Information Security Policy

Last Updated: 07/24/2018

Overview

CodeREADr intends to manage its information technology and information assets to maximize their efficient, effective, and secure use in support of our business and our customers. This document, the Information Security Policy (Policy), defines the governing principles for the secure operation and management of the information technology used, administered, and/or maintained by us and for the protection of our information assets. Violations of this Information Security Policy must be reported to the Data Protection Officer (DPO).

Purpose

To define the responsibilities of our officers, employees, agents, and managers with respect to appropriate use and protection of our information assets. To ensure that our information assets are secure from unauthorized access, misuse, degradation, or destruction.

Scope

This Information Security Policy applies to codeREADr, our managers, officers, employees, temporary employees, interns, vendors, consultants, contractors and agents thereof–collectively referred to as User(s). The principles set forth in this Policy are applicable to all information assets, in all formats, stored in our IT systems and the systems in use by our Users. We reserve the right to amend this Policy or any part or provision of it.

Organizing Information Security

A. Information Security Coordination

The Data Protection Officer or DPO is responsible for designing, implementing and maintaining a company-wide information security program–in conjunction with other managers–and for assisting all teams in implementing and maintaining information management practices at their respective locations.

Our DPO an be reached by emailing privacy@codeREADr.com or dpo@codeREADr.com.

B. Allocation of information security responsibilities

The Data Protection Office (DPO) is responsible for overall security of information assets at our company. The DPO may delegate specific responsibilities related to information security to others within the company based on their job function.

C. Confidentiality Agreements

Employees, consultants, or contractors who use our information technology are required to read, understand, and agree to our Confidentiality and Work for Hire Agreement​ regarding their responsibilities and conduct related to the protection of our information assets.

D. Third Parties

We may utilize third parties in support of delivering business services. When, as a result, these arrangements extend our information technology processes into the third parties‘ computing environments—for example, in cases of Application Service Providers (ASPs)—the third parties must abide by this Policy, as applicable, unless specific additional provisions have been established through contractual agreements

Asset Management

A. Information Classification

Our information, whether in electronic or physical form, can be categorized into three classifications. Due care must be taken to protect our information assets in accordance with the three classifications, as described within this Policy.

1. Confidential – Sensitive personally identifiable information (PII) used for business purposes within codeREADr which, if disclosed through unauthorized means, could adversely affect our customers or personnel, and could have legal, statutory, or regulatory repercussions.

2. Internal – Information related to our business that if disclosed, accessed, modified or destroyed by unauthorized means, could have limited or significant financial or operational impact on us. Examples include: strategic plans, vendors‘ proprietary information, and responses to Requests for Proposals (RFPs), information protected by intergovernmental non-disclosure agreements or other non-disclosure agreements, and design documents.

3. Public – Information intended for unrestricted public disclosure in the course of our business. Examples include: press releases, public marketing materials, and employment advertisements.

B. Responsibility for Assets

1. Ownership of Assets – All information collected, stored and processed over our information technology systems is either the property of codeREADr or our Clients. Our employees using our information technology systems have no expectation of privacy associated with the information they store in or send through these systems, within the limits of the federal, state and local laws of the United States and, where applicable, foreign laws.

2. Acceptable and Unacceptable Use of Assets – 

a. To effectively conduct our business and operations, we makes available to authorized employees and third parties various information technology resources, including laptops, phones, tablets, e-mail services, chat applications, the Internet, and other communication and productivity tools. Use of these resources is intended for business purposes in accordance with Users‘ job functions and responsibilities.

b. Users must not allow any consultant, visitor, friend, family member, customer, vendor or other unauthorized person to use their network account, e-mail address or other company provided computer facilities. Users are responsible for the activities performed by and associated with the accounts we assign to them.

c. No User may use company provided Internet/Intranet access or our Confidential information to solicit or conduct any personal commercial activity or for personal gain or profit.

d. Users must not make statements on behalf of codeREADr or disclose Confidential or Internal information unless expressly authorized in writing by senior management. This includes Internet postings, or bulletin boards, newsgroups, chat rooms, or instant messaging.

e. Users must protect Confidential or Internal information being transmitted across the Internet or public networks in a manner that ensures its confidentiality and integrity between a sender and a recipient. Confidential information such as Social Security numbers, credit card numbers, and electronic Protected Health Information (ePHI) must be transmitted using encryption software.

f. Internal information such as email lists must not be posted to any external information source, listed in telephone directories, placed on business cards, or otherwise made available to third parties without the prior express written permission of the Data Protection Officer.

g. Users must not install software on our network and computer resources without prior express written permission from Data Protection Officer. Person-to-person (P2P) applications, Voice over IP (VOIP), instant messenger (IM) applications, and remote access applications pose an especially high risk to codeREADr and their unauthorized use is strictly prohibited. CodeREADr business must not be conducted on any device that allows P2P communication (such as file sharing music applications) without explicit approval from Data Protection Officer.

h. Users must not copy, alter, modify, disassemble, or reverse engineer any authorized software or other intellectual property in violation of licenses provided to or by codeREADr. Additionally, Users must not download, upload, or share files in violation of U.S. patent, trademark, or copyright laws. Intellectual property that is created for codeREADr by its employees, vendors, consultants and others is property of codeREADr unless otherwise agreed upon by means of third party agreements or contracts.

Users must not access the Internet, the Intranet or e-mail to use, upload, post, mail, display, or otherwise transmit in any manner any content, communication, or information that, among other inappropriate uses:

i. interferes with our official business;

ii. is hateful, harassing, threatening, libelous or defamatory, pornographic, profane, or sexually explicit;

iii. is deemed by our human resources department to offend persons based on race, ethnic heritage, national origin, sex, sexual orientation, age, physical or mental illness or disability, marital status, employment status, housing status, religion, or other characteristics that may be protected by applicable civil rights laws;

iv. impersonates a person (living or dead), organization, business, or other entity;

v. enables or constitutes gaming, wagering or gambling of any kind;

vi. promotes or participates in unauthorized fundraisers;

vii. promotes or participates in partisan political activities;

viii. promotes or participates in unauthorized advertising of our projects and any advertising of private projects;

ix. compromises or degrades the performance, security, or integrity of our information technology resources and information assets;

x. contains a virus, logic bomb, or malicious code;

xi. Constitutes participation in chain letters, unauthorized chat rooms, unauthorized instant messaging, spamming, or any unauthorized auto-response program or service.

3. Anti-Virus and Malware Protection – All computers MUST have an anti-virus application installed that offers real-time scanning protection to files and applications running on the target system. Our employees must only use email services on computers and laptops that provide scanning services for malware and phishing detection.

Human Resources Security

A. Prior to Employment

All employees, consultants, and contractors who use our information technology as part of their job function are required to sign our Confidentiality and Work for Hire Agreement​. Consultants and contractors who are hired to support our information technology infrastructure must be able to provide proof of background checks (including a statement of what checks are conducted and how they are conducted) prior to accessing our information technology infrastructure. The background checks must include a criminal background check.

B. During Employment

1. Information Security Awareness, Education, and Training – Security Awareness begins during the hiring process and it is the responsibility of the User to remain aware of current security policies. Our Intranet site contains our Security Policies as well as educational materials. Users should read the Security Reminders that are periodically distributed by email. Users must also respond to any Information Security Notice that is displayed while logging on to codeREADr related systems.

2. Disciplinary Process – Any violation of this Policy, or any Part or provision hereof, may result in disciplinary action, including termination and/or civil action and/or criminal prosecution.

C. Termination or Change of Employment  

1. Return of Assets – When a User no longer works with us, all Information Assets remain the property of codeREADr. A User must not take away such information or take away a copy of such information when he or she leaves without the prior express written permission of our senior management.

2. Removal of Access Rights – Upon termination of an employee or vendor, the person who requested access to technology resources must request the termination of that access using our access request procedure. In the event that the requestor is not available, the responsibility is placed upon the manager of the employee or vendor. We may automatically disable or delete accounts where termination is suspected even if formal notification was by-passed.

Communications and Operations Management

A. Protection Against Malicious Code

1. It is our policy to conduct virus scanning of its technology resources to protect them from the threat of malicious code. We will attempt intercept and/or quarantine any networking and computer resource that poses a virus threat to its information assets.

2. All servers and workstations (networked and standalone) must have our approved antivirus protection software installed, properly configured, and functioning at all times. Additionally, systems that have not been issued by our company but that use our network must also be protected by antivirus software.

3. All incoming and outgoing e-mails must be scanned for viruses. Our company email accounts provide email scanning services by default.

4. Users are responsible for ensuring that software, files, and data downloaded onto their workstations are properly scanned for viruses.

5. Users must conduct virus scans on all external media received or used.

6. Users must ensure that all workstations (networked and standalone) have the most current antivirus signature files loaded.

B. Back-Up

We will perform regular backups of User files stored on company provided cloud file storage drive. No backups of company information assets may be taken on personal backup drives or personal cloud systems.

C. Disposal of Media

Except as otherwise provided by law or court order, electronic media will be destroyed according to our Data Destruction Policy.

D. Monitoring

1. Monitoring System Use

a. Employees and Contractors should have no expectation of privacy in their use of Internet services provided by our company. We reserve the right to monitor for unauthorized activity the information sent, received, processed or stored on company provided network and computer resources, without the consent of the creator(s) or recipient(s). This includes use of the Internet as well as our e-mail and instant messaging systems.

b. All information technology administrators, technicians and any other employees who by the nature of their assignments have privileged access to networks or computer systems must obtain written approval from the DPO to monitor User activity.

2. Clock Synchronization – All server clocks must be synchronized in a manner approved by our DPO in order to provide for timely administration and accurate auditing of systems.

User Access Policy

A. User Access Management

1. Access to Confidential and Internal data must be made in writing and approved by senior management.

2. User accounts that have not been used for 90 days may be disabled without warning. After 180 days of inactivity, these accounts may be deleted without warning.

3. Managers must notify the DPO of a change in employment status (such as when a User takes a leave of absence, transfers managers, or is terminated). The account of a User on a leave of absence can be retained, suspended, or deleted at the discretion of the User‘s manager.

B. User Responsibilities

1. Password Use

a. All e-mail, network, domain accounts must be password protected. All new accounts will be created with a temporary password. The temporary password must be changed upon first use. Passwords must adhere to the our Password Policy.

2. Screensavers

a. Use of password-protected screen savers is recommended to prohibit unauthorized system access. Screensavers should initiate after 15 minutes of inactivity. Password-protected screen savers are required on workstations that access Confidential information or Internal Information.

C. Mobile Computing and Remote Access

1. Laptops, off-site computers, and Physical media that contain Confidential information must be encrypted using an encryption technique approved by the DPO. Physical media that contain Internal information must be protected using an encryption technique approved by DPO, a strong logon password, or restricted physical access in order to protect the data.

2. Personal media devices (for example, MP3 players such as iPods) must not be used as peripheral devices on company issued workstations.

3. Remote access is provided by our company as an information conduit to assist in the accomplishment of municipal duties and goals. Any other use is strictly prohibited. Requests for remote access must have a valid business reason and be approved by the DPO

4. All remote access connections must be through a secure, centrally administered point of entry approved by the DPO. Authorized remote access connections must be properly configured and secured according to company approved standards including our password policy. All remote desktop protocol implementations must be authorized by the DPO. Remote access through unapproved entry points will be terminated when discovered.

5. Non-codeREADr owned computer equipment used for remote access must be approved and must also comply with our standards. We will not be responsible for maintenance, repair, upgrades or other support of non-company owned computer equipment used to access our network and computer resources through remote access services.

6. Users who utilize workstations that are shared with individuals who have not signed a Confidentiality Agreement with codeREADr must ensure that our data is removed or deleted after each use.

7. All hosts that are connected to our internal networks via remote access technologies must use the most up-to-date anti-virus software (place url to corporate software site here), this includes personal computers. Third party connections must comply with requirements as stated in the Third Party Agreement.

Information Security Incident Management

A. Reporting Information Security Events and Weaknesses

1. Violations of this Information Security Policy or any or all parts or provisions of this Policy must be reported to the DPO immediately.

2. Users must ensure that the DPO is notified immediately whenever a security incident occurs. Examples of security incidents include a virus outbreak, defacement of a website, interception of email, blocking of firewall ports, and theft of physical files or documents.

3. All reports of alleged violations of this Policy, or any part or provision hereof, will be investigated by the DPO. During the course of an investigation, access privileges may be suspended.

Encryption Algorithm Requirement

A. Ciphers in use must meet or exceed the set defined as “AES-compatible” or “partially AES-compatible” defined in the United States National Institute of Standards and Technology (NIST) publication FIPS 140-2, or any superseding documents. The use of the Advanced Encryption Standard (AES) is strongly recommended for symmetric encryption.

B. Algorithms in use must meet the standards defined for use in NIST publication FIPS 140-2 or any superseding document, according to date of implementation. The use of the RSA and Elliptic Curve Cryptography (ECC) algorithms is required for asymmetric encryption.

C. Key Agreement and Authentication

1. Key exchanges must use one of the following cryptographic protocols: DiffieHellman, IKE, or Elliptic curve Diffie-Hellman (ECDH).

2. End points must be authenticated prior to the exchange or derivation of session keys.

3. Public keys used to establish trust must be authenticated prior to use.

4. All servers used for authentication (for example, RADIUS or TACACS) must have installed a valid certificate signed by a known trusted provider.

5. All servers and applications using SSL or TLS must have the certificates signed by a known, trusted provider.

6. Cryptographic keys must be generated and stored in a secure manner that prevents loss, theft, or compromise.

7. Key generation must be seeded from an industry standard random number generator (RNG).

Compliance

A. Compliance with Legal Requirements

1. Intellectual Property Rights

a. Intellectual Property that is created for codeREADr by its employees is property of codeREADr unless otherwise agreed upon by means of third party agreements or contracts.

b. No User may transmit to, or disseminate from, the Internet any material that is protected by copyright, patent, trademark, service mark, or trade secret, unless such disclosure is properly authorized and bears the appropriate notations.

2. Prevention of Misuse of Information Processing Facilities – Users are prohibited from using our processing facilities—including data centers, network cabinets or closets, and other facilities housing our technology equipment–in any way that violates any our Policies or federal, state, or municipal law.

3. Compliance with Relevant Laws and Regulations – CodeREADr is required by certain laws and regulations dealing with security and privacy of information. These laws and regulations, in some circumstances, may require additional safeguards for protection of information beyond the stipulations of this Policy. (For example, when accessing credit/debit cardholder data remotely, it is never to be stored on local hard drives, floppy disks, or external media. Furthermore, cut-and-paste and print functions are prohibited during remote access sessions.) Accordingly, Users with access to Protected Health Information (PHI) must abide by HIPAA and Users with access to credit/debit card information must abide by PCI, as applicable.

4. Compliance with Security Policies and Standards – All Users must read and sign our Confidentiality and Acceptable Use Agreement prior to being authorized to access our information technology and information assets.