The objective of the Information Security Training is to ensure that all customer information entrusted to us is protected in a manner consistent with industry best practices.
Intended Audience: All Employees and Contractors.
Training Requirements
- All new employees and contractors are required to review the following guide with their immediate supervisor within 5 business days of start date.
- If this guide is updated, you will receive an email requiring that you review all updates to this guide.
- You will receive an annual email that requires you to review this guide.
Personal Responsibilities
- You are responsible for your use of confidential information.
- You must not in any way divulge, copy, release, sell, loan, review, alter or destroy any information except as properly authorized within the scope of your professional activities.
- You must take appropriate measures to protect confidential information wherever it is located:
  - in physical documents
  - stored on computer media
  - communicated over voice or data networks
  - exchanged in conversation
- You must safeguard any physical key, ID card or computer/network account that allows you to access confidential information. This includes creating computer passwords that are difficult to guess.
- You must render unusable confidential information held on any physical document or computer storage medium (e.g., diskette, CD, magnetic tape, hard disk) that is being discarded. Please consult with IT personnel if you need assistance.
- You must report any activities that you suspect may compromise confidential information to your immediate supervisor.
Acceptable Use
All confidential data shall only be used in an appropriate manner. Confidential data shall not be:
- Shared between customers
- Shared with other employees and contractors who do not need access to the data
- Used for any purpose outside of your job responsibilities
Guidelines
- Keep a “clean desk” – do not leave documents containing confidential information on your desk.
- When using email to transmit confidential documents, encrypt and password protect the documents before sending.
- When posting confidential documents to shared folders, encrypt and password protect the documents before posting.
- Avoid transmitting passwords by email. Do not use Instant Messaging software to communicate passwords. Voice communication is the best method for communicating passwords.
- If the receiver is not known to you, confirm their identity prior to communicating credentials.
- If not prompted automatically, make sure to change passwords on a regular basis (every 90 days is recommended).
- Make sure to lock your desktop and laptop computer when you leave it unattended.
- Avoid downloading confidential data to personal equipment.
- Portable computing devices containing confidential information should be physically secured as you would secure your wallet.
- If using company equipment outside of the corporate network, make sure to work with your IT person to enable software firewall services. This helps to secure your computer when working from a remote location.
- When printing, faxing or scanning confidential information, the print/fax/scan device (e.g., dedicated or multi-function) should be actively monitored by the user, sender or receiver to ensure the information is properly protected.
- Confidential documents should be stored in locked file cabinets in offices that are locked when not in use.
- Shredders are available in all offices. Make sure to shred confidential documents/information when no longer needed. If a shredder is not available, please inform your local IT person.
Mobile Computing
In addition to the guidelines above:
- Make sure that your mobile device is locked when not in use.
- Make sure that the latest security updates are applied in a timely manner.
Teleworking
In addition to the guidelines above:
- Only approved equipment shall be used for teleworking (i.e., equipment approved by IT).
- Equipment must adhere to standard guidelines (e.g., virus scanning, password protection, etc.).
- VPN (or other secure networking technologies) must be used at all times to perform work functions.
Risk Management
It is your responsibility to report security risks to your immediate supervisor.
Password Management
Password policies are enforced through technical means where possible; however, it is still your responsibility to manage your password properly.
If an employee or contractor has any suspicion that any unauthorized person has the ability to access or has accessed a restricted system, they should immediately notify their immediate supervisor.
Use the following guidelines when creating passwords:
- Minimum password length should be 8 characters.
- Mix use of uppercase and lowercase letters.
- Use 1 or more numeric digits.
- Consider using 1 or more special characters.
- Passwords should not be based on a dictionary word in any language.
- Passwords should not include dates.
- Passwords should not be based on user’s name or login ID.
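The guidelines above can be checked mechanically at password-change time. The following is an added example, not part of the original guide: a small validator that applies each rule listed, using a constructed stand-in word list in place of a real multi-language dictionary and simple regular expressions to spot date-like strings (both are assumptions of the example).

```python
import re

# Constructed stand-in for a real multi-language dictionary (assumption, not the guide's list).
DICTIONARY = {"password", "welcome", "summer", "company", "secret", "bonjour", "hallo"}

# Heuristic date shapes: a 19xx/20xx year, dd/mm/yyyy-style, or dd-mm-yy-style.
# A 4-digit run such as 2051 is also flagged; that is an accepted false positive.
DATE_PATTERNS = [
    re.compile(r"(19|20)\d{2}"),
    re.compile(r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}"),
]


def check_password(password: str, login_id: str, full_name: str):
    """Check a candidate password against the guidelines above.

    Returns (violations, advice). Both lists empty means the password passes
    every hard rule; 'advice' carries the optional special-character recommendation.
    """
    violations, advice = [], []
    lowered = password.lower()

    if len(password) < 8:
        violations.append("shorter than 8 characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        violations.append("does not mix uppercase and lowercase letters")
    if not any(c.isdigit() for c in password):
        violations.append("contains no numeric digit")
    if not any(not c.isalnum() for c in password):
        advice.append("consider using one or more special characters")

    # Dictionary rule: strip digits/symbols so 'Summer2023!' still reveals 'summer'.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if any(word in letters_only for word in DICTIONARY):
        violations.append("based on a dictionary word")

    if any(p.search(password) for p in DATE_PATTERNS):
        violations.append("includes a date")

    # Name/login rule: reject the login ID and any name part of 3 or more letters.
    name_parts = [part.lower() for part in full_name.split() if len(part) >= 3]
    if login_id.lower() in lowered or any(part in lowered for part in name_parts):
        violations.append("based on the user's name or login ID")

    return violations, advice
```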
Customer Data Management
- Access Control
  - A small group of designated employees and contractors are given access to customer data on an as-needed basis.
  - Background checks are required for all employees and contractors that may at any time access customer data. Please notify your supervisor if you have not had a background check BEFORE accessing customer data.
  - If your job function no longer requires you to have access to a system containing customer data, it is your responsibility to notify your supervisor.
- Customer Access
  - The customer is solely responsible for granting/revoking access to their employees/agents.
  - The customer is responsible for making sure appropriate controls are in place for granting access privileges to their employees and contractors.