Information Security Policy Template

The document outlines an information security policy for a company. It discusses the goals of protecting confidentiality, integrity and availability of data. It defines various roles and responsibilities for executive management, an information security officer, employees and outlines general guidelines and prohibited activities regarding software, systems and electronic communications.

Uploaded by

Anis Qasem

Information Security Policy

Introduction
Information security is a holistic discipline, meaning that its application, or lack thereof, affects all facets
of an organization or enterprise. The goal of the (Company) Information Security Program is to protect
the Confidentiality, Integrity, and Availability of the data employed within the organization while providing
value to the way we conduct business. Confidentiality, Integrity, and Availability are the
basic principles of information security, and can be defined as:

• Confidentiality – Ensuring that information is accessible only to those entities that are
authorized to have access, many times enforced by the classic “need to know” principle.
• Integrity – Protecting the accuracy and completeness of information and the methods that
are used to process and manage it.
• Availability – Ensuring that information assets (information, systems, facilities, networks, and
computers) are accessible and usable when needed by an authorized entity.

(Company) has recognized that our business information is a critical asset and as such our ability to
manage, control, and protect this asset will have a direct and significant impact on our future success.

This document establishes the framework from which other information security policies may be
developed to ensure that the enterprise can efficiently and effectively manage, control and protect its
business information assets and those information assets entrusted to (Company) by its stakeholders,
partners, customers and other third parties.

The (Company) Information Security Program is built around the information contained within this policy
and its supporting policies.

Purpose
The purpose of the (Company) Information Security Policy is to describe the actions and behaviors
required to ensure that due care is taken to avoid inappropriate risks to (Company), its business partners,
and its stakeholders.

Scope
The (Company) Information Security Policy applies equally to any individual, entity, or process that
interacts with any (Company) Information Resource.

Responsibilities
Executive Management
• Ensure that an appropriate risk-based Information Security Program is implemented to
protect the confidentiality, integrity, and availability of all Information Resources collected or
maintained by or on behalf of (Company).
• Ensure that information security processes are integrated with strategic and operational
planning processes to secure the organization’s mission.
• Ensure adequate information security financial and personnel resources are included in the
budgeting and/or financial planning process.
• Ensure that the Security Team is given the necessary authority to secure the Information
Resources under their control within the scope of the (Company) Information Security
Program.
• Designate an Information Security Officer and delegate authority to that individual to ensure
compliance with applicable information security requirements.
• Ensure that the Information Security Officer, in coordination with the Information Security
Committee, reports annually to Executive Management on the effectiveness of the
(Company) Information Security Program.

Information Security Officer

• Chair the Information Security Committee and provide updates on the status of the
Information Security Program to Executive Management.
• Manage compliance with all relevant statutory, regulatory, and contractual requirements.
• Participate in security related forums, associations and special interest groups.
• Assess risks to the confidentiality, integrity, and availability of all Information Resources
collected or maintained by or on behalf of (Company).
• Facilitate development and adoption of supporting policies, procedures, standards, and
guidelines for providing adequate information security and continuity of operations.
• Ensure that (Company) has trained all personnel to support compliance with information
security policies, processes, standards, and guidelines. Train and oversee personnel with
significant responsibilities for information security with respect to such responsibilities.
• Ensure that appropriate information security awareness training is provided to company
personnel, including contractors.
• Implement and maintain a process for planning, implementing, evaluating, and documenting
remedial action to address any deficiencies in the information security policies, procedures,
and practices of (Company).
• Develop and implement procedures for testing and evaluating the effectiveness of the
(Company) Information Security Program in accordance with stated objectives.
• Develop and implement a process for evaluating risks related to vendors and managing
vendor relationships.
• Report annually, in coordination with the Information Security Committee, to Executive
Management on the effectiveness of the (Company) Information Security Program, including
progress of remedial actions.

All Employees, Contractors, and Other Third-Party Personnel

• Understand their responsibilities for complying with the (Company) Information Security
Program.
• Formally sign off and agree to abide by all applicable policies, standards, and guidelines that
have been established.
• Use (Company) Information Resources in compliance with all (Company) Information
Security Policies.
• Seek guidance from the Information Security Team for questions or issues related to
information security.

General Guidelines:
• (Company) maintains and communicates an Information Security Program consisting of
topic-specific policies, standards, procedures and guidelines that:
o Serve to protect the Confidentiality, Integrity, and Availability of the Information
Resources maintained within the organization using administrative, physical and
technical controls.
o Provide value to the way we conduct business and support institutional objectives.
o Comply with all regulatory and legal requirements, including: (adjust as appropriate)
- All applicable local laws, regulations, and standards.
- Information Security best practices, including ISO 27001 and 27002 and NIST.
- Contractual agreements.
• The information security program is reviewed no less than annually or upon significant changes
to the information security environment.

Prohibited Activities
Personnel are prohibited from the following activities. The list is not exhaustive; other prohibited
activities are referenced elsewhere in this document.

• Crashing an information system. Deliberately crashing an information system is strictly
prohibited. Users may not realize that they caused a system crash, but if it is shown that the
crash occurred as a result of user action, a repetition of the action by that user may be viewed as
a deliberate act.
• Attempting to break into an information resource or to bypass a security feature. This includes
running password-cracking programs or sniffer programs, and attempting to circumvent file or
other resource permissions.
• Introducing, or attempting to introduce, computer viruses, Trojan horses, peer-to-peer (“P2P”) or
other malicious code into an information system.
• Browsing. The willful, unauthorized access or inspection of confidential or sensitive information
to which you have not been approved on a "need to know" basis is prohibited. The purposeful
attempt to look at or access information to which you have not been granted access by the
appropriate approval procedure is strictly prohibited.
• Personal or Unauthorized Software. Use of personal software is prohibited. All software installed
on company’s computers must be approved by the appropriate level.
• Software Use. Violating or attempting to violate the terms of use or license agreement of any
software product used by the company is strictly prohibited.
• System Use. Engaging in any activity for any purpose that is illegal or contrary to the policies,
procedures or business interests of the company is strictly prohibited.

Electronic Communication, E-mail, Internet Usage

• As a productivity enhancement tool. The company encourages the business use of electronic
communications. However, all electronic communication systems and all messages generated
on or handled by Company owned equipment are considered the property of the Company – not
the property of individual users. Consequently, this policy applies to all Company employees and
contractors, and covers all electronic communications including, but not limited to, telephones,
e-mail, voice mail, instant messaging, Internet, fax, personal computers, and servers.

• Company provided resources, such as individual computer workstations or laptops, computer
systems, networks, e-mail, and Internet software and services are intended for business
purposes. However, incidental personal use is permissible as long as:

1) it does not consume more than a trivial amount of employee time or resources,
2) it does not interfere with staff productivity,
3) it does not preempt any business activity,
4) it does not violate any of the following:
a) Copyright violations – This includes the act of pirating software, music, books and/or
videos or the use of pirated software, music, books and/or videos and the illegal
duplication and/or distribution of information and other intellectual property that is
under copyright.
b) Illegal activities – Use of Company information resources for or in support of illegal
purposes as defined by federal, state or local law is strictly prohibited.
c) Commercial use – Use of Company information resources for personal or commercial
profit is strictly prohibited.
d) Political Activities – All political activities are strictly prohibited on Company premises.
The Company encourages all of its employees to vote and to participate in the election
process, but these activities must not be performed using Company assets or resources.
e) Harassment – The Company strives to maintain a workplace free of harassment and that
is sensitive to the diversity of its employees. Therefore, the Company prohibits the use
of computers, e-mail, voice mail, instant messaging, texting and the Internet in ways
that are disruptive, offensive to others, or harmful to morale. For example, the display
or transmission of sexually explicit images, messages, and cartoons is strictly prohibited.
Other examples of misuse include, but are not limited to, ethnic slurs, racial comments,
off-color jokes, or anything that may be construed as harassing, discriminatory,
derogatory, defamatory, threatening or showing disrespect for others.
f) Junk E-mail – All communications using IT resources shall be purposeful and appropriate.
Distributing “junk” mail, such as chain letters, advertisements, or unauthorized
solicitations is prohibited. A chain letter is defined as a letter sent to several persons
with a request that each send copies of the letter to an equal number of persons.
Advertisements offer services from someone else to you. Solicitations are when
someone asks you for something. If you receive any of the above, delete the e-mail
message immediately. Do not forward the e-mail message to anyone.

Reporting Software Malfunctions

Users should inform the appropriate Company personnel when the user's software does not appear to
be functioning correctly. The malfunction – whether accidental or deliberate – may pose an information
security risk. If the user, or the user's manager or supervisor, suspects a computer virus infection, the
Company computer virus policy should be followed, and these steps should be taken immediately:

• Stop using the computer.
• Do not carry out any commands, including commands to <Save> data.
• Do not close any of the computer's windows or programs.
• Do not turn off the computer or peripheral devices.
• If possible, physically disconnect the computer from networks to which it is attached.
• Inform the appropriate personnel or Company ISO as soon as possible. Write down any unusual
behavior of the computer (screen messages, unexpected disk access, unusual responses to
commands) and the time when they were first noticed.
• Write down any changes in hardware, software, or software use that preceded the malfunction.
• Do not attempt to remove a suspected virus!

Transfer of Sensitive/Confidential Information
When confidential or sensitive information from one individual is received by another individual while
conducting official business, the receiving individual shall maintain the confidentiality or sensitivity of
the information in accordance with the conditions imposed by the providing individual. All employees
must recognize the sensitive nature of data maintained by the Company and hold all data in the strictest
confidence. Any purposeful release of data to which an employee may have access is a violation of
Company policy and will result in personnel action, and may result in legal action.

Transferring Software and Files between Home and Work

• Personal software shall not be used on Company computers or networks. If a need for specific
software exists, submit a request to your supervisor or department head. Users shall not use
Company purchased software on home or on non-Company computers or equipment.
• Company proprietary data, including but not limited to patient information, IT Systems
information, financial information or human resource data, shall not be placed on any
computer that is not the property of the Company without written consent of the respective
supervisor or department head. It is crucial to the Company to protect all data and, in order to
do that effectively, we must control the systems in which it is contained. In the event that a
supervisor or department head receives a request to transfer Company data to a non-Company
Computer System, the supervisor or department head should notify the Privacy Officer or
appropriate personnel of the intentions and the need for such a transfer of data.

Confidentiality Agreement
All employees using company information resources shall sign, as a condition of employment, an
appropriate confidentiality agreement. The agreement shall include the following statement, or a
paraphrase of it:

"I understand that any unauthorized use or disclosure of information residing on the Company
information resource systems may result in disciplinary action consistent with the applicable laws and
regulations."

Enforcement
• Personnel found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment, and related civil or criminal penalties.
• Any vendor, consultant, or contractor found to have violated this policy may be subject to
sanctions up to and including removal of access rights, termination of contract(s), and related
civil or criminal penalties.
