulation if/when a conflict occurs.

Record Retention  - Documents relating to uses and disclosures, authorization forms, business partner contracts, notices of information Company are maintained for a period of 6 years.

Record Destruction - All hardcopy records that require destruction are shredded in compliance with the rules and guidelines outlined in this policy.


Disposal of External Media / Hardware

Disposal of External Media

It must be assumed that any external media in the possession of an employee is likely to contain either protected personal information or other sensitive information. Accordingly, external media (CD-ROMs, DVDs, USB drives) should be disposed of in a method that ensures that there will be no loss of data and that the confidentiality and security of that data will not be compromised.

The following steps must be adhered to:

  • It is the responsibility of each employee to identify media which should be shredded and to utilize this policy in its destruction.
  • External media should never be thrown in the trash.
  • When no longer needed all forms of external media are to be sent to the Privacy Officer or appropriate personnel for proper disposal.

Requirements Regarding Equipment

All equipment to be disposed of will be wiped of all data, and all settings and configurations will be reset to factory defaults. No other settings, configurations, software installation or options will be made.  Asset tags and any other identifying logos or markings will be removed.

Disposition of Excess Equipment

As the older Company computers and equipment are replaced with new systems, the older machines are held in inventory for a wide assortment of uses:

  • Older machines are regularly utilized for spare parts.
  • Older machines are used on an emergency replacement basis.
  • Older machines are used for testing new software.
  • Older machines are used as backups for other production equipment.
  • Older machines are used when it is necessary to provide a second machine for personnel who travel on a regular basis.
  • Older machines are used to provide a second machine for personnel who often work from home.

Change Management

Statement of Policy

To ensure that Company is tracking changes to networks, systems, and workstations including software releases and software vulnerability patching in information systems that contain electronic protected personal information. Change tracking allows the Information Technology (“IT”) Department to efficiently troubleshoot issues that arise due to an update, new implementation, reconfiguration, or other change to the system.

Procedure

  1. The IT staff or other designated Company employee who is updating, implementing, reconfiguring, or otherwise changing the system shall carefully log all changes made to the system.
  2. When changes are tracked within a system, i.e. Windows updates in the Add or Remove Programs component record updates performed and logged by the vendor, they do not need to be logged on the change management tracking log; however, the employee implementing the change will ensure that the change tracking is available for review if necessary.
  3. The employee implementing the change will ensure that all necessary data backups are performed prior to the change.
  4. The employee implementing the change shall also be familiar with the rollback process if the change causes an adverse effect within the system and needs to be removed.

Audit Controls

Statement of Policy

To ensure that Company implements hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain electronic protected personal information.  Audit Controls are technical mechanisms that track and record computer activities.  An audit trail determines if a security violation occurred by providing a chronological series of logged computer events that relate to an operating system, an application, or user activities.

The Company is committed to routinely auditing users’ activities in order to continually assess potential risks and vulnerabilities to data in its possession. As such, the Company will continually assess potential risks and vulnerabilities to data in its possession and develop, implement, and maintain appropriate administrative, physical, and technical security measures in accordance with regulatory requirements.

Procedure  

  1. See policy entitled Information System Activity Review for the administrative safeguards for auditing system activities.
  2. The Information Technology Services shall enable event auditing on all computers that process, transmit, and/or store personal information for purposes of generating audit logs.  Each audit log shall include, at a minimum: user ID, login time and date, and scope of personal data being accessed for each attempted access.  Audit trails shall be stored on a separate computer system to minimize the impact of such auditing on business operations and to minimize access to audit trails.
  3. The Company shall utilize appropriate network-based and host-based intrusion detection systems.  The Information Technology Services shall be responsible for installing, maintaining, and updating such systems.

Information System Activity Review

Statement of Policy

To establish the process for conducting, on a periodic basis, an operational review of system activity including, but not limited to, user accounts, system access, file access, security incidents, audit logs, and access reports. Company shall conduct on a regular basis an internal review of records of system activity to minimize security violations.

Procedure

  1. See policy entitled Audit Controls for a description of the technical mechanisms that track and record activities on Company’s information systems that contain or use personal information.

  2. The Information Technology Services shall be responsible for conducting reviews of Company’s information systems’ activities.  Such person(s) shall have the appropriate technical skills with respect to the operating system and applications to access and interpret audit logs and related information appropriately.

  3. The Security Officer shall develop a report format to capture the review findings.  Such report shall include the reviewer’s name, date and time of performance, and significant findings describing events requiring additional action (e.g., additional investigation, employee training and/or discipline, program adjustments, modifications to safeguards).  To the extent possible, such report shall be in a checklist format.

  4. Such reviews shall be conducted annually.  Audits also shall be conducted if Company has reason to suspect wrongdoing.  In conducting these reviews, the Information Technology Services shall examine audit logs for security-significant events including, but not limited to, the following:

  5. Logins – Scan successful and unsuccessful login attempts.  Identify multiple failed login attempts, account lockouts, and unauthorized access.

  6. File accesses – Scan successful and unsuccessful file access attempts.  Identify multiple failed access attempts, unauthorized access, and unauthorized file creation, modification, or deletion.

  7. Security incidents – Examine records from security devices or system audit logs for events that constitute system compromises, unsuccessful compromise attempts, malicious logic (e.g., viruses, worms), denial of service, or scanning/probing incidents.

  8. User Accounts – Review of user accounts within all systems to ensure users that no longer have a business need for information systems no longer have such access to the information and/or system.

All significant findings shall be recorded using the report format referred to in Section 2 of this policy and procedure.

The Information Technology Services shall forward all completed reports, as well as recommended actions to be taken in response to findings, to the Security Officer for review.  The Security Officer shall be responsible for maintaining such reports.  The Security Officer shall consider such reports and recommendations in determining whether to make changes to Company’s administrative, physical, and technical safeguards.  In the event a security incident is detected through such auditing, such matter shall be addressed pursuant to the policy entitled Employee Responsibilities (Report Security Incidents).


Data Integrity

Statement of Policy

Company shall implement and maintain appropriate electronic mechanisms to corroborate that personal information has not been altered or destroyed in an unauthorized manner.

The purpose of this policy is to protect Company’s personal information from improper alteration or destruction.

Procedure

To the fullest extent possible, Company shall utilize applications with built-in intelligence that automatically checks for human errors.

Company shall acquire appropriate network-based and host-based intrusion detection systems.  The Security Officer shall be responsible for installing, maintaining, and updating such systems.  

To prevent transmission errors as data passes from one computer to another, Company will use encryption, as determined to be appropriate, to preserve the integrity of data.

Company will check for possible duplication of data in its computer systems to prevent poor data integration between different computer systems.

To prevent programming or software bugs, Company will test its information systems for accuracy and functionality before it starts to use them.  Company will update its systems when IT vendors release fixes to address known bugs or problems.

  1. Company will install and regularly update antivirus software on all workstations to detect and prevent malicious code from altering or destroying data.
  2. To prevent exposing magnetic media to a strong magnetic field, workforce members shall keep magnetic media away from strong magnetic fields and heat.  For example, computers should not be left in automobiles during the summer months.

Contingency Plan

Statement of Policy

To establish and implement policies and procedures for responding to an emergency or other occurrence (e.g., fire, vandalism, system failure, natural disaster) that damages systems that contain personal information.

Company is committed to maintaining formal practices for responding to an emergency or other occurrence that damages systems containing personal information.  Company shall continually assess potential risks and vulnerabilities to protect personal information in its possession, and develop, implement, and maintain appropriate administrative, physical, and technical security measures in accordance with regulatory requirements.

Procedure

  1. Data Backup Plan

  2. Company, under the direction of the Security Officer, shall implement a data backup plan to create and maintain retrievable exact copies of personal information.  

  3. At the conclusion of each day, Monday through Friday, an incremental backup of all servers containing personal information shall be backed up to AWS S3 Glacier. On Saturday, a full backup of all servers containing personal information shall be backed up to tape.  Backup media that is no longer in service will be disposed of in accordance with the Disposal of External Media/Hardware policy.

  4. The Security Officer shall monitor storage and removal of backups and ensure all applicable access controls are enforced.

  5. The Security Officer shall test backup procedures on an annual basis to ensure that exact copies of personal information can be retrieved and made available.  Such testing shall be documented by the Security Officer.  To the extent such testing indicates need for improvement in backup procedures, the Security Officer shall identify and implement such improvements in a timely manner.

  6. Disaster Recovery and Emergency Mode Operations Plan

  7. The Security Officer shall be responsible for developing and regularly updating the written disaster recovery and emergency mode operations plan for the purpose of:

  8. Restoring or recovering any loss of personal information and/or systems necessary to make personal information available in a timely manner caused by fire, vandalism, terrorism, system failure, or other emergency; and

  9. Continuing operations during such time information systems are unavailable.  Such written plan shall have a sufficient level of detail and explanation that a person unfamiliar with the system can implement the plan in case of an emergency or disaster.  Copies of the plan shall be maintained on-site and at the off-site locations at which backups are stored or other secure off-site location.

  10. The disaster recovery and emergency mode operation plan shall include the following:

  11. Current copies of the information systems inventory and network configuration developed and updated as part of Company’s risk analysis.

  12. Current copy of the written backup procedures developed and updated pursuant to this policy.

  13. Identification of an emergency response team.  Members of such team shall be responsible for the following:

  14. Determining the impact of a disaster and/or system unavailability on Company’s operations.

  15. In the event of a disaster, securing the site and providing ongoing physical security.

  16. Retrieving lost data.

  17. Identifying and implementing appropriate “work-arounds” during such time information systems are unavailable.

  18. Taking such steps necessary to restore operations.

  19. Procedures for responding to loss of electronic data including, but not limited to retrieval and loading of backup data or methods for recreating data should backup data be unavailable.  The procedures should identify the order in which data is to be restored based on the criticality analysis performed as part of Company’s risk analysis

  20. Telephone numbers and/or e-mail addresses for all persons to be contacted in the event of a disaster, including the following:

  21. Members of the immediate response team,

  22. Facilities at which backup data is stored,

  23. Information systems vendors, and

  24. All current workforce members.

  25. The disaster recovery team shall meet on at least an annual basis to:

  26. Review the effectiveness of the plan in responding to any disaster or emergency experienced by Company;

  27. In the absence of any such disaster or emergency, plan drills to test the effectiveness of the plan and evaluate the results of such drills; and

  28. Review the written disaster recovery and emergency mode operations plan and make appropriate changes to the plan.  The Security Officer shall be responsible for convening and maintaining minutes of such meetings.  The Security Officer also shall be responsible for revising the plan based on the recommendations of the disaster recovery team.


Security Awareness and Training

Statement of Policy

To establish a security awareness and training program for all members of Company’s workforce, including management.  

All workforce members shall receive appropriate training concerning Company’s security policies and procedures.  Such training shall be provided prior to the effective date of regulatory requirements and on an ongoing basis to all new employees. Such training shall be repeated annually for all employees.

Procedure

  1. Security Training Program

  2. The Security Officer shall have responsibility for the development and delivery of initial security training.  All workforce members shall receive such initial training addressing the requirements of regulatory requirements.  Security training shall be provided to all new workforce members as part of the orientation process.  Attendance and/or participation in such training shall be mandatory for all workforce members. The Security Officer shall be responsible for maintaining appropriate documentation of all training activities.    

  3. The Security Officer shall have responsibility for the development and delivery of ongoing security training provided to workforce members in response to environmental and operational changes impacting the security of personal information, e.g., addition of new hardware or software, and increased threats.

  4. Security Reminders

  5. The Security Officer shall generate and distribute to all workforce members routine security reminders on a regular basis. Periodic reminders shall address password security, malicious software, incident identification and response, and access control.  The Security Officer may provide such reminders through formal training, e-mail messages, discussions during staff meetings, screen savers, log-in banners, newsletter/intranet articles, posters, promotional items such as coffee mugs, mouse pads, sticky notes, etc.  The Security Officer shall be responsible for maintaining appropriate documentation of all periodic security reminders.

  6. The Security Officer shall generate and distribute special notices to all workforce members providing urgent updates, such as new threats, hazards, vulnerabilities, and/or countermeasures.

  7. Protection from Malicious Software

  8. As part of the aforementioned Security Training Program and Security Reminders, the Security Officer shall provide training concerning the prevention, detection, containment, and eradication of malicious software.   Such training shall include the following:

  9. Guidance on opening suspicious e-mail attachments, e-mail from unfamiliar senders, and hoax e-mail,

  10. The importance of updating anti-virus software and how to check a workstation or other device to determine if virus protection is current,

  11. Instructions to never download files from unknown or suspicious sources,

  12. Recognizing signs of a potential virus that could sneak past antivirus software or could arrive prior to an update to anti-virus software,

  13. The importance of backing up critical data on a regular basis and storing the data in a safe place,

  14. Damage caused by viruses and worms, and

  15. What to do if a virus or worm is detected.

  16. Password Management

  17. As part of the aforementioned Security Training Program and Security Reminders, the Security Officer shall provide training concerning password management.  Such training shall address the importance of confidential passwords in maintaining computer security, as well as the following requirements relating to passwords:

  18. Passwords must be changed every 90 days.

  19. A user cannot reuse the last 12 passwords.

  20. Passwords must be at least eight characters and contain upper case letters, lower case letters, numbers, and special characters.

  21. Commonly used words, names, initials, birthdays, or phone numbers should not be used as passwords.

  22. A password must be promptly changed if it is suspected of being disclosed, or known to have been disclosed.

  23. Passwords must not be disclosed to other workforce members (including anyone claiming to need a password to “fix” a computer or handle an emergency situation) or individuals, including family members.

  24. Passwords must not be written down, posted, or exposed in an insecure manner such as on a notepad or posted on the workstation.

  25. Employees should refuse all offers by software and/or Internet sites to automatically login the next time that they access those resources.

  26. Any employee who is directed by the Security Officer to change his/her password to conform to the aforementioned standards shall do so immediately.


Security Management Process

Statement of Policy

To ensure Company conducts an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of personal information held by Company.

Company shall conduct an accurate and thorough risk analysis to serve as the basis for Company’s regulatory requirements compliance efforts.  Company shall re-assess the security risks to its personal information and evaluate the effectiveness of its security measures and safeguards as necessary in light of changes to business practices and technological advancements.

Procedure

  1. The Security Officer shall be responsible for coordinating Company’s risk analysis.  The Security Officer shall identify appropriate persons within the organization to assist with the risk analysis.

  2. The risk analysis shall proceed in the following manner:

  3. Document Company’s current information systems.

  4. Update/develop information systems inventory.  List the following information for all hardware (i.e., network devices, workstations, printers, scanners, mobile devices) and software (i.e., operating system, various applications, interfaces):  date acquired, location, vendor, licenses, maintenance schedule, and function.  Update/develop network diagram illustrating how organization’s information system network is configured.

  5. Update/develop facility layout showing location of all information systems equipment, power sources, telephone jacks, and other telecommunications equipment, network access points, fire and burglary alarm equipment, and storage for hazardous materials.

  6. For each application identified, identify each licensee (i.e., authorized user) by job title and describe the manner in which authorization is granted.

  7. For each application identified:

  8. Describe the data associated with that application.

  9. Determine whether the data is created by the organization or received from a third party.  If data is received from a third party, identify that party and the purpose and manner of receipt.

  10. Determine whether the data is maintained within the organization only or transmitted to third parties.  If data is transmitted to a third party, identify that party and the purpose and manner of transmission.

  11. Define the criticality of the application and related data as high, medium, or low.  Criticality is the degree of impact on the organization if the application and/or related data were unavailable for a period of time.

  12. Define the sensitivity of the data as high, medium, or low.  Sensitivity is the nature of the data and the harm that could result from a breach of confidentiality or security incident.

  13. For each application identified, identify the various security controls currently in place and locate any written policies and procedures relating to such controls.

  14. Identify and document threats to the confidentiality, integrity, and availability (referred to as “threat agents”) of personal information created, received, maintained, or transmitted by Company.  Consider the following:

  15. Natural threats, e.g., earthquakes, storm damage.

  16. Environmental threats, e.g., fire and smoke damage, power outage, utility problems.

  17. Human threats

  18. Accidental acts, e.g., input errors and omissions, faulty application programming or processing procedures, failure to update/upgrade software/security devices, lack of adequate financial and human resources to support necessary security controls

  19. Inappropriate activities, e.g., inappropriate conduct, abuse of privileges or rights, workplace violence, waste of corporate assets, harassment

  20. Illegal operations and intentional attacks, e.g., eavesdropping, snooping, fraud, theft, vandalism, sabotage, blackmail

  21. External attacks, e.g., malicious cracking, scanning, demon dialing, virus introduction

  22. Identify and document vulnerabilities in Company’s information systems.  A vulnerability is a flaw or weakness in security policies and procedures, design, implementation, or controls that could be accidentally triggered or intentionally exploited, resulting in unauthorized access to personal information, modification of personal information, denial of service, or repudiation (i.e., the inability to identify the source and hold some person accountable for an action).  To accomplish this task, conduct a self-analysis utilizing the standards and implementation specifications to identify vulnerabilities.

  23. Determine and document probability and criticality of identified risks.

  24. Assign probability level, i.e., likelihood of a security incident involving identified risk.

  25. “Very Likely” (3) is defined as having a probable chance of occurrence.

  26. “Likely” (2) is defined as having a significant chance of occurrence.

  27. “Not Likely” (1) is defined as a modest or insignificant chance of occurrence.

  28. Assign criticality level.

  29. “High” (3) is defined as having a catastropersonal informationc impact on the company including a significant number of records which may have been lost or compromised.

  30. “Medium” (2) is defined as having a significant impact including a moderate number of records within the company which may have been lost or compromised.

  31. “Low” (1) is defined as a modest or insignificant impact including the loss or compromise of some records.

  32. Determine risk score for each identified risk.  Multiply the probability score and criticality score.  Those risks with a higher risk score require more immediate attention.

  33. Identify and document appropriate security measures and safeguards to address key vulnerabilities.  To accomplish this task, review the vulnerabilities you have identified in relation to the standards and implementation specifications.  Focus on those vulnerabilities with high risk scores, as well as specific security measures and safeguards required by the Security Rule.

  34. Develop and document an implementation strategy for critical security measures and safeguards.

  35. Determine timeline for implementation.

  36. Determine costs of such measures and safeguards and secure funding.

  37. Assign responsibility for implementing specific measures and safeguards to appropriate person(s).

  38. Make necessary adjustments based on implementation experiences.

  39. Document actual completion dates.

  40. Evaluate effectiveness of measures and safeguards following implementation and make appropriate adjustments.

  41. The Security Officer shall be responsible for identifying appropriate times to conduct follow-up evaluations and coordinating such evaluations.  The Security Officer shall identify appropriate persons within the organization to assist with such evaluations. Such evaluations shall be conducted upon the occurrence of one or more of the following events: changes in the regulatory framework; laws or regulations affecting the security of personal information; changes in technology, environmental processes, or business processes that may affect data security; or the occurrence of a serious security incident. Follow-up evaluations shall include the following:

  42. Inspections, reviews, interviews, and analysis to assess adequacy of administrative and physical safeguards.  Such evaluation shall include interviews to assess employee compliance; after-hours walk-through inspections to assess physical security, password protection (i.e., not posted), and workstation sessions terminated (i.e., employees logged out); review of latest security policies and procedures for correctness and completeness; and inspection and analysis of training, incident, and media logs for compliance.

  43. Analysis to assess adequacy of controls within the network, operating systems and applications.  As appropriate, Company shall engage outside vendors to evaluate existing physical and technical security measures and make recommendations for improvement


Emergency Operations Procedures

Purpose

To provide procedures for continued service when IT systems are unavailable due to planned or unexpected outages.

Procedures

Notification:

The Information Systems or Technology Manager shall notify Company management as soon as practicable in the event of:

  • planned downtime of IT systems,
  • unexpected outage of IT systems, and
  • resumption of IT services following an outage such that normal operations may resume.

System Restoration:

All efforts are made to immediately resume normal system functioning. The IT department follows internal procedures for service restoration, including troubleshooting, diagnostics and recovery.


Emergency Access “Break the Glass”

Policy Summary

The Company has formal, documented emergency access procedure enabling authorized workforce members to obtain required personal information during an emergency. The Company has a formal, documented emergency access procedure enabling Company workforce members to access the minimum personal information necessary to effectively and efficiently provide service or recover data in the event of a major emergency.

Purpose

This policy reflects Company commitment to have emergency access procedure enabling authorized workforce members to obtain required personal information during an emergency.

Definitions   

Electronic protected information (personal information) means individually identifiable personal information that is:

  • Transmitted by electronic media
  • Maintained in electronic media

Electronic media means:

1. Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or

2. Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet, extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.

Information system means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.

Workforce member means employees, volunteers, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. This includes full and part time employees, affiliates, associates, volunteers, and staff from third party entities who provide service to the covered entity.

Policy

1. The Company has formal, documented emergency access procedure enabling authorized workforce members to obtain required personal information during an emergency. The procedure includes:

  • Identifying and defining which the Company workforce members authorized to access personal information during an emergency.
  • Identifying and defining manual and automated methods to be used by authorized Company workforce members to access personal information during an emergency.
  • Identify and define appropriate logging and auditing that must occur when authorized Company workforce members access personal information during an emergency.
  1. The Company has a formal, documented emergency access procedure enabling Company workforce members to access the minimum personal information necessary to serve clients in the event of an emergency. Such access must be authorized by appropriate Company management or designated personnel.

3. Regular training and awareness on the emergency access procedure is provided to all Company workforce members.

4. All appropriate Company workforce members have access to a current copy of the procedure and an appropriate number of current copies of the procedure should be kept off-site.

Scope/Applicability

This policy is applicable to all divisions and workforce members that use or disclose Electronic Protected Personal Information for any purposes. This policy’s scope includes all electronic protected personal information, as described in definitions below.

Policy Authority/Enforcement

The Company Security Officer is responsible for monitoring and enforcement of this policy.

 Procedures

Mechanism to Provide Emergency Access to personal information

  1. This process will bypass formal access procedures and is limited to emergencies.  

  2. The CEO or department head may make requests for emergency access in writing.

  3. The request should contain:

  4. The individual being granted the emergency access,

  5. Job title

  6. Reason for emergency access

  7. Date and time granted access

  8. The name of the individual granting access.  

  9. The Security Officer, or designated person, records information about emergency users and the emergency access rights assigned to them.

  10. The system administrator and Security Officer have created 2 administrator accounts solely for the purpose of emergency access.  These accounts should be obviously named, such as breakglass01 and breakglass02 to allow for easy tracking of actions. These accounts and passwords are stored in the company safe.

  11. The emergency access will be tracked and documented based on capabilities of .  The tracking documentation will be reviewed by the Security Officer to determine that emergency access was appropriate.

  12. At the conclusion of the event that precipitated the granting of emergency access, the Security Officer ensures the breakglass accounts are disabled, and new ones created in anticipation of the next emergency.  

  13. Any inappropriate use of emergency access will be treated as a security incident, and may subject an employee to disciplinary action, up to and including termination.  

  14. Documentation concerning emergency access will be retained and maintained for at least six years from the date of creation.

Note:

When using a specific user account that provides full access to all personal information (an administrator account) consider the following:

  • Creating an extremely complicated password (but one an employee will be able to enter while under the stress of an emergency situation).
  • Securing the password.
  • Periodically changing the password.

Enforcement

Please refer to IS-2.0 Sanction Policy for details regarding disciplinary action against employees, contractors, or any individuals who violate this policy.


Breach Notification Procedures

Purpose

To outline the process for notifying affected individuals of a breach of protected information under the privacy protection regulations.

Scope

This applies to all employees, volunteers, and other individuals working under contractual agreements with the Company.

Definitions

State Breach – Unauthorized acquisition or reasonable belief of unauthorized acquisition of Personal information that compromises the security, confidentiality, or integrity of the Personal information.

Personal information – Personal information has many definitions including definitions by statute which may vary from country to country.  Most generally, Personal information is a combination of data elements which could uniquely identify an individual.  Please review applicable data breach statutes to determine what definition of Personal information is applicable for purposes of the document.

Personally Identifiable Information (PII) – Information in any form that consists of a combination of an individual’s name and one or more of the following: Social Security Number, driver’s license or ID, account numbers, credit card numbers, debit card numbers, personal code, security code, password, personal ID number, photograph, fingerprint, or other information which could be used to identify an individual.

Private Information – Information protected by the privacy regulations, Personally Identifiable Information, Personal information and Protected Information collectively.

Procedure

Reporting a Possible Breach

  1. Any employee who becomes aware of a possible breach of privacy involving Private Information in the custody or control of the Company will immediately inform their supervisor/manager, and the Privacy Officer.

  2. Notification should occur immediately upon discovery of a possible breach or before the end of your shift if other duties interfere, however, in no case should notification occur later than twenty-four (24) hours after discovery.

  3. The supervisor/manager will verify the circumstances of the possible breach and inform the Privacy Officer and the division Administrator/Director within twenty-four (24) hours of the initial report.

  4. You may call the Privacy Officer directly at +49 0160 47 20276

  5. Provide the Privacy Officer with as much detail as possible.  

  6. Be responsive to requests for additional information from the Privacy Officer.  

  7. Be aware that the Privacy Officer has an obligation to follow up on any reasonable belief that Private Information has been compromised.

  8. The Privacy Officer, in conjunction with the Company’s Legal Counsel, will decide whether or not to notify the CEO as appropriate by taking into consideration the seriousness and scope of the breach and/or to notify the Company’s that may be affected by the breach.

  9. If the breach Affects Atlassian or Atlassian customers, the Privacy Officer immediately notified Atlassian by opening an ‘Add-On Security Incident’ ticket under the following URL:   https://ecosystem.atlassian.net/secure/CreateIssue.jspa?pid=17070&issuetype=11400

Containing the Breach

  1. The Privacy Officer will take the following steps to limit the scope and effect of the breach.

  2. Work with department(s) to immediately contain the breach.  Examples include, but are not limited to:

  3. Stopping the unauthorized practice

  4. Recovering the records, if possible

  5. Shutting down the system that was breached

  6. Mitigating the breach, if possible

  7. Correcting weaknesses in security practices

  8. Notifying the appropriate authorities including the local Police Department if the breach involves, or may involve, any criminal activity

Investigating and Evaluating the Risks Associated with the Breach

  1. To determine what other steps are immediately necessary, the Privacy Officer in collaboration with the Company’s Legal Counsel and affected department(s) and administration, will investigate the circumstances of the breach.

  2. A team will review the results of the investigation to determine root cause(es), evaluate risks, and develop a resolution plan.

  3. The Privacy Breach Assessment tool will help aid the investigation.

  4. The Privacy Officer, in collaboration with the Company’s Legal Counsel, will consider several factors in determining whether to notify individuals affected by the breach including, but not limited to:

  5. Contractual obligations

  6. Legal obligations – the Company’s Legal Counsel should complete a separate legal assessment of the potential breach and provide the results of the assessment to the Privacy Officer and the rest of the breach response team

  7. Risk of identity theft or fraud because of the type of information lost such as social security number, banking information, identification numbers

  8. Risk of physical harm if the loss puts an individual at risk of stalking or harassment

  9. Risk of hurt, humiliation, or damage to reputation when the information includes disciplinary records

  10. Number of individuals affected

Notification

  1. The Privacy Officer will work with the department(s) involved, the Company’s Legal Counsel and appropriate leadership to decide the best approach for notification and to determine what may be required by law.

  2. If required by law, notification of individuals affected by the breach will occur as soon as possible following the breach.

  3. Affected individuals must be notified without reasonable delay, but in no case later than sixty (60) calendar days after discovery, unless instructed otherwise by law enforcement or other applicable laws.

  4. Notices must be in plain language and include basic information, including:

  5. What happened

  6. Types of personal information involved

  7. Steps individuals should take

  8. Steps covered entity is taking

  9. Contact Information

  10. Notices should be sent by first-class mail or if individual agrees electronic mail. If insufficient or out-of-date contact information is available, then a substitute notice is required as specified below.

  11. If law enforcement authorities have been contacted, those authorities will assist in determining whether notification may be delayed in order not to impede a criminal investigation.

  12. The required elements of notification vary depending on the type of breach and which law is implicated.  As a result, the Company’s Privacy Officer and Legal Counsel should work closely to draft any notification that is distributed.

  13. Indirect notification such as website information, posted notices, media will generally occur only where direct notification could cause further harm, or contact information is lacking.

  14. If a breach affects five-hundred (500) or more individuals, or contact information is insufficient, the Company will notify a prominent media outlet that is appropriate for the size of the location with affected individuals, and notice will be provided in the form of a press release.

  15. Using multiple methods of notification in certain cases may be the most effective approach.

Business associates must notify the Company if they incur or discover a breach of unsecured personal information.

  1. Notices must be provided without reasonable delay and in no case later than sixty (60) days after discovery of the breach.
  2. Business associates must cooperate with the Company in investigating and mitigating the breach.

Prevention

  1. Once immediate steps are taken to mitigate the risks associated with the breach, the Privacy Officer will investigate the cause of the breach.  

  2. If necessary, this will include a security audit of physical, organizational, and technological measures.

  3. This may also include a review of any mitigating steps taken.

  4. The Privacy Officer will assist the responsible department to put into effect adequate safeguards against further breaches.

  5. Procedures will be reviewed and updated to reflect the lessons learned from the investigation and regularly thereafter.

  6. The resulting plan will also include audit recommendations, if appropriate.

Compliance and Enforcement

All managers and supervisors are responsible for enforcing these procedures. Employees who violate these procedures are subject to discipline up to and including termination in accordance with the Company’s Sanction Policy.

Attachments

Appendix E: Privacy Breach Assessment

Related Policies

IS-2.0 Sanction Policy