Information Security Policy

Purpose and Scope

The purpose of this policy is to provide a security framework that will ensure the protection of client information from unauthorized access, loss or damage while supporting the open, information-sharing needs of our organization. Client information may be verbal, digital, and/or hard copy, individually-controlled or shared, stand-alone or networked, used for administration, research, teaching, or other purposes.

It is the policy of Pulley that all information contained on the network or on computers attached to its network is strictly confidential. Confidential information, as outlined in the Pulley Information Asset Classification Policy, is not to be used or given to anyone, whether inside or outside Pulley, unless there is an authorized business purpose and/or a legitimate need to know. It is the responsibility of each person to honor this confidentiality and to report actual or suspected violations to the appropriate authorities at Pulley. Any violation of confidentiality or unauthorized access will be investigated, and disciplinary action, including termination, may result.

Audience

This Information Security Policy applies to all Pulley faculty and staff acting on behalf of Pulley. This policy also applies to all other individuals and entities granted use of client information, including, but not limited to, contractors, temporary employees, third-party vendors, and volunteers.

Objectives

The goal of this Information Security Policy is to set a series of standards and guidelines for the access, control, and responsibility of data, as well as practices to maintain its security and integrity. The following sections outline the policies, classifications, responsibilities, and duties regarding proper risk management and awareness of the level of security that Pulley deems acceptable.

Authority and Access Control Policy

Information Security Officer

The Information Security Officer (ISO) for each entity is responsible for working with user management, owners, custodians, and users to develop and implement prudent security policies, procedures, and controls, subject to the approval of Pulley. Specific responsibilities include:

  • Ensuring security policies, procedures, and standards are in place and adhered to by the entity.

  • Providing basic security support for all systems and users.

  • Advising owners in the identification and classification of computer resources. See Data Classification.

  • Advising systems development and application owners in the implementation of security controls for information on systems, from the point of system design, through testing and production implementation.

  • Educating information owners and users with comprehensive information about security controls affecting system users and application systems.

  • Providing on-going employee security education.

  • Performing security audits.

  • Reporting regularly to the Pulley Board of Directors on the entity’s status with regard to information security.

Information Owner

The owner of a collection of information is usually the representative responsible for the creation of that information or the primary user of that information. This role often corresponds with the management of an organizational unit. In this context, ownership does not signify proprietary interest, and ownership may be shared. The owner may delegate ownership responsibilities to another individual by completing the Pulley Information Owner Delegation Form. The owner of information has the responsibility for:

  • Knowing the information for which she/he is responsible.

  • Determining a data retention period for the information, relying on advice from the Legal Department.

  • Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created within the unit.

  • Authorizing access and assigning custodianship.

  • Specifying controls and communicating the control requirements to the users of the information.

  • Reporting promptly to the ISO the loss or misuse of Pulley's information.

  • Initiating corrective actions when problems are identified.

  • Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate.

  • Following existing approval processes within the respective organizational unit for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.

Information User

The user is any person who has been authorized to read, enter, or update information. A user of information is expected to:

  • Access information only in support of their authorized job responsibilities.

  • Comply with Information Security Policies and Standards and with all controls established by the owner and ISO.

  • Keep personal authentication devices (e.g. passwords, SecureCards, PINs) confidential.

  • Report promptly to the ISO the loss or misuse of Pulley's information.

  • Initiate corrective actions when problems are identified.

Data Classification

The definitions for data classifications are represented in the Pulley Information Asset Classification Policy document. A summary of the labeling is: PUBLIC, INTERNAL USE ONLY, CONFIDENTIAL, HIGHLY RESTRICTED.

Data Integrity & Operational Security Standards

Password Management

Passwords

Passwords are the entry point to our resources. Protecting access to our computer resources is pivotal in ensuring that our systems and the confidential information of our clients remain secure. While we have not been exploited, nor do we expect to be, we must be diligent in guarding access to our resources and protecting them from threats both inside and outside our organization.

Password Handling

Passwords for all systems, applications, and client sites are subject to the following rules:

  • No passwords are to be spoken, written, emailed, hinted at, shared or in any way known to anyone other than the parties directly involved. This includes supervisors and personal assistants.

  • Passwords are not to be displayed or concealed in your workspace.

Password Composition

  • Passwords should be rotated, and changed every 30/60 days.

  • Account lockout should be set to a maximum of 5 tries. The account should reset after 60 minutes. If a user forgets their password they should reach out to an administrator.

  • Passwords may not contain:

    • All or part of the user’s/client’s account name

    • First name, middle name, or last name

    • Company name

    • Any portion of your social security number

    • Any portion of your address

    • Any portion of your date of birth

    • Nickname

    • Any item that could easily be guessed by someone who is familiar with you

  • Password is at least eight characters long

  • Password contains characters from three of the following four categories:

    • English uppercase characters (A to Z)

    • English lowercase characters (a to z)

    • Base 10 digits (0 to 9)

    • Non-alphanumeric characters (e.g. !, $, #, %)

Administrative Passwords

Administrative passwords are subject to stringent composition, frequent change, and limited access. This includes passwords for access to any digital cloud server, hosting environment, CRM tool, or any other IT resource.

Passwords for Administrative Resources must meet the following criteria:

  • Password is at least 10 characters long

  • Password contains at least three non-alphanumeric characters

  • Password contains at least two numbers
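The following Python validator is an added example, not part of this policy, that turns the Password Composition rules and the stricter Administrative Passwords criteria above into a single check and serves both lists. The fragment length of three and treating every known personal value (names, nickname, company name, account name) under the same "all or part" test are assumptions, since the policy does not fix a fragment length.

```python
import re

# Character categories from the Password Composition section: a standard
# password must draw from at least three of the four.
CATEGORIES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "non_alphanumeric": re.compile(r"[^A-Za-z0-9]"),
}

# Assumption: a "part" of a forbidden value means any run of at least this many characters.
FRAGMENT_LEN = 3


def forbidden_fragments(known_values):
    """Lower-cased whole values plus every FRAGMENT_LEN-character slice of them."""
    fragments = set()
    for value in known_values:
        if not value:
            continue
        fragments.add(value.lower())
        for i in range(len(value) - FRAGMENT_LEN + 1):
            fragments.add(value[i:i + FRAGMENT_LEN].lower())
    return fragments


def check_password(password, known_values):
    """Return the standard-password rules the candidate violates (empty list = compliant).

    known_values: account name, first/middle/last name, nickname, company name, etc.
    """
    violations = []
    if len(password) < 8:
        violations.append("shorter than eight characters")
    present = [name for name, rx in CATEGORIES.items() if rx.search(password)]
    if len(present) < 3:
        violations.append("fewer than three character categories")
    lowered = password.lower()
    for fragment in sorted(forbidden_fragments(known_values)):
        if fragment in lowered:
            violations.append(f"contains forbidden fragment {fragment!r}")
            break
    return violations


def check_admin_password(password, known_values):
    """Administrative passwords must meet the standard rules plus the stricter criteria."""
    violations = check_password(password, known_values)
    if len(password) < 10:
        violations.append("shorter than ten characters")
    if len(CATEGORIES["non_alphanumeric"].findall(password)) < 3:
        violations.append("fewer than three non-alphanumeric characters")
    if len(CATEGORIES["digit"].findall(password)) < 2:
        violations.append("fewer than two digits")
    return violations
```

Run it at account-provisioning time or in a self-service reset flow; the returned list is suitable for showing the user exactly which rule failed without revealing the rejected password in logs.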

Email Use

Inappropriate use of company email

Our employees and contractors represent our company whenever they use their company email address. They must not:

  • Sign up for illegal, unreliable, disreputable or suspect websites and services.

  • Send unauthorized marketing content or solicitation emails.

  • Register for a competitor’s services unless authorized.

  • Send insulting or discriminatory messages and content.

  • Intentionally spam other people’s emails, including their coworkers.

Our company has the right to monitor and archive corporate emails.

Appropriate use of corporate email

Employees are allowed to use their company email for work-related purposes without limitations. For example, employees can use their email to:

  • Communicate with current or prospective customers and partners.

  • Log in to purchased software they have legitimate access to.

  • Give their email address to people they meet at conferences, career fairs or other corporate events for business purposes.

  • Sign up for newsletters, platforms and other online services that will help them with their jobs or professional growth.

Personal use

Employees are allowed to use their company email for some personal reasons. For example, employees can use their corporate email to:

  • Register for classes or meetups.

  • Send emails to friends and family as long as they don’t spam or disclose confidential information.

  • Download ebooks, guides and other content for their personal use as long as it is safe and appropriate.

Employees must adhere to this policy at all times.

Encryption Policy

Cryptographic Controls: this section covers the use of cryptography to encrypt sensitive data.

Cryptographic controls must be utilized for sensitive information classified by our company as CONFIDENTIAL or HIGHLY RESTRICTED including, but not limited to: Personally Identifiable Information (PII), Protected Health Information (PHI), credit card numbers, passwords, intellectual property, budget or contract proposals, legal correspondence and research and development information. All encryption mechanisms utilized by our company must be authorized by the appropriate authority.

Network Encryption

All sensitive information classified by our company as CONFIDENTIAL or HIGHLY RESTRICTED including, but not limited to, PII, PHI, credit card numbers, passwords, and research and development information, must be encrypted when transmitted outside of our company. This includes transmission of information via email or other communication channels. Remote management activities for our company, such as contractors accessing our network remotely, must consistently employ session encryption.

Clean Desk

Clean desk is defined in this policy as having all CONFIDENTIAL and HIGHLY RESTRICTED documentation or information locked in a secure environment whenever the user is not using that information or leaves their workstation. No CONFIDENTIAL or HIGHLY RESTRICTED information may be left in public view at any time while the user is not physically present or in control of the information.

This policy exists to reduce the likelihood that anyone can gain access to CONFIDENTIAL and HIGHLY RESTRICTED information or to the information of our clients.

Transfer of Electronic Data

Transferring, downloading, or uploading electronic data between systems or users is strictly controlled and must follow security protocol. When transferring, the data in question must be encrypted with either a password or a secure token passed only between the two parties. For example, sending login credentials from an Information Owner to an Information User should use a one-time secret tool such as One Time Secret to generate a token for authenticating receipt of the credentials.

Contingency

Controls ensure that Pulley can recover from any damage to computer equipment or files within a reasonable period of time. Each entity is required to develop and maintain a plan for responding to a system emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages systems that contain Highly Restricted, Confidential, or Internal Information. This will include developing policies and procedures to address the following:

Data Backup Plan

  • A data backup plan is documented and routinely updated to create and maintain, for a specific period of time, retrievable exact copies of information.

  • Backup data is stored in an off-site location and protected from physical damage.

  • Backup data is afforded the same level of protection as the original data.

Awareness and Behavior

Data Responsibilities

All Pulley staff, regardless of role, acknowledge the responsibilities outlined in this document. Each staff member has thoroughly read this document and understands all definitions, contingencies, and procedures required to maintain data integrity.

Oral Communication Awareness

Pulley staff should be aware of their surroundings when discussing Highly Restricted and Confidential Information. This includes the use of cellular telephones in public areas. Pulley staff should not discuss Highly Restricted or Confidential Information in public areas if the information can be overheard. Caution should be used when conducting conversations in: semi-private rooms, waiting rooms, corridors, elevators, stairwells, cafeterias, restaurants, or on public transportation.

Evaluation

Pulley performs periodic technical and non-technical evaluations in response to environmental or operational changes affecting the security of electronic information, to ensure its continued protection.

Duties and Personnel

Information Security Officer

Dillon Lomnitzer - [email protected]