1. Rotation requirements
   1. All system level passwords should be rotated on at least a quarterly basis. All user level passwords should be rotated at least every six months.
   2. If a credential is suspected of being compromised, the password in question should be rotated immediately and the Engineering/Security team should be notified.
2. Password protection
   1. All passwords are treated as confidential information and should not be shared with anyone. If you receive a request to share a password, deny the request and contact the system owner for assistance in provisioning an individual user account.
   2. Do not write down passwords, store them in emails, electronic notes, or mobile devices, or share them over the phone. If you must store passwords electronically, do so with a password manager that has been approved by IT. If you truly must share a password, do so through a designated password manager or grant access to an application through a single sign-on provider.
   3. Do not use the “Remember Password” feature of applications and web browsers.
   4. If you suspect a password has been compromised, rotate the password immediately and notify engineering/security.
3. Enforcement
   1. An employee or contractor found to have violated this policy may be subject to disciplinary action.

Policy Training Policy

Purpose and Scope:
1. This policy addresses policy education requirements for employees and contractors.
2. This policy applies to all full time employees, part time employees, and contractors. Adherence to assigned policies is binding under their Employment Offer Letter and/or Independent Contractor Agreement.

Applicability:
1. Upon hire of a new employee or contractor, the Hiring Manager will determine which subsets of policies will apply to that individual. The individual will have five working days to read the assigned policies. The following will be logged in the Policy Training Policy Ledger:
   1. Assignment date
   2. Completion date
   3. Policy
   4. Assignee
   5. Assigner
   6. Notes

Remote Access Policy

Purpose and Scope:
1. The purpose of this policy is to define requirements for connecting to the organization’s systems and networks from remote hosts, including personally owned devices, in order to minimize data loss/exposure.
2. This policy applies to all users of information systems within the organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by the organization (hereinafter referred to as “users”). This policy must be made readily accessible to all users.

Background
1. The intent of this policy is to minimize the organization’s exposure to damages which may result from the unauthorized remote use of resources, including but not limited to: the loss of sensitive, company confidential data and intellectual property; damage to the organization’s public image; damage to the organization’s internal systems; and fines and/or other financial liabilities incurred as a result of such losses.
2. Within this policy, the following definitions apply:
   1. Mobile computing equipment: includes portable computers, mobile phones, smart phones, memory cards and other mobile equipment used for storage, processing and transfer of data.
   2. Remote host: is defined as an information system, node or network that is not under direct control of the organization.
   3. Telework: the act of using mobile computing equipment and remote hosts to perform work outside the organization’s physical premises. Teleworking does not include the use of mobile phones.

Policy
1. Security Requirements for Remote Hosts and Mobile Computing Equipment
   1. Caution must be exercised when mobile computing equipment is placed or used in uncontrolled spaces such as vehicles, public spaces, hotel rooms, meeting places, conference centers, and other unprotected areas outside the organization’s premises.
   2. When using remote hosts and mobile computing equipment, users must take care that information on the device (e.g. displayed on the screen) cannot be read by unauthorized persons if the device is being used to connect to the organization’s systems or work with the organization’s data.
   3. Remote hosts must be updated and patched for the latest security updates on at least a monthly basis.
   4. Remote hosts must have endpoint protection software (e.g. malware scanner) installed and updated at all times.
   5. Persons using mobile computing equipment off premises are responsible for regular backups of organizational data that resides on the device.
   6. Access to the organization’s systems must be done through an encrypted and authenticated VPN connection with multi-factor authentication enabled. All users requiring remote access must be provisioned with VPN credentials from the organization’s information technology team. VPN keys must be rotated at least twice per year. Revocation of VPN keys must be included in the Offboarding Policy.
   7. Information stored on mobile computing equipment must be encrypted using full disk encryption of the hard drive.
2. Security Requirements for Telework
   1. Employees must be specifically authorized for telework in writing by their hiring manager.
   2. Only the device’s assigned owner is permitted to use remote nodes and mobile computing equipment. Unauthorized users (such as others living or working at the location where telework is performed) are not permitted to use such devices.
   3. Devices must be authorized using certificates.
   4. Users performing telework are responsible for the appropriate configuration of the local network used for connecting to the Internet at their telework location.
   5. Users performing telework must protect the organization’s intellectual property rights, whether for software or other materials that are present on remote nodes and mobile computing equipment.

Data Retention Policy

Purpose and Scope:
1. This data retention policy defines the objectives and requirements for data retention within the organization.
2. This policy covers all data within the organization’s custody or control, regardless of the medium the data is stored in (electronic form, paper form, etc.). Within this policy, the medium which holds data is referred to as information, no matter what form it is in.
3. This policy applies to all users of information systems within the organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information the organization owns or controls (hereinafter referred to as “users”). This policy must be made readily available to all users.

Background
1. The organization is bound by multiple legal, regulatory and contractual obligations with regard to the data it retains. These obligations stipulate how long data can be retained, and how data must be destroyed. Examples of legal, regulatory and contractual obligations include laws and regulations in the local jurisdiction where the organization conducts business, and contracts made with employees, customers, service providers, partners and others.
2. The organization may also be involved in events such as litigation or disaster recovery scenarios that require it to have access to original information in order to protect the organization’s interests or those of its employees, customers, service providers, partners and others. As a result, the organization may need to archive and store information for longer than it may be needed for day to day operations.

Policy
1. Information Retention
   1. Retention is defined as the maintenance of information in a production or live environment which can be accessed by an authorized user in the ordinary course of business.
   2. Information used in the development, staging, and testing of systems shall not be retained beyond its active use period nor copied into production or live environments.
   3. By default, the retention period of information shall be an active use period of exactly two years from its creation unless an exception is obtained permitting a longer or shorter retention period. The business unit responsible for the information must request the exception.
   4. After the active use period of information is over in accordance with this policy and approved exceptions, information must be archived for a defined period. Once the defined archive period is over, the information must be destroyed.
   5. Each business unit is responsible for the information it creates, uses, stores, processes and destroys, according to the requirements of this policy. The responsible business unit is considered to be the information owner.
   6. The organization’s legal counsel may issue a litigation hold to request that information relating to potential or actual litigation, arbitration or other claims, demands, disputes or regulatory action be retained in accordance with instructions from the legal counsel.
   7. Each employee and contractor affiliated with the company must return information in their possession or control to the organization upon separation and/or retirement.
   8. Information owners must enforce the retention, archiving and destruction of information, and communicate these periods to relevant parties.
2. Information Archiving
   1. Archiving is defined as secured storage of information such that the information is rendered inaccessible by authorized users in the ordinary course of business but can be retrieved by an administrator designated by company management.
   2. The default archiving period of information shall be 7 years unless an approved exception permits a longer or shorter period. Exceptions must be requested by the information owner.
   3. Information must be destroyed (defined below) at the end of the elapsed archiving period.
3. Information Destruction
   1. Destruction is defined as the physical or technical destruction sufficient to render the information contained in the document irretrievable by ordinary commercially available means.
   2. The organization must maintain and enforce a detailed list of approved destruction methods appropriate for each type of information archived, whether in physical storage media such as CD-ROMs, DVDs, backup tapes, hard drives, mobile devices, portable drives or in database records or backup files. Physical information in paper form must be shredded using an authorized shredding device; waste must be periodically removed by approved personnel.
4. Retention and archival periods for information that is created, processed, stored and used by the organization are defined internally.

Risk Assessment Policy

Purpose and Scope:
1. The purpose of this policy is to define the methodology for the assessment and treatment of information security risks within the organization, and to define the acceptable level of risk as set by the organization’s leadership.
2. Risk assessment and risk treatment are applied to the entire scope of the organization’s information security program, and to all assets which are used within the organization or which could have an impact on information security within it.
3. This policy applies to all employees of the organization who take part in risk assessment and risk treatment.

Background
A key element of the organization’s information security program is a holistic and systematic approach to risk management. This policy defines the requirements and processes for the organization to identify information security risks. The process consists of four parts: identification of the organization’s assets, as well as the threats and vulnerabilities that apply; assessment of the likelihood and consequence (risk) of the threats and vulnerabilities being realized; identification of treatment for each unacceptable risk; and evaluation of the residual risk after treatment.

Policy
1. Risk Assessment
   1. The risk assessment process includes the identification of threats and vulnerabilities having to do with company assets.
   2. The first step in the risk assessment is to identify all assets within the scope of the information security program; in other words, all assets which may affect the confidentiality, integrity, and/or availability of information in the organization. Assets may include documents in paper or electronic form, applications, databases, information technology equipment, infrastructure, and external/outsourced services and processes. For each asset, an owner must be identified.
   3. The next step is to identify all threats and vulnerabilities associated with each asset. Threats and vulnerabilities must be listed in a risk assessment table. Each asset may be associated with multiple threats, and each threat may be associated with multiple vulnerabilities. A sample risk assessment table is provided as part of the Risk Assessment Report Template (reference (a)).
   4. For each risk, an owner must be identified. The risk owner and the asset owner may be the same individual.
   5. Once risk owners are identified, they must assess:
   6. The risk level is calculated by adding the consequence score and the likelihood score.

   Description of Consequence Levels and Criteria:

   Description of Likelihood Levels and Criteria:

   1. Risk Acceptance Criteria
      1. Risk values 0 through 2 are considered to be acceptable risks.
      2. Risk values 3 and 4 are considered to be unacceptable risks. Unacceptable risks must be treated.
2. Risk Treatment
   1. Risk treatment is implemented through the Risk Treatment Table. All risks from the Risk Assessment Table must be copied to the Risk Treatment Table for disposition, along with treatment options and residual risk. A sample Risk Treatment Table is provided in reference (a).
   2. As part of this risk treatment process, the CEO and/or other company managers shall determine objectives for mitigating or treating risks. All unacceptable risks must be treated. For continuous improvement purposes, company managers may also opt to treat other risks for company assets, even if their risk score is deemed to be acceptable.
   3. Treatment options for risks include the following options:
   4. After selecting a treatment option, the risk owner should estimate the new consequence and likelihood values after the planned controls are implemented.
3. Regular Reviews of Risk Assessment and Risk Treatment
   1. The Risk Assessment Table and Risk Treatment Table must be updated when new risks are identified. At a minimum, this update and review shall be conducted once per year. It is highly recommended that the Risk Assessment and Risk Treatment Tables be updated when significant changes occur to the organization, technology, business objectives, or business environment.
4. Reporting
   1. The results of risk assessment and risk treatment, and all subsequent reviews, shall be documented in a Risk Assessment Report.

Vendor Management Policy

Purpose and Scope:
1. This policy defines the rules for relationships with the organization’s Information Technology (IT) vendors and partners.
2. This policy applies to all IT vendors and partners who have the ability to impact the confidentiality, integrity, and availability of the organization’s technology and sensitive information, or who are within the scope of the organization’s information security program.
3. This policy applies to all employees and contractors that are responsible for the management and oversight of IT vendors and partners of the organization.

Background
The overall security of the organization is highly dependent on the security of its contractual relationships with its IT suppliers and partners. This policy defines requirements for effective management and oversight of such suppliers and partners from an information security perspective. The policy prescribes minimum standards a vendor must meet from an information security standpoint, including security clauses, risk assessments, service level agreements, and incident management.

Policy
1. IT vendors are prohibited from accessing the organization’s information security assets until a contract containing security controls is agreed to and signed by the appropriate parties.
2. All IT vendors must comply with the security policies defined and derived from the Information Security Policy (reference (a)).
3. All security incidents by IT vendors or partners must be documented in accordance with the organization’s Security Incident Response Policy (reference (b)) and immediately forwarded to the Information Security Manager (ISM).
4. The organization must adhere to the terms of all Service Level Agreements (SLAs) entered into with IT vendors. As terms are updated, and as new ones are entered into, the organization must implement any changes or controls needed to ensure it remains in compliance.
5. Before entering into a contract and gaining access to the parent organization’s information systems, IT vendors must undergo a risk assessment.
   1. Security risks related to IT vendors and partners must be identified during the risk assessment process.
   2. The risk assessment must identify risks related to information and communication technology, as well as risks related to IT vendor supply chains, to include sub-suppliers.
6. IT vendors and partners must ensure that organizational records are protected, safeguarded, and disposed of securely. The organization strictly adheres to all applicable legal, regulatory and contractual requirements regarding the collection, processing, and transmission of sensitive data such as Personally Identifiable Information (PII).
7. The organization may choose to audit IT vendors and partners to ensure compliance with applicable security policies, as well as legal, regulatory and contractual obligations.

Workstation Policy

Purpose and Scope:
1. This policy defines best practices to reduce the risk of data loss/exposure through workstations.
2. This policy applies to all employees and contractors. Workstation is defined as the collection of all company owned and personal devices containing company data.

Policy:
1. Workstation devices must meet the following criteria:
   1. Operating system must be no more than one generation older than current
   2. Device must be encrypted at rest
   3. Device must be locked when not in use or when the employee leaves the workstation
   4. Workstations must be used for authorized business purposes only
   5. Loss or destruction of devices should be reported immediately
   6. Laptops and desktop devices should run the latest version of antivirus software that has been approved by IT
2. Desktop & laptop devices
   1. Employees will be issued a desktop, laptop, or both by the company, based on their job duties. Contractors will provide their own laptops.
   2. Desktops and laptops must operate on macOS or Windows.
3. Mobile devices
   1. Mobile devices must be operated as defined in the Removable Media Policy, Cloud Storage, and Bring Your Own Device Policy.
   2. Mobile devices must operate on iOS or Android.
   3. Company data may only be accessed on mobile devices with Slack and Gmail.
4. Removable media
   1. Removable media must be operated as defined in the Removable Media Policy, Cloud Storage, and Bring Your Own Device Policy.
   2. Removable media is permitted on approved devices as long as it does not conflict with other policies.