Cascade Strategies Security Awareness Training
Purpose
The purpose of this Security Awareness Training Policy is to ensure that all employees, contractors, and third-party users understand and comply with our organization’s security policies and procedures. This policy aims to reduce security risks, protect sensitive information, and foster a culture of security awareness within the organization.
Scope
This policy applies to all employees, contractors, and third-party users who have access to the organization’s information systems and data. This includes full-time, part-time, and temporary staff, as well as consultants and vendors.
Additionally, this policy covers all internal computer systems, computer networks, electronic communications, facilities, and other related computing assets used to transmit, store and process data, text, and software used by .
Policy Statement
All individuals covered by this policy are required to participate in security awareness training programs designed to educate them about their security responsibilities and the best practices for protecting the organization’s information assets.
Responsibilities
- HR Department: Coordinate and manage the onboarding process, including initial security training for new hires.
- IT Department: Develop and deliver security training content, track training completion, and provide technical support.
- Managers: Ensure their team members complete the required training and understand their security responsibilities.
- Employees: Actively participate in security awareness training programs and adhere to the organization’s security policies and procedures.
Assumptions
In order to establish and maintain a secure environment, Information Security Policies must be developed and enforced. Management supports the information security program and all Policies, Procedures and Standards created under the program. With Management oversight, all Security Policies will be reviewed at least yearly, or sooner when a change in Policy dictates.
The Standards, Procedures and Guidelines required to implement the Information Security Policy will be established in separate documents. All Policies outlined in this document must be enforced. Any provision that cannot be enforced will be placed in the Guidelines or Procedures document and should be complied with, except where extenuating circumstances prevail. Adopting these Policies will make us much more valuable to ourselves, our Clients and our Partners.
The primary purpose of this document and its companion documents, ‘Information Security Procedures’ and other security guideline documents (e.g., CIS_Microsoft_Windows_7_Benchmark_v1.2), is to provide a secure environment for through enforceable policies, standardized device requirements, standardized build procedures and awareness of these issues.
The underlying goal of the policies will be in four areas:
- Confidentiality – Assuring that sensitive data is read only by authorized individuals, and is not disclosed to unauthorized individuals or the public.
- Integrity – Protecting data or software from improper modification.
- Availability – Ensuring that systems, networks, applications, and data are on-line and accessible when authorized users need them.
- Accountability – The ability to tell who did what; a means of verifying compliance with security policies and procedures.
Any deviation from the approved policy can only be authorized via an exception or waiver granted by an authorized company official and approved via the Information Security Department.
Requirements
- Initial Training: All new hires must complete security awareness training within 30 days of their start date.
- Annual Training: All employees, contractors, and third-party users must complete an annual security awareness course.
- Specialized Training: Employees in roles with access to sensitive information or critical systems (e.g., IT staff, data custodians) must complete additional specialized training.
- Ad-hoc Training: As needed, additional training sessions will be conducted to address specific security incidents, new threats, or changes in policies and procedures.
Training Content
The security awareness training program will cover, but is not limited to, the following topics:
- Information Security Policies: Overview of the organization’s security policies and procedures.
- Phishing and Social Engineering: Recognizing and responding to phishing attempts and social engineering tactics.
- Password Management: Best practices for creating, using, and managing strong passwords.
- Data Protection: Handling sensitive information securely, including data classification and encryption.
- Physical Security: Protecting physical access to the organization’s facilities and devices.
- Incident Reporting: Procedures for reporting security incidents or suspicious activities.
- Mobile Device Security: Securing mobile devices used for work purposes.
- Internet and Email Usage: Safe browsing and email practices to avoid malware and data breaches.
Compliance and Monitoring
- Completion Tracking: The HR department, in collaboration with IT, will track the completion of security awareness training programs.
- Audits: Regular audits will be conducted to ensure compliance with the training requirements.
- Non-Compliance: Employees who fail to complete the required training within the specified timeframe may face disciplinary action, up to and including termination of employment.
Policy
User Identities (User-IDs) and Passwords are an important aspect of computer security. They are the front line of protection for user accounts. Individual and unique User-IDs are necessary for providing accountability for user activities. Good/Strong passwords limit the chances that a User-ID will be misused. As such, all employees (including customers, contractors, and vendors) with access to systems are responsible for taking the appropriate steps, as outlined below.
Access to all proprietary computer systems, applications and infrastructure devices requires a unique User-ID and Password. Access to multiple IDs and Domains will not be permitted unless there is a valid business reason accompanied by an approved Exception via the Information Security team. Enforcing a single and unique Domain credential per individual enables to maintain the level of individual accountability required by our clients. Additionally, in order to strengthen this security posture to meet regulatory requirements, all externally accessible computer systems, applications and infrastructure devices will require the use of a 2-Factor authentication mechanism.
All passwords are to remain confidential to the assigned user. Users are never permitted to share User-IDs and/or Passwords; they must remain confidential. Similarly, all 2-Factor authentication credentials must remain confidential to the assigned user. 2-Factor authentication users are not permitted to share their User-IDs or their 2-Factor mechanisms (Tokens, PINs, etc.).
Specific provisions are as follows:
User Identity Policy
- Unique User-IDs are assigned to individuals according to the User-ID naming conventions; this pertains to the current 2-Factor authentication mechanisms as well.
- All users of the current 2-Factor authentication mechanisms will be assigned a uniquely serial-numbered mechanism which identifies a specific individual; their User-ID will be assigned to this mechanism.
- All default vendor accounts are to be disabled or have their passwords changed. These include the Windows Administrator account, UNIX root, database server DBA accounts, Cisco router Enable accounts, and the default accounts of other infrastructure devices.
- User Identities are never to be hard-coded into applications.
- User-IDs and 2-Factor authentication mechanisms are never to be shared with anyone.
- All default accounts must be changed and/or disabled after initial installation of a system.
Password Policy
- All system-level passwords (e.g., root, enable, Windows admin, application administration accounts, etc.) must be changed periodically.
- All user-level passwords (e.g., Domain, email, web, desktop computer, etc.) must be changed at least every 90 days. An exception applies where a 2-Factor mechanism is used to authenticate to a system: these mechanisms generate new passcodes, so password expiration may not apply to those accounts.
- User accounts that have system-level privileges granted through group memberships or programs such as “sudo” or custom created Windows Domain (or Built-in) groups must have a unique password from all other accounts held by that user (no shared accounts).
- Where SNMP is used, the community strings must be defined as something other than the standard defaults of “public,” “private” and “system” and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).
- All user-level and system-level passwords must conform to the guidelines described below.
- All service accounts, where feasible, must have their passwords changed every 90 days or, at the very least, annually.
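The SNMP requirement above (no default community strings, and community strings distinct from interactive login passwords) is easy to audit mechanically from a device's running configuration. The following is an added example, not part of this policy or its Procedures document: it scans an IOS-style configuration (the `snmp-server community` / `enable password` / `username ... password` syntax, the sample device and every credential value are assumptions constructed for the example) and reports a line number and reason for each violation without echoing the secret itself.

```python
import re

# Default community strings named in the policy; matched case-insensitively
# to be conservative, since an auditor cannot assume how the agent compares them.
DEFAULT_COMMUNITIES = {"public", "private", "system"}

# IOS-style syntax (assumption for this example):
#   snmp-server community <string> [view <name>] [RO|RW] [acl]
#   enable password [0] <string>
#   username <name> password [0] <string>
# "enable secret" lines are hashed and therefore not comparable; they are skipped.
COMMUNITY_RE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)", re.IGNORECASE)
ENABLE_PW_RE = re.compile(r"^\s*enable\s+password\s+(?:0\s+)?(\S+)", re.IGNORECASE)
USER_PW_RE = re.compile(r"^\s*username\s+\S+\s+password\s+(?:0\s+)?(\S+)", re.IGNORECASE)


def interactive_passwords(config_lines):
    """Collect clear-text interactive login passwords present in the config."""
    found = set()
    for line in config_lines:
        for pattern in (ENABLE_PW_RE, USER_PW_RE):
            m = pattern.match(line)
            if m:
                found.add(m.group(1))
    return found


def audit_snmp_config(config_lines):
    """Return [(line_number, reason), ...] for every community string that
    violates the policy. The community string itself is deliberately not
    included in the finding so audit reports do not leak credentials."""
    logins = interactive_passwords(config_lines)
    findings = []
    for lineno, line in enumerate(config_lines, start=1):
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        community = m.group(1)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, "default community string"))
        if community in logins:
            findings.append((lineno, "community string matches an interactive login password"))
    return findings


# Constructed sample configuration for a hypothetical router; all values are made up.
SAMPLE_CONFIG = [
    "hostname edge-rtr-1",
    "enable password Summer2024!",
    "username netops password 0 Summer2024!",
    "snmp-server community public RO",
    "snmp-server community Summer2024! RW",
    "snmp-server community z7Qk-mon-ro RO 10",
]

if __name__ == "__main__":
    for lineno, reason in audit_snmp_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {reason}")
```

Run against a real configuration, the script would be fed the output of `show running-config` one line per list element; only the two reasons named in the policy are reported, so a clean result means "no default and no reuse", not that the SNMP deployment is otherwise sound.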
Password, PIN, and Passcode Protection Standards
Do not use the same password, passcode, or PIN for accounts as for other non-access (e.g., personal ISP account, option trading, benefits, etc.).
Do not share passwords, passcodes, or PINs with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, Confidential information.
Here is a list of “don’ts”:
- Don’t reveal a password over the phone to ANYONE
- Don’t reveal a password in an email message
- Don’t reveal a password to your manager
- Don’t talk about a password in front of others
- Don’t hint at the format of a password (e.g., “my family name”)
- Don’t reveal a password on questionnaires or security forms
- Don’t share a password with family members
- Don’t reveal a password to co-workers while on vacation
- Don’t use the “Remember Password” feature of applications (e.g., IE, Firefox); this feature should be disabled.
Do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Smart Phones or similar devices) without encryption.
Change passwords at least once every 90 days
If an account or password is suspected to have been compromised, report the incident to the Information Security Group and change all passwords.
Password cracking or guessing may be performed on a periodic or random basis by InfoSec or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it.
Storage and Transmission of Passwords
All passwords are to be stored in secure encrypted databases. Insecure authentication protocols such as telnet and ftp MUST be avoided when possible. Instead, ssh (Secure Shell) should be used for logins to critical/high-risk servers. If insecure protocols are used, they should be augmented with other controls that can mitigate the risk of passwords and user IDs being discovered. These would include the use of VPN protocols (IPSec, L2TP, PPTP, Secure FTP, SSL) or third-party authentication (SecurID, digital certificates, two-factor authentication).
Customer Accounts
- All customer remote access accounts are to be expired or renewed annually. Confirmation must be obtained from customers to renew their existing accounts
- Customers are to be provided unique User-IDs for each individual customer. The use of the User-IDs and corresponding passwords must be accounted for in formal contract provisions with each customer.
- Customers must notify whenever User-IDs are no longer valid
Vendor User-ID and Password Provisions
- An approved list of vendor employees and their unique IDs must be obtained and managed.
- All vendor remote access accounts are to be expired or renewed annually. Confirmation must be obtained from the vendors to renew their existing accounts on an annual basis.
- Vendors are to be provided unique User-IDs. The use of the User-IDs and corresponding passwords must be accounted for in formal contract provisions with each vendor.
- Vendors must notify whenever User-IDs are no longer valid
- All vendor User-IDs must remain disabled until right before the actual work is performed; upon completion of the work, the vendor User-ID must be disabled again to ensure the account is not used until necessary.
Database Account Policy
Computer programs running on networks often require the use of one of the many internal database servers. In order to access one of these databases, a program must authenticate to the database by presenting acceptable credentials. The database privileges that the credentials are meant to restrict can be compromised when the credentials are improperly stored. In addition, the level of privileges should be as restrictive as possible. No account used by a Web Server or application server may have DBA authority; DBA authority must be restricted to the DBA function, and programs must use separate, specific, non-privileged credentials.
Storage of Database User Names and Passwords
- When handling sensitive data, database credentials may reside on the database server. In that case, a hash identifying the credentials may be stored in the executing body of the program’s code.
- Pass through authentication (i.e., Oracle OPS$ authentication) must not allow access to the database based solely upon a remote user’s authentication on the remote host.
- Passwords or pass phrases used to access a database must adhere to the Password Policy.
Access to Database User Names and Passwords
- Every program or every collection of programs implementing a single business function must have unique database credentials. Sharing of credentials between programs is not allowed.
- Database passwords used by programs are system-level passwords as defined by the Password Policy.
- Developer groups must have a process in place to ensure that database passwords are controlled and changed in accordance with the Password Policy. This process must include a method for restricting knowledge of database passwords to a need-to-know basis.
Application for Access
The requestor emails the request to the Helpdesk. All requests are cross checked with the approved authorized account initiator request list.
The Helpdesk sets up user accounts for an employee, client or other 3rd party. All requests received by the Helpdesk for setting up a user account are logged via email.
A request for User account additions, changes, or deletions must be properly authorized prior to being the application owner.
Employee Access Request
- An employee’s manager must send a request to the Helpdesk.
- The Helpdesk fulfills the access request for User Adds, Modifications, and Deletions
- The Helpdesk completes the work order and sends an e-mail to the requestor stating that the request was completed.
- If a new User Account was set up, the user name assigned to the new account is included in the e-mail.
- The e-mail also asks the requestor to call the Helpdesk to obtain the password assigned when the new user account was created.
- The User is forced to change their password upon initial logon
Employee Terminations
Upon the termination of an employee, the applicable manager must submit a termination request to HR. An email is sent from HR to the Information Security Group for disabling the employee’s user accounts.
The accounts that are disabled are logged via email. All terminated employees’ accounts must be disabled in a timely manner. Helpdesk representatives will regularly review the termination list and confirm that the associated user accounts were disabled in a timely manner.
In order to determine what to disable when a user is terminated, a listing must be maintained for all users of the data they have access to.
The Security Department and Helpdesk are responsible for ensuring that all network services linked to the terminated user account are also disabled. The Helpdesk notifies System Administrators as needed to disable services that the Helpdesk does not have security privileges to access. The System Administrators will confirm to the Helpdesk, in a timely manner, when the account’s network access was disabled. Upon the completion of disabling all services associated with this user ID, the request is marked complete.
Client Access Requests
Requests may be submitted by an authorized person in the Sales Department, Client Services Department, or Business Department, or by another authorized designee. All requests must be forwarded to the Helpdesk. Special services, such as Remote Access and Site-to-Site VPN access, require the approval of the Information Security Managers.
Upon receipt of a request for an addition, change or deletion of a user account, the Helpdesk determines that the information contained in the request is complete to perform the task properly. If the information provided with the request is inadequate, the Helpdesk will either return the request or contact the requestor to obtain the information needed.
Policy Enforcement
At Senior Management’s discretion, intentional misuse of the contained Policy Directives resulting in a breach of any part of this policy will result in disciplinary action.
Deliberate violations of the policy:
- Will be subject to actions defined in the Compliance and Enforcement section of this document.
- May result in termination of a Client, Business Partner or Vendor contract
- Will be carefully weighed against the severity of the breach and may result in prosecution of the violating entities
Access Control & Authorization
Access control and authorization means controlling user or device access to a computing system or to data residing on a system, and ensuring those entities have been assigned the proper rights to specific computing systems or data (e.g., a user is authorized to read a file but is not authorized to modify it).
- All employees will be limited to the least amount of rights or privileges required to perform their job function.
- These rights must be reviewed yearly to ensure that least amount of rights or privileges are enforced.
- Employees must not attempt to access drives, shares, systems, software or network devices unless they have been explicitly tasked to do so by their manager and have been granted access by IT Management.
- Managers have the responsibility to monitor their employees for potential unauthorized access or misuse.
- All removable media devices, such as USB drives, are prohibited.
Information Owner
Information Owners are managers with the authority for acquiring, creating, and maintaining information and information systems within their assigned area of control. In the case of storing client information, the client representative will take on this role to ensure that all Information Ownership responsibilities of the client are being met.
The Information Owner is responsible for ensuring:
- A classification hierarchy is agreed upon and is appropriate for the types of information processed for the particular business / unit.
- Information within the area for which the senior business unit manager (Information Owner) has been designated Owner is categorized using the classifications defined in the Data Classification section.
- For each classification type, the appropriate levels of information security safeguards are available (e.g., the logon controls and access permissions applied by the Information Custodian provide the required levels of confidentiality). Appropriate contingency planning efforts exist for this information.
- Information (or specific application systems) is categorized according to a criticality scale defined by the Information Security Department.
- User access to information is granted on a need-to-know basis.
- Appropriate privacy regulations are addressed in the classification of data.
- Implementation of appropriate separation of duties on a need-to-know basis, rather than rank or position.
- Ensure that employees and users of the information understand and abide by this policy.
- Report any violation of this policy to Information Security.
- Periodically check to ensure that information continues to be classified appropriately and that the safeguards remain valid and operative.
Data Ownership & Classification
If information is sensitive, confidential or for internal use only, from the time it is created until the time it is destroyed or declassified, it must be labeled with an appropriate data classification designation.
Ownership
- It is necessary for an owner to be identified for all data assets in order to classify data assets.
- In accordance with the classifications outlined in this policy, all owners of data are responsible for identifying, classifying and labeling their data.
- All electronic documents must be minimally, clearly labeled in the Header (Top) and Footer (Bottom) portions of the document (Procedures)
- All Hard copy and Media types must be clearly labeled as well, with the proper designation (Procedures)
- Default Classification for data is either Confidential Company Data or Confidential Customer Data
Confidential Company Data
- Applies to highly sensitive information that is intended for use only within by restricted, select individuals and must not be publicly disclosed
- This information may pose an adverse effect to if disclosed or released to the public, possibly carrying significant fiscal, civil or criminal liability
- Recipients of information in this classification may disclose it to other individuals only with prior authorization from the identified owner, on a ‘need to know’ basis.
- This information can be re-classified by the owner
- Ex: Strategic Business Plans, Cryptographic Keys, Personal Employee Information
Confidential Customer/Client Data
- Applies to highly sensitive customer/client data that must not be disclosed outside of the authorized .
- This information may pose an adverse effect to , Customer/Client relationships and related entities if disclosed or released to unauthorized individuals; possibly carrying significant fiscal, civil or criminal liability
- This information must be clearly labeled and protected from malicious and non-malicious exposure.
- Ex: Customer/Client proprietary information (IT Architecture, Client lists), non-public individual information (social security or medical information)
- When applicable, all information defined by the Customer as Confidential will be stored and transmitted encrypted
Internal Use Only
- This classification applies to all other information, which does not clearly fit into the above classifications, that any authorized entity can access internally within .
- Its unauthorized disclosure is not permitted
- Unintentional disclosure is not expected to seriously nor adversely impact , its employees, its business partners, and/or its customers.
- Ex: Maintenance schedules, new employee training materials, internal policy manuals
Public Data
- Applies to information that any entity, internal or external, can freely access. data that:
- Has been explicitly approved by for release to the public
- May be freely exchanged and disseminated without potential harm or liability to .
- Ex: product and service brochures, advertisements, job opening announcements, press releases
Sensitive Data Definitions
HIPAA
The HIPAA Privacy & Security Rule protects the privacy of individually identifiable health information, called protected health information (PHI). The combination of these Rules protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. “Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
Roles and Responsibilities
Information Security Department
The Information Security Department is responsible for managing and overseeing the companywide Information Security posture such that risk and associated costs are managed per Executive direction.
Duties and Responsibilities Include:
- Review and approve Firewalls/Firewall rules, Intrusion Detection Systems, network design solutions, Business unit applications, and technical systems to determine and mitigate the risks and vulnerabilities.
- Develop, guide, and manage the Information Security program to ensure that controls are in place to monitor for compliance with established objectives of the company and its customers.
- Conduct Vulnerability and Risk assessments concerning critical business applications, within a variety of operating systems, and throughout the network infrastructure on a continual basis.
- Monitor the network via an Intrusion Prevention System (IPS) and address events on a case-by-case basis.
- Lead and coordinate vendor, partner and customer risk reviews, audits and compliance validations.
- Facilitate / Participate in contingency planning, yearly system disaster recovery testing and mock disaster planning/session events.
- Authorize and manage all new and existing information security systems and data
- Provide the highest level of technical expertise and support with thorough risk assessments, penetration testing and the implementation of appropriate data security procedures, technical solutions and products.
- Oversee the product review processes and controls to ensure that the security related portions of IT systems exist and function as required.
- Oversee the administration, processing and provisioning of all user logical and physical access.
- Maintain an awareness of existing and proposed security standards, policies and procedures, including State and Federal legislation / regulations pertaining to information security while communicating the relevant information to all levels of staff.
- IT Security team members, when applicable, will join and take part in relevant special interest groups and monitor IT Security forums and websites (e.g., the SANS Internet Storm Center, http://isc.sans.edu/).
- Draft, facilitate approval, and monitor the Information Security Policy, Process and Standards.
Life Cycle
All data confidentiality, integrity and accuracy must be maintained throughout the life cycle of the data. Typical data life cycle entails:
- Generation – when the data is created or placed into an electronic format or derived from an electronic format (document, print, scan, fax, voice to text, etc.)
- Use – time or phase when the data provides meaning and value to , its Vendors, or Customers
- Storage – type or place where the data resides during the useful part of its life cycle
- Disposal – when the data is deemed no longer useful it must be destroyed or properly disposed of.
Account Management
New User Accounts
- User Accounts must be created that uniquely identify individuals. Creation and Use of group, default, generic or shared user-IDs are prohibited
- All newly created accounts will be disabled until the start date of the user
- New Users must receive their passwords after acknowledgment of Information Security Policy and Handbook
Privileged User Accounts
- Privileged User Accounts must be Approved and Created by Information Security
- Privileged User Accounts must be created that uniquely identify individuals. Creation and Use of group, default, generic or shared user-IDs are prohibited
- Privileged User Accounts will be disabled until the start date of the user
- Privileged User Accounts must receive their passwords after acknowledgment of Information Security Policy and Handbook.
Default Accounts
- Application and other default accounts must be deleted after installation is complete. If needed, the account should be renamed, and password changed. Exception must be approved by President or Operations Manager.
Sharing of User Accounts
- Uniquely created user accounts may not be shared with anyone other than the specific individual they were created for; all users must log on with only their own ID.
Inactive Accounts
Unprivileged accounts that have been inactive for 90 days must be disabled and remain disabled until the department manager notifies the security department that the account needs to be re-enabled or the account is purged from the system.
Privileged accounts that have been inactive for 30 days will be disabled. These accounts will only be re-enabled when their use is necessary and only by a request of the responsible manager.
Disabled User Accounts
- All disabled accounts must be removed 90 days after the disablement date.
Remote Access
All users remotely accessing the network must use a higher level of Authentication, such as Two-Factor Authentication or Biometrics, in addition to an encrypted connection (such as TLS 1.2 encryption at a minimum).
User Account Change
- Any activity involving an account change (i.e. responsibility change or job transfer) must be well documented; prior written approval must be received from the responsible department manager
- All employees incurring a job function change must not attempt to access data their old job function previously allowed
Passwords
Default Account Passwords
- All devices, operating systems and software installations with default accounts created must have the passwords of those accounts changed immediately or prior to the device or software being placed on a ‘live’, production environment.
Password Expiration
- All users will be required to change their password on a regular basis.
- All systems must enforce password expiration, requiring a user to change it.
No Documented Passwords
- Passwords must not be documented in any way.
- Passwords must not be written down (by hand, electronically, or in print) and stored anywhere.
- Passwords must not be distributed through email or any other clear-text media
- Unauthorized use of password crackers is prohibited
Password History
- Passwords must not be re-used or recycled. Password history files must be set to disallow the reuse of passwords.
Minimum Length of Passwords
- The minimum password length is 8 characters, with password complexity enforced (passwords must contain upper-case, lower-case, numeric and special characters). This length must be set uniformly, to an industry-acceptable value, at the Operating System or Network level and enforced at creation (see Procedures for specific settings).
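The Password History and Minimum Length rules above are what an application or identity service enforces at the moment a user sets a new password. The following added example, which is not from this policy or its Procedures document, implements both checks: the four character classes and 8-character minimum come from the policy text, while the history depth of 24 entries, the PBKDF2 parameters, and the idea of storing history as salted hashes rather than plaintext are assumptions made for the example. Previous passwords are never kept in clear text; each history entry is a salt and a PBKDF2-HMAC-SHA256 digest, and a candidate is re-hashed under each stored salt for comparison.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

MIN_LENGTH = 8          # from the policy text
HISTORY_DEPTH = 24      # assumption: how many previous passwords are remembered
PBKDF2_ROUNDS = 200_000 # assumption: work factor for the history hashes

HistoryEntry = Tuple[bytes, bytes]  # (salt, digest)


def complexity_failures(candidate: str) -> List[str]:
    """Return the complexity rules the candidate violates; an empty list means it passes."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in candidate):
        failures.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        failures.append("no special character")
    return failures


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256 so the history file never holds a reusable secret."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(candidate: str, history: List[HistoryEntry]) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH passwords."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate_digest = hash_password(candidate, salt)
        if hmac.compare_digest(candidate_digest, digest):  # constant-time compare
            return True
    return False


def validate_new_password(candidate: str, history: List[HistoryEntry]) -> List[str]:
    """All reasons a proposed password must be rejected; empty list means accept."""
    failures = complexity_failures(candidate)
    if in_history(candidate, history):
        failures.append("matches a previously used password")
    return failures


def record_password(password: str, history: List[HistoryEntry]) -> None:
    """Append the accepted password's salted hash to the user's history."""
    history.append(hash_password(password))


if __name__ == "__main__":
    # Constructed demonstration values; none of these are real credentials.
    user_history: List[HistoryEntry] = []
    record_password("Old!Pass1", user_history)
    for attempt in ("Old!Pass1", "short1!", "Fresh#Word9"):
        print(attempt, "->", validate_new_password(attempt, user_history) or "accepted")
```

The complexity check reports every failing rule at once rather than stopping at the first, which is what a user-facing error message needs; the history comparison deliberately uses `hmac.compare_digest` so timing does not reveal how far a match progressed.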
Compromised Passwords
- Passwords of other Users may not be stolen or used by another User; disciplinary actions will be taken with users engaging in this activity.
- Users believing their passwords have been compromised or if a user knows of another individual who has had their password compromised must immediately report this incident to the Information Security Manager.
- Compromised passwords must be immediately changed by a Helpdesk System Administrator and the new password verbally provided to the affected user.
Password Creation Policy
- All employees, clients, contractors or vendors requiring a logon must receive password policy and creation guideline documents, to aid in the secure use of passwords and constructing stronger passwords.
- Users must not share or use the same “known” password of another user, see “Compromised Passwords”
- All passwords must be set to be changed after the initial use.
Unapproved Program/Device Usage
- All employees, unless a member of IT, must not change or uninstall any software on their workstations or remove any devices from their workstations.
- All employees, unless a member of IT, must not install any software on their workstations or add any devices to their workstations.
- Use of all programs, applications and devices must be approved and accepted by the IT and Security Departments prior to installation or implementation.
- An inventory of all applications will be completed on a yearly basis. All unapproved or unlicensed software will be removed.
- All Wireless devices must have a clear approved business purpose prior to installation or implementation
- Unapproved devices will be immediately removed from the premises; possible disciplinary action may be taken
Network Computing Access
Network Devices
- All access must be limited to authorized users only according to their job function.
- All network administration must be logged and documented.
- All administrators of Network devices must use unique usernames and passwords, where applicable.
- Enabled ports and services running on network border devices must have a clear business purpose; the value must outweigh the risk.
- Clear-text protocols must not be utilized for administration access purposes (see Procedures).
- Border devices must be used to block or filter known malicious or ‘blackholed’ networks
- Ports and Services from the internal network to the Internet shall be limited by border devices, to avoid malicious acts such as IP spoofing, Spamming, DDoS attacks, Virus and Trojan exposure to other networks. Egress filtering should be implemented on the border routers.
- A separate network segment, a De-Militarized Zone (DMZ), must be established for all externally accessible servers and devices, filtering all unnecessary IP addresses, ports and services; ingress and egress filtering must apply here.
Servers
- All access must be limited to authorized users only according to their job function.
- Auto-Locking Screen Savers, or other time-out device, must be utilized to ‘lock’ an idle Server after 5 minutes of elapsed time.
- All system administration must be logged and documented.
- All system administrators must use unique usernames and passwords
- All sensitive data must be stored in the appropriate file directories on file servers and proper permissions will be assigned to only individuals who require access to that data to perform their job function.
Workstation Devices
- All access must be controlled through use of a unique username and password
- Auto-Locking Screen Savers must be utilized to ‘lock’ an idle workstation after 5 minutes of elapsed time. If the workstation is not capable of auto-locking, the inactivity timer must be accommodated via the application (please reference the application programming section below).
- All data must be stored on the network, not a local desktop workstation drive. This will ensure availability of the data as well as provide a means for disaster recovery in case an incident (accidental or intentional) occurs.
- All Client data must be securely stored within a server environment; Client data may not be saved to a local workstation hard drive.
Application Programming – When Applicable
- Applications that utilize, display or manipulate sensitive data must be controlled through use of a unique username and password.
- Applications that utilize, display or manipulate sensitive data must include an inactivity timer set to 15 minutes of elapsed time unless an inactivity timer is already accommodated via the workstation.
- Access to Application Source Code is restricted to authorized personnel only
Clean Desk
A clean desk environment must be maintained at all times, and in particular prior to leaving your work area. The information this measure is meant to protect is ‘Confidential Customer’, ‘Confidential Corporate’ and ‘Internal Use’ designated information; other sensitive information specific to various departments may also apply. These types of information must be visibly removed from the work area and locked in a secure device or cabinetry prior to leaving the work area.
All employees must:
- Remove all hardcopy documents with sensitive information from their work area prior to leaving their work area
- Remove all hard copy sensitive documents from printers immediately after printing
- Ensure all unclaimed sensitive hardcopies left in print areas are shredded at the end of the day
- Clean all whiteboards after use
- Ensure Message/Cork boards are free of sensitive information
- Lock their computers before leaving their work area
- Ensure sensitive display areas are out of view in high traffic areas (screen protectors and blinds can help)
- Password protect Cell Phones/Laptops
- Not leave passkeys, ID badges or keys unprotected; these must be locked up or kept on their person
- Lock all sensitive material in cabinets
- Remove all USB “thumb” drives, CD’s, DVD’s or other data media containing any sensitive or confidential information from their work area, prior to leaving their work area
Accountability and Monitoring
Accountability Logging
- All critical networking devices and computing systems must generate logfiles and alerts showing all additions, modifications, and deletions to the configurations and key system files of such devices and systems
- All critical production server and application systems, which handle sensitive corporate and customer information, must generate logfiles and alerts that show every access, addition, modification, and deletion to such sensitive information.
- All user account creation, deletion, modification and privilege change activity performed by systems administrators and others with privileged user accounts must be securely logged and regularly monitored.
- All failed access attempts to all network devices and computing systems must be logged and monitored; if an account is locked out the incident must be reported to the Information Security Group, fully investigated and an Incident Response Report completed.
- Only users pre-approved by the Information Security Manager have access to the logged data. This prevents any tampering with the data.
- All system clocks must be synchronized to a central time server for logging purposes, for example time.nist.gov.
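As an added illustration, not part of the policy, the following monitoring logic applies two of the Accountability Logging rules to a constructed log sample: privileged account changes (creation, deletion, modification, privilege change) are surfaced for review, and an account lockout is raised as an incident to report to the Information Security Group, together with the failed-attempt count that preceded it. The key=value log format, host names and user names are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample log (assumed key=value format, not any real product's output).
SAMPLE_LOG = """\
2024-05-16T09:01:12Z host=fs01 user=jdoe event=login_failed src=10.0.0.8
2024-05-16T09:01:20Z host=fs01 user=jdoe event=login_failed src=10.0.0.8
2024-05-16T09:01:31Z host=fs01 user=jdoe event=login_failed src=10.0.0.8
2024-05-16T09:01:33Z host=fs01 user=jdoe event=account_locked src=10.0.0.8
2024-05-16T09:05:02Z host=dc01 user=admin.kim event=privilege_change target=svc_backup detail=added_to_Domain_Admins
2024-05-16T09:07:45Z host=fs01 user=asmith event=login_success src=10.0.0.21
2024-05-16T09:09:10Z host=dc01 user=admin.kim event=user_created target=tmp_contractor
"""

# Events the policy requires to be securely logged and regularly monitored.
PRIVILEGED_EVENTS = {"user_created", "user_deleted", "user_modified", "privilege_change"}


@dataclass
class Alert:
    when: str
    host: str
    kind: str    # "lockout" or "privileged_change"
    detail: str


def parse_line(line: str) -> dict:
    """Split '<timestamp> key=value ...' into a dict; the timestamp lands under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def review_accountability_log(text: str) -> tuple[list[Alert], Counter]:
    """Return (alerts requiring action, failed-login counts per (host, user))."""
    alerts: list[Alert] = []
    failed: Counter = Counter()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        key = (ev.get("host", "?"), ev.get("user", "?"))
        if ev["event"] == "login_failed":
            failed[key] += 1
        elif ev["event"] == "account_locked":
            # Policy: a lockout must be reported, investigated and written up.
            alerts.append(Alert(ev["ts"], key[0], "lockout",
                                f"{key[1]} locked out after {failed[key]} failures; "
                                "report to Information Security Group and open an Incident Response Report"))
        elif ev["event"] in PRIVILEGED_EVENTS:
            alerts.append(Alert(ev["ts"], key[0], "privileged_change",
                                f"{key[1]} performed {ev['event']} on {ev.get('target', '?')} "
                                f"{ev.get('detail', '')}".strip()))
    return alerts, failed


if __name__ == "__main__":
    for alert in review_accountability_log(SAMPLE_LOG)[0]:
        print(alert.when, alert.host, alert.kind, alert.detail)
```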
Remote User Auditing
- All remote user activity must be recorded to a central alerting and logging system
- All unusual activity must be reported to the Information Security Manager, investigated and an Incident Response Report generated
System/Network Monitoring
- All critical network segments must have Network-based Intrusion Detection System (NIDS) sensors installed to detect attacks, intrusions, misuse, backdoors, and other malicious or unwanted events occurring across the network infrastructure
- All Intrusion Detection Sensors (HIDS/NIDS) must be centrally monitored in real-time by trained, qualified security personnel
Risk Assessment
Testing
- All computing systems and devices residing on all critical Network Segments must be regularly tested by the Information Security group for known security vulnerabilities to ensure such vulnerabilities are remediated. This includes computer, network and physical vulnerabilities, for example in laptops, servers, firewalls and cabling.
- Information Security will audit the remediation including patch levels at least once a year.
- All newly configured or installed computing systems and devices must be tested and approved by the Information Security group, prior to placing on a production segment of the network.
- A report must be generated at least quarterly and distributed to the proper IT groups detailing the results of vulnerability testing as well as available fixes or updates.
- A Risk Assessment will be performed on a periodic basis which must include, at minimum:
  - Vulnerability scans for internal and external resources including IS systems
  - Full port/service discovery of all devices
  - Non-intrusive overall Risk and threat assessment
  - Penetration Testing
  - ISO 27001 Policy Compliance Assessment
  - Wireless Rogue system detection
Alert Monitoring
- Each IT Infrastructure vertical will be monitored for its corresponding third-party Information Security alerts, vulnerability warnings and standards. These alerts, newsletters, standards and vulnerability warnings will be reviewed, evaluated and incorporated into the Information Security Policy, Process or Standards as applicable.
Incident Response
All attempted or successful incidents of suspicious behavior must be fully investigated, possibly resulting in dismissal and/or prosecution if the act is intentionally malicious. Preservation of the evidence must be a priority during an investigation, as it may be needed to identify the incident and the possible suspects.
Examples of possible incidents warranting investigation:
- Unauthorized System or Data Access Attempts
- Successful Unauthorized System or Data Access
- Exploit of a system vulnerability
- Introduction of a Trojan, Virus or Worm into the environment
- Stolen Passwords or unauthorized cracking of password files
- Denial of Service attack against the network or a specific host
- Stolen Computer related equipment
- Successful Unauthorized System Changes
- Unauthorized use of Network, System or Security Tools
- Intentional misuse of a device or software
- Unauthorized physical access to data center or any office
- Human error causing
Anonymous Reporting
- Anonymous reporting of incidents is fully encouraged; anonymity will be completely maintained
- Call the Main Number and leave a message
Response
- All reported suspicious incidents must be responded to in a timely manner dependent upon: type of incident, type of data involved, and current risk presented
- All incident investigations must be led by the Data Security Manager or an appointee of the Data Security Manager
Client Attempts
- If an incident involves a Customer account or Customer data, the Customer must be immediately informed of the incident.
Collection of Data
- will utilize the appropriate vendor to maintain the chain of custody and integrity of the data.
Incident Reports
- All investigations of incidents must be well documented from the time of discovery, through evidence gathering, to resolution and possible criminal action.
- A comprehensive, final Incident Response Report must be generated and distributed to the CIO and applicable management.
Incident Response Plan/Procedure
- The Incident response plan/procedure must be regularly reviewed, maintained and updated (once per year).
- Annual testing is required in order to demonstrate the effectiveness of the plan, validate the roles and responsibilities, and confirm the documentation’s compliance with NIST principles and standards.
User Account Status Change
User Responsibility Change
- Any activity involving an account change (i.e. responsibility change or job transfer) must be well documented; prior written approval must be received from the responsible department manager (See Procedures for process).
- All employees incurring a job function change must not attempt to access data their old job function previously allowed
Terminations
- Employee terminations must be immediately and verbally reported to Human Resources, the Physical Security Manager and the Data Security Manager. Where applicable, prior notice of the event is advised.
- All Clients, Contractors or Vendors must immediately notify their Business Representative of the termination of any of their employees who have active accounts
- Client, Contractor or Vendor terminations must be immediately reported to the VP of Infrastructure, Physical Security Manager and the Data Security Manager.
- If a termination is hostile, all of the relevant Client, Contractor or Vendor accessed accounts must be immediately disabled and data links terminated.
- Accounts and data links of resigned or mutually terminated employees, clients, contractors or vendors will be disabled on the last day of employment or contracted date.
- Any activity involving a termination must be well documented utilizing the Account Change Form. The department manager of the employee must complete this form. In the case of Client, Contractor or Vendor terminations, the department leader responsible for the Client, Contractor or Vendor must complete this form.
- Files of Terminated User Accounts may be archived for future use
- All Company owned software, hardware, licensed technology or other property must be returned upon termination. If software or hardware is installed on a home PC, the equipment must be returned and/or the software must be uninstalled. A screenshot or log file may be required as proof of such actions.
- If an employee is terminated, they are not allowed to attempt to logon, locally or remotely, to a computer system or our network without permission from their department manager
Data Handling
- The company does not use production data in a test or development environment. The use of production databases containing personal information or any other sensitive information for testing purposes is prohibited unless the data does not contain sensitive data or personally identifiable data.
Mobile Devices
- Mobile devices, i.e. Laptops, Cell Phones, etc. must not contain “Confidential Customer” or Client data, unless such information is safeguarded via encryption or alternate controls approved by Information Security
- All Company issued mobile devices, i.e. Laptops, Mobile Media, etc. are required to have Whole Disk Encryption (WDE) protection deployed and always enabled.
- Access to Global resources is strictly prohibited on any bring your own device (BYOD) except for Global guest WiFi.
- Mobile devices must be reasonably secured to ensure against compromise:
  - Password protected
  - Securely locked while not in use
  - Kept updated for security patches
  - Where applicable, ensure the latest Anti-virus updates are performed
  - Auto-locking screensavers where available within 5 minutes of inactivity
- Any lost or stolen mobile devices should be reported to Information Security within 48 hours
- Prior approval by the Information Security department is needed before connecting to the corporate wireless network.
- Users should only utilize encrypted protocols such as HTTPS or an SSL VPN when connecting to open wireless or other hotspots.
Physical Access
Facility
- The entrances to all offices have a standardized electronic access device that allows secure entry into the facility.
- A receptionist is posted in all offices. Physical access to the company is not granted without permission.
- All facilities maintenance and repair that could lead to a compromise of the physical integrity of the building will be noted in the Facility Management Log.xlsx
- All offices/areas that store confidential information will be locked and only necessary personnel will have the ability to unlock them
- All assets deemed critical by will be protected by surge protectors and/or UPS systems
- All wiring closets are locked to protect from any unauthorized access
- Visitors must sign the visitors’ log
- All visitors must be escorted to any sensitive areas within the premises.
- reserves the right to inspect all packages leaving and entering the facility
- All packages must be delivered to the receptionist or designated employee
Data Center
- All entrances to the Data Center have an electronic standardized access device that allows secure entry into the facility:
  - Badge access
  - Biometric fingerprint
- CCTV recordings are managed by the building.
- Log files and video tapes are reviewed when necessary
Equipment Removal
- All equipment being removed from the premises must be pre-authorized by the appropriate manager and logged in the Global Equipment Removal spreadsheet.
- Security Officers must log removal of all equipment; details such as date, time, description and serial numbers must be recorded
Security Awareness and Education
To enhance the knowledge of our employees, Data Security Awareness and Education must be incorporated into all areas of the company:
- New Hire Orientation
- Bulletin boards or posters highlighting ‘Best Practices’
- Email, regularly scheduled brief awareness emails
- Annual revalidation of the Acceptable Use policy
- Security awareness training topics to include, but not limited to:
  - Data classification
  - Personal data and compliance
  - Cyber Risk
  - Malware
  - Phishing
  - Social Engineering
  - Mobile devices and BYOD
  - Social media and being safe online
  - Passwords and authentication
  - Removable media
- All employees must receive a copy of the document titled, “Acceptable Use policy” and be directed to an accessible copy of this document.
- All employees with job duties that involve security incident response must receive periodic training to ensure they are kept abreast of the most recent tools and methodologies in dealing with security breaches.
- At time of hire, all employees must sign the employee handbook, which will include a section that covers the Information Security Policy and Privacy, Security and Non-Disclosure of sensitive information.
Third Party Management
At no time does a vendor or sub-contractor receive any client or PII information. If it is necessary and its employees will only provide client or PII information under:
- The direction of the client
- The request is received in writing
Any use of a vendor or sub-contractor requires the following:
- Signing the corporate NDA
- Written verification that the client is aware of the involvement of a third-party vendor or subcontractor should PII be involved
- A criminal background check, including Dun &amp; Bradstreet if appropriate
- Signing of the Security NDA
- Successful completion of the Security and Awareness training and test
- Agree to comply with a third-party security review if should deem it necessary.
All NDAs, security training and background checks are only valid for 12 months from initial signing and must be reviewed at the end of that period if the vendor’s or sub-contractor’s services are still required.
Compliance and Enforcement
All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination, in accordance with the Sanction Policy.
Last update: May 16, 2024