Policy Title: Pomeroy Security Principles
Binder Association: PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy
Author: Joseph Shreve
Review Date: September of each year or as required

Contents
Purpose ... 1
Security Policy Workflow ... 1
Scope ... 1
Exceptions ... 1
SEC Workflow Diagram ... 3
Pomeroy Principle Security Statements and Policies ... 4
Security Processes and Procedures ... 6
Revision Details ... 7

Purpose:
Effective security is achieved by coordinating all aspects of controls, based on policies defined by the company, to form a unified and well-defined mandate. The basis of these principles is found in standards such as ISO 27002 (note: Pomeroy does not claim ISO 27002 certification but rather adheres to accepted best practices for security). This document provides the policies that Pomeroy has deemed required for proper governance. The fundamentals outlined here will be referenced in the Pomeroy Security Controls Reference; that manual provides the instructions for enforcing the policies outlined here.

Security Policy Workflow:
Pomeroy has adopted the policy workflow model shown in Figure 1 below. It shows how policies are generated to act upon business objects in order to protect them, and how the procedures applied are refined to produce proper controls. Management approval is required for the policies, for the controls applied, and for the auditing reports that can drive new or revised policies. The integral concept is that security is a continuous process of testing and revision to maintain an appropriate level of protection.

Scope
This policy applies to all workers, contractors, consultants, temporary workers and other workers at Pomeroy, including those workers affiliated with third parties who access Pomeroy computer networks. This policy also applies to all computer and data communication systems owned and/or administered by Pomeroy. Workers employed at client locations must adhere to Pomeroy security policies when doing so does not conflict with or counter the security policies at the client's location.

Exceptions
Under rare circumstances, business needs may require that Pomeroy deviate from this policy. Exceptions to this policy must be documented. To document an exception, the designated security coordinator and/or business unit management must complete the Security Exception Form (SecExceptionTemplate.docx) located in the Pomeroy Security Binder (Sites > Sites > > Company-Wide).

POM_SEC_Principles_2015_v1.docx Page 1 of 7
SEC Workflow Diagram

[Figure 1 - Security Policy Workflow. Diagram elements: Management Approvals produce Security Policies; Security Policies, applied via procedures/processes, produce Security Procedures and Security/Controls; these act on Business Objects (infrastructure and support for deliverables; external and internal processes, connectivity, and access to these objects); Reporting and Auditing produce Revisions and identify new objects needing policies; Revisions and Updates return to Management Approvals.]
Pomeroy Principle Security Statements and Policies

Principle Security Statement / Corresponding Policy

1) Access to private Pomeroy systems, assets, and physical space will be restricted to authorized users.
   Corresponding Policy:
   a) Pomeroy will award logon names and passwords (credentials), tokens, or other means of access; these are to be protected, kept secret, and not shared.
   b) Least privilege access will be required for any special access within the company's systems.
   c) All new users must be authorized by the appropriate management process, and this authorization must be documented.
   d) Timely revocation of credentials is required and also requires documentation via the approved process.
   e) Adherence to these access policies will be periodically audited and feedback given to improve the processes.

2) Those with access to Pomeroy systems, assets, and physical space will be expected to use this access appropriately.
   Corresponding Policy:
   a) An appropriate use policy document will outline specific expectations, and all users will acknowledge an understanding of these expectations.
   b) Documents for appropriate use will be readily available to all users.
   c) All users will be expected to understand contractual and licensing constraints in using Pomeroy systems.

3) Those with access to Pomeroy systems will be informed on a regular basis how they can help keep Pomeroy secure (security awareness).
   Corresponding Policy:
   a) A security awareness program will inform users of security issues. It will provide both new and current users with information on proper behavior to minimize security risks.
   b) This program will be provided at least annually.

4) Important Pomeroy assets will be labeled and tracked so that they can be properly managed. Assets containing Pomeroy business information are considered important assets.
   Corresponding Policy:
   a) Assets with significant impact on Pomeroy business are to be uniquely labeled and tracked such that they may be retained or disposed of as appropriate to their lifecycle.
   b) Assets that store information and are re-used or disposed of will have all previous information removed prior to this status change.
5) Pomeroy will regularly assess the risk of loss or damage from internal and external means. Proper steps will be taken to mitigate these risks.
   Corresponding Policy:
   a) Risk assessments and audits must be done on a regular basis.
   b) Pomeroy will employ objective third-party auditing to review security and information protection on an annual basis.
   c) An appropriate incident management process will be defined to respond to threats to the business.

6) Plans must be in place to recover and re-establish company assets and systems so that the business may continue after a risk becomes an actual disruption to normal operations.
   Corresponding Policy:
   a) A Disaster Recovery (DR) plan and a Business Continuity Plan (BCP) must be available to the proper Pomeroy staff and reviewed/updated on a regular basis.
   b) Disaster recovery tests for all critical systems (information, facilities, and personnel) must be held at least once a year. These tests will include a postmortem of the findings to properly revise future implementations.
   c) Any significant disrupting incident (as defined by agreed criteria) will use the incident response and notification procedures approved by management.

7) All forms of data, systems, and communication for the company will be protected from improper use, control, or damage due to loss. This includes written, voice, or electronic communications. Related policy is the Network Design and Maintenance Policy.
   Corresponding Policy:
   a) Disclaimers will be attached to all communications in case of mistakenly addressed instances.
   b) Encryption will protect all network or application logins.
   c) Encrypted communications will exist whenever external connections are made to the Pomeroy network.
   d) Devices attaching to company networks must be authorized to do so and must be properly protected.
   e) Physical and virtual protection will be applied to the devices handling communications to prevent unauthorized access.
   f) Monitoring of systems to discover malicious programs or unauthorized system alterations will be maintained.
   g) Monitoring of systems for appropriate capacity (regarding availability) will be maintained.
   h) Redundancy and duplication of critical data, systems and communications will be assessed and provided.
8) All information owned by the company will be classified so that it may be handled appropriately.
   Corresponding Policy:
   a) Pomeroy will keep, as part of its security awareness program, information on how to classify information handled by users.
      1. Pomeroy will update this information to keep pace with business, government and other legal requirements for protected information.

9) All information stored by the company will be stored and moved appropriately to its classification.
   Corresponding Policy:
   a) User roles/functions within the company will determine what information they can see and act upon.
   b) An appropriate separation of duties will exist to prevent unchecked execution of financially impacting actions.
   c) Removal or destruction of information or assets will be done in a way that prevents re-use or inappropriate access.

10) All changes to important and/or critical systems will follow appropriate processes of testing and approval and be documented (change management). The availability of these systems will be properly communicated during planned change or other disruption.
   Corresponding Policy:
   a) A documented workflow, based on ITIL service lifecycle concepts, will be followed to handle production changes.
   b) Only after testing and quality assurance will changes be submitted for review via the approval workflow.
   c) Emergency changes to systems, regardless of the cause, will be communicated to all appropriate users and management.

11) The Company will designate staff who will create, review, and update the security policies, controls, risk assessments, and responses needed for operating a secure business. Impartial 3rd parties will audit these measures at least annually. This will include appropriate compliance with applicable laws and regulations.
   Corresponding Policy:
   a) Policies will be written, and the procedures generated by these policies produced, by the appropriate staff. These will be vetted by the appropriate authority.
   b) Executive management will be informed of the risks discovered and of the policies and procedures created to mitigate these risks. Approval of security policy documents is done at least annually.
   c) Organization of contracts and legal requirements will be maintained.
   d) Annual audits by a 3rd-party firm will apply generally accepted, independent standards to review the security policies, procedures and controls in place for The Company.

Security Processes and Procedures
The above principles and policy statements relate directly to the Security Controls - Pomeroy document, which should be referenced for details on how Pomeroy applies its security policies.
Revision Details:

Date       Version  Change Summary
4/11/13    .1       DRAFT creation of document for review by stakeholders
5/13/2013  1        Approved for rollout by CIO
1/28/2014  1.1      Added statement 11 (designated security policy creators and reviewers)
3/28/14    1.2      Added incident response language to Principle 6 policy and added language to Principle 7 and policies for malicious programming or malware and redundancy.
7/3/2014   1.3      Added Principle 11 and attendant policies, CIO approval of changes
10/17/14   1.4      Added capacity language for Principle 7
3/14/15    1.5      Placed revisions at end of doc, reviewed

Policy Approval:
Signature: Kristi Nelson, SVP Shared Business Services
Date: signed