Information Security Policy
We intend to manage our information technology and information assets to maximize their efficient, effective, and secure use in support of our business and our customers. This document, the Information Security Policy (Policy), defines the governing principles for the secure operation and management of the information technology used, administered, and/or maintained by the company and for the protection of our information assets. Violations of this Information Security Policy must be reported to the Data Protection Officer (DPO) or to another officer assuming that role.
The purpose of this Policy is to define the responsibilities of our officers, employees, agents, and managers with respect to the appropriate use and protection of our information assets, and to ensure that our information assets are secure from unauthorized access, misuse, degradation, or destruction.
This Information Security Policy applies to the company, its managers, officers, employees, temporary employees, interns, vendors, consultants, contractors, and agents thereof, collectively referred to as "User(s)". The principles set forth in this Policy are applicable to all information assets, in all formats, in our control. ID123 reserves the right to amend this Policy or any part or provision of it.
Organizing Information Security
A. Information Security Coordination
The Data Protection Officer (DPO) is responsible for designing, implementing, and maintaining a company-wide information security program, in conjunction with other managers, and for assisting all teams in implementing and maintaining information management practices at their respective locations.
B. Allocation of information security responsibilities
The Data Protection Officer (DPO) is responsible for the overall security of information assets at the company. The DPO may delegate specific responsibilities related to information security to others within the company based on their job function.
C. Confidentiality Agreements
Employees, consultants, or contractors who use our information technology are required to read, understand, and agree to our Confidentiality and Work for Hire Agreement regarding their responsibilities and conduct related to the protection of our information assets.
D. Third Parties
The company may utilize third parties in support of delivering business services. When, as a result, these arrangements extend our information technology processes into the third parties' computing environments (for example, in the case of Application Service Providers (ASPs)), the third parties must contractually abide by this Policy, as applicable, unless specific additional provisions have been established through other contractual agreements.
A. Information Classification
Our information, whether in electronic or physical form, can be categorized into three classifications. Due care must be taken to protect our information assets in accordance with the three classifications, as described within this Policy.
- Confidential – Sensitive personally identifiable information (PII) used for business purposes within the company which, if disclosed through unauthorized means, could adversely affect our customers or personnel, and could have legal, statutory, or regulatory repercussions.
- Internal – Information related to our business that, if disclosed, accessed, modified, or destroyed by unauthorized means, could have a limited or significant financial or operational impact on us. Examples include strategic plans, vendors' proprietary information, responses to Requests for Proposals (RFPs), information protected by intergovernmental non-disclosure agreements or other non-disclosure agreements, and design documents.
- Public – Information intended for unrestricted public disclosure in the course of our business. Examples include press releases, public marketing materials, and employment advertisements.
B. Responsibility for Assets
- Ownership of Assets – All information collected, stored, and processed on our technology systems is the property of either ID123 or our Clients. Employees who use our technology systems should have no expectation of personal privacy in the information they store in or send through these systems, within the limits of the federal, state, and local laws of the United States and, where applicable, foreign laws.
- Acceptable and Unacceptable Use of Assets
- a. To effectively conduct our business and operations, we make available to authorized employees and third parties various information technology resources, including laptops, phones, tablets, e-mail services, chat applications, the Internet, and other communication and productivity tools. The use of these resources is intended for business purposes in accordance with Users' job functions and responsibilities.
- b. Users must not allow any consultant, visitor, friend, family member, customer, vendor, or other unauthorized people to use their network account, e-mail address, or other company-provided computer facilities. Users are responsible for the activities performed by and associated with the accounts assigned to them by the company.
- c. No User may use company-provided Internet or Intranet access, or Confidential or Internal information, to solicit or conduct any personal commercial activity, for personal gain or profit, or for solicitations not approved by the company.
- d. Users must not make statements on behalf of ID123 or its management, or disclose Confidential or Internal company information, unless expressly authorized in writing by senior management. This includes Internet postings on bulletin boards, newsgroups, chat rooms, or instant messaging.
- e. Users must protect Confidential or Internal information being transmitted across the Internet or public networks in a manner that ensures its confidentiality and integrity between a sender and a recipient. Confidential information such as Social Security numbers, credit card numbers, and electronic Protected Health Information (ePHI) must be transmitted using encryption software.
- f. Internal information such as email lists must not be posted to any external information source, listed in telephone directories, placed on business cards, or otherwise made available to third parties without the prior express written permission of the Data Protection
- g. Users must not install software on the company network and computer resources without prior express written permission from the Data Protection Officer. Peer-to-peer (P2P) applications, Voice over IP (VoIP), instant messenger (IM) applications, and remote access applications pose an especially high risk to the company, and their unauthorized use is strictly prohibited. No company business may be conducted on any device that allows P2P communication (such as music file-sharing applications) without explicit approval from the Data Protection Officer.
- h. Users must not copy, alter, modify, disassemble, or reverse engineer any authorized software or other intellectual property in violation of licenses provided to or by ID123. Additionally, Users must not download, upload, or share files in violation of U.S. patent, trademark, or copyright laws. Intellectual property that is created for the company by its employees, vendors, consultants, and others is property of ID123 unless otherwise agreed upon by means of third-party agreements or contracts.
- i. Users must not access the Internet, the Intranet, or e-mail to use, upload, post, mail, display, or otherwise transmit in any manner any content, communication, or information that, among other inappropriate uses:
- i. interferes with official company business;
- ii. is hateful, harassing, threatening, libelous or defamatory, pornographic, profane, or sexually explicit;
- iii. is deemed by the company to offend persons based on race, ethnic heritage, national origin, sex, sexual orientation, age, physical or mental illness or disability, marital status, employment status, housing status, religion, or other characteristics that may be protected by applicable civil rights laws;
- iv. impersonates a person (living or dead), organization, business, or other entity;
- v. enables or constitutes gaming, wagering, or gambling of any kind;
- vi. promotes or participates in unauthorized fundraisers;
- vii. promotes or participates in partisan political activities;
- viii. promotes or participates in unauthorized advertising of company projects and any advertising of private projects;
- ix. compromises or degrades the performance, security, or integrity of our technology resources and information assets;
- x. contains a virus, logic bomb, or malicious code;
- xi. constitutes participation in chain letters, unauthorized chat rooms, unauthorized instant messaging, spamming, or any unauthorized auto-response program or service.
- Anti-Virus and Malware Protection
All computers MUST have an anti-virus application installed that offers real-time scanning protection to files and applications running on the target system.
All employees must only use email services on computers and laptops that provide scanning services for malware and phishing detection.
Human Resources Security
A. Prior to Employment
All employees, consultants, and contractors who use company information technology as part of their job function are required to sign our Confidentiality and Work for Hire Agreement. Consultants and contractors who are hired to support our information technology infrastructure must be able to provide proof of background checks (including a statement of what checks are conducted and how they are conducted) prior to accessing our information technology infrastructure. The background checks must include a criminal background check.
B. During Employment
- Information Security Awareness, Education, and Training
Security awareness begins during the hiring process, and it is the responsibility of the User to remain aware of current security policies. Our Intranet site contains our Security Policies as well as educational materials. Users should read the Security Reminders that are periodically distributed by e-mail. Users must also read, and if necessary act on, any Information Security Notice that is displayed while logging on to company systems.
- Disciplinary Process
Any violation of this Policy, or any part or provision hereof, may result in disciplinary action, including termination and/or civil action and/or criminal prosecution.
C. Termination or Change of Employment
- Return of Assets
When a user leaves the company, all Information Assets remain the property of ID123. A User must not take away such information or take away a copy of such information when he or she leaves the company for any reason whatsoever.
- Removal of Access Rights
Upon termination of an employee or vendor, HR will provide the form used to notify the Netops team, which is also responsible for SaaS subscriptions. This team will create a checklist of the access granted to the terminated employee and confirm that this access has been removed. The terminated employee's manager will provide a list of the DevOps resources the terminated employee had access to and confirm that they have been removed. HR will confirm that all workstations and other company-supplied facilities are returned immediately. We may automatically disable or delete certain access or accounts prior to termination.
Communications and Operations Management
A. Protection Against Malicious Code
- It is our policy to conduct virus scanning of our technology resources to protect them from the threat of malicious code. We will attempt to intercept and/or quarantine any networking or computer resource that poses a virus threat to our information assets.
- All servers and workstations (networked and standalone) must have company-approved antivirus protection software installed, properly configured, and functioning at all times. Additionally, systems that have not been issued by the company but that use our network must also be protected by antivirus software.
- All incoming and outgoing e-mails must be scanned for viruses. Our company email accounts provide email scanning services by default.
- Users are responsible for ensuring that software, files, and data downloaded onto our workstations are properly scanned for viruses.
- Users must conduct virus scans on all external media received or used on company devices or networks.
- Users must ensure that all workstations (networked and standalone) have the most current antivirus signature files loaded.
Users must perform regular backups of files stored on a company-provided cloud file storage drive. No backups of company information assets may be taken on personal backup drives or personal cloud systems.
C. Disposal of Media
Except as otherwise provided by law or court order, electronic media will be destroyed according to our Data Destruction Policy.
1. Monitoring System Use
a. Employees and Contractors should have no expectation of privacy in their use of Internet services provided by the company. We reserve the right to monitor, for unauthorized activity, the information sent, received, processed, or stored on the company-provided network and computer resources, without the consent of the creator(s) or recipient(s). This includes the use of the Internet as well as our e-mail and instant messaging systems.
b. All information technology administrators, technicians, and any other employees who by the nature of their assignments have privileged access to networks or computer systems must obtain written approval from the DPO to monitor User activity.
2. Clock Synchronization
All server clocks must be synchronized in a manner approved by our DPO in order to provide for timely administration and accurate auditing of systems.
User Access Policy
A. User Access Management
- User Account Management
- Requests for access to Confidential and Internal data must be made in writing and approved by senior management.
- User accounts that have not been used for 90 days may be disabled without warning. After 180 days of inactivity, these accounts may be deleted without warning.
- Managers must notify the DPO of a change in employment status (such as when a User takes a leave of absence, transfers managers, or is terminated). The account of a User on a leave of absence can be retained, suspended, or deleted at the discretion of the User's manager.
B. User Responsibilities
1. Password Use
- All e-mail, network, domain accounts must be password protected. All new accounts will be created with a temporary password. The temporary password must be changed upon first use. Passwords must adhere to the company Password Policy.
- The use of password-protected screen savers is recommended to prohibit unauthorized system access. Screensavers should initiate after 15 minutes of inactivity. Password-protected screen savers are required on workstations that access Confidential information or Internal information.
C. Mobile Computing and Remote Access
- Laptops, off-site computers, and physical media that contain Confidential information must be encrypted using an encryption technique approved by the DPO. Physical media that contain Internal information must be protected using an encryption technique approved by the DPO, a strong logon password, or restricted physical access in order to protect the data.
- Personal media devices (for example, MP3 players such as iPods) must not be used as peripheral devices on company-issued workstations.
- Remote access is provided by the company as an information conduit to assist in the accomplishment of company duties and goals. Any other use is strictly prohibited. Requests for remote access must have a valid business reason and be approved by the DPO.
- All remote access connections must be through a secure, centrally administered point of entry approved by the company. Authorized remote access connections must be properly configured and secured according to company-approved standards including our password policy. All remote desktop protocol implementations must be authorized by the DPO. Remote access through unapproved entry points will be terminated when discovered.
- Non-company-owned computer equipment used for remote access must be approved and must also comply with company policies and standards. The company will not be responsible for maintenance, repair, upgrades, or other support of non-company-owned computer equipment used to access our network and computer resources through remote access services.
- Users may not utilize workstations that are shared with individuals who have not signed a Confidentiality Agreement with ID123 and must ensure that our data is removed or deleted if access to a workstation is offered to any other individual.
- All workstations or servers that are connected to company networks, whether directly or via remote access technologies, must use the most up-to-date anti-virus software (Norton 365 Premium). Any third-party connections to company networks must comply with the requirements stated in the Third Party Agreement.
Information Security Incident Management
A. Reporting Information Security Events and Weaknesses
- Violations of our Information Security Policy or any or all parts or provisions of this Policy must be reported to the DPO immediately.
- Users must ensure that the DPO is notified immediately whenever a security incident occurs. Examples of security incidents include a virus outbreak, defacement of a website, interception of email, blocking of firewall ports, and theft of physical files or documents.
- All reports of alleged violations of this Policy, or any part or provision hereof, will be investigated by the DPO. During the course of an investigation, access privileges may be suspended.
Encryption Algorithm Requirement
A. Ciphers in use must meet or exceed the set defined as "AES-compatible" or "partially AES-compatible" in the United States National Institute of Standards and Technology (NIST) publication FIPS 140-2, or any superseding documents. The use of the Advanced Encryption Standard (AES) is strongly recommended for symmetric encryption.
B. Algorithms in use must meet the standards defined for use in NIST publication FIPS 140-2 or any superseding document, according to date of implementation. The use of the RSA and Elliptic Curve Cryptography (ECC) algorithms is required for asymmetric encryption.
C. Key Agreement and Authentication
- Key exchanges must use one of the following cryptographic protocols: Diffie-Hellman, IKE, or Elliptic Curve Diffie-Hellman (ECDH).
- Endpoints must be authenticated prior to the exchange or derivation of session keys.
- Public keys used to establish trust must be authenticated prior to use.
- All servers used for authentication (for example, RADIUS or TACACS) must have installed a valid certificate signed by a known trusted provider.
- All servers and applications using SSL or TLS must have the certificates signed by a known, trusted provider.
- Cryptographic keys must be generated and stored in a secure manner that prevents loss, theft, or compromise.
- Key generation must be seeded from an industry-standard random number generator (RNG).
A. Compliance with Legal Requirements
1. Intellectual Property Rights
- Intellectual Property that is created for the company by its employees is property of ID123 unless otherwise agreed upon by means of third-party agreements or contracts.
- No User may transmit to, or disseminate from, the Internet any material that is protected by copyright, patent, trademark, service mark, or trade secret, unless such disclosure is properly authorized and bears the appropriate notations.
2. Prevention of Misuse of Information Processing Facilities
Users are prohibited from using our data processing facilities (including data centers, network cabinets or closets, and other facilities housing our technology equipment) in any way that violates any company Policy or federal, state, or municipal law.
3. Compliance with Relevant Laws and Regulations
ID123 is subject to certain laws and regulations related to information security and privacy of information. These laws and regulations, in some circumstances, may require additional safeguards for the protection of information beyond the stipulations of this Policy. (For example, when accessing credit/debit cardholder data remotely, it is never to be stored on local hard drives, floppy disks, or external media. Furthermore, cut-and-paste and print functions are prohibited during remote access sessions.) Accordingly, Users with access to Protected Health Information (PHI) must abide by HIPAA, and Users with access to credit/debit card information must abide by PCI, as applicable.
4. Compliance with Security Policies and Standards
All Users must read and sign our Confidentiality and Acceptable Use Agreement prior to being authorized to access our information technology and information assets.