GM Information Security Controls
- Christal Floyd
- 6 years ago
Transcription
Table of Contents
Responsibility to Maintain
GM's Right to Monitor
Personal Privacy
Comply with Applicable Laws and Site Specific Restrictions
Physical of GM's IT Assets
Theft and Loss
Malicious Code Prevention
Password Use and Protection
Laptop Network
Mobile Device
Travel
Classifying GM
Labeling of GM
Handling of GM Classified
Encryption of GM
Digital Signatures
Disposal of
Key Points
must take individual responsibility for protecting GM Resources
are expected to only access GM, and the computing and communication resources for which they are authorized and have a need
must abide by applicable laws and regulations
are responsible for the physical security and care of computing equipment.
Refer to the GM Glossary for definitions

Executive Summary
This volume of the Controls contains the information security requirements applicable to users. It is expected that all users understand their responsibility to safeguard GM. All Employees and authorized users connecting to GM network resources and viewing or storing GM must adhere to GM's ; whether the computing equipment is GM owned or non-GM owned.

How These Controls Apply to You
are expected to understand their responsibility to safeguard GM and GM's IT assets regardless of classification. This includes the following:
Complete GM awareness training upon being given initial access to GM resources in order to understand the value of GM, and the responsibility to protect it
Take individual responsibility for protecting GM Resources including remaining vigilant against suspicious attempts to acquire GM by telephone, , or other socially-engineered means

General Principles and Applicability
a. GM in any form is considered an asset of GM and must be protected in accordance with the requirements outlined in the Policy and Controls.
b. Computing equipment and associated software are provided by GM to users as tools to support GM business operations and user job-related functions.
c. Employees and connecting to GM network resources or viewing or storing GM must adhere to the GM Policy and Controls regardless of computing device used, location, or ownership of device.
d. Employee-owned or contractor-supplied computing equipment is also subject to these governing GM to the extent that it is used to create, distribute and print GM
Records or access GM Resources, including the requirements set forth in the ILM Record Retention Policy and Schedule.
e. All GM is proprietary regardless of classification and must be protected.
f. It is the responsibility of GM employees, other GM system users, and service providers to protect GM from unauthorized disclosure, modification, or destruction.
g. GM classified as PERSONAL INFORMATION must be protected appropriately, based on data protection laws and regulations, and only shared based on a need to know principle. To determine whether particular information constitutes PERSONAL INFORMATION in any jurisdiction, and applicable restrictions on processing and handling of such information, including restrictions on the transmission across national borders, contact the Global Privacy Center at GM Headquarters or the Legal Staff. For more information, visit the Global Privacy Center.
h. GM must be protected against unauthorized disclosure during the disposal process.

Implementation Requirements

2.1 Responsibility to Maintain
must not engage in any activities which could disrupt or compromise the confidentiality, integrity or availability of GM or GM's IT assets, (e.g., maintaining confidentiality of passwords)
must protect all GM according to the provisions of these Controls relating to the authorized release of GM including any electronic distribution, (e.g., attachments, Lotus Notes databases, social networking sites, and web pages).

2.2 GM's Right to Monitor
Employees and users acknowledge, in accordance with local law, that GM and / or GM's Third-party Service Providers:
Have the right to monitor, audit, store, retrieve, or otherwise capture any electronic information occurrence, including but not limited to transmissions, sessions, or storage that occurs over its owned, controlled, or connected computing and communication resources, (e.g., content, Instant Message, Text Messages, voice mail content, network addresses, frequency of occurrence, and identification of specific on-line services)
Reserve the right to block, alter priority, or terminate execution of, or access to, any service or activity that diminishes the effectiveness of use of computing and communication networks by whatever means it deems necessary
May temporarily or permanently disconnect any user, division, or subsidiary to prevent any further unauthorized activity
Will report any violation of local, state, federal, or international laws to the appropriate authorities.
Has the right to review, audit, or monitor or messages created, stored or transmitted on GM , instant messaging and social networking systems
All GM , instant messaging and social networking messages and associated records remain the sole property of GM and may be deleted or disclosed at any time without prior notice
Employees and users acknowledge that violation of the Policy and Controls may be used as a basis for the possible termination of employment and/or criminal penalties, including fines and imprisonment
GM employees, contractors, suppliers, and business partners, must cooperate with internal and external auditors and provide timely responses.

2.3 Personal Privacy
should have no expectation of privacy, other than provided by local laws, concerning their use of GM and GM's IT Assets, including but not limited to , corporate approved instant messaging tools, GM-provided computing equipment, the GM Intranet, GM-provided access to the public Internet, or other GM Systems. The required use of passwords to gain access to GM and GM's IT Assets is for GM's protection; password protection does not imply that users can expect that their communications and use of GM and GM's IT Assets are private
specifically consent to having their use and communications monitored and recorded to the extent permitted by applicable law when using GM and GM's IT Assets.

2.4 Comply with Applicable Laws and Site Specific Restrictions
are responsible for any software or any other material that is not provided by GM on GM computing equipment.
must have the appropriate license or permission to use the software or other material and are responsible for any consequences of not having the appropriate authorization
GM reserves the right to remove any software not provided by GM on GM-provided computing equipment without notice to the user.
If appropriate, GM may also seek to recover the costs for rebuilds or other expenses associated with the use or installation of the software on GM computing equipment
must not copy software on GM computing equipment for installation on home or other computers
Employees must obtain the copyright owner's permission before reproducing or photocopying a non-GM copyrighted work.
2.4.5 A copyright notice must be used on General Motors copyrighted works that takes the following form:
o XXXX, i.e., year of first publication, if applicable, General Motors Company. All Rights Reserved.
o The notice may also contain the GM business unit responsible for the work
must adhere to site specific authorized use requirements for mobile devices
Use of employee-owned computing and communication resources for business purposes is prohibited unless expressly allowed by GM Management or the IT site manager, (e.g., Cell Phones, Smart Phones, and PDAs).

2.5 Physical of GM's IT Assets
are responsible for the physical security and care of end user computing equipment assigned to them by GM
are responsible for the physical security and care of their mobile device(s) and must be careful not to damage it during transportation, subject it to extreme temperatures, or expose it to liquids and/or magnetic fields
must employ reasonable means to physically secure their computing equipment when not in use, including using locking devices or storing in a locked cabinet to minimize the risk of loss or damage to a laptop
must lock devices in a secure compartment when left unattended. Devices left unattended in vehicles must not be visible.

2.6 Theft and Loss
If a laptop or mobile device storing GM is lost or stolen, the user must do the following:
Immediately notify their management, GM Global and IT
Complete a GM Global Reporting & Investigations Tool (GRIT) form for all losses
If a laptop is stolen, notify the appropriate local law enforcement agency
Specific to Mobile Devices:
For GM issued mobile devices, contact GM's service desk, open a case and request the service be stopped
For user owned devices, contact the appropriate wireless carrier or vendor and request account / device suspension.

2.7 Malicious Code Prevention
must not compromise the malicious code prevention efforts of the company or otherwise create the possibility of malicious code being introduced into GM computing systems
must connect to GM networks to install security software and upgrade packages, (e.g., virus protection and patches), as soon as they are made available or as directed by GM
must take individual responsibility for protecting GM Resources by avoiding risky IT behavior and installing required software or security upgrades as directed by GM IT, (e.g., enewsline communications, required patch notifications)
All malware infections must be reported immediately to the GM Service Desk. All performing suppliers and vendors must inform the GM Manager of malware infections that impact GM.

2.8 Password Use and Protection
are required to adhere to the GM password control requirements when selecting and using passwords
are required to keep passwords confidential and not share them with other users
are required to enable appropriate protections for unattended information processing equipment, (e.g., terminate sessions, enable screensavers, and log off)
are required to protect sensitive information from casual observation or theft, (e.g., don't leave sensitive information unattended)
must take due care when using removable media and be aware of the associated risks to the GM environment, (e.g., malware, loss / theft of Intellectual Property)
Laptop users must make all reasonable efforts to store GM on a secured server, where access is controlled, (e.g., H drive, network S drive, SharePoint)
must ensure GM stored on removable media is not the sole existing copy
may not store GM on a laptop for any longer than is necessary to fulfill a specific business need and must delete or transfer laptop data to a secure device as soon as practically possible.

2.9 Laptop Network
Only users with GM issued laptops may connect to General Motors corporate wireless networks.
2.9.2 with GM issued laptops may connect to a wired or wireless public network only if the laptop has the GM issued Virtual Private Network (VPN) solution. must browse the Internet through the VPN
with non-GM issued laptops that contain GM may connect to a personal or corporate wired or wireless network only if the user's network complies with the minimum GM IT security standards

Mobile Device

Asset Management
GM owned and managed mobile devices must not be shared with anyone not authorized by the primary user to operate the device in accordance with GM's Acceptable Use Practices
Screen must be locked after, no longer than, 30 minutes of inactivity
Where available, anti-virus (AV) software is required on AV-compatible mobile devices accessing or storing GM or any third party information GM has an interest in protecting
must not circumvent the vendor security features or GM policy, (e.g., jail break), on GM-issued or personally owned mobile devices accessing GM / networks

Camera and Video Restrictions
Mobile devices equipped with camera / video capabilities are permitted unless local facility policy prohibits their use. Local facility management has the right to restrict or forbid the making of images or videos with mobile devices equipped with camera and / or video capabilities
Photos and recording of sound are only allowed when authorized
Permission must be obtained from individuals involved before taking photos, recording sound or videoing them
Written permission must be obtained from individuals involved before publishing or sending photos, recorded sound or video to anyone else or to any website

Access Controls Requirements
GM issued mobile devices may only download / install / use applications available from GM approved app stores
GM issued mobile devices may automatically connect to known or stored networks; automatic connection to unknown WiFi or Bluetooth networks must be disabled.
For mobile devices containing GM, or third party information which GM has an interest in protecting, all GM business-related data connectivity must occur through a GM IT approved secure connection, (e.g., SSL, SSH, and VPN)
Non-GM issued mobile devices may not connect to the GM production network. They may connect to the GM Guest network, GM authorized test networks, and applications available via GM approved methods

Travel
must not access GM Classified in a public place, such as on a train, aircraft, bus, or on any unsecured wireless connection, such as a coffee shop if it can be viewed by others
must not leave an asset containing GM unattended in unsecured public areas, such as airport lounges, check-in counters, hotel lobbies, restrooms and conference centers
must not put computing equipment in checked baggage when traveling, except as required by law
should label computing equipment and carrying cases with their desk or mobile telephone number and must not use a General Motors business card or any other identifier with the General Motors logo
should only place computing equipment on X-Ray or other security scanning systems to coincide with their entering the human scanning systems to minimize the opportunity of theft
should store computing equipment in a hotel room safe where available
If a suitable room safe is not available then users should keep the computing equipment in the user's possession whenever reasonably possible
If a room safe is not available and if it is unreasonable to keep the computing equipment in the user's possession, user may leave the device(s) in the hotel room, however, the user must make all reasonable efforts to secure or hide the device(s) within the locked hotel room

Classifying GM
GM must be classified based on a risk assessment that considers the severity of impact from unauthorized disclosure.
Where required, the classification of GM must be one or more of the following:
CONFIDENTIAL
SECRET
PERSONAL INFORMATION
EXPORT CONTROLLED
NOTE: Classification definitions can be found in the glossary.
Management responsibility and ownership of GM must be identified and documented and data classifications must be periodically re-evaluated

Labeling of GM
All GM classified data must have a classification label that includes a prefix, (e.g., GM), along with the classification, (e.g., CONFIDENTIAL)
All unclassified GM intended for public distribution must bear the legal, business markings, and legends necessary to communicate General Motors ownership, rights, management controls, and information integrity. Examples of such markings include
Copyright notice
Trademark, (e.g. logo and image), of the GM business unit
Signature or name of the GM business unit
All classified GM must bear the legal, business markings, and legends necessary to communicate General Motors ownership, rights, management controls, and information integrity. Examples of such markings include
Classification label
Copyright notice
Trademark, (e.g., logo and image), of the GM business unit
Signature or name of the GM business unit
Business entities within GM may have a separate documented classification prefix for information created by the business entity for a third-party. In doing so, standard criteria for classification described in the GM Control must be applied. Business entity developed third party information controls must be auditable, that is, documented and consistently used
Customer or supplier information must be labeled with the customer or supplier name and not labeled using any of GM's internal classification labels

Handling of GM Classified
GM managers must identify and adhere to local laws protecting employees by specifying additional controls required when handling GM pertaining to GM personnel matters.
All users must employ all reasonable means to store GM securely based on a risk analysis that considers the sensitivity of the information.
mobile device storage of GM SECRET, GM CONFIDENTIAL, EXPORT CONTROLLED or SENSITIVE PERSONAL INFORMATION is prohibited
Proper export authorization is required for GM deemed to be Export-Controlled prior to export or sharing.
storing EXPORT CONTROLLED information on a laptop must maintain a separate list identifying such information for reporting purposes in the event the laptop is lost or stolen
If a laptop containing EXPORT CONTROLLED information is lost or stolen, the user must immediately advise the Office of Export Compliance

Encryption of GM
To protect the confidentiality and integrity of certain GM based on its level of classification or sensitivity, information as identified in Table 2-1 must be encrypted while in-transit and/or while at-rest.

                                  Encryption Requirement
Type of GM                        Storage / At-Rest    Transmission / In-Transit
SECRET                            Mandatory            Mandatory
SENSITIVE PERSONAL INFORMATION    Mandatory            Mandatory (1)
SOX                               Discretionary        Mandatory
CONFIDENTIAL                      Discretionary (2)    Discretionary (2)
EXPORT CONTROLLED                 Discretionary (3)    Discretionary (3)

Table 2-1 Notes:
(1) Applies to data transmission beyond the GM controlled network.
(2) Must be based on the GM manager's assessment of sensitivity and determination if encryption is required.
(3) Contact the Export Compliance Office to determine if encryption is required.

Table 2-1: GM Encryption Requirements

2.16 Digital Signatures
Digital Signatures must be used when proof of authorship and / or integrity of the data are required.

2.17 Disposal of
GM provided laptops, desktops, mobile devices, media and any other hardware must be returned upon terminating the employment with the company or at the end of the specific contractual agreement
GM reserves the right to audit any personal device upon separation to ensure that it does not contain any GM
GM stored on any form including electronic media must be destroyed prior to disposal of the media
GM must be protected against unauthorized disclosure during any disposal process
All GM must be removed in an irretrievable fashion from any device at the end of lease or prior to redistribution.
UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets
More informationThese pieces of information are used to improve services for you through, for example:
Eolach Accountants & Business Advisors Limited t/a McGinley & Co. Privacy Policy At Eolach Accountants & Business Advisors Limited t/a McGinley & Co. our policy is simple we understand the importance of
More informationTerms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.
Medical Privacy Version 2018.03.26 Business Associate Agreement This Business Associate Agreement (the Agreement ) shall apply to the extent that the Lux Scientiae HIPAA Customer signee is a Covered Entity
More informationREGULATION BOARD OF EDUCATION FRANKLIN BOROUGH
R 3321/Page 1 of 6 The school district provides computer equipment, computer services, and Internet access to its pupils and staff for educational purposes only. The purpose of providing technology resources
More informationPolicy and Procedure: SDM Guidance for HIPAA Business Associates
Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:
More informationClass Composer General Terms of Use
Class Composer General Terms of Use Effective Date: July 24, 2017 Welcome to Class Composer! Please continue reading to learn about the terms by which you may use our Service. If you have any questions
More informationCorporate Policy. Revision Change Date Originator Description Rev Erick Edstrom Initial
Corporate Policy Information Systems Acceptable Use Document No: ISY-090-10 Effective Date: 2014-06-10 Page 1 of 5 Rev. No: 0 Issuing Policy: Information Systems Department Policy Originator: Erick Edstrom
More informationPCI Compliance. What is it? Who uses it? Why is it important?
PCI Compliance What is it? Who uses it? Why is it important? Definitions: PCI- Payment Card Industry DSS-Data Security Standard Merchants Anyone who takes a credit card payment 3 rd party processors companies
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Personnel Security Standard This standard is applicable to all VCU School of Medicine personnel. Approval
More informationBHIG - Mobile Devices Policy Version 1.0
Version 1.0 Authorised by: CEO Endorsed By: Chief Operations Officer 1 Document Control Version Date Amended by Changes Made 0.1 20/01/2017 Lars Cortsen Initial document 0.2 29/03/2017 Simon Hahnel Incorporate
More information1 Privacy Statement INDEX
INDEX 1 Privacy Statement Mphasis is committed to protecting the personal information of its customers, employees, suppliers, contractors and business associates. Personal information includes data related
More informationCERTIFIED MAIL LABELS TERMS OF USE and PRIVACY POLICY Agreement
CERTIFIED MAIL LABELS TERMS OF USE and PRIVACY POLICY Agreement Welcome to Certified Mail Envelopes and Certified Mail Labels web sites (the Site ) a website, trademark and business name owned and operated
More informationUT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES
ACCESS MANAGEMENT Policy UT Health San Antonio shall adopt access management processes to ensure that access to Information Resources is restricted to authorized users with minimal access rights necessary
More informationIT ACCEPTABLE USE POLICY
CIO Signature Approval & Date: IT ACCEPTABLE USE POLICY 1.0 PURPOSE The purpose of this policy is to define the acceptable and appropriate use of ModusLink s computing resources. This policy exists to
More informationRegulation P & GLBA Training
Regulation P & GLBA Training Overview Regulation P governs the treatment of nonpublic personal information about consumers by the financial institution. (Gramm-Leach-Bliley Act of 1999) The GLBA is composed
More informationThe City of Mississauga may install Closed Circuit Television (CCTV) Traffic Monitoring System cameras within the Municipal Road Allowance.
Policy Number: 10-09-02 Section: Roads and Traffic Subsection: Traffic Operations Effective Date: April 25, 2012 Last Review Date: Approved by: Council Owner Division/Contact: For information on the CCTV
More informationADIENT VENDOR SECURITY STANDARD
Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational
More informationHIPAA Compliance Checklist
HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.
More informationName of Policy: Computer Use Policy
Page: Page 1 of 5 Director Approved By: Approval Date: Reason(s) for Change Responsible: Corporate Services Leadership April 22, Reflect current technology and practice Corporate Services Leadership Leadership
More informationPrivacy Policy Effective May 25 th 2018
Privacy Policy Effective May 25 th 2018 1. General Information 1.1 This policy ( Privacy Policy ) explains what information Safety Management Systems, 2. Scope Inc. and its subsidiaries ( SMS ), it s brand
More informationAn Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule
An Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule Legal Disclaimer: This overview is not intended as legal advice and should not be taken as such. We recommend that you consult legal
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More informationPrivacy Breach Policy
1. PURPOSE 1.1 The purpose of this policy is to guide NB-IRDT employees and approved users on how to proceed in the event of a privacy breach, and to demonstrate to stakeholders that a systematic procedure
More informationINFORMATION SECURITY-SECURITY INCIDENT RESPONSE
Information Technology Services Administrative Regulation ITS-AR-1506 INFORMATION SECURITY-SECURITY INCIDENT RESPONSE 1.0 Purpose and Scope The purpose of the Security Response Administrative Regulation
More informationData Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory
Audience: NDCBF IT Security Team Last Reviewed/Updated: March 2018 Contact: Henry Draughon hdraughon@processdeliveysystems.com Overview... 2 Sensitive Data Inventory and Classification... 3 Applicable
More informationFerrous Metal Transfer Privacy Policy
Updated: March 13, 2018 Ferrous Metal Transfer Privacy Policy Ferrous Metal Transfer s Commitment to Privacy Ferrous Metal Transfer Co. ( FMT, we, our, and us ) respects your concerns about privacy, and
More informationWireless Security Access Policy and Agreement
Wireless Security Access Policy and Agreement Purpose The purpose of this policy is to define standards, procedures, and restrictions for connecting to Fort Valley State University s internal network(s)
More informationJuniper Vendor Security Requirements
Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks
More informationXO SITE SECURITY SERVICES
XO SITE SECURITY SERVICES 1.0 Product and Services 1.1 Product Description. XO Site Security (the "Service") is a managed security service which uses Premises-based, multi-threat sensing Customer Premises
More informationUNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017
UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets
More informationCloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015
Cloud Computing Standard Effective Date: July 28, 2015 1.1 INTRODUCTION Cloud computing services are application and infrastructure resources that users access via the Internet. These services, contractually
More informationOCTOSHAPE SDK AND CLIENT LICENSE AGREEMENT (SCLA)
OCTOSHAPE SDK AND CLIENT LICENSE AGREEMENT (SCLA) This is a License Agreement (the "Agreement") for certain code (the Software ) owned by Akamai Technologies, Inc. ( Akamai ) that is useful in connection
More informationPersonal Communication Devices and Voic Procedure
Personal Communication Devices and Voicemail Procedure Reference No. xx Revision No. 1 Relevant ISO Control No. 11.7.1 Issue Date: January 23, 2012 Revision Date: January 23, 2012 Approved by: Title: Ted
More informationRemote Access Policy
Remote Consulting Group Policy 1.0 1234 Main Street Version 1.0 Philadelphia, PA 19000 1213 www.rcg.com 1. Overview Remote Access Policy Remote Access allows Remote Consulting Group (RCG) to leverage the
More informationBCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement
BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement BCN TELECOM, INC. ( BCN" or "Company") has established practices and procedures adequate to ensure compliance
More informationEU GDPR & ISO Integrated Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-iso integrated-documentation-toolkit
EU GDPR & https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit Note: The documentation should preferably be implemented in the order in which it is listed here. The order
More informationGOCO.IO, INC TERMS OF SERVICE
GOCO.IO, INC TERMS OF SERVICE GoCo.io, Inc. ("GoCo", the "Site", "https://www.goco.io") welcomes you! GoCo provides services to you subject of the following terms of service (the "Agreement"). The Agreement
More informationGramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.
Gramm Leach Bliley Act 15 U.S.C. 6801-6809 GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 11/30/2016 1 Objectives for GLBA Training GLBA Overview Safeguards Rule
More informationNORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers
Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.
More informationThe University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems
The University of Texas at El Paso Information Security Office Minimum Security Standards for Systems 1 Table of Contents 1. Purpose... 3 2. Scope... 3 3. Audience... 3 4. Minimum Standards... 3 5. Security
More informationTECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES
TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control
More informationHIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996
HIPAA Privacy & Security Training HIPAA The Health Insurance Portability and Accountability Act of 1996 AMTA confidentiality requirements AMTA Professional Competencies 20. Documentation 20.7 Demonstrate
More informationHIPAA Privacy & Security Training. Privacy and Security of Protected Health Information
HIPAA Privacy & Security Training Privacy and Security of Protected Health Information Course Competencies: This training module addresses the essential elements of maintaining the HIPAA Privacy and Security
More informationUlster University Standard Cover Sheet
Ulster University Standard Cover Sheet Document Title Portable Devices Security Standard 1.5 Custodian Approving Committee Deputy Director of Finance and Information Services (Information Services) Information
More informationCOMMENTARY. Information JONES DAY
February 2010 JONES DAY COMMENTARY Massachusetts Law Raises the Bar for Data Security On March 1, 2010, what is widely considered the most comprehensive data protection and privacy law in the United States
More informationIdentity Theft Prevention Policy
Identity Theft Prevention Policy Purpose of the Policy To establish an Identity Theft Prevention Program (Program) designed to detect, prevent and mitigate identity theft in connection with the opening
More information