Company Security Policy
The purpose of this security policy is to ensure
the proper use of data across the network from all employees, contractors, and
limited vendors.
Server
Corporate server access is only granted to
employees and contractors on the administrative team. Backups are performed on a daily basis to a
separate location and transferred to an offsite location as specified by the
administrative manager.
Computers
All corporate computers are to have an approved
encryption software installed to protect the contents of the hard drive. COMPANY employees are responsible for locking
the device whenever away for an extended time period. A password protected timed screen saver must
be configured at all times to ensure it is activated whenever the device has
been inactive for longer than five minutes.
Confidential data
Protection of confidential data which includes
but is not limited to, blueprints, employee records, and client
information. It is the responsibility of
the administrative team to protect confidential data on the corporate
network. The Traps anti-virus software
must be up to date and functioning properly on all devices located on the
corporate network. All devices are
required to have encryption setup on their hard drives. The network administrator is required to
maintain the secured network at all times to ensure the protection of all
confidential data. If new firmware or
software updates are released, they must be applied within a months’ time. In the case of a network breach, it should be
dealt with immediately and all users are to be notified.
If a COMPANY employee transmits any confidential
data, the responsibility is now the COMPANY employees. Ensuring the data is encrypted during
transmission reduces the risk of multiple threats. It is required to have the following software
installed and configured, Traps Anti-Virus, Veracrpyt encryption software, and
a secured network connection. If
confidential data must be transferred from its originally location off the
network, then the COMPANY employee is required to encrypt the documentation
before it can be transferred, sent, or moved.
A COMPANY employee will not allow any unauthorized users to view the
confidential data.
Databases
Maintenance and backups are required on a
regular basis to ensure the integrity of the database. A full backup will be completed on a monthly
basis, while periodic backups are completed on a daily basis. Encryption is required utilizing the Veracrypt
software, once the backup is completed. The
backups are then transferred to an offsite location on a weekly basis, by a
member of the administrative team. Maintenance
is mandatory on a weekly basis and is the responsibility of the administrative
team. Database servers are required to
have anti-virus software installed and functioning constantly.
COMPANY employees with database access are not
allowed to share access or discuss the contents with others. Database utilization must be done in a considerate
manner and any change requests should be delivered to the manager on duty. It is the responsibility of the COMPANY
employee to safely close and exit the database when finished working with it.
Passwords
Password requirements include at least one
capital letter, one number, one special character and should be a minimum of 8
characters long without multiple consecutive characters. Any common dictionary words, name or
username, and birthdates are not allowed.
Passwords must be changed every 90 days and cannot contain previous
passwords. Selecting a password that
meets expectations is required and can be done utilizing phrases such as “What
Would Jesus Do At All Times?”. This phrase
can be broken down into a password like so “WwJdAaT1?”. Password managers may be used if approved by
the information services department manager.
The usage of password generator can be authorized if selecting a
password is too difficult.
Network equipment and
configuration
Physical access to networking equipment is only provided
to the administrative team, specifically the network administrator. Configuration access and changes to
networking equipment is only permitted by the networking team. Regular firmware and software updates should
be applied on a regular basis, within a month of their release. Backups of the networking configuration are
required after any modifications.
Software
The COMPANY software development team is
responsible for maintaining updates, changes, and backups of all software on
the network. Anti-virus software should
be deployed on all devices across the network.
All software servers, including the licensing server are required to
have a static IP and constant traffic monitoring. Administrators are responsible for access to
the servers containing licensed software.
Top-Level administrators are responsible for all custom-made
applications and software.
Update releases will be monitored by COMPANY
employees to ensure they are applied within a timely manner. Testing is required before the updates are
applied to ensure and check their effect on the system. A backup of the software’s current state is
required before and after the update has been applied.
Equipment
It’s the COMPANY employee’s responsibility to
report any damages, issues, theft, or loss of COMPANY equipment. Every device is required to have an inventory
sticker to manage the inventory and acknowledge their existence on the network,
from updates, changes, and tracking. Care
and maintenance is the responsibility of the COMPANY employee’s, if it is out
of the employee’s abilities, it will be reported to the information services
department immediately.
Communication
The information technology system allows smooth
communication, as long as the system is utilized properly. Confidential data must not be shared with
anyone who does not have the appropriate access. The COMPANY employee must gain approval from
their manager to share any data with employees outside of the department which
the data resides. Encryption software is
required when sending emails to other employees and clients.
Remote accessibility
It is the employee’s responsibility for any
actions performed while remotely connected to the COMPANY corporate network. An approved VPN client is required to access
the internal network whenever working offsite.
Recreational use of a device that is connected to the corporate network
is not permitted and the employee is held accountable for any actions
performed.
