Employee Security Awareness Training Program


Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015

1. Scope

This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor, partner, vendor or individual logging into an InComm database or network who is granted access to or uses InComm's systems. The Chief Security Officer and the Information Security Department ("InfoSec") are in charge of and maintain this Program. Questions about your obligations under this Program should be directed to InfoSec.

2. Purpose

The purpose of this Program is to (a) concisely describe InComm's information security program and standards, (b) provide guidance on how InComm safeguards sensitive personally identifiable information that it collects, receives or controls and (c) describe the administrative, technical and physical safeguards InComm implements, so you understand and comply with all security obligations. InComm expects and requires that all employees will conduct any and all information services activities on behalf of InComm in accordance with the security and usage guidelines in this Program.

For purposes of this Program, sensitive personally identifiable information means (a) social security numbers, (b) financial account numbers (including credit card numbers), (c) identification card, driver's license or government-issued ID numbers, (d) personal health information (including medical identification or health insurance identification numbers), and (e) online account identifiers (e.g. user names/passwords) ("Sensitive Data").

This Program was created based on, and will continue to support, InComm's assessment of reasonably foreseeable internal and external risks to the security, confidentiality and integrity of electronic, paper and other records containing Sensitive Data. InComm has evaluated, and will continue to evaluate and where necessary improve, the effectiveness of its safeguards in limiting such risks, including employee training, ensuring ongoing employee compliance with this Program, and the development of measures for detecting and preventing security system failures.

3. Responsibilities

COLLECTION

You will use your best efforts to avoid collecting any Sensitive Data that is not needed for a business function.

STORAGE AND ACCESS

You will ensure that all Sensitive Data in your custody or under your control (and electronic, paper, or other records containing Sensitive Data) is stored in secure and locked facilities, storage areas, containers or other secured environments. If you see someone you do not know accessing Sensitive Data or present in a secured area, you should report them to Human Resources or InfoSec. Only those individuals who have a need to use Sensitive Data for legitimate company business purposes and to fulfill their job duties may access such data, and you will ensure that reasonable restrictions are placed on access to records containing Sensitive Data in your custody or under your control. If you are aware of or suspect that Sensitive Data is not properly secured, you will report such insecurity to InfoSec.

Computer accounts are assigned on an individual basis, are to be used only by the assigned employee and must not be shared. Every individual who has a legitimate need to access InComm computer systems and networks will be assigned unique (non-default) passwords, which are reasonably designed to maintain the integrity and security of access controls. If you are in charge of distributing and assigning such passwords, you will ensure that the terms of this Program are met.

No terminated employees are permitted access to records containing Sensitive Data. If your job function includes working with or handling terminated employees, you understand that you will be required to take all the steps necessary to prohibit terminated employees from accessing Sensitive Data, as such steps are communicated to you from time to time.

InComm requires the use of secure user authentication protocols to allow access to Sensitive Data on computers. To the extent that these issues fall within the scope of your job duties, you will ensure that the provisions of this Program are met, including:

- Controlling user IDs and other identifiers that are used to access Sensitive Data;
- Changing all vendor-supplied default settings, including passwords, encryption keys, and other security-related settings;
- Using a reasonably secure method of assigning and selecting passwords that are used to access Sensitive Data, or using unique identifier technologies, such as token devices;
- Controlling access to security passwords used to access Sensitive Data, and ensuring that such passwords are kept in a location or in a format that does not compromise the security of the information they protect;
- Restricting access to computers that contain Sensitive Data to only active users and active user accounts; and
- Blocking access to user identification after multiple unsuccessful attempts to gain access to Sensitive Data.

You understand that InComm requires network and computer systems containing Sensitive Data to be monitored, using reasonable monitoring systems and approaches, for unauthorized access to or use of Sensitive Data.

BREACHES

A breach of data security could lead to the loss of InComm employee, customer and/or company Sensitive Data. In the event of a suspected or actual breach of security, an appropriate technology authority may make inaccessible or remove any unsafe user/login names, data and/or programs from the network. Employees are responsible for immediately reporting any suspected or known breach of security to InfoSec.

TRANSPORTATION

Storing Sensitive Data on laptops or other portable devices is strongly discouraged, and should be limited to situations in which it is absolutely necessary to fulfill your job duties. Do not e-mail confidential information or Sensitive Data to your personal e-mail account or maintain a copy of any document containing such information or Data on your laptop or other portable device. Any Sensitive Data used on a laptop or portable device must be proactively deleted after use. If necessary, all Sensitive Data stored on laptops or other portable devices must be encrypted, as must any files containing Sensitive Data that will travel across public networks or be transmitted wirelessly. "Encrypted" means using appropriate and current technologies to ensure that data is transformed into a form in which meaning cannot be assigned without the use of a confidential process or key. The data must be altered to be encrypted.

Files containing Sensitive Data that are electronically stored, transmitted or on portable systems connected to the Internet must have reasonably up-to-date firewall protection and operating system security patches, which firewalls and patches are designed to maintain the integrity of the Sensitive Data. Such files also must have up-to-date system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions.

DISCLOSURE

Sensitive Data may be disclosed outside of InComm only to third party service providers with whom InComm has a written agreement in place, under which agreement the third party has agreed to use the Sensitive Data only for InComm's business purposes and in compliance with all applicable laws, rules, regulations, and company policies, including the safeguard procedures outlined in this Program, in Massachusetts 201 C.M.R. 17.00, and in Nevada N.R.S. 603A.210. In selecting service providers who will or may handle Sensitive Data, InComm takes reasonable steps to select and retain only those parties that are capable of maintaining appropriate security measures to protect Sensitive Data as outlined in this Program. If you are in charge of selecting such third parties, you understand that you will be required to ensure that they can provide such security safeguards and commitments, and to work with InfoSec to ensure such commitments are in place.

SOCIAL SECURITY NUMBER HANDLING PROCEDURES

InComm is obligated under state and federal laws to safeguard Social Security Numbers. All employees that handle Social Security Number information (or any other government-issued ID numbers) are required to comply with the following security requirements:

- All electronic files containing Social Security Numbers (or any other government-issued ID numbers, such as driver's license numbers) will be appropriately protected.
- Use the established procedure to save any document containing Social Security Numbers to InComm's internal databases. Under no circumstances should any employee save a document containing Social Security Numbers or any other government-issued ID number to his or her hard drive (Desktop, My Documents, etc.).
- Ensure that a Social Security Number or government-issued ID number is not written down on paper, emailed, or otherwise stored at your desk.
- Paper documents containing Social Security Numbers or other government IDs must be stored securely in locked filing cabinets designated for that purpose and, eventually, may be destroyed under the Destruction guidelines outlined below.
- All InComm personnel must immediately report any actual or suspected security incident involving Social Security Numbers or other government-issued ID numbers to InfoSec, which will escalate the matter as appropriate.

Those found to be violating this Program may be subject to discipline, up to and including termination.

CARD ACCOUNT DATA PROTECTIONS

InComm is required to have appropriate measures in place to protect network-branded (e.g. Visa, MasterCard, Discover and Amex) card account data. Card account data includes cardholder data, which is the credit, debit or prepaid card account number, as well as the account number plus one or more of the following pieces of information: cardholder name, expiration date and/or service code (the three or four digit number that can be found on the front or back of the card, near the expiration date). Card account data also includes sensitive authentication data, which is personal data used to authenticate cardholders or authorize payment card transactions.

InComm's card data protection program is integrated into its overall security strategy. Therefore, all employees who handle card account data are required to comply with the security procedures outlined in this Program, as well as the specific restrictions below. In order to protect card account data, employees must only save and access the information on a firewall-protected, secure network. If the cardholder data needs to be transmitted on a public network, the authorized employees will ensure that the information is encrypted before it is sent. Sensitive authentication data must be deleted after the authorization process is complete, and cannot be stored under any circumstances. In addition to requiring employees to comply with these requirements, InComm will only allow employees to access card account data if they need to do so to fulfill their job responsibilities. InComm will also track and monitor all access to card account data.

PHYSICAL SAFEGUARDS

InComm takes reasonable steps to implement safeguards to protect InComm facilities and equipment from unauthorized access. InComm also protects information through physical security levels and clear desktop and workspace policies to prevent inadvertent disclosures. Follow all relevant procedures relating to physical security, including use of your personal badge and care of your equipment and work station. If you are aware of or suspect there has been unauthorized access to your equipment or work station, immediately notify InfoSec.

SYSTEMS MANAGEMENT AND MONITORING

InComm takes reasonable steps to monitor its systems for unauthorized use of or access to Sensitive Data. If you are aware of or suspect there has been a breach of Sensitive Data, immediately notify InfoSec, which will initiate a response. In the event of a breach of Sensitive Data, InComm requires documentation of all responsive steps in accordance with InComm's Security Incident Response Plan. InComm also requires a post-incident review of the events and of any actions taken to change business practices for Sensitive Data.

InComm regularly monitors this Program, at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of data containing Sensitive Data, to ensure that it is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of Sensitive Data. InComm will update its security policies, including this Program, as necessary to limit risks.

DESTRUCTION

Except as otherwise directed by InfoSec, InComm personnel shall dispose of Sensitive Data no longer needed for a business function in a responsible manner. Paper documents containing Sensitive Data, especially Social Security Numbers or any other government IDs, and cardholder data, must be shredded and securely disposed of. For electronic data, employees must permanently erase or otherwise modify the Sensitive Data to make it permanently unreadable or indecipherable. Sensitive Data should be disposed of in accordance with InComm's Record Retention Policy. If you have any questions regarding the destruction of data, contact your supervisor or InfoSec.

TRAINING, MONITORING AND DISCIPLINE

As part of InComm's training of directors, officers and employees, you acknowledge that you (a) have read and understand your obligations and InComm's legal obligations as set forth in this Program, (b) understand the importance to InComm of the security of Sensitive Data and the proper use of computer programs, networks, systems, paper records and other materials that contain Sensitive Data, and (c) will take all steps necessary to ensure that those obligations are met. Additionally, in the event that, in InComm's sole discretion, you violate the terms of this Program, you understand that InComm may take disciplinary action against you, up to and including terminating your employment.

Proprietary and Confidential