Appendix B. Sample Information Security Policy

The scope of the Information Security Policy extends to all functional areas and all employees, Directors, consultants, contractors, temporary staff, co-op students, interns, partners and third-party employees, and joint venture partners unless explicitly excluded. At first glance, the policy may appear daunting. If you take a look at the Table of Contents, you will see that the Information Security Policy is organized by category. These categories form the framework of our Information Security Program. Supporting the policies are implementation standards, guidelines, and procedures. You can find these documents in the Governance section of our online company library.

Diligent information security practices are a civic responsibility and a team effort involving the participation and support of every employee and affiliate who deals with information and/or information systems. It is the responsibility of every employee and affiliate to know, understand, and adhere to these policies, and to conduct their activities accordingly. If you have any questions or would like more information, I encourage you to contact either our Compliance Officer or Chief Information Security Officer (CISO).

I thank you in advance for your support as we all do our best to create a secure environment and to fulfill our mission. – <<Name, Title, Date>>

To ensure that management is actively engaged in the success of the Information Security Policy and Program.

To provide the support and oversight required to maintain an effective policy and program.

To define organizational roles and responsibilities.

To provide the framework for effective risk management and continuous assessment.

1.2. Information Security Policy Authorization and Oversight

1.3. Chief Information Security Officer (CISO)

1.4. Information Security Steering Committee

1.5. Information Security Risk Management Oversight

1.6. Information Security Risk Assessment

1.7. Information Security Risk Response

1.1.2. Executive Management is responsible for establishing the mandate and general objectives of the aggregate Information Security Policy.

1.1.3. Information security policies must support organizational objectives.

1.1.4. Information security policies must comply with relevant statutory, regulatory, and contractual requirements.

1.1.5. Information security policies must be communicated to all relevant parties both within and external to the company.

1.1.6. As applicable, standards, guidelines, plans, and procedures must be developed to support the implementation of Information Security Policy objectives and requirements.

1.1.7. For the purpose of educating the workforce, user-level documents will be derived from the Information Security Policy including but not limited to acceptable use and agreement, and information handling instructions.

1.1.8. Any Information Security Policy distributed outside the organization must be sanitized.

1.1.9. All documentation will be retained for a period of six years from the last effective date.

1.2.2. An annual review of the Information Security Policy must be conducted.

1.2.2.1. The CISO is responsible for managing the review process.

1.2.3. Changes to the policy must be presented to and approved by a majority of the Board of Directors.

1.2.4. The COO and the CISO will jointly present an annual report to the Board of Directors that provides them the information necessary to measure the organizations’ adherence to the Information Security Policy objectives and the maturity of the Information Security Program.

1.2.5. When in-house knowledge is not sufficient to review or audit aspects of the Information Security Policy, or if circumstances dictate independence, third-party professionals must be engaged.

1.3.2. The CISO will report directly to the COO.

1.3.3. At his/her discretion, the CISO may communicate directly with members of the Board of Directors.

1.3.4. The CISO is responsible for managing the Information Security Program, assuring compliance with applicable regulations and contractual obligations, and working with business units to align information security requirements and business initiatives.

1.3.5. The CISO will function as an internal consulting resource on information security issues.

1.3.6. The CISO will chair the Information Security Steering Committee.

1.3.7. The CISO will be a standing member of the Incident Response Team and the Continuity of Operations Team.

1.3.8. Quarterly, the CISO will report to the Executive Management Team on the overall status of the Information Security Program. The report should discuss material matters including such issues as risk assessment, risk management, and control decisions, service provider arrangements, results of testing, security breaches or violations, and recommendations for policy changes.

1.4.2. The Information Security Steering Committee provides an open forum to discuss business initiatives and security requirements. Security is expected to be given the same level of respect as other fundamental drivers and influencing elements of the business.

1.4.3. Standing membership shall include the CISO (chair), the COO, the Director of Information Technology, the Risk Officer, the Compliance Officer, and business unit representatives. Adjunct committee members may include but are not limited to representatives of human resources, training, and marketing.

1.4.4. The Information Security Steering Committee will meet on a monthly basis.

1.5.2. Executive Management will communicate the above to decision makers throughout the company.

1.5.3. The CISO in consultation with the Chief Risk Officer is responsible for determining the information security risk assessment schedule, managing the risk assessment process, certifying results, jointly preparing risk reduction recommendations with business process owners, and presenting the results to Executive Management.

1.5.4. The Board of Directors will be apprised by the COO of risks that endanger the organization, stakeholders, employees, or customers.

1.6.2. Information security risk assessments must have a clearly defined and limited scope. Assessments with a broad scope become difficult and unwieldy in both their execution and the documentation of the results.

1.6.3. The CISO is charged with developing an information security risk assessment schedule based upon the information systems criticality and information classification level.

1.6.4. In addition to scheduled assessments, information security risk assessments must be conducted prior to the implementation of any significant change in technology, process, or third-party agreement.

1.6.5. The CISO and the business process owner are jointly required to respond to risk assessment results and develop risk reduction strategies and recommendations.

1.6.6. Risk assessment results and recommendations must be presented to Executive management.

1.7.2. Low level risks can be accepted by the business process owner.

1.7.3. Elevated risks and severe risks (or comparable rating) must be responded to within 30 days. Response is the joint responsibility of the business process owner and the CISO.

1.7.3.1. Risk reduction recommendations can include risk acceptance, risk mitigation, risk transfer, risk avoidance, or a combination thereof.

1.7.3.2. Recommendations must be documented and include a applicable level of detail.

1.7.4. Elevated and severe risks can be accepted by Executive Management.

1.7.5. The Board of Directors must be informed of accepted severe risk. At their discretion, they can choose to overrule acceptance.

ISO 27002:2013 Section 6 Organization of Information Security

ISO 27005:2005 Risk Management

NIST SP 800-30 Risk Management Guide for Information Technology Systems

NIST SP 800-39 Managing Information Security Risk: Organization, Mission, and Information System View

Contact Information: <insert contact information>

To establish data classification levels.

To ensure that the company maintains an inventory of information security assets

To ensure that appropriate handling standards are developed for each classification.

2.2. Information Classification Policy

2.3. Inventory of Information System Assets

2.4. Information Classification Handling and Labeling Requirements

2.1.2. The Office of Information Security will maintain an inventory of information asset ownership.

2.1.3. Owners are required to classify information and information systems in accordance with the organizational classification guidelines.

2.1.4. Owners are responsible for determining the required level of protection.

2.1.5. Owners must authorize internal information and information system access rights and permissions.

2.1.6. Owners must review and reauthorize access rights and permissions on an annual basis.

2.1.7. Owners must authorize third-party access to information or information systems. This includes information provided to a third party.

2.1.8. Implementation and maintenance of controls is the responsibility of the Office of Information Security; however, accountability will remain with the owner of the asset.

2.2.2. The company will publish definitions for each classification.

2.2.3. The criteria for each level will be maintained by and available from the Office of Information Security.

2.2.4. All information will be associated with one of the four data classifications. It is the responsibility of information owners to classify data.

2.2.5. Information systems containing information from multiple classification levels shall be secured in accordance with the requirements of the highest classification level.

2.2.6. Data classification will remain in force regardless of the location or state of the data at any given time. This includes backup and archive media and locations.

2.2.7. The classification system will allow that classifications of information assets may change over time.

2.2.8. Each classification shall have documented handling requirements.

2.3.2. Each classification will have labeling requirements.

2.3.3. The Office of Information Security is responsible for the development and implementation of labeling and handling standards.

2.3.4. All employees, contractors, and affiliates will be provided or have access to written documentation that clearly describes the labeling and handling standards.

2.3.5. All employees, contractors, and affiliates will be provided with a resource that questions can be directed to.

2.3.6. All employees, contractors, and affiliates will be provided with a resource that violations can be reported to.

2.4.2. Company assets must be accounted for at all times.

2.4.3. The Office of Information Security will maintain the inventory documentation.

2.4.4. Copies of all inventory documentation will be included in the Business Continuity Plan.

NIST SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories

NIST SP 800-88 Guidelines for Media Sanitization

Contact Information: <insert contact information>

Set the parameters for workforce background checks.

Require an enterprise-wide user provisioning process.

Define electronic monitoring activities, privacy rights, and employee consent.

Require confidentiality and acceptable use agreements as a condition of employment.

Ensure that disciplinary action, up to and including termination, is applied consistently and fairly according to the standard and attendant policies, procedures, and guidelines.

Ensure that all employees, contractors, interns, and designated third parties receive training appropriate to their position throughout their tenure.

3.2. Personnel Screening

3.3. User Provisioning

3.4. Electronic Monitoring

3.5. Employee Termination

3.6. Employee Agreements

3.7. Information Security Training

3.1.2. Candidates will not be allowed access to any secure area unless authorized in writing by the information owner.

3.1.3. All non-public information submitted by candidates must be classified as “protected” and handled in accordance with company handling standards.

3.1.4. Under no circumstances will the company request that candidates provide a password to social media, blog, web, or personal email accounts.

3.1.5. The Office of Information Security and the Office of Human Resources will be jointly responsible for the implementation and enforcement of this policy.

3.2.2. Comprehensive background screening will be conducted pre-hire. Criminal check will be conducted annually thereafter.

3.2.3. Background screening will be conducted in accordance with local, state, and federal law and regulations.

3.2.4. If the person will have access to “protected” or highly “confidential” information, additional screening may be required at the discretion of the information owner. This includes new personnel as well as employees who might be moved into such a position.

3.2.5. Background screening will be conducted and/or managed by the Human Resources department.

3.2.6. If temporary or contractor staff is provided by an agency or third party, the contract must clearly specify the agency or third-party responsibility for conducting background checks in accordance with this policy. Results must be submitted to the Human Resources department for approval.

3.3.2. The Office of Human Resources and the Office of Information Security are jointly responsible for the User Provisioning process.

3.4.2. The policy must be included in the employee acceptable use agreement and employees must acknowledge the policy by signing the agreement.

3.4.3. Whenever technically feasible, login banners and warning messages will remind users of this policy.

3.4.4. The Office of Human Resources and the Office of Information Security are jointly responsible for developing and managing electronic monitoring and employee notification

3.5.2. In the case of unfriendly termination, all physical and technical access will be disabled pre-notification.

3.5.3. In the case of a friendly termination including retirement, the Office of Human Resources is responsible for determining the schedule for disabling access.

3.5.4. Termination procedures are to be included in the User Provisioning Process.

3.5.5. The Office of Human Resources and the Office of Information Security are jointly responsible for the User Provisioning process.

3.6.2. All employees must be provided with and sign an acceptable use agreement as a condition of employment and prior to being granted access to any company information or systems.

3.6.3. The documents provided to the employee will clearly state the employee’s responsibilities during both employment and post-employment.

3.6.4. The employee’s legal rights and responsibilities will be included in the document.

3.6.5. Legal counsel is responsible for developing, maintaining, and updating the confidentiality agreement.

3.6.6. The Office of Information Security is responsible for developing, maintaining, and updating the acceptable use agreement.

3.6.7. The Office of Human Resources is responsible for distributing the agreement and managing the acknowledgment process.

3.7.2. Subsequent training will be conducted at the departmental level. Users will be trained on the use of departmental systems appropriate to their specific duties to ensure the CIA of information is safeguarded.

3.7.3. Annual information security training will be conducted by the Office of Information Security. All staff is required to participate and attendance will be documented. At a minimum, training will include the following topics: current information security-related threats and risks, security policy updates, and reporting of security incidents.

3.7.4. The company will support the ongoing education of information security personnel by funding attendance at conferences, tuition at local colleges and universities, subscriptions to professional journals, and membership in professional organizations.

NIST SP 800-16 Information Technology Security Training Requirements: A Role- and Performance-Based Model

NIST SP 800-50 Building an Information Technology Security Awareness and Training Program

Contact Information: <insert contact information>

Defining a multi-tier classification system for defining workplace security requirements.

Ensuring physical access to secure areas are restricted to authorized personnel.

Ensuring facilities and rooms housing sensitive equipment are protected from physical and environmental danger, including fire, water, smoke, and theft.

Codifying the company’s commitment to sustainable computing and the minimization of power consumption.

Creating a consistent practice for media and devices disposal and destruction.

Creating a consistent practice for securing removable devices and media.

4.2. Physical Entry Controls

4.3. Workspace Classification

4.4. Working in Secure Areas

4.5. Clear Desk and Clear Screen

4.6. Power Consumption Policy

4.7. Data Center and Communications Facilities Environmental Safeguards

4.8. Secure Disposal Policy

4.9. Mobile Device and Media Security

4.1.2. An annual risk assessment of all existing business premises and information processing facilities will be performed to determine the type and strength of the security perimeter that is appropriate and prudent.

4.1.3. A risk assessment must be conducted on all new sites under consideration prior to building plans being finalized.

4.1.4. The Office of Facilities Management in conjunction with the Office of Information Security will conduct the risk assessment.

4.1.5. Risk assessment results and recommendations are to be submitted to the COO.

4.1.6. The Office of Facilities Management is responsible for the implementation and maintenance of all physical security perimeter controls.

4.2.2. The Office of Human Resources is responsible for providing access credentials to employees and contractors.

4.2.3. The Office of Facilities Management is responsible for visitor identification, providing access credentials, and monitoring access. All visitor management activities will be documented.

4.2.4. Employees and contractors are required to visibly display identification in all company locations.

4.2.5. Visitors are required to display identification in all non-public company locations.

4.2.6. Visitors are to be escorted at all times.

4.2.7. All personnel must be trained to immediately report unescorted visitors.

4.3.2. The company will publish definitions for each classification.

4.3.3. The criteria for each level will be maintained by and available from the Office of Facilities Management.

4.3.4. All locations will be associated with one of the three data classifications.

4.3.5. Classification assignment is the joint responsibility of the Office of Facilities Management and the Office of Information Security.

4.3.6. Each classification must have documented security requirements.

4.3.7. The COO must authorize exceptions.

4.4.2. All work in areas classified as “secure” will be recorded. The recordings will be maintained for a period of 36 months.

4.4.3. Mobile data storage devices are prohibited and may not be allowed in areas classified as “secure” without the authorization of the system owner or Information Security Officer.

4.4.4. Audio or video recording equipment is prohibited and may not be allowed in areas classified as “secure” without the authorization of the system owner or the Office of Information Security.

4.4.5. This policy is in addition to workspace classification security protocols.

4.5.2. During non-business hours, all documents classified as “protected” or “confidential” will be stored in a secure location.

4.5.3. While in use, device displays of any type must be situated to not allow unauthorized viewing.

4.5.4. When left unattended during business hours, device displays should be cleared and locked to prevent viewing.

4.5.5. “Protected” and “confidential” documents should only be printed to assigned printers. Print jobs should be retrieved immediately.

4.5.6. Scanners, copiers, and fax machines must be locked when not in use and require user codes to operate.

4.6.2. All computing devices purchased must be Energy Star© (or equivalent) certified.

4.6.3. All computing devices must be configured in power saver mode unless the setting degrades performance.

4.6.4. A bi-annual assessment must be conducted by the Office of Facilities Management to determine the best method(s) to provide clean, reliable Data Center power.

4.6.5. Data Center equipment must be protected by damage caused by power fluctuations or interruptions.

4.6.6. Data Center power protection devices must be tested on a scheduled basis for functionality and load capacity. A log must be kept of all service and routine maintenance.

4.6.7. Data Center generators must be tested regularly according to manufacturer’s instructions. A log must be kept of all service and routine maintenance.

4.7.2. Servers and communications equipment must be located in areas free from physical danger.

4.7.3. Servers and communications must be protected by uninterruptable power supplies and backup power sources.

4.7.4. Appropriate fire detection, suppression, and fighting equipment must be installed and/or available in all Data Center and Communications Facilities.

4.7.5. Appropriate climate control systems must be installed in all Data Center and Communications Facilities.

4.7.6. Emergency lighting must engage automatically during power outages at all Data Center and Communications Facilities.

4.7.7. The Office of Facilities Management is responsible for assessing the Data Center and Communications Facilities environmental requirements and providing the recommendations to the COO.

4.7.8. The Office of Facilities Management is responsible for managing and maintaining the Data Center and Communications Facilities climate control, fire, and power systems.

4.8.2. Devices or media containing “protected” or “confidential” information must not be sent off-site for repair and/or maintenance.

4.8.3. The standards for the highest classification must be adhered to when the device or media contains multiple types of data.

4.8.4. A chain of custody must be maintained for the destruction of “protected” and “confidential” information.

4.8.5. A Certificate of Destruction is required for third-party destruction of devices or media that contains “protected” and “confidential” information.

4.8.6. Disposal of media and equipment shall be done in accordance with all applicable state and federal environmental disposal laws and regulations.

4.9.2. Whenever feasible, an anti-theft technology solution must be deployed that enables remote locate, remote lock, and remote delete/wipe functionality.

4.9.3. Loss or theft of a mobile device or media must be reported immediately to the Office of Information Security.

NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems

NIST SP 800-88 Guidelines for Media Sanitization

Contact Information: <insert contact information>

Minimize harm and maximize success associated with making changes to information systems or processes.

Ensure that operating system and application code vulnerabilities are addressed through the timely deployment of security patches.

Ensure a company-wide effort to prevent, detect, and contain malicious software.

Minimize the risk of interrupted business operations.

Ensure there is a process in place to periodically review system access in order to confirm that unauthorized access has been prevented effectively.

Extend organizational requirements to service providers.

5.2. Operational Change Control

5.3. Security Patch Management

5.4. Malicious Software (Malware) Protection

5.5. Data Replication

5.6. Email and Email Systems Security

5.7. Security Log Management

5.8. Service Provider Management

5.1.1.1. Information system custodians are responsible for developing and testing the procedures.

5.1.1.2. Information system owners are responsible for authorization and ongoing review.

5.1.2. The Office of Information Security is responsible for the authorization, publication, distribution, and review of information security-related SOPs.

5.1.2.1. Information security custodians are responsible for developing and testing the procedures.

5.2.1.1. Vendor-released operating system, software application and firmware patches, updates and upgrades.

5.2.1.2. Updates and changes to internally developed software applications.

5.2.1.3. Hardware component repair/replacement.

5.2.1.4. Implementations of security patches are exempt from this process as long as they follow the approved patch management process.

5.2.2. The change control process must take into consideration the criticality of the system and the risk associated with the change.

5.2.3. Changes to information systems and processes considered critical to the operation of the company must be subject to pre-production testing.

5.2.4. Changes to information systems and processes considered critical to the operation of the company must have an approved rollback and/or recovery plan.

5.2.5. Changes to information systems and processes considered critical to the operation of the company must be approved by the Change Management Committee. Other changes may be approved by the Director of Information Systems, Chief Technology Officer (CTO), or Chief Information Officer (CIO).

5.2.6. Changes must be communicated to all impacted stakeholders.

5.2.7. In an emergency scenario, changes may be made immediately (business system interruption, failed server, and so on) to the production environment. These changes shall be verbally approved by a Manager supervising the affected area at the time of the change.

5.2.7.1. After the changes are implemented, the change must be documented in writing and submitted to the CTO.

5.3.2. The Office of Information Security is responsible for maintaining a documented patch management process.

5.3.3. The Office of Information Technology is responsible for the deployment of all operating system, application, and device security patches.

5.3.4. Security patches will be reviewed and deployed according to applicability of the security vulnerability and/or identified risk associated with the patch or hot-fix.

5.3.5. Security patches will be tested prior to deployment in the production environment.

5.3.5.1. The CIO and the CTO have authority to waive testing based on the severity and applicability of the identified vulnerability.

5.3.6. Vendors who maintain company systems are required to adhere to the company patch management process.

5.3.7. If a security patch cannot be successfully applied, the COO must be notified. Notification must detail the risk to the organization.

5.4.2. Anti-malware software must be installed on all computer workstations, mobile devices, and servers to prevent, detect, and contain malicious software.

5.4.3. Any system found to be out-of-date with vendor-supplied virus definition and/or detection engines must be documented and remediated immediately or disconnected from the network until it can be updated.

5.4.4. The Office of Human Resources is responsible for developing and implementing malware awareness and incident reporting training.

5.4.5. All malware-related incidents must be reported to the Office of Information Security.

5.4.6. The Office of Information Security is responsible for incident management.

5.5.2. Data contained on replicated or backup media will be protected at the same level of access control as the data on the originating system.

5.5.3. The Office of Information Technology is responsible for the implementation, maintenance, and ongoing monitoring of the replication and backup/restoration strategy.

5.5.4. The process must be documented.

5.5.5. The procedures must be tested on a scheduled basis.

5.5.6. Backup media no longer in rotation for any reason will be physically destroyed so that the data is unreadable by any means.

5.6.2. The Office of Information Security is responsible for creating email security standards including but not limited to attachment and content filtering, encryption, malware inspection, and distributed denial of service (DDoS) mitigation.

5.6.3. External transmission of data classified as “protected” or “confidential” must be encrypted.

5.6.4. Remote access to company email must conform to the corporate remote access standards.

5.6.5. Access to personal web-based email from the corporate network is not allowed.

5.6.6. The Office of Information Technology is responsible for implementing, maintaining, and monitoring appropriate controls.

5.6.7. The Office of Human Resources is responsible for providing email security user training.

5.7.1.1. Exceptions must be approved by the COO.

5.7.2. Access to logs must be restricted to individuals with a need-to-know.

5.7.3. Logs must be retained for a period of 12 months.

5.7.4. Log analysis reports must be retained for 36 months.

5.7.5. The Office of Information Security is responsible for:

5.7.5.1. Developing log management standards, procedures, and guidelines.

5.7.5.2. Prioritizing log management appropriately throughout the organization.

5.7.5.3. Creating and maintain a secure log management infrastructure.

5.7.5.4. Establishing log analysis incident response procedures.

5.7.5.5. Providing proper training for all staff with log management responsibilities.

5.7.6. The Office of Information Technology is responsible for:

5.7.6.1. Managing and monitoring the log management infrastructure.

5.7.6.2. Proactively analyzing log data to identify ongoing activity and signs of impending problems.

5.7.6.3. Providing reports to the Office of Information Security.

5.8.2. The Office of Risk Management is responsible for overseeing the selection, contract negotiations, and management of service providers.

5.8.3. The Office of Risk Management will be responsible for conducting applicable service provider risk assessments.

5.8.4. Due diligence research must be conducted on all service providers. Depending upon risk assessment results, due diligence research may include but is not limited to financial soundness review, internal Information Security Policy and control environment review, and review of any industry standard audit and/or testing of information security-related controls.

5.8.5. Service provider systems are required to meet or exceed internal security requirements. Safeguards must be commensurate with the classification of data and the level of inherent risk.

5.8.6. Contracts and/or agreements with service providers must specifically require them to protect the CIA of all company, customer, and proprietary information that is under their control.

5.8.7. Contracts and/or agreements must include the following:

5.8.7.1. Notification requirements for suspected or actual compromise or system breach.

5.8.7.2. A statement that acknowledges the service provider’s obligation to comply with all applicable state and federal regulations.

5.8.7.3. Provision for periodic security reviews/audits of the service provider environment.

5.8.7.4. Provision requiring service providers to disclose the use of contractors.

5.8.7.5. As applicable, a clause related to the proper destruction of records containing customer or proprietary information when no longer in use or if the relationship is terminated.

5.8.8. To the extent possible and practical, contractual performance will be monitored and/or verified.

5.8.8.1. Oversight is the responsibility of the business process owner.

ISO 27002:2013 Section 13 Communications Security

ISO 27002:2013 Section 15 Supplier Relationships

NIST SP 800-40 Creating a Patch and Vulnerability Management Program

NIST SP 800-83 Guide to Malware Incident Prevention and Handling for Desktops and Laptops

NIST SP 800-45 Guidelines on Electronic Mail Security

NIST SP 800-92 Guide to Computer Security Log Management

NIST SP 800-42 Guideline on Network Security Testing

Contact Information: <insert contact information>

To state the access control authorization principles of the organization.

To ensure that access is granted only to authorized users and processes, and where appropriate, to provide users the minimum access required to perform a given role effectively.

To logically group network assets, resources, and applications for the purpose of applying security controls.

To define the requirements for the secure design, configuration, management, administration, and oversight of border devices.

To assign responsibility and set the requirements for remote access connections to the internal network.

To assign responsibility and set the requirements for teleworking.

To ensure that there is a means to prevent and/or detect attempts to gain access to information resources by unauthorized entities.

6.2. Access Control Authorization

6.3. Network Segmentation

6.4. Border Device Security

6.5. Remote Access

6.6. Teleworking Policy

6.7. User Access Control and Authorization

6.8. Administrative and Privileged Accounts

6.9. Monitoring System Access and Use

6.1.2. Multi-user or shared accounts are allowed only when there is a documented and justified reason that has been approved by the Office of Information Security.

6.1.3. The Office of Information Security is responsible for managing an annual user account audit of network accounts, local application accounts, and web application accounts.

6.1.4. Data classification, regulatory requirements, the impact of unauthorized access, and the likelihood of a threat being exercised must all be considered when deciding upon the level of authentication required. The Office of Information Security will make this determination in conjunction with the information system owner.

6.1.5. Operating systems and applications will at a minimum be configured to require single-factor complex password authentication.

6.1.5.1. Password complexity will be defined in the company password standard.

6.1.5.2. The password standard will be published, distributed, and included in the acceptable use agreement.

6.1.5.3. The inability to technically enforce this standard does not negate the requirement.

6.1.6. Web applications that transmit, store, or process “protected” or “confidential”, information must at a minimum be configured to require single-factor complex password authentication.

6.1.6.1. Passwords and PINs must be unique to the application.

6.1.6.2. Whenever feasible, multi-factor authentication must be implemented.

6.1.6.3. The inability to technically enforce this standard does not negate the requirement.

6.1.7. Exceptions to this policy must be approved by the Office of Information Security

6.1.8. All passwords must be encrypted during transmission and storage. Applications that do not conform to this requirement may not be used.

6.1.9. Any mechanism used for storing passwords must be approved by the Office of Information Security.

6.1.10. If any authentication mechanism has been compromised or is suspected of being compromised, users must immediately contact the Office of Information Security and follow the instructions given.

6.2.2. Access to information and information systems must be limited to personnel and processes with a need-to-know to effectively fulfill their duties.

6.2.3. Access permissions must be based on the minimum required to perform job or program function.

6.2.4. Information and information system owners are responsible for determining access rights and permissions.

6.2.5. The Office of Information Security is responsible for enforcing an authorization process.

6.2.6. Permissions must not be granted until the authorization process is complete.

6.3.2. The Office of Information Security and the Office of Information Technology are jointly responsible for conducting annual Network Segment Risk Assessments. The results of the assessment will be provided to the COO.

6.3.3. Complete documentation of the network topology and architecture will be maintained by the Office of Information Technology including an up-to-date network diagram showing all internal (wired and wireless) connections, external connections, and endpoints, including the Internet.

6.4.2. If any situation renders the Internet-facing border security devices inoperable, Internet service must be disabled.

6.4.3. The Office of Information Technology is responsible for designing, maintaining, and managing border security access control devices.

6.4.3.1. At the discretion of the COO, this function or part of may be outsourced to a Managed Security Service Provider (MSSP).

6.4.3.2. Oversight of internal or MSSP border security device administrators is assigned to the Office of Information Security.

6.4.4. The Office of Information Security is responsible for approving border security access control architecture, configuration, and rule-sets.

6.4.5. The default policy for handling inbound and outbound traffic should be to deny all.

6.4.5.1. The types of network traffic that must always be denied without exception will be documented in the border device security standards.

6.4.5.2. Rule-sets must be as specific and simple as possible. Rule-set documentation will include the business justification for allowed traffic.

6.4.5.3. All configuration and rule-set changes are subject to the organizational change management process.

6.4.5.4. All rule-set modifications must be approved by the Office of Information Security.

6.4.6. All border security access control devices must be physically located in a controlled environment, with access limited to authorized personnel.

6.4.7. To support recovery after failure or natural disaster, the border security device configuration, policy, and rules must be backed up or replicated on a scheduled basis as well as before and after every configuration change.

6.4.8. Border devices must be configured to log successful and failed activity as well as configuration changes.

6.4.8.1. Border device logs must be reviewed daily by the Office of Information Technology or MSSP and an activity report submitted to the Office of Information Security.

6.4.9. Configuration and rule-set reviews must be conducted annually.

6.4.9.1. The review is to be conducted by an external independent entity.

6.4.9.2. Selection of the vendor is the responsibility of the Audit Committee.

6.4.9.3. Testing results are to be submitted to the COO.

6.4.10. External penetration testing must at a minimum be performed semi-annually.

6.4.10.1. The testing is to be conducted by an external independent entity.

6.4.10.2. Selection of the vendor is the responsibility of the Audit Committee.

6.4.10.3. Testing results are to be submitted to the COO.

6.5.2. The Office of Information Technology is responsible for managing and monitoring remote access connection.

6.5.3. Remote access connections must use 128-bit or greater encryption to protect data in transit (that is, VPN, SSL, SSH).

6.5.4. Multifactor authentication must be used for remote access.

6.5.4.1. Whenever technically feasible, one factor shall be “out-of-band.”

6.5.5. Remote equipment must be company-owned and configured in accordance with company workstation security standards.

6.5.6. Business partners and vendors wishing to obtain approval for remote access to computing resources must have access approved by the COO. Their company sponsor is required to provide a valid business reason for the remote access to be authorized.

6.5.7. Employees, business partners, and vendors approved for remote access must be presented with and sign a Remote Access Agreement that acknowledges their responsibilities prior to being granted access.

6.5.8. Remote access devices must be configured to log successful and failed activity as well as configuration changes.

6.5.8.1. Remote access logs must be reviewed daily by the Office of Information Technology or designee and an activity report submitted to the Office of Information Security.

6.5.9. Remote access user lists must be reviewed quarterly by the Office of Human Resources.

6.5.9.1. The result of the review must be reported to both the Office of Information Security and Office of Information Technology.

6.5.10. External penetration testing must at a minimum be performed semi-annually.

6.5.10.1. The testing is to be conducted by an external independent entity.

6.5.10.2. Selection of the vendor is the responsibility of the Audit Committee.

6.5.10.3. Testing results are to be submitted to the COO.

6.6.2. The Office of Human Resources is responsible for notifying the Office of Information Security and Office of Information Technology when a user is granted or denied teleworking privileges.

6.6.3. Teleworking equipment including connectivity devices must be company-owned and configured in accordance with company security standards.

6.6.4. The Office of Information Technology is responsible for managing, maintaining, and monitoring the configuration of and the connection to the teleworking location.

6.6.5. Remote access will be granted in accordance with the Remote Access policy and standards.

6.6.6. The teleworker is responsible for the physical security of the telecommuting location.

6.6.7. Local storage of information classified as “protected” or “confidential” must be authorized by the Office of Information Security.

6.6.8. Monitoring the teleworker is the responsibility of their immediate supervisor.

6.7.2. Access to company information and systems shall only be authorized for workforce personnel with a need-to-know to perform their job function(s).

6.7.3. Access shall be restricted to the minimal amount required to carry out the business requirement of the access.

6.7.4. An authorization process must be maintained. Permissions must not be granted until the authorization process is complete.

6.7.5. Information owners are responsible for annually reviewing and reauthorizing user access permissions to data classified as “protected” or “confidential.”

6.7.6. The Office of Information Security is responsible for managing the review and reauthorization process.

6.7.7. Annual report of completion will be provided to the Audit Committee.

6.8.2. The Office of Information Security is responsible for determining the appropriate use of administrator segregation of duties and dual controls.

6.8.3. Administrative and privileged user accounts will only be used when performing duties requiring administrative or privileged access.

6.8.4. All administrative and privileged account holders will have a second user account for performing any function where administrative or privileged access is not required.

6.8.5. User accounts assigned to contractors, consultants, or service providers who require administrative or privileged access will be enabled according to documented schedule and/or formal request, and disabled at all other times.

6.8.6. Administrative and privileged account activity will be logged daily and reviewed by the Office of Information Security.

6.8.7. Administrative and privileged account assignments will be reviewed quarterly by the Office of Information Security.

6.9.1.1. Successful and failed network authentication.

6.9.1.2. Successful and failed authentication to any application that stores or processes information classified as “protected.”

6.9.1.3. Network and application administrative or privileged account activity.

6.9.2. Exceptions to the above list must be authorized by the COO.

6.9.3. Access logs must be reviewed daily by the Office of Information Technology or designee and an activity report submitted to the Office of Information Security.

NIST SP 800-40 Creating a Patch and Vulnerability Management Program

NIST SP 800-83 Guide to Malware Incident Prevention and Handling for Desktops and Laptops

NIST SP 800-94 Guide to Intrusion Detection and Prevention Systems

NIST SP 800-41 R1 Guidelines on Firewalls and Firewall Policy

NIST SP 800-46 R1 Guide to Enterprise Telework and Remote Access Security

NIST SP 800-77 Guide to IPsec VPNs

NIST SP 800-114 User’s Guide to Securing External Devices for Telework and Remote Access

NIST SP 800-113 Guide to SSL VPNs

NIST SP 880-114 User’s Guide to Securing External Devices for Telework and Remote Access

NIST SP 800-153 Guidelines for Securing Wireless Local Area Networks (WLANs)

Contact Information: <insert contact information>

Define the requirements for the implementation and maintenance of commercial and open source software.

Define code and application development security requirements.

Assign responsibility for key management and cryptographic standards.

7.2. System Implementation and Maintenance

7.3. Application Development

7.4. Key Management

7.1.2. At each phase, security requirements must be evaluated and, as appropriate, security controls tested.

7.1.3. The system owner in conjunction with the Office of Information Security is responsible for defining system security requirements.

7.1.4. The system owner in conjunction with the Office of Information Security is responsible for authorizing production systems prior to implementation.

7.1.5. If necessary, independent experts may be brought in to evaluate the project or any component thereof.

7.2.2. Without exception, alpha, beta, or prerelease applications must not be deployed on production systems.

7.2.3. It is the joint responsibility of the Office of Information Security and the Office of Information Technology to test system implementation and updates prior to deployment in the production environment.

7.2.4. The Office of Information Technology is responsible for budgeting for and maintaining a test environment that is representative of the production environment.

7.2.5. Without exception, data classified as “protected” must not be used in a test environment unless it has been de-identified.

7.2.5.1. It is the responsibility of the Office of Information Security to approve the de-identification schema.

7.3.2. Security requirements must be defined and documented during the application development initiation phase.

7.3.3. Code development will be done in accordance with industry best practices.

7.3.4. Developers will be provided with adequate training, resources, and time.

7.3.5. At the discretion of the system owner and with the approval of the Office of Information Security, third parties may be engaged to design, develop, and test internal applications.

7.3.6. All code developed or customized must be tested and validated during development, prior to release, and whenever a change is implemented.

7.3.7. The Office of Information Security is responsible for certifying the results of testing and accreditation to move to the next phase.

7.4.2. The Office of Information Security will publish cryptographic standards.

7.4.3. The Office of Information Technology is responsible for implementation and operational management of cryptographic technologies.

7.4.4. Without exception, encryption is required whenever “protected” or “confidential” information is transmitted externally. This includes email and files transfer. The encryption mechanism must be NIST approved.

7.4.5. Without exception, all portable media that stores or has the potential to store “protected” or “confidential” information must be encrypted. The encryption mechanism must be NIST approved.

7.4.6. Data at rest must be encrypted regardless of media when required by state and/or federal regulation or contractual agreement.

7.4.7. At all times, passwords and PINs must be stored and transmitted as cipher text.

ISO 27002:2013 Section 10 Information Systems Acquisition, Development, and Maintenance

NIST SP 880-57 Recommendations for Key Management

NIST SP 800-64 Security Considerations in the System Development Lifecycle

NIST SP 800-111 Guide to Storage Encryption Technologies for End Users

Contact Information: <insert contact information>

Classify incidents by severity and assigned response and notification requirements.

Ensure that information security incidents are responded to, managed, and reported in a consistent and effective manner.

Vest authority in those charged with responding to and/or managing an information security incident.

Ensure that evidence is handled in accordance with legal requirements.

Ensure compliance with all applicable laws, regulations, and contractual obligations, timely communications with customers, and internal support for the process.

8.2. Information Security Incident Classification

8.3. Information Security Incident Response Program

8.4. Incident Response Authority

8.5. Evidence Handling and Usage

8.6. Data Breach Reporting and Notification

8.1.2. An information security incident is defined as one or more of the following:

8.1.2.1. Actual or suspected unauthorized access to, compromise of, acquisition of, or modification of protected client or employee data including but not limited to: personal identification numbers, such as social security numbers (SSNs), passport numbers, driver’s license numbers, financial account or credit card information, including account numbers, card numbers, expiration dates, cardholder name, service codes, or healthcare/medical information.

8.1.2.2. Actual or suspected event that has the capacity to disrupt the availability of services provided to our clients.

8.1.2.3. Actual or suspected unauthorized access to, compromise of, acquisition of, or modification of company intellectual property.

8.1.2.4. Actual or suspected event that has the capacity to disrupt the company’s ability to provide internal computing and network services.

8.1.2.5. Actual or suspected event that is in violation of legal or statutory requirements.

8.1.2.6. Actual or suspected event not defined above that warrants incident classification as determined by management.

8.1.3. All employees, contractors, consultants, vendors, and business partners are required to report known or suspected information security incidents.

8.1.4. This policy applies equally to internal and third-party incidents.

8.2.2. Level 1 incidents are defined as those that could cause significant harm to the business, customers, or the public and/or are in violation of corporate law, regulation, or contractual obligation.

8.2.2.1. Level 1 incidents must be responded to immediately upon report.

8.2.2.2. The CEO, the COO, legal counsel, and CISO must be informed of Level 1 incidents.

8.2.3. Level 2 incidents are defined as compromise of or unauthorized access to non-critical systems or information; detection of precursor to a focused attack; believed threat of an imminent attack, or any act that is a potential violation of law, regulation, or contractual obligation.

8.2.3.1. Level 2 incidents must be responded to within 4 hours.

8.2.3.2. The COO, legal counsel and the CISO must be informed of Level 2 incidents.

8.2.4. Level 3 incidents are defined as situations that can be contained and resolved by the information system custodian, data/process owner, or human resources personnel. There is no evidence or suspicion of harm to customer or proprietary information, processes, or services.

8.2.4.1. Level 3 incidents must be responded to within 24 business hours.

8.2.4.2. The Information Security Officer must be informed of Level 3 incidents.

8.3.2. The Office of Information Security is responsible for the establishment and maintenance of an IRP.

8.3.3. The IRP will at a minimum include instructions, procedures, and guidance related to preparation, detection and investigation, initial response, containment, eradication and recovery, notification, closure and post-incident activity, and documentation and evidence handling.

8.3.4. In accordance with the Information Security Incident Personnel Policy, the IRP will further define personnel roles and responsibilities including but not limited to Incident Response Coordinators, Designated Incident Handlers, and Incident Response Team members.

8.3.5. All employees, contractors, consultants, and vendors will receive incident response training appropriate to their role.

8.3.6. The IRP must be annually authorized by the Board of Directors.

8.4.2. All responders must receive training commensurate with their role and responsibilities.

8.4.3. All responders must participate in recurring drills and exercises.

8.4.4. During a security incident, as well as during drills and exercises, incident management and incident response-related duties supersede normal duties.

8.4.5. The COO and/or legal counsel has the authority to notify law enforcement or regulatory officials.

8.4.6. The COO, Board of Directors, and/or legal counsel have the authority to engage outside personnel including but not limited to forensic investigators, experts in related fields such as security, technology, and compliance, and specialized legal counsel.

8.5.1.1. All evidence, logs, and data associated with the incident must be labeled.

8.5.1.2. All evidence, logs, and data associated with the incident should be placed in tamper-resistant containers, grouped together, and put in a limited access location.

8.5.1.3. All evidence handling must be recorded on a Chain of Custody.

8.5.2. Unless otherwise instructed by legal counsel or law enforcement officials, all internal digital evidence should be handled in accordance with the procedures described in the United States Department of Justice, National Institute of Justice, April 2008, “Electronic Crime Scene Investigation: A Guide for First Responders, 2^nd edition.” If not possible, deviations must be noted.

8.5.3. Unless otherwise instructed by legal counsel or law enforcement officials, subsequent internal forensic investigation and analysis should follow United States Department of Justice, National Institute of Justice, April 2004, “Forensic Examination of Digital Evidence; Guide for Law Enforcement” guidelines. If not possible, deviations must be noted.

8.5.4. Executive Management and the Designated Incident Handler have the authority to engage outside expertise for forensic evidence handling investigation and analysis.

8.5.5. Exceptions to this policy can only be authorized by legal counsel.

8.6.2. Executive Management has the authority to engage outside expertise for legal counsel, crisis management, public relations, and communications.

8.6.3. Affected customer and business partners will be notified as quickly as possible of a suspected or known compromise of personal information. The company will provide regular updates as more information becomes known.

8.6.4. Based upon applicable laws, legal counsel in collaboration with the CEO will make the determination regarding the scope and content of customer notification.

8.6.5. Legal counsel and the marketing/PR department will collaborate on all internal and external notifications and communications. All publications must be authorized by Executive Management.

8.6.6. Customer service must staff appropriately to meet the anticipated demand for additional information.

8.6.7. The COO is the official spokesperson for the organization. In his/her absence, legal counsel will function as the official spokesperson.

NIST SP 880-61 Computer Security Incident Handling Guide

NIST SP 800-66 Guide to Integrating Forensic Techniques into Incident Response

Contact Information: <insert contact information>

Require and assign responsibility for an annual business impact assessment (BIA).

Require the organization to have a Business Continuity Plan.

Assign business continuity management responsibilities.

Ensure that the organization is prepared to respond to an emergency situation.

Ensure that the organization can continue to provide essential services during the recovery period.

Ensure that the organization can recover infrastructure, systems, and facilities damaged during a disaster.

Codify testing and maintenance requirements and responsibility.

9.2. Business Impact Assessment (BIA)

9.3. Business Continuity Plan

9.4. Business Continuity Management

9.5. Emergency Response Plan

9.6. Operational Contingency Plan

9.7. Disaster Recovery Plan

9.8. Continuity Testing and Maintenance

9.1.2. The company will designate necessary resources to develop and maintain emergency preparedness and Business Continuity Plans and procedures.

9.2.2. The BIA will identify essential services and processes. Essential is defined as meeting one or more of the following criteria:

9.2.2.1. Required by law, regulation, or contractual obligation.

9.2.2.2. Disruption would be a threat to public safety.

9.2.2.3. Disruption would impact the health and well-being of employees.

9.2.2.4. Disruption would result in irreparable harm to customers or business partners.

9.2.2.5. Disruption would result in significant or unrecoverable financial loss.

9.2.3. For each essential service and/or process, the maximum tolerable downtime (MTD) will be documented. The MTD is the total length of time an essential function or process can be unavailable without causing significant harm to the business.

9.2.4. For each essential service and/or process, supporting infrastructure, devices/information systems and dependencies will be identified.

9.2.5. Recovery time objectives (RTOs) and recovery point objectives (RPOs) for supporting infrastructure and devices/information systems will be documented.

9.2.6. Current capability and capability delta will be identified. Deviations that put the organization at risk must be reported to the Board of Directors.

9.2.7. The COO, the CIO, and the Business Continuity Team are jointly responsible for aligning the BIA outcome with the Business Continuity Plan.

9.4.1.1. The Board must be appraised on a timely basis of any material changes to the business continuity strategy.

9.4.2. The COO or designee is responsible for the development, maintenance, and management of the business continuity strategy and plan.

9.4.3. The Chief Financial Officer will include business continuity expenses in the annual operating budget.

9.4.4. The Office of Information Technology is responsible for designing and supporting resilient systems and for the recovery of information and information systems in a disaster situation.

9.4.5. Senior managers are responsible for defining the operational needs of their departments and for creating and maintaining functional departmental contingency procedures.

9.4.6. The COO will appoint the Business Continuity Team chairperson. The chairperson will appoint members of the Business Continuity Team. The team must include representatives of key functional areas including but not limited to operations, communications, finance, information technology, information security, physical security, and facilities management. Team members are responsible for designating a backup to serve in their absence.

9.4.7. Business Continuity Team responsibilities include active participation in business continuity preparation, response, recovery, and resumption activities. At its discretion, the Business Continuity Team may create sub-teams and assign responsibilities.

9.4.8. The CEO has the authority to declare an emergency, activate the plan, and contact/assemble the Business Continuity Team.

9.4.8.1. In her/his absence, the COO has the authority to declare an emergency, activate the plan, and contact/assemble the Business Continuity Team.

9.4.8.2. In her/his absence, the Chief Financial Officer has the authority to declare an emergency, activate the plan, and contact/assemble the Business Continuity Team.

9.4.8.3. If none of the above listed are available, the Business Continuity Team chair in consultation with the Chairman of the Board of Directors has the authority to declare an emergency, activate the plan, and contact/assemble the Business Continuity Team.

9.4.9. The Business Continuity Team will be the authoritative body during emergency response and recovery periods. Officers and employees will continue to conduct the affairs of the company under the guidance of the team leadership, except in matters, which by statute require specific approval of the Board of Directors, or to conform to any governmental directives.

9.5.2. The objective of the Emergency Response Plan is to protect the health and safety of employees, customers, first responders, and the public at large, minimizing damage to property and the environment and set in motion response, contingency, and recovery operations.

9.5.3. The Emergency Response Plan must at a minimum address organizational alerts and notification, disaster declaration, internal and external communication channels, command and control centers, relocation options, and decision making authority.

9.5.4. Ancillary to the Response Plan are the Occupant Emergency Plan (OEP) and Crisis Communication Plan (CCP). Both plans may be utilized in conjunction with and/or referenced by the Response Plan.

9.5.5. The Office of Human Resources is responsible for maintaining the OEP.

9.5.6. The Office of Communications and Marketing is responsible for maintaining a CCP.

9.5.7. Personnel responsible for response operations must receive appropriate training.

9.5.8. Response plans and procedures must be audited in accordance with the schedule set forth by the Business Continuity Team.

9.5.9. Response procedures must be tested in accordance with the schedule set forth by the Business Continuity Team.

9.6.2. The Operational Contingency Plans must include strategies and procedures for providing essential services as determined by the BIA during the recovery operations.

9.6.3. The amount of procedural detail required should be enough that competent personnel familiar with the service or process could perform the alternate operation.

9.6.4. External system dependencies and relevant contractual agreements must be reflected in the contingency plan.

9.6.5. Personnel responsible for contingency operations must receive appropriate training.

9.6.6. Contingency plans and procedures must be audited in accordance with the schedule set forth by the Business Continuity Team.

9.6.7. Contingency procedures must be tested in accordance with the schedule set forth by the Business Continuity Team.

9.7.2. The Disaster Recovery Plan must include recovery strategies and procedures for systems and facilities as determined by the BIA.

9.7.3. Modifications to the recovery plan must be approved by the COO.

9.7.4. The amount of procedural detail required should be enough that competent personnel familiar with the environment could perform the recovery operation.

9.7.5. External system dependencies and relevant contractual agreements must be reflected in the recovery plan.

9.7.6. Personnel responsible for recovery operations must receive appropriate training.

9.7.7. Recovery plans and procedures must be audited in accordance with the schedule set forth by the Business Continuity Team.

9.7.8. Recovery procedures must be tested in accordance with the schedule set forth by the Business Continuity Team.

9.8.2. The COO or designee is responsible for maintenance of the Business Continuity Plan.

9.8.3. The COO or designee will conduct an annual review of the Business Continuity Plan.

9.8.4. The Business Continuity Team is responsible for publishing an annual testing schedule and managing the test plan.

9.8.4.1. The COO will report the results to the Board of Directors.

9.8.5. Internal audit is tasked with managing and selecting an independent firm to conduct an annual audit of the Business Continuity Plan.

9.8.5.1. The independent audit firm will report the results to the Board of Directors or designated committee.

NIST SP 880-34 Contingency Planning Guide for Information Technology Systems

NIST SP 800-84 Guide to Test, Training and Exercise Programs for Information Technology Plans and Capabilities

Contact Information: <insert contact information>