Employee Security Awareness Training Program

Transcription

1 Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015

2 1. Scope This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor, partner, vendor or individual logging into an InComm database or network who is granted access to or uses InComm s systems. The Chief Security Officer and Information Security Department ( InfoSec ) is in charge of and maintains this Program. Questions about your obligations under this Program should be directed to InfoSec. 2. Purpose This purpose of this Program is to (a) concisely describe InComm s information security program and standards, (b) provide guidance on how InComm safeguards sensitive personally identifiable information that it collects, receives or controls and (c) describe the administrative, technical and physical safeguards InComm implements, so you understand and comply with all security obligations. InComm expects and requires that all employees will conduct any and all information services activities on behalf of InComm in accordance with the security and usage guidelines in this Program. For purposes of this Program, sensitive personally identifiable information means (a) social security numbers, (b) financial account numbers (including credit card numbers), (c) identification card, drivers license or government-issued ID numbers, (d) personal health information (including medical identification or health insurance identification number), and (e) online account identifiers (e.g. user names/passwords) ( Sensitive Data ). This Program was created based on and will continue to support InComm s assessment of reasonably foreseeable internal and external risks to the security, confidentiality and integrity of electronic, paper and other records containing Sensitive Data. InComm has and will continue to evaluate, and where necessary improve, the effectiveness of its safeguards to limiting such risks, including employee training, ensuring ongoing employee compliance with this Program, and the development of measures for detecting and preventing security system failures. 3. Responsibilities COLLECTION You will use your best efforts to avoid collecting any Sensitive Data that is not needed for a business function. STORAGE AND ACCESS You will ensure that all Sensitive Data in your custody or under your control (and electronic, paper, or other records containing Sensitive Data) is stored in secure and locked facilities, storage areas, containers or other secured environments. If you see someone you do not know accessing Sensitive Data or present in a secured area you should report them to Human Resources or InfoSec. Only those individuals who have a need to use Sensitive Data for legitimate company business purposes and to fulfill their job duties may access such data, and you will ensure that 2 Proprietary and Confidential

3 reasonable restrictions are placed on access to records containing Sensitive Data in your custody or under your control. If you are aware of or suspect Sensitive Data is not properly secured, you will report such insecurity to InfoSec. Computer accounts are assigned on an individual basis, to be used only by the assigned employee and must not be shared. Every individual who has a legitimate need to access InComm computer systems and networks will be assigned unique (non-default) passwords, which passwords are reasonably designed to maintain the integrity and security of access controls. If you are in charge of distributing and assigning such passwords, you will ensure that the terms of this Program are met. No terminated employees are permitted access to records containing Sensitive Data. If your job function includes working with or handling terminated employees, you understand that you will be required to take all the steps necessary to prohibit terminated employees from accessing Sensitive Data as such steps will be communicated to you from time to time. InComm requires the use of secure user authentication protocols to allow access to Sensitive Data on computers. To the extent that these issues fall within the scope of your job duties, you will ensure that the provisions of this Program are met, including: Controlling user IDs and other identifiers that are used to access Sensitive Data; Changing all vendor-supplied default settings, including passwords, encryption keys, and other security-related settings; Using a reasonably secure method of assigning and selecting passwords that are used to access Sensitive Data, or using unique identifier technologies, such as token devices; Controlling access to security passwords used to access Sensitive Data, and ensuring that such passwords are kept in a location or in a format that does not compromise the security of the information they protect; Restricting access to computers that contain Sensitive Data to only active users and active user accounts; and Blocking access to user identification after multiple unsuccessful attempts to gain access to Sensitive Data. You understand that InComm requires network and computer systems containing Sensitive Data be monitored, using reasonable monitoring systems and approaches, for unauthorized access or use of Sensitive Data. BREACHES A breach of data security could lead to the loss of InComm employee, customer and/or company Sensitive Data. In the event of a suspected or actual breach of security an appropriate technology authority may make inaccessible or remove any unsafe user/login names, data and/or programs from the network. Employees are responsible for immediately reporting any suspected or known breach of security to InfoSec. TRANSPORTATION Storing Sensitive Data on laptops or other portable devices is strongly discouraged, and should be limited to situations in which it is absolutely necessary to fulfill your job duties. Do not confidential information or Sensitive Data to your personal account or maintain Proprietary and Confidential 3

4 a copy of any document containing such information or Data on your laptop or other portable device. Any Sensitive Data used on a laptop or portable device must be proactively deleted after use. If necessary, all Sensitive Data stored on laptops or other portable devices must be encrypted, as must any files containing Sensitive Data that will travel across public networks or be transmitted wirelessly. Encrypted means using appropriate and current technologies to ensure that data is transformed into a form in which meaning cannot be assigned without the use of a confidential process or key. The data must be altered to be encrypted. Files containing Sensitive Data that are electronically stored, transmitted or on portable systems connected to the Internet, must have reasonably up-to-date firewall protection and operating system security patches, which firewalls and patches are designed to maintain the integrity of the Sensitive Data. Such files also must have up to date system security agent software, which must include malware protection and reasonably up to date patches and virus definitions. DISCLOSURE Sensitive Data may be disclosed outside of InComm only to third party service providers with whom InComm has a written agreement in place, under which agreement the third party has agreed to use the Sensitive Data only for InComm s business purposes and in compliance with all applicable laws, rules, regulations, and company policies, including the safeguard procedures outlined in this Program, in Massachusetts 201 C.M.R , and Nevada N.R.S. 603A.210. In selecting service providers who will or may handle Sensitive Data, InComm takes reasonable steps to select and retain only those parties that are capable of maintaining appropriate security measures to protect Sensitive Data as outlined in this Program. If you are in charge of selecting such third parties, you understand that you will be required to ensure that they can provide such security safeguards and commitments, and to work with InfoSec to ensure such commitments are in place. SOCIAL SECURITY NUMBER HANDLING PROCEDURES InComm is obligated under state and federal laws to safeguard Social Security Numbers. All employees that handle Social Security Number information (or any other government-issued ID numbers) are required to comply with the following security requirements. All electronic files containing Social Security Numbers (or any other government-issued ID numbers, such as drivers license numbers) will be appropriately protected. Use the established procedure to save any document containing Social Security Numbers to InComm s internal databases. Under no circumstances should any employee save a document containing Social Security Numbers or any other government-issued ID number to his or her hard drive (Desktop, My Documents, etc.). Ensure that a Social Security Number or government-issued ID number is not written down on paper, ed, or otherwise stored at your desk. Paper documents containing Social Security Numbers or other government IDs must be stored securely in locked filing cabinets designated for that purpose and, eventually, may be destroyed under the Destruction guidelines outlined below. All InComm personnel must immediately report any actual or suspected security incident 4 Proprietary and Confidential

5 involving Social Security Numbers or other government-issued ID number to InfoSec, which will escalate the matter as appropriate. Those found to be violating this Program may be subject to discipline, up to and including termination. CARD ACCOUNT DATA PROTECTIONS InComm is required to have appropriate measures in place to protect network-branded (e.g. Visa, MasterCard, Discover and Amex) card account data. Card account data includes cardholder data, which is the credit, debit or prepaid card account number, as well as the account number plus one or more of the following pieces of information: cardholder name, expiration date and/or service code (the three or four digit number that can be found on front or back of the card, near the expiration date). Credit account data also includes sensitive authentication data, which is personal data used to authenticate cardholders or authorize payment card transactions. InComm s card data protection program is integrated into its overall security strategy. Therefore, all employees who handle card account data are required to comply with the security procedures outlined in this Program, as well as the specific restrictions below. In order to protect card account data, employees must only save and access the information on a firewall-protected, secure network. If the cardholder data needs to be transmitted on a public network, the authorized employees will ensure that the information is encrypted before it is sent. Sensitive authentication data must be deleted after the authorization process is complete, and cannot be stored under any circumstances. In addition to requiring employees to comply with these requirements, InComm will only allow employees to access to card account data if they need to do so to fulfill their job responsibilities. InComm will also track and monitor all access to card account data. PHYSICAL SAFEGUARDS InComm takes reasonable steps to implement safeguards to protect InComm facilities and equipement from unauthorized access. InComm also protects information through physical security levels and clear desktop and workspace policies to prevent inadvertent disclosures. Follow all relevant procedures relating to physical security, including use of your personal badge and care of your equipment and work station. If you are aware of or suspect there has been unauthorized access to your equipment or work station, immediately notify InfoSec. SYSTEMS MANAGEMENT AND MONITORING InComm takes reasonable steps to monitor its systems for unauthorized use or access to Sensitive Data. If you are aware of or suspect there has been a breach of Sensitive Data, immediately notify InfoSec, which will initiate a response. In the event of a breach of Sensitive Data, InComm requires documentation of all responsive steps in accordance with InComm s Security Incident Response Plan. InComm also requires a post-incident review of the events and any actions taken to change business practices for Sensitive Data. InComm regularly monitors this Program, at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of data containing Sensitive Data, to ensure that it is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of Sensitive Data. Where necessary, InComm will update its security policies, including this Program, as necessary to limit risks. Proprietary and Confidential 5

6 DESTRUCTION Except as otherwise directed by InfoSec, InComm personnel shall dispose of Sensitive Data no longer needed for a business function in a responsible manner. Paper documents containing Sensitive Data, especially Social Security Numbers or any other government IDs, and cardholder data, must be shredded and securely disposed of. For electronic data, employees must permanently erase or otherwise modify the Sensitive Data to make it permanently unreadable or indecipherable. Sensitive Data should be disposed of in accordance with InComm s Record Retention Policy. If you have any questions regarding the destruction of data, contact your supervisor or InfoSec. TRAINING, MONITORING AND DISCIPLINE As part of InComm s training of directors, officers and employees, you acknowledge that you (a) have read and understand your obligations and InComm s legal obligations as set forth in this Program, (b) understand the importance to InComm of the security of Sensitive Data and the proper use of computer programs, networks, systems, paper records and other materials that contain Sensitive Data, and (c) will take all steps necessary to ensure that those obligations are met. Additionally, in the event that, in InComm s sole discretion, you violate the terms of this Program, you understand that InComm may take disciplinary action against you, up to and including terminating your employment. 6 Proprietary and Confidential