Information Security Policy
1. Introduction: Policy Foundation and Regulatory Compliance
This Information Security Policy (Policy) promotes an effective balance between information security practices and business needs. The Policy helps Hive Pro Inc., (the “Company”) meet our legal obligations and our customers’/clients’ expectations. From time to time, the Company may implement different levels of security controls for different information assets, based on risk and other considerations.
You are expected to read, understand, and follow this Policy. However, no single policy can cover all the possible information security issues you may face. You must seek guidance from your manager or another designated Company resource before taking any action that creates information security risks or otherwise deviates from this Policy’s requirements. The Company may treat any failure to seek and follow such guidance as a violation of this Policy.
This Policy is Confidential Information. You are not authorized to share this Policy unless authorized by the Information Security Coordinator.
1.1 Guiding Principles. The Company follows these guiding principles when developing and implementing information security controls:
- The Company strives to protect the confidentiality, integrity, and availability of its information assets and those of its customers/clients.
- We will comply with applicable privacy and data protection laws.
- We will balance the need for business efficiency with the need to protect sensitive, proprietary, or other confidential information from undue risk.
- We will grant access to sensitive, proprietary, or other confidential information only to those with a need to know and at the least level of privilege necessary to perform their assigned functions.
1.2 Scope. This Policy applies across the entire Company enterprise.
This Policy states the Company’s information security policy. In many cases, you are personally responsible for taking or avoiding specific actions as the Policy states. In some situations, the Information Security Coordinator, IT, or another Company resource takes or avoids the stated actions.
From time to time, the Company may approve and make available more detailed or location or business unit-specific policies, procedures, standards, and processes to address specific information security issues. Those additional policies, procedures, standards, and processes are extensions to this Policy. You must comply with them, where applicable, unless you obtain an approved exception.
1.3 Resources. No single document can cover all the possible information security issues you may face. Balancing our need to protect the Company’s information assets with getting work done can also be challenging. Many effective administrative, physical, and technical safeguards are available. Do not make assumptions about the cost or time required to implement them. Ask for help.
You must seek guidance before taking any actions that create information security risks. Contact your manager.
- For questions about this Policy or technical information security issues, contact: firstname.lastname@example.org ; or
- For guidance regarding legal obligations, including customer/client agreements, contact: email@example.com.
1.4 No Expectation of Privacy and Monitoring. Except where applicable law provides otherwise, you should have no expectation of privacy when using the Company’s network or systems, including, but not limited to, transmitting, and storing files, data, and messages.
To enforce compliance with the Company’s policies and protect the Company’s interests, the Company reserves the right to monitor any use of its network and systems to the extent permitted by applicable law. By using the Company’s systems, you agree to such monitoring. Monitoring may include (but is not necessarily limited to) intercepting and reviewing network traffic, emails, or other messages or data sent or received and inspecting data stored on individual file directories, hard disks, or other printed or electronic media.
1.5 Regulatory Compliance. Various information security laws, regulations, and industry standards apply to the Company and the data we handle. The Company is committed to complying with applicable laws, regulations, and standards. Our customers/clients expect nothing less from us.
This section lists the obligations that you are the most likely to encounter. Do not assume that these are the only laws that may apply. To identify specific obligations, you must seek guidance from Legal and the Information Security Coordinator when collecting, creating, or using new or different types of information.
(a) Personal Information: Data Protection and Breach Notification Laws. Various laws protect individuals’ personal information, such as government-assigned numbers, financial account information, and other sensitive data. Many jurisdictions have enacted breach notification laws that require organizations to notify affected individuals if personal information is lost or accessed by unauthorized parties. Some locations have data protection laws that require organizations to protect personal information using reasonable data security measures or more specific means. These laws may apply to personal information for the Company’s employees, customers/clients, business partners, and others.
Before collecting, creating, or using personal information for any purpose, contact firstname.lastname@example.org.
2. Responsibilities: Security Organization, Authority, and Obligations.
The Company and its leadership recognize the need for a strong information security program.
2.1 Information Security Coordinator. The Company has designated the Information Security Group Chief (email@example.com) as its Information Security Coordinator, accountable for all aspects of its information security program.
2.2 Policy Authority and Maintenance. The Company has granted the Information Security Coordinator the authority to develop, maintain, and enforce this Policy and any additional policies, procedures, standards, and processes, as he or she may deem necessary and appropriate.
2.3 Policy Review. On at least an annual basis, the Information Security Coordinator will initiate a review of this Policy, engaging stakeholders such as individual business units, Human Resources, Legal, and other Company organizations, as appropriate.
2.4 Exceptions. The Company recognizes that specific business needs and local situations may occasionally call for an exception to this Policy. Exception requests must be made in writing. The Information Security Coordinator must approve in writing, document, and periodically review all exceptions.
Do not assume that the Information Security Coordinator will approve an exception simply because he or she has previously approved a similar exception. Each non-compliant situation requires a review of the specific facts and risks to the Company’s information assets and those of our customers/clients.
To request an exception, contact firstname.lastname@example.org.
2.5 Workforce Obligation to Comply. Employees and contractors are obligated to comply with all aspects of this Policy that apply to them. This Policy is not intended to restrict communications or actions protected or required by applicable law.
The Company may treat any attempt to bypass or circumvent security controls as a violation of this Policy. For example, sharing passwords, deactivating anti-virus software, removing, or modifying secure configurations, or creating unauthorized network connections are prohibited unless the Information Security Coordinator has granted an exception as described in Section 2.4, Exceptions.
The Company takes steps to help employees and contractors understand this Policy. You are responsible for your own actions and compliance with this Policy. You should question and report any situation to your manager or the Information Security Coordinator that appears to violate this Policy or creates any undue information security risk.
2.6 Sanctions. Any violation of this Policy may result in disciplinary action or other sanctions. Sanctions may include suspension, access restrictions, work assignment limitations, or more severe penalties up to and including termination, in accordance with applicable law. If the Company suspects illegal activities, it may report them to the applicable authorities and aid in any investigation or prosecution of the individuals involved.
2.7 Acknowledgment. All employees and contractors must acknowledge that they have read, understood, and agree to comply with this Policy either in writing or through an approved online process. Acknowledgment must be completed on a timely basis following a new hire or as otherwise designated by the Information Security Coordinator. Material changes to this Policy may require additional acknowledgment. The Company will retain acknowledgment records.
2.8 Training. The Company recognizes that an astute workforce is the best line of defense. We will provide security training opportunities and expert resources to help employees and contractors understand their obligations under this Policy and avoid creating undue risks. Employees must complete information security training within a reasonable time after initial hire. All workforce members must complete information security training on at least an annual basis. Managers must ensure that their employees complete all required training.
The Company may deem failure to participate in required training a violation of this Policy. The Company will retain attendance records and copies of security training materials delivered.
2.9 Customer/client Policies. The Company may handle sensitive customer/client information. In some cases, the Company may agree to comply with specific customer/client information security policies or standards. To minimize special cases, the Company has developed this Policy to include the requirements common to most of our customers/clients.
If the Company agrees to comply with additional customer/client-specific information security policies or standards, we will notify affected workforce members. You must comply with any such policies or standards, including any related training or additional background screening requirements.
Legal and the Information Security Coordinator must review and approve any customer/client agreements that require compliance with specific information security policies or standards.
3. Data: Information Classification and Risk-Based Controls.
The Company has established a three-tier classification scheme to protect information according to risk levels. The information classification scheme allows the Company to select appropriate security controls and balance protection needs with costs and business efficiencies.
3.1 Public Information. Some Public Information examples include, but are not limited to:
- press releases;
- Company marketing materials;
- job announcements; and
- any information that the Company makes available on its publicly accessible website.
3.2 Confidential Information.
(a) Confidential Information Examples. Some Confidential Information examples include, but are not limited to:
- Company financial data, customer/client lists, revenue forecasts, program or project plans, and intellectual property;
- customer/client-provided data, information, and intellectual property;
- customer/client contracts and contracts with other external parties, including vendors;
- communications or records regarding internal Company matters and assets, including operational details and audits;
- Company policies, procedures, standards, and processes (for example, this Policy is Confidential Information and should not be shared without authorization from the Information Security Coordinator);
- any information designated as “confidential” or some other protected information classification by an external party and subject to a current non-disclosure or other agreement;
- information regarding employees (see also, Section 3.3, Highly Confidential Information, regarding personal information);
- any summaries, reports, or other documents that contain Confidential Information; and
- drafts, summaries, or other working versions of any of the above.
(b) Safeguards. Protect Confidential Information with administrative, physical, and technical safeguards appropriate to the risks, including (but not necessarily limited to):
- Authentication. Electronically stored Confidential Information must only be accessible to an individual after logging in to the Company’s network.
- Discussions. Only discuss Confidential Information in non-public places, or if a discussion in a public place is absolutely necessary, take reasonable steps to avoid being overheard.
- Copying/Printing/Faxing/Scanning. Only scan, make copies, and distribute Confidential Information to the extent necessary or allowed under any applicable non-disclosure agreement or other applicable agreement. Take reasonable steps to ensure that others who do not have a business need to know do not view the information. When faxing Confidential Information, use a cover sheet that informs the recipient that the information is the Company’s Confidential Information. Set fax machines to print a confirmation page after sending a fax. Locate copiers, fax machines, scanners, and other office equipment in physically secured areas and configure them to avoid storing Confidential Information.
- Encryption. You should encrypt Confidential Information when storing it on a laptop, smartphone, or other mobile device, including mobile storage devices. Consider encrypting Confidential Information when transmitting or transporting it externally, based on specific risks. Seek assistance from your manager or email@example.com, if needed.
- Mailing. Use a service that requires a signature for receipt of the information when sending Confidential Information outside the Company. When sending Confidential Information inside the Company, use a sealed security envelope marked “Confidential Information.”
- Meeting Rooms. You should only share Confidential Information in physically secured meeting rooms. Erase or remove any Confidential Information that you write on a whiteboard or other presentation tool upon the meeting’s conclusion.
- Need to know. Only access, share, or include Confidential Information in documents, presentations, or other resources when there is a business need to know.
- Physical Security. Only house systems that contain Confidential Information or store Confidential Information in paper or other forms in physically secured areas.
3.3 Highly Confidential Information.
(a) Highly Confidential Information Examples. Some Highly Confidential Information examples include, but are not limited to:
- personal information for employees, customers/clients, business partners, or others; and
- sensitive Company business information, such as budgets, financial results, or strategic plans.
(b) Safeguards. You must protect Highly Confidential Information with specific administrative, physical, and technical safeguards implemented according to risks and as prescribed by applicable laws, regulations, and standards, including (but not necessarily limited to):
- Authentication. Electronically stored Highly Confidential Information must only be accessible to an individual after logging in to the Company’s network and with specific authorization.
- Discussions. Only discuss Highly Confidential Information in non-public places.
- Copying/Printing/Faxing/Scanning. Do not scan, copy, or distribute Highly Confidential Information unless absolutely necessary. Take reasonable steps to ensure that others who do not have a specific business need to know do not view the information. When faxing Highly Confidential Information, use a cover sheet that informs the recipient that the information is the Company’s Highly Confidential Information. Set fax machines to print a confirmation page after sending a fax. Locate copiers, fax machines, scanners, and other office equipment in physically secured areas and configure them to avoid storing Highly Confidential Information.
- Encryption. You must encrypt Highly Confidential Information when transmitting it, whether externally or internally, or when storing it on a laptop, smartphone, or other mobile device, including mobile storage devices such as USB drives. You should also encrypt Highly Confidential Information when storing it on a server, database, or other stationary device.
- Mailing. Do not mail Highly Confidential Information unless absolutely necessary. Use a service that requires a signature for receipt of the information when sending Highly Confidential Information outside the Company. When sending Highly Confidential Information inside the Company, use a sealed security envelope marked “Highly Confidential Information.” If you use electronic media to mail Highly Confidential Information, you must encrypt, and password protect it.
- Meeting Rooms. You must only share Highly Confidential Information in physically secured meeting rooms. Erase any Highly Confidential Information that you write on a whiteboard or other presentation tool upon the meeting’s conclusion.
- Need to know. Only access, share, or include Highly Confidential Information in documents, presentations, or other resources when there is a specific business need to know.
- Network Segmentation. You may only make Highly Confidential Information available to areas of the Company’s network where there is a specific business need. Highly Confidential Information must be segmented from the rest of the Company’s network using controls such as firewalls, access control lists, or other security mechanisms.
- Physical Security. Only house systems that contain Highly Confidential Information or store Highly Confidential Information in paper or other forms in physically secured areas, accessible only to those with a specific business need to know.
4. People: Roles, Access Control, and Acceptable Use.
People are the best defense in information security. They are also the weakest link. The Company grants access to its systems and data based on business roles. The Company places limits on how you may use and interact with its information assets. These restrictions help lower risks and protect you and the Company.
4.1 Roles. Business roles and role-based access are based on the individual’s relationship with the Company and assigned activities.
(a) Employees. Human Resources provides employee screening and background investigations. For more information, contact firstname.lastname@example.org. The Company may require employees who handle Highly Confidential Information to undergo additional background screening and testing where permitted by applicable laws.
Supervising managers may request access for their employees only to those Company systems and data required to meet business needs.
(b) External Parties. The Company grants systems access to approved external parties, such as contractors, vendors, service providers, business partners, or others with a demonstrated business need that cannot be reasonably met through other means (see Section 7, Service Providers: Risks and Governance). The Company may support different access levels for different business situations.
A sponsoring employee must be designated for any external party before the Company grants access to its systems or data. The sponsoring employee is responsible for supervising the external party, including compliance with this Policy.
The sponsoring employee may request access only to those Company resources necessary to meet business needs. The sponsoring employee must also request that any access granted be terminated when the business need ends.
4.2 Identity and Access Management. The Company uses identity and access management controls to provide user accounts with appropriate privileges to employees and others. The Company will assign each individual a unique identifier using a standard algorithm (the individual’s “primary ID”). You should only create device or application-specific identifiers if the primary ID cannot be used. Device or application-specific identifiers must be linked to an accountable individual.
(a) Unique User Accounts. The Company assigns unique user accounts and passwords to individuals, using their primary ID. You must not share your account or password with others. If system or other administrative accounts cannot be uniquely assigned to specific individuals, use mediated access, audit logs, or other technical controls to provide individual accountability.
(b) Add, Change, Terminate Access. The Company restricts access to specific resources to those with a business need to know. Responsible managers should direct requests to add or change access levels to IT. System and application administrators must periodically review user accounts and access levels to confirm that a legitimate business need for the access still exists.
When an employee leaves the business, Human Resources must immediately notify IT. IT will promptly deactivate the individual’s account(s).
(c) Authorization Levels and Least Privilege. Proper authorization levels ensure that the Company only grants individuals the privileges they need to perform their assigned activities and no more. Known as least privilege access, this method minimizes risks. Least privilege applies to user and administrative access. You must not grant administrative privileges unless there is a specific business need, and you must limit them to the extent feasible.
(d) Role-Based Access Controls. Use role-based access control methods whenever feasible to assign authorization levels according to business functions, rather than uniquely for each individual. This method supports the least privilege approach by standardizing access. It also simplifies periodic access reviews.
4.3 Acceptable Use Policy. The Company provides employees and others with network resources and systems to support its business requirements and functions. This section limits how you may use the Company’s information assets and explains the steps you must take to protect them.
If you have any questions regarding acceptable use of the Company’s resources, please discuss them with your manager or contact the Information Security Coordinator for additional guidance.
(a) General Use of Information Technology Resources. The Company provides network resources and systems for business purposes. Any incidental non-business use of the Company’s resources must be for personal purposes only. Do not use the Company’s resources for commercial purposes, personal gain, or any purpose that may create a real or perceived conflict of interest with the Company.
Do not use the Company’s resources in a manner that negatively impacts your job performance or impairs others’ abilities to do their jobs. The Company’s network and systems are subject to monitoring (see Section 1.4, No Expectation of Privacy and Monitoring).
Do not use the Company’s network or systems for activities that may be deemed illegal under applicable law. If the Company suspects illegal activities, it may report them to the appropriate authorities and aid in any investigation or prosecution of the individuals involved.
(i) Prohibited Activities. The Company prohibits using its resources to engage in activities such as (but not necessarily limited to) the following:
(A) hacking, spoofing, or launching denial of service attacks;
(B) gaining or attempting to gain unauthorized access to others’ networks or systems;
(C) sending fraudulent email messages;
(D) distributing or attempting to distribute malicious software (malware);
(E) spying or attempting to install spyware or other unauthorized monitoring or surveillance tools;
(F) committing criminal acts such as terrorism, fraud, or identity theft;
(G) downloading, storing, or distributing child pornography or other obscene materials;
(H) downloading, storing, or distributing materials in violation of another’s copyright;
(I) creating undue security risks or negatively impacting the performance of the Company’s network and systems;
(J) causing embarrassment, loss of reputation, or other harm to the Company;
(K) uploading, downloading, or disseminating defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, annoying, insulting, threatening, obscene, or otherwise inappropriate or offensive messages or media;
(L) distributing joke emails, chain letters, commercial solicitations, or hoax emails or other messages (spamming);
(M) disrupting the workplace environment, creating a hostile workplace, or invading the privacy of others;
(N) using encryption or other technologies in an attempt to hide illegal, unethical, or otherwise inappropriate activities; and
(O) installing or distributing unlicensed or pirated software.
(b) Desktop, Laptop, and End-User Controls. You may only access the Company’s network using approved end-user devices that support our current minimum information security standards. Standards for end-user devices may include protective controls and specific configurations, such as anti-virus software, patching levels, and required operating system or other software versions. Company-owned machines may be configured to automatically receive upgrades. You may be denied remote access using non-Company-owned devices that do not meet current standards.
Use your own Company-provided account(s) to access the Company’s network and systems, unless you have been specifically authorized to use a device-specific, administrative, or other account (see Section 4.2, Identity and Access Management).
Screen saver passwords, also known as “workstation timeouts” or “lock screens,” secure Confidential Information by protecting active computer sessions when you step away. Locking screen savers must activate after a maximum inactivity time of 15 minutes. If you handle Highly Confidential Information, lock your screen any time you leave it unattended.
(c) Information Handling and Storage. You must properly handle, store, and securely dispose of the Company’s information in accordance with the Company’s Records Retention Schedule. You are responsible for any Confidential or Highly Confidential Information that you access or store. Do not allow others to view, access, or otherwise use any Confidential or Highly Confidential Information you control unless they have a specific business need to know.
Store files or other data critical to the Company’s operations on regularly maintained (backed up) servers or other storage resources. Do not store business critical data only on end-user devices such as desktops, laptops, smartphones, or other mobile devices.
Physically secure any media containing the Company information, including hard drives, CDs, disks, paper, voice recordings, removable drives (such as thumb drives, flash drives, USB drives), or other media. You must store media containing Confidential or Highly Confidential Information in a locked area when not in use.
Shred or otherwise destroy paper that contains Confidential or Highly Confidential Information prior to disposal. Return all electronic, magnetic, or optical media to IT for secure disposal when it is no longer required to meet business needs.
(d) Internet Use: Email, Messaging, Social Media, and Cloud Computing. The internet offers a variety of services that Company employees and contractors depend on to work effectively. However, some technologies create undue risks to the Company’s assets. Some uses are not appropriate in the workplace.
The Company may block or limit access to particular services, websites, or other internet-based functions according to risks and business value. Recognize that inappropriate or offensive websites may still be reachable, and do not access them using Company resources.
(i) General Internet Use. Limit your web browsing and access to streaming media (such as videos, audio streams or recordings, and webcasts) to business purposes or as otherwise permitted by this Policy. Internet use must comply with this Policy.
Never use internet peer-to-peer file sharing services, given the risks to the Company’s information assets they create.
Do not use internet-based remote access services to access the Company’s network or systems, including desktop computers. If you need remote access, use the Company-provided or authorized software (see Section 4.3(f), Remote Access).
(ii) Email and Social Media. Do not disclose Confidential or Highly Confidential Information to unauthorized parties on blogs or social media or transmit it in unsecured emails or instant messages (see Section 3, Data: Information Classification and Risk-Based Controls). Do not make postings or send messages that speak for the Company or imply that you speak for the Company unless you have been authorized to do so.
Use good professional judgment when drafting and sending any communications. Remember that messages may be forwarded or distributed outside your control, and your professional reputation is at stake. Email signatures should be professional, appropriate for your business role, and not unreasonably long or complex.
Never open an email attachment that you did not expect to receive, click on links, or otherwise interact with unexpected email content. Attackers frequently use these methods to transport viruses and other malware. Be cautious, even if messages appear to come from someone you know, since attackers can easily falsify (spoof) email senders. The Company may block some attachments or emails, based on risk.
Do not respond to an email or other message that requests Confidential or Highly Confidential Information unless you have separately verified and are certain of its origin and purpose. Even then, always protect Confidential or Highly Confidential Information as described in Section 3, Data: Information Classification and Risk-Based Controls.
If you have any doubts regarding the authenticity or risks associated with an email or other message you receive, contact IT immediately and before interacting with the message. Do not reply to suspicious messages, including clicking links or making unsubscribe requests. Taking those actions may simply validate your address and lead to more unwanted or risky messages.
(iii) Cloud Computing. The Company may use internet-based, outsourced services for some computing and data storage activities based on business needs. Cloud computing services store data and provide services in internet-accessible data centers that may be located almost anywhere. Cloud services vary significantly in their service levels and security measures.
While cloud services may offer an attractive cost model, they also present significant risks. Using them may also affect the Company’s ability to comply with some laws. Before using any cloud computing services to collect, create, store, or otherwise manage the Company’s Confidential or Highly Confidential Information, you must obtain approval from Legal and the Information Security Coordinator (see Section 7, Service Providers: Risk and Governance).
This Policy applies to any document sharing or other internet-based services in which Company Confidential or Highly Confidential Information is stored.
(e) Mobile Devices and Bring Your Own Device to Work. Mobile devices, including laptops, smartphones, and tablet computers, can provide substantial productivity benefits. Mobile storage devices may simplify information exchange and support business needs. However, all these mobile devices also present significant risks to the Company’s information assets, so you must take appropriate steps to protect them.
The Company may permit employees and others to use their own equipment to connect to its network and systems. If you choose to do so, you agree that your use of those devices is subject to this Policy and any additional policies, procedures, standards, and processes the Company implements. The Company may require you to install specific security controls on your device (for example, device management software, access controls, encryption, remote wiping in case your device is lost or stolen, or other security controls).
You must allow IT (or another Company resource) to review your device and remove any Company data if your relationship with the Company terminates, you change devices or services, or in other similar situations. You must also promptly provide the Company with access to your device when requested for the Company’s legitimate business purposes, including any security incident or investigation.
Use encryption, other protection strategies (for example, device management software, access controls, remote wiping in case your device is lost or stolen, or other security controls), or both on any mobile device that contains Confidential or Highly Confidential Information. Mobile devices, including those that provide access to Company email, must be protected using a password or other approved authentication method.
Physically secure any mobile devices you use to access or store Company information. Never leave laptops or other devices unattended unless locked or otherwise secured. Do not leave mobile devices or the bags containing them visible in a parked car, and do not check them as baggage on airlines or other public transportation.
Do not connect a mobile device containing Company information to any unsecured network without an up-to-date firewall configured (or other security controls in place). Unsecured networks include home networks, hotel networks, open or for-pay wireless hotspots, convention networks, or any other network that the Company has not approved or does not control.
(f) Remote Access. If you have a business need to access the Company’s network and systems from home, while traveling, or at another location, the Company may grant you remote access.
Use two-factor authentication to access the Company’s network remotely. Configure remote access capabilities to limit access to only those assets and functions the Information Security Coordinator approves. You may only use Company-provided means for remote access (for example, VPN connections, dial-up modems, the Company portal). Do not install or set up any other remote connections, including remote desktop software, without the Information Security Coordinator’s authorization.
Remote access connections should time out (be disconnected) after a maximum of one hour of inactivity. The Company does not permit split tunneling or other mechanisms that bridge unsecured networks with the Company’s network.
(g) External Network Connections. Some business situations may require creating a secure connection from the Company’s network to an external party’s network (extranet). Examples include working extensively with customer/client systems, outsourcing, or partnering with another organization for an extended period. Extranet connections allow the organizations to share information and technical resources in a secure manner by connecting the two networks at their respective perimeters.
The Information Security Coordinator must review and approve all extranets and any other external connections to the Company’s network before implementation. A signed business agreement between the two organizations must accompany any extranet connection. Limit connectivity to only those assets required to perform the specified functions. The Company monitors extranet connections and may deactivate them if unusual or inappropriate traffic is detected.
(h) Wireless Network Connections. Do not connect any wireless access points, routers, or other similar devices to the Company’s network unless the Information Security Coordinator has reviewed and approved them.
Secure and maintain approved wireless network (WiFi) connections according to current Company technical and physical security standards. Do not connect wireless access points (WAPs) directly to the Company’s trusted network without going through a firewall or other protective controls. Deactivate WAPs when they are not in use, including during non-business hours.
Only transmit, receive, or make available Highly Confidential Information through WiFi connections using appropriate protective controls, including encryption. If you have questions regarding appropriate WiFi security measures to take when handling Highly Confidential Information, contact the Information Security Coordinator.
End-user devices that access wireless networks, such as laptops, must have personal firewalls installed and maintained according to current Company standards. Deactivate your computer’s wireless networking interface when it is not in use.
5. Information Assets: Protecting and Managing the Company's Information Technology Environment.
This section describes key safeguards that the Company uses to protect and manage its information technology (IT) environment. You must support their use to the extent that they apply to you.
Configure user accounts to require strong passwords. To protect against password guessing and other brute-force attacks, the Company will deactivate user accounts after five failed login attempts. Reactivation may be based on a timeout or manual reset according to risk and technical feasibility.
Secure remote access points and require two-factor authentication. Encrypt authentication credentials during transmission across any network, either internal or external.
(b) Passwords and User Credentials. Select strong passwords and protect all user credentials, including passwords, tokens, badges, smart cards, or other means of identification and authentication. Implement password rules so that users select and use strong passwords. Automate password rule enforcement to the extent technically feasible.
(i) Minimum Password Rules. At a minimum, passwords must:
(A) be at least 8 characters;
(B) be comprised of a mix of letters (upper and lower case), numbers, and special characters (punctuation marks and symbols);
(C) not be comprised of or use words that can be found in a dictionary;
(D) not be comprised of an obvious keyboard sequence or common term (e.g., “qwerty,” “12345678,” or “password”); and
(E) not include easily guessed data such as personal information about yourself, your spouse, your pet, your children, birthdays, addresses, phone numbers, locations, etc.
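As an added illustration (not part of the Policy text and not the Company’s own tooling), the following Python function checks a candidate password against rules (A) through (E) and reports which rules it breaks. The word list, keyboard rows, substitution map and the `personal_info` argument are constructed stand-ins: a production deployment would load a full dictionary, the organization’s own banned-term list, and the user’s details from the directory. Rule (C) is checked after undoing common letter-for-symbol substitutions so that variants such as “P@ssw0rd” are still rejected.

```python
"""Password-rule checker for policy rules (A)-(E).

Added example; the word list, keyboard rows and substitution map are
constructed stand-ins, not a production wordlist.
"""
from datetime import date

# Constructed stand-in for a real dictionary wordlist (rule C).
DICTIONARY_WORDS = {"password", "welcome", "summer", "company",
                    "letmein", "dragon", "monkey", "secret"}

# Keyboard rows used to detect runs of adjacent keys (rule D).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Obvious terms the policy names as examples for rule D.
COMMON_TERMS = {"qwerty", "12345678", "password"}

# Common substitutions, undone so "P@ssw0rd" is still recognised as "password".
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l",
                          "3": "e", "4": "a", "5": "s", "7": "t"})

MIN_LENGTH = 8
MIN_RUN = 4  # shortest adjacent-key run treated as a keyboard sequence


def _normalise(password):
    """Lower-case the password and undo the substitutions in LEET_MAP."""
    return password.lower().translate(LEET_MAP)


def _has_keyboard_run(text):
    """True if text contains MIN_RUN adjacent keys from any row, in either direction."""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - MIN_RUN + 1):
                if seq[i:i + MIN_RUN] in text:
                    return True
    return False


def _personal_tokens(personal_info):
    """Expand the user's personal details (rule E) into lowercase substrings to reject.

    Dates given as YYYY-MM-DD expand into the forms people tend to type
    (year only, YYMMDD, MMDDYYYY, ...); other values contribute each word of
    three or more characters and any digit run of four or more.
    """
    tokens = set()
    for value in personal_info.values():
        if value is None:
            continue
        value = str(value).strip()
        try:
            d = date.fromisoformat(value)
        except ValueError:
            for part in value.lower().split():
                if len(part) >= 3:
                    tokens.add(part)
                digits = "".join(ch for ch in part if ch.isdigit())
                if len(digits) >= 4:
                    tokens.add(digits)
        else:
            for fmt in ("%Y", "%y%m%d", "%Y%m%d", "%m%d%Y", "%d%m%Y", "%m%d", "%d%m"):
                tokens.add(d.strftime(fmt))
    return tokens


def check_password(password, personal_info=None):
    """Return the letters of the rules the password violates; [] means it passes."""
    personal_info = personal_info or {}
    violations = []
    lowered = password.lower()
    normalised = _normalise(password)

    # (A) minimum length
    if len(password) < MIN_LENGTH:
        violations.append("A")

    # (B) mix of upper-case, lower-case, digits and special characters
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    if not (has_upper and has_lower and has_digit and has_special):
        violations.append("B")

    # (C) no dictionary words, even behind letter-for-symbol substitutions
    if any(word in normalised for word in DICTIONARY_WORDS):
        violations.append("C")

    # (D) no keyboard sequences or obvious common terms
    if (_has_keyboard_run(lowered) or _has_keyboard_run(normalised)
            or any(t in lowered or t in normalised for t in COMMON_TERMS)):
        violations.append("D")

    # (E) no personal information (names, pets, birthdays, phone numbers, ...)
    if any(t in lowered or t in normalised for t in _personal_tokens(personal_info)):
        violations.append("E")

    return violations


if __name__ == "__main__":
    # Constructed sample user; "MdRa2soT!" follows the first-letter-of-a-sentence method.
    user = {"name": "Alex Smith", "pet": "Rex", "birthday": "1985-03-14"}
    for candidate in ("password", "P@ssw0rd1", "Qwerty!23", "Rex1985!x", "MdRa2soT!"):
        print(candidate, "->", check_password(candidate, user) or "OK")
```

The checker only enforces the composition rules the Policy lists; it does not replace the account lockout or the periodic change requirements described elsewhere in this section, and a real deployment would also screen candidates against known-breached password lists.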
Several techniques can help you create a strong password. Substituting numbers for words is common: for example, you can use the numerals 2 or 4 in place of the words “to” or “for,” combined with capitalization and symbols, to create a memorable phrase. Another way to create an easy-to-remember strong password is to think of a sentence and use the first letter of each word as the password.
Treat passwords as Highly Confidential Information. You may be required to change your password periodically according to current Company standards. Change your password immediately and report the incident (see Section 6.1, Incident Reporting) if you have reason to believe that it has been compromised.
(ii) Password Protection. Always protect your passwords by:
(A) Not disclosing your passwords to anyone, including anyone who claims to be from IT;
(B) Not sharing your passwords with others (including co-workers, managers, customers/clients, or family);
(C) Not writing down your passwords or otherwise recording them in an insecure manner;
(D) Not using save password features for applications, unless provided or authorized by the Company;
(E) Not using the same password for different systems or accounts, except where single sign-on features are automated; and
(F) Not reusing passwords.
IT procedures and technical standards define additional steps to protect passwords for administrative or device-specific accounts.
(c) Perimeter Controls. Perimeter controls secure the Company’s network against external attacks. Use firewalls, configured according to current technical standards and procedures, to separate the Company’s trusted network from the internet or internet-facing environments.
(d) Data and Network Segmentation. The Company may use technical controls, such as firewalls, access control lists, or other mechanisms, to segment some data or areas of its network according to risks. Segment Highly Confidential Information from the rest of the Company’s network, to the extent technically feasible and reasonable (see Section 3.3, Highly Confidential Information). Do not alter network segmentation plans without approval from the Information Security Coordinator.
(e) Encryption. The Company uses encryption to protect Confidential and Highly Confidential Information according to risks. Encryption may be applied to stored data (data-at-rest) and transmitted data (data-in-transit). Encrypting personal information may lower the Company’s liability in the event of a data breach.
Only use generally accepted encryption algorithms and products approved by the Information Security Coordinator. Periodically review encryption products and algorithms for any known risks.
Laws may limit exporting some encryption technologies. Seek guidance from Legal prior to exporting or making any encryption technologies available to individuals outside the US.
(i) Encryption Key Management. Encryption algorithms use keys to transform and secure data. Because keys allow decryption of the protected data, proper key management is critical. Select encryption keys to maximize protection levels, to the extent feasible and reasonable. Treat them as Highly Confidential Information.
Ensure that keys are available when needed to support data decryption by using secure storage methods and creating and maintaining secure backups. Track access to keys. Keys should never be known or available to only a single individual. Change encryption keys on a periodic basis according to risks.
(f) Data and Media Disposal. When the Company retires or otherwise removes computing, network, or office equipment (such as copiers or fax machines) or other information assets that may contain Confidential or Highly Confidential Information from the business, specific steps must be taken to scrub or otherwise render the media unreadable.
Simply deleting files or reformatting disks is not sufficient to prevent data recovery. Either physically destroy media, according to applicable waste disposal regulations, or scrub it using data wiping software that meets generally accepted data destruction standards.
(g) Log Management and Retention. The Company logs system and user activities on network, computing, or other information assets according to risks. Security controls or other network elements may also produce logs.
Secure log data and files to prevent tampering and retain them according to the Company’s records retention policy. Regularly review logs, using automated means where feasible, to identify any anomalous activities that may indicate a security incident.
(h) Physical (Environmental) Security. The Company uses physical safeguards to avoid theft, intrusions, unauthorized use, or other abuses of its information assets. You must comply with the Company’s current physical security policies and procedures and:
(i) position computer screens where information on the screens cannot be seen by unauthorized parties;
(ii) not display Confidential and Highly Confidential Information on a computer screen where unauthorized individuals can view it;
(iii) log off or shut down your workstation when leaving for an extended period or at the end of your work day;
(iv) house servers or other computing or network elements (other than end-user equipment) in secure data centers or other areas approved by the Information Security Coordinator;
(v) not run network cabling through unsecured areas unless it is carrying only Public Information or otherwise protected data, such as encrypted data;
(vi) deactivate network ports that are not in use; and
(vii) store end-user devices that are not in use for an extended period in a secure area or securely dispose of them (see Section 5.1(e), Data and Media Disposal).
(i) Disaster Preparedness (Business Continuity and Disaster Recovery). The Company develops, maintains, and periodically tests disaster preparedness plans. These plans support continuity of operations and systems availability if a disaster or other unplanned business-impacting event occurs. The plans must be developed, reviewed, and tested according to the Company’s Business Continuity Planning Policy and Procedures. Treat disaster preparedness plans as Confidential Information.
System administrators must perform regular data backups for the information assets they maintain according to the Company’s Backup Policy and Procedures. When selecting a backup strategy, balance the business criticality of the data with the resources required and any impact to users and network resources. Protect backups according to the information classification level of the data stored. Document and periodically test restoration procedures.
5.2 Managing Information Assets. IT manages IT operations and related activities at the Company.
Only Company-supplied or approved software, hardware, and information systems, whether procured or developed, may be installed in the Company’s IT environment or connected to the Company’s network.
IT must approve and manage all changes to the Company’s production IT environment to avoid unexpected business impacts. Direct questions regarding IT operations to email@example.com. Development environments must comply with this Policy and current IT standards to minimize information security risks.
(a) Procurement. Only IT, or those authorized by IT, may procure information assets for use in or connection to the Company’s network. This Policy applies whether software or other assets are purchased, open source, or made available to the Company at no cost. Seek guidance from the Information Security Coordinator early in the software development process to identify and manage information security risks before implementation. Before using cloud computing services to access, store, or manage Confidential or Highly Confidential Information, you must obtain authorization from Legal and the Information Security Coordinator (see Section 4.3(e)(iii), Cloud Computing).
(b) Asset Management. Track and document all information assets, including hardware, software, and other equipment, using the Company’s asset management system(s). This inventory tracking should include operating system levels and all installed software and software versions to support vulnerability identification and mitigation (see Section 9.2, Vulnerability Management). Update the asset inventory as assets are removed from the business. Confidential or Highly Confidential Information must have an assigned data owner who is responsible for tracking its location, uses, and any disclosures. Properly dispose of all data and media to help avoid a breach of Confidential or Highly Confidential Information (see Section 5.1(e), Data and Media Disposal).
(c) Authorized Environments and Authorities. Only authorized IT personnel, or other project personnel approved by IT, may install and connect hardware or software in the Company’s IT environment. Do not convert end-user computers to servers or other shared resources without assistance from IT. Limit administrative or privileged systems access to those individuals with a business need to know. IT must distribute administrative access and information regarding administrative processes to more than one individual to minimize risks.
Internet connections and internet-facing environments present significant information security risks to the Company. The Information Security Coordinator must approve any new or changed internet connections or internet-facing environments.
(d) Change Management. IT maintains a change management process to minimize business impact or disruptions when changes are made in the Company’s production IT environment. Change requests must be accompanied by an action plan that includes assigned roles and responsibilities, implementation milestones, testing procedures, and a rollback plan in case the change fails.
Implement and maintain a change management process to track identified problems, fixes, and releases during software development. Design these processes to include code archiving (versioning) tools so that earlier versions can be recovered and rebuilt, if necessary.
(e) Application and Software Development. To avoid any undue or unexpected impact to the Company’s production IT environment, application and other software development activities, including system testing, must take place in reasonably segmented environments. Maintain segregation of duties between development and operations. Developers may be granted limited access to production environments where personnel and expertise availability is limited, but only for specific troubleshooting or support purposes. Software development must take place in authorized environments (see Section 5.2(c), Authorized Environments and Authorities).
Use security-by-design principles to identify potential information security risks and resolve them early in the development process. Seek guidance from the Information Security Coordinator, critical vendors, industry experts, and best practices to identify and avoid application-level security risks. Pay particular attention to protecting Highly Confidential Information through encryption or other appropriate means. Use defensive coding techniques and regular code review and application-level scanning to identify and remediate any information security issues before releasing software.
6. Incident Reporting and Response.
The Information Security Coordinator maintains a security incident reporting and response process that ensures management notifications are made based on the seriousness of the incident. The Information Security Coordinator investigates all reported or detected incidents and documents the outcome, including any mitigation activities or other remediation steps taken.
6.1 Incident Reporting. Immediately notify firstname.lastname@example.org if you discover a security incident or suspect a breach in the Company’s information security controls. The Company maintains various forms of monitoring and surveillance to detect security incidents, but you may be the first to become aware of a problem. Early detection and response can mitigate damages and minimize further risk to the Company.
Treat any information regarding security incidents as Highly Confidential Information and do not share it, internally or externally, without specific authorization.
(a) Security Incident Examples. Security incidents vary widely and include physical and technical issues. Some examples of security incidents that you should report include, but are not limited to:
(i) loss or suspected compromise of user credentials or physical access devices (including passwords, tokens, keys, badges, smart cards, or other means of identification and authentication);
(ii) suspected malware infections, including viruses, Trojans, spyware, worms, or any anomalous reports or messages from anti-virus software or personal firewalls;
(iii) loss or theft of any device that contains the Company information (other than Public Information), including computers, laptops, tablet computers, smartphones, USB drives, disks, or other storage media;
(iv) suspected entry (hacking) into the Company’s network or systems by unauthorized persons;
(v) any breach or suspected breach of Confidential or Highly Confidential Information;
(vi) any attempt by any person to obtain passwords or other Confidential or Highly Confidential Information in person or by phone, email, or other means (sometimes called social engineering, or in the case of email, phishing); and
(vii) any other situation that appears to violate this Policy or otherwise create undue risks to the Company’s information assets.
(b) Compromised Devices. If you become aware of a compromised computer or other device:
(i) immediately deactivate (unplug) any network connections, but do not power down the equipment because valuable information regarding the incident may be lost if the device is turned off; and
(ii) immediately notify email@example.com.
6.2 Event Management. The Information Security Coordinator defines and maintains a security incident response plan to manage information security incidents. Report all suspected incidents, as described in this Policy, and then defer to the incident response process. Do not impede the incident response process or conduct your own investigation unless the Information Security Coordinator specifically requests or authorizes it.
6.3 Breach Notification. Applicable law may require the Company to report security incidents that result in the exposure or loss of certain kinds of information or that affect certain services or infrastructure to various authorities, affected individuals or organizations whose data was compromised, or both. Breaches of Highly Confidential Information (and especially personal information) are the most likely to carry these obligations (see Section 1.5, Regulatory Compliance). The Information Security Coordinator’s incident response plan includes a step to review all incidents for any required breach notifications. Coordinate all external notifications with Legal and the Information Security Coordinator. Do not act on your own or make any external notifications without prior guidance and authorization.
7. Service Providers: Risks and Governance.
The Information Security Coordinator maintains a service provider governance program to oversee service providers that interact with the Company’s systems or Confidential or Highly Confidential Information. The service provider governance program includes processes to track service providers, evaluate service provider capabilities, and periodically assess service provider risks and compliance with this Policy.
7.1 Service Provider Approval Required. Obtain approval from Legal and the Information Security Coordinator before engaging a service provider to perform functions that involve access to the Company’s systems or Confidential or Highly Confidential Information.
7.2 Contract Obligations. Service providers that access the Company’s systems or Confidential or Highly Confidential Information must agree by contract to comply with applicable laws and this Policy or equivalent information security measures. The Company may require service providers to demonstrate their compliance with applicable laws and this Policy by submitting to independent audits or other forms of review or certification based on risks.
8. Customer/Client Information: Managing Intake, Maintenance, and Customer/Client Requests.
The Company frequently creates, receives, and manages data on behalf of our customers/clients. With guidance from the Information Security Coordinator, each business unit develops, implements, and maintains an appropriate process and procedures to manage customer/client data intake and protection.
Business unit-specific customer/client data intake and protection processes may vary but must include, at minimum, means for (1) identifying customer/client data and any pertinent requirements prior to data intake or creation; (2) maintaining an inventory of customer/client data created or received; and (3) ensuring the Company implements and maintains appropriate information security measures, including proper data and media disposal when the Company no longer has a business need to retain the customer/client data (or is no longer permitted to do so by customer/client agreement).
8.1 Requirements Identification. Identify any pertinent customer/client data requirements prior to data intake or creation according to your business unit’s customer/client data intake and protection process. Requirements may be contractual, the result of applicable law or regulations, or both (see Section 1.5, Regulatory Compliance).
8.2 Intake Management. Business unit-specific customer/client data intake processes and procedures must provide for secure data transfer. Maintain an inventory of customer/client data that includes, at a minimum:
(a) a description of the customer/client data;
(b) the location(s) where the data is stored;
(c) who is authorized to access the data (by category or role, if appropriate);
(d) whether the data is Confidential or Highly Confidential Information;
(e) how long the data is to be retained (using criteria, if appropriate); and
(f) any specific contractual or regulatory obligations or other identified data protection or management requirements.
Treat any customer/client-provided personal information as Highly Confidential Information (see Section 3.3, Highly Confidential Information). To minimize risks for customers/clients and the Company, engage customers/clients in an ongoing dialogue to determine whether business objectives can be met without transferring personal information to the Company.
8.3 Customer/Client Data Protection. Protect all customer/client data the Company creates or receives in accordance with this Policy and the data’s information classification level, whether Confidential or Highly Confidential Information, in addition to any specific client-identified requirements.
8.4 Customer/Client Data and Media Disposal. Ensure that any customer/client data or media containing customer/client data is securely disposed of when it is no longer required for the Company’s business purposes, or as required by customer/client agreement (see Section 5.1(e), Data and Media Disposal). Update the applicable business unit customer/client data inventory accordingly.
9. Risk and Compliance Management.
The Company supports an ongoing risk management action cycle to (1) enforce this Policy; (2) identify information security risks; (3) develop procedures, safeguards, and controls; and (4) verify that safeguards and controls are in place and working properly.
9.1 Risk Assessment and Analysis. The Company maintains a risk assessment program to identify information security risks across its IT environment, including application software, databases, operating systems, servers, and other equipment, such as network components. The Information Security Coordinator coordinates risk assessment activities that may take several forms, including analyses, audits, reviews, scans, and penetration testing. Do not take any actions to avoid, impact, or otherwise impede risk assessments.
Only the Information Security Coordinator is authorized to coordinate risk assessments. Seek approval from Legal and the Information Security Coordinator prior to engaging in any risk assessment activities or disclosing any assessment reports outside the Company.
9.2 Remediation and Mitigation Plans. The Information Security Coordinator maintains and oversees remediation and mitigation plans to address risk assessment findings according to risk levels.
9.3 Vulnerability Management. Manufacturers, security researchers, and others regularly identify security vulnerabilities in hardware, software, and other equipment. In most cases, the manufacturer or developer provides a patch or other fix to remediate the vulnerability. In some situations, the vulnerability cannot be fully remediated, but configurations can be changed, or other steps taken to mitigate the risk created.
The Information Security Coordinator maintains a process to identify and track applicable vulnerabilities, scan devices for current patch status, and advise system administrators. Schedule any necessary updates using standard change management processes (see Section 5.2(d), Change Management) and according to risk level. Make all Company-owned devices available to IT for timely patching and related activities.
9.4 Compliance Management. The Company maintains compliance management processes to enforce this Policy. The Company may automate some monitoring and enforcement processes. If compliance management processes indicate that you may have acted contrary to this Policy, you may receive an automated notification or be contacted by the Information Security Coordinator to explain. In some cases, the Information Security Coordinator may contact your supervising manager or Human Resources to resolve the issue.
This Information Security Policy is effective as of 24th August 2020.
10.1 Revision History. Original publication