Donald E. Hester

Security Policy, Academic

Security Policy, written for American Military University, Criminal Justice Department


Company ABC Security Policy


Scope[1]

Timely and accurate information is an integral part of business at Company ABC. The company has made a substantial investment in physical, human, and financial resources to manage the profitability and ongoing business operations. The purpose of this policy is to outline the minimum safeguards of Company ABC to protect company investments and the privacy of client information. This includes general administrative, technical, and physical safeguards.


The enclosed policies and directives have been established in order to:

· Protect Company investments.

· Safeguard the company’s information.

· Reduce business and legal risk.

· Protect the good name of the company.

· Maintain Quality Control.


Roles and Responsibilities[2]


Chief Security Officer / Privacy Officer

The board of directors shall appoint a Security Officer who shall be responsible for all security within the company. The duties specified herein shall be included in his/her job description and duties. The CSO shall create and enforce this security policy, conduct an annual review and update this policy as needed.[3]


The CSO shall work with all divisions within the company to develop a security program and assess the current security. The assessment will use available and proven security best practices in order to assess the company’s current security. The CSO shall implement controls as needed to maintain security throughout Company ABC.


Human Resources Manager

The human resources department will be responsible for publishing this policy and making it available to employees. The human resources manager must also notify employees of the policy and of any subsequent changes to it.


The human resources manager shall be responsible for conducting pre-employment screening for each applicant for employment. Screening will be conducted by an outside vendor and should consist of a criminal background check and a credit check.[4] A consent form should be signed by the applicant before the check is conducted.[5] The criminal background check should only include criminal convictions.[6] Once employees are hired, the Human Resources department shall ensure that all employees attend security awareness training twice a year.[7]


Assurance Manager

The Assurance Department[8] is responsible for the administration of this policy. The Assurance Manager shall develop and maintain written standards and procedures necessary to ensure implementation of and compliance with these policy directives. The Assurance Manager shall provide appropriate support and guidance to assist employees to fulfill their responsibilities under this directive. The Assurance Department shall respond to all security incidents, document each incident and report the findings to the CSO. The Assurance Manager shall act as a liaison and point of contact for all security questions and comments for employees, vendors and clients.[9]


All Managers and Supervisors shall ensure that all appropriate personnel are aware of and comply with this policy. They shall create appropriate performance standards, control practices, and procedures designed to provide reasonable assurance that all employees observe this policy.


All employees, contractors and consultants shall adhere to this policy at all times. If any section is unclear, contact your supervisor or Assurance manager for clarification. All employees, contractors and consultants shall use good judgment and act ethically and legally at all times.


Personnel Security

Information Security Awareness Training and Support

All employees, contractors and consultants shall undergo security awareness training[10] that explains this security policy and any procedures for information handling prior to being allowed access to the building, and biannually thereafter.


Monitoring and Privacy

Electronic communications sent through the company’s information systems are the property of Company ABC and exist to assist in carrying out business. The company treats all electronic communications sent, received or stored as business messages, including those for personal use. Users shall have no expectation of privacy with respect to any electronic message. While the company will not do so routinely, it reserves the right to monitor, access, review, copy, store, or delete any electronic communications, including personal messages, from the system for any purpose and to disclose them to others, as deemed appropriate.[11] Personal use messages, if found during the course of normal work, will not be viewed, read, opened,[12] or disclosed to any person other than the intended recipient.[13]


Violations

Violations may result in disciplinary action in accordance with company policy. Failure to observe these guidelines may result in disciplinary action by the company depending upon the type and severity of the violation, whether it causes any liability or loss to the company, and/or the presence of any repeated violation(s).



Information Security


Information Classification[14]

1. “Trade Secret” and “Intellectual Property” includes, but is not limited to, all work produced in the line of work for Company ABC. This includes all work papers, programs, code, software, processes and published works.[15]

2. “Confidential Information” includes, but is not limited to: client information (i.e. client financial data),[16] personnel information (Payroll, and Personnel files), and Company ABC financial records.

3. “General Internal Information” is non-sensitive internal information such as blank forms, company memos and policies.

4. “Public Information” is any information that can be disclosed to the public and includes such information as our external website.

Information Handling

1. Backups

a. Shall be done on a routine basis.

2. Disclosure

a. Information shall only be disclosed to appropriate parties.

b. Disclosure to third parties should only be done with express written consent from the client or customer. Written consent should be stored with client correspondence information.[17]

3. Archive and storage

a. Archive backups shall be stored offsite in a secure location.

b. Files that are not current but must be retained for legal reasons will be stored offsite in a secure location.

c. Files and electronic data that have passed their retention period should be disposed of properly.

d. Electronic files should be stored in PDF format.[18]

4. Transportation

a. Confidential information should never be emailed unencrypted over the internet.[19]

b. Confidential information should not be stored on laptops.

c. Physical control will be maintained while information, such as files and laptops, is being transported from one location to another.

d. Do not print client Social Security Numbers on documents or correspondence mailed to individuals.[20]

5. Retention

a. Records, files and electronic data shall be retained for a 5 year period and promptly disposed of after that period has elapsed.

b. Exclusions

i. In the event of legal litigation or subpoena, those records will be turned over to comply with legal requests, by direction of the CEO.

ii. Records for a client involved in litigation will be kept for an indefinite period of time.

c. Employees shall not keep any trade secret, intellectual property, client list or client information after engagements are completed and after termination or voluntary leave.

6. Disposal

a. Hard disks and media should be degaussed and destroyed before disposal.[21]

b. Files and paperwork with confidential information on them, such as client financial data,[22] shall be shredded and destroyed for disposal.

Copyrights

Employees are not permitted to copy, transfer, rename, add, or delete information or programs belonging to others unless they have been given express written permission to do so by the owner. Failure to observe copyright or license agreements may result in disciplinary action by the company and/or legal action by the copyright owner.[23]


Client Disclosures

A disclosure[24] should contain a paragraph stating that Company ABC keeps records related to the engagement but does not disclose any client information to anyone without permission. This paragraph shall be included in client engagement letters or as an attachment to client billings. Additional disclosures will be made with respect to software providers or other services used by the Company ABC, with respect to safeguarding of records. Any vendors or third party companies that have access to client information shall sign a Chain of Trust agreement.[25]


Security Officers

It is company policy to protect company property including, but not limited to, inventory, tools, equipment, files, electronic files, computer hardware, software, data, and documentation from misuse, theft, unauthorized access, and environmental hazards. This section will cover company policy as it pertains to Security officers. For more information on asset and physical security, see company policy “Inventory and Equipment Policy” and “Grounds and Building Security”.


Security officers (uniformed guards) employed or contracted by Company ABC will be certified and attend training regularly. Security officers who are certified to carry a loaded weapon will be allowed to carry unconcealed loaded weapons on company property only.[26] Security officers will limit enforcement of this and all other policies to company property. Protestors or picketers on adjacent public property shall not be engaged. If such protestors or picketers are not peaceful, the local police department shall be called to deal with them.


Security officers may arrest a person who commits or attempts to commit an offense in the officer’s presence, if the officer knows that the person in question has committed a felony outside the officer’s presence, or if the officer reasonably believes that a felony has in fact been committed.[27] Arrests for misdemeanors shall not be conducted between 10 pm and 6 am.[28] After the arrest has been made, the officer shall take the person to the local police department or call the police department to have the person turned over to police custody.[29] All arrested persons should be asked to sign the “Release of a False Arrest” form. The signing should be witnessed by two parties and include a check for $500.[30]


The security officer shall use only reasonable force to make an arrest. Deadly force may be used only when it is necessary to prevent a person from killing or causing great bodily harm to the officer or another person.[31] If protestors are on company property, they may be removed with reasonable force.[32]


If security officers detain a person, it shall be done on the premises.[33] The security officer should have probable cause that the person may have stolen property of Company ABC. The detention will be for a reasonable amount of time.[34]


If a security officer intends to conduct a search, he/she should first make every effort to obtain the consent of the person in question. If possible, it is preferable to have such consent in writing and signed by the person. The human resources department should have signed pre-employment and post-employment consent forms on file.[35] Security officers may perform a carefully limited search or frisk to determine whether or not the person has a weapon.[36] Any contraband items or stolen company property in plain view may be confiscated. Lockers, locked desks, lunch pails, or other exclusive private areas will not be searched. All confiscated items shall be placed in appropriate containers and labeled with identifying information; latex gloves should be used when possible, and the chain of custody shall be preserved.[37]


Security officers conducting an investigation shall perform it discreetly, without the threat of force or the holding of a person’s belongings.[38] Written and electronic confessions should be signed, and a formal report should be filed by the officer.[39]


Questions regarding this policy and its application may be directed to the Assurance Manager.


I acknowledge that I have read and understand this policy and agree to be bound by and to abide by it. I further understand that violations of this policy may result in disciplinary action, including termination.


Bibliography

American Hospital Association, “HIPAA Checklist for Compliance”. Chicago: American Hospital Association, 2003.

Barman, Scott, Writing Information Security Policies. San Francisco: New Riders, 2002.

Corby, Michael J., CISSP CCP, "Security is all about business, not technology" [Online article]. New York: Auerbach Publications, 2002. Available at http://www.techrepublic.com/article_guest.jhtml?id=r00520020416ern01.htm&fromtm=e101-7

Fraser, Ed. "Site Security Handbook" RFC 2196. Internet Engineering Task Force, 1997.

Inbau, Fred E., Farber, Bernard J., & Arnold, David W., Protective Security Law, Second Edition. Boston, Butterworth-Heinemann, 1996.

ISO (the International Organization for Standardization), “Information Technology - Code of practice for Information Security Management” ISO/IEC 17799:2000(E). Geneva: ISO (the International Organization for Standardization), 2000.

NIST, “An Introduction to Computer Security, The NIST Handbook” NIST SP 800-12. Washington DC: National Institute of Standards and Technology, 1995.

Ortmeier, P. J., Security Management: An Introduction. New Jersey: Pearson Education Ltd., 2002.

Oz, Effy, Management of Information Systems 3rd Edition. Boston: Course Technology, 2002.

Ozier, Will, Chair GASSP Committee, “GASSP: Generally Accepted System Security Practices” Version 2. I2SF (International Information Security Foundation), 1999.

Pabrai, Uday O. Ali, Getting Started with HIPAA. Boston: Premier Press, 2003.

PrivacyLaw.net, “The right corporate policy e-mail and internet use” [Online Article]. Available at http://www.privacylaw.net, accessed January 14, 2003.

Samuelson, Pamela, “Copyright law and electronic compilations of data” [Report online]. Available online at http://www.eff.org/IP/ip_and_electronic_data.paper, accessed 5-21-03.

Swanson, Marianne & Guttman, Barbara, “Generally Accepted Principles and Practices for Securing Information Technology Systems” NIST SP 800-14. Washington DC: National Institute of Standards and Technology, 1996.

Tipton, Harold F. & Krause, Micki, Information Security Management Handbook 2003 Edition [CD-ROM]. New York: Auerbach Publications, 2003.

Tittel, Ed, “Seven secrets to successful employee involvement in security policies”. TechTarget, 20 Dec 2002. [Online Article] Available at http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci870942,00.html

U.S. Public Law 104-191, Health Insurance Portability and Accountability Act of 1996 (HIPAA)

U.S. Public Law 106-102, the Financial Services Modernization Act commonly known as the Gramm-Leach-Bliley Act (GLBA).

Whitman, Michael E. and Mattord, Herbert J., Principles of Information Security. Boston: Course Technology, 2002.


Footnotes

[1] ISO (the International Organization for Standardization), “Information Technology - Code of practice for information security management” ISO/IEC 17799:2000(E) § 3.1.1 (Geneva: ISO (the International Organization for Standardization), 2000), p. 1

[2] American Hospital Association, “HIPAA Checklist for Compliance” (Chicago, American Hospital Association, 2003)

[3] ISO (the International Organization for Standardization), “Information Technology - Code of practice for information security management” ISO/IEC 17799:2000(E) § 3.1.2 (Geneva: ISO (the International Organization for Standardization), 2000), p. 2

[4] P. J. Ortmeier, Security Management: An Introduction (New Jersey, Pearson Education Ltd., 2002), p. 131

[5] Fred E. Inbau, Bernard J. Farber and David W. Arnold, Protective Security Law, Second Edition (Boston, Butterworth-Heinemann, 1996) pg. 123

[6] California Labor Code § 432.7 (1992)

[7] U.S. Public Law 104-191, Health Insurance Portability and Accountability Act of 1996; U.S. Public Law 106-102, the Financial Services Modernization Act commonly known as the Gramm-Leach-Bliley Act

[8] Scott Barman, Writing Information Security Policies. (San Francisco, New Riders, 2002) pg. 31

[9] U.S. Public Law 104-191, Health Insurance Portability and Accountability Act of 1996; U.S. Public Law 106-102, the Financial Services Modernization Act commonly known as the Gramm-Leach-Bliley Act

[10] Marianne Swanson and Barbara Guttman, “Generally Accepted Principles and Practices for Securing Information Technology Systems” SP 800-14 (Washington DC, National Institute of Standards and Technology, 1996); Scott Barman, Writing Information Security Policies. (San Francisco, New Riders, 2002) pg. 31

[11] PrivacyLaw.net “The right corporate policy e-mail and internet use” [Online Article] available at http://www.privacylaw.net accessed January 14, 2003

[12] California Penal Code § 637.1 (1994)

[13] California Penal Code § 637 (1994)

[14] ISO (the International Organization for Standardization), “Information Technology - Code of practice for information security management” ISO/IEC 17799:2000(E) § 5.2 (Geneva: ISO (the International Organization for Standardization), 2000), p. 9

[15] Pamela Samuelson, “Copyright law and electronic compilations of data” [Report online]. Available online at http://www.eff.org/IP/ip_and_electronic_data.paper Accessed 5-21-03

[16] Internal Revenue Code § 6103

[17] U.S. Public Law 106-102, the Financial Services Modernization Act commonly known as the Gramm-Leach-Bliley Act

[18] Meets IRS Revenue Procedure 97-22 for storage in a retrievable format.

[19] ISO (the International Organization for Standardization), “Information Technology - Code of practice for information security management” ISO/IEC 17799:2000(E) § 8.7.4 (Geneva: ISO (the International Organization for Standardization), 2000), p. 30

[20] California Civil Code § 1798.85

[21] ISO (the International Organization for Standardization), “Information Technology - Code of practice for information security management” ISO/IEC 17799:2000(E) § 8.6.2 (Geneva: ISO (the International Organization for Standardization), 2000), p. 29

[22] U.S. Public Law 106-102, the Financial Services Modernization Act commonly known as the Gramm-Leach-Bliley Act

[23] U.S.C. Title 17 Copyrights, Available online at http://www4.law.cornell.edu/uscode/17 ; Scott Barman, Writing Information Security Policies. (San Francisco, New Riders, 2002) pg. 31

[24] U.S. Public Law 106-102, the Financial Services Modernization Act commonly known as the Gramm-Leach-Bliley Act

[25] U.S. Public Law 104-191, Health Insurance Portability and Accountability Act of 1996

[26] California Penal Code § 12031

[27] California Penal Code § 837

[28] California Penal Code § 840

[29] California Penal Code § 847

[30] Fred E. Inbau, Bernard J. Farber and David W. Arnold, Protective Security Law, Second Edition (Boston, Butterworth-Heinemann, 1996) pg. 160

[31] Fred E. Inbau, Bernard J. Farber and David W. Arnold, Protective Security Law, Second Edition (Boston, Butterworth-Heinemann, 1996) pg. 26-27

[32] Fred E. Inbau, Bernard J. Farber and David W. Arnold, Protective Security Law, Second Edition (Boston, Butterworth-Heinemann, 1996) pg. 112

[33] Fred E. Inbau, Bernard J. Farber and David W. Arnold, Protective Security Law, Second Edition (Boston, Butterworth-Heinemann, 1996) pg. 61

[34] California Penal Code § 490.5

[35] Fred E. Inbau, Bernard J. Farber and David W. Arnold, Protective Security Law, Second Edition (Boston, Butterworth-Heinemann, 1996) pg. 46

[36] Fred E. Inbau, Bernard J. Farber and David W. Arnold, Protective Security Law, Second Edition (Boston, Butterworth-Heinemann, 1996) pg. 48

[37] P. J. Ortmeier, Security Management: An Introduction (New Jersey, Pearson Education Ltd., 2002), p. 171

[38] Fred E. Inbau, Bernard J. Farber and David W. Arnold, Protective Security Law, Second Edition (Boston, Butterworth-Heinemann, 1996) pg. 64-68

[39] P. J. Ortmeier, Security Management: An Introduction (New Jersey, Pearson Education Ltd., 2002), p. 184-186

