Information Security Policy
The objective of this document is to define the development and implementation of Impexium’s comprehensive written information security program (“WISP”), whose purpose is to create effective administrative, technical and physical safeguards for the protection of personal information of customers and to comply with our obligations under applicable regulations. The WISP sets forth our procedure for evaluating and addressing our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting personal information.
The purpose of the WISP is to better: (a) ensure the security and confidentiality of personal information; (b) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; and (c) protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.
This policy applies to all Impexium employees and third-party contractors that collect, process or otherwise handle sensitive personal information of employees or customers.
DATA PROTECTION OFFICER
Impexium has designated Shanker Katragadda to implement, supervise and maintain the WISP. This designated employee (the “Data Protection Officer”) will be responsible for the following:
- Implementation of the WISP, including all provisions outlined in the Daily Operational Protocol section below;
- Training of all employees;
- Regular testing of the WISP’s safeguards;
- Evaluating the ability of any of our third party service providers to implement and maintain appropriate security measures for the personal information to which we have permitted them access, and requiring such third party service providers by contract to implement and maintain appropriate security measures;
- Reviewing the scope of the security measures in the WISP at least annually, or whenever there is a material change in our business practices that may implicate the security or integrity of records containing personal information;
- Conducting an annual training session for all owners, managers, employees and independent contractors, including temporary and contract employees who have access to personal information on the elements of the WISP. All attendees at such training sessions are required to certify their attendance at the training, and their familiarity with our requirements for ensuring the protection of personal information.
INTERNAL RISK MITIGATION POLICIES
To guard against internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and are effective immediately:
- We will only collect personal information of clients, customers or employees that is necessary to accomplish our legitimate business transactions or to comply with any and all federal, state or local regulations.
- Access to records containing personal information shall be limited to those employees whose duties, relevant to their job description, have a legitimate need to access said records, and only for this legitimate job-related purpose.
- Written and electronic records containing personal information shall be securely destroyed or deleted at the earliest opportunity consistent with business needs or legal retention requirements.
- A copy of the WISP is to be distributed to each current employee and to each new employee on the beginning date of their employment. It shall be the employee’s responsibility to acknowledge in writing, by signing the attached sheet, that he/she has received a copy of the WISP and will abide by its provisions. Employees are encouraged and invited to advise the Data Protection Officer of any activities or operations which appear to pose risks to the security of personal information. If the Data Protection Officer is himself or herself involved with these risks, employees are encouraged and invited to advise any other manager, supervisor or business owner.
- A training session for all current employees will be held to detail the provisions of the WISP.
- All employment contracts, where applicable, will be amended to require all employees to comply with the provisions of the WISP and to prohibit any nonconforming use of personal data as defined by the WISP.
- Terminated employees must return all records containing personal data, in any form, in their possession at the time of termination. This includes all data stored on any portable device and any device owned directly by the terminated employee.
- A terminated employee’s physical and electronic access to records containing personal information shall be restricted at the time of termination. This shall include remote electronic access to personal records, voicemail, internet, and email access. All keys, keycards, access devices, badges, company IDs, business cards, and the like shall be surrendered at the time of termination.
- Disciplinary action will be applicable to violations of the WISP, irrespective of whether personal data was actually accessed or used without authorization.
- All security measures, including the WISP, shall be reviewed at least annually to ensure that the policies contained in the WISP are adequate and meet all applicable federal and state regulations.
- Should our business practices change in a way that impacts the collection, storage, and/or transportation of records containing personal information, the WISP will be reviewed to ensure that the policies contained in the WISP are adequate and meet all applicable federal and state regulations.
- The Data Protection Officer or his/her designee shall be responsible for all reviews and modifications of the WISP and shall fully consult with and apprise management of all reviews, including any recommendations for improved security arising from the review.
- The Data Protection Officer shall maintain a secured and confidential master list of all lock combinations, passwords, and keys. The list will identify which employees possess keys, keycards, or other access devices, and shall be used to confirm that only approved employees have been provided access credentials.
- The Data Protection Officer or his/her designee shall ensure that access to personal information is restricted to approved and active user accounts.
- Current employees’ user IDs and passwords shall conform to accepted security standards. All passwords shall be changed at least annually, and more often as needed (e.g. seasonally, or immediately upon suspected compromise).
- Employees are required to report suspicious or unauthorized use of personal information to a supervisor or the Data Protection Officer.
- The Data Protection Officer is responsible for maintaining and executing the Data Breach Response Policy.
SUBPROCESSOR AND EXTERNAL RISK MITIGATION POLICIES
- Firewall protection, operating system security patches, and all software products shall be reasonably up-to-date and installed on any computer that stores or processes personal information.
- Personal information shall not be removed from the business premises in electronic or written form absent legitimate business need and use of reasonable security measures, as described in this policy.
- All system security software, including anti-virus, anti-malware, and internet security software, shall be reasonably up-to-date and installed on any computer that stores or processes personal information.
- There shall be secure user authentication protocols in place that:
- control user IDs and other identifiers;
- assign passwords in a manner that conforms to accepted security standards, or use unique identifier technologies;
- control passwords to ensure that password information is secure.
DAILY OPERATIONAL PROTOCOL
This section of Impexium’s WISP outlines daily efforts to minimize security risks to any computer system that processes or stores personal information, ensures that physical files containing personal information are reasonably secured, and establishes daily employee practices designed to minimize access and security risks to the personal information of our clients, customers and employees.
The Daily Operational Protocol shall be reviewed and modified as deemed necessary at a meeting of the Data Protection Officer and personnel responsible and/or authorized for the security of personal information. Any modifications to the Daily Operational Protocol shall be published in an updated version of the WISP. At the time of publication, a copy of the WISP shall be distributed to all current employees and to new hires on their date of employment.
Recordkeeping Protocol: We will only collect personal information of clients, customers and employees that is necessary to accomplish our legitimate business transactions or to comply with any and all federal, state and local laws.
- Within 30 days of the publication of the WISP or any update, the Data Protection Officer or his/her designee shall perform an audit of all relevant company records to determine which records contain personal information, assign those files to the appropriate secured storage location, and redact, expunge or otherwise eliminate all unnecessary personal information in a manner consistent with the WISP.
- Any personal information stored shall be disposed of when no longer needed for business purposes or required by law for storage. Disposal methods must be consistent with those prescribed by the WISP.
- Any paper files containing personal information of clients or employees shall be stored in a locked filing cabinet. Only department heads and the Data Protection Officer will be assigned keys to filing cabinets and only those individuals are allowed access to the paper files. Individual files may be assigned to employees on an as-needed basis by the department supervisor.
- All employees are prohibited from keeping unsecured paper files containing personal information in their work area when they are not present (e.g. lunchbreaks).
- At the end of the day, all files containing personal information are to be returned to the locked filing cabinet by department heads or the Data Protection Officer.
- Paper or electronically stored records containing personal information shall be disposed of as follows:
- paper documents containing personal information shall be either redacted, burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed;
- electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.
- Electronic records containing personal information shall not be stored or transported on any portable electronic device, sent or transmitted electronically to any portable device, or sent or transported electronically to any computer, portable or not, without being encrypted. The only exception shall be where there is no reasonable risk of unauthorized access to the personal information or it is technologically not feasible to encrypt the data as and where transmitted.
- If necessary for the functioning of individual departments, the department head, in consultation with the Data Protection Officer, may develop departmental rules that ensure reasonable restrictions upon access and handling of files containing personal information and must comply with all WISP standards. Departmental rules are to be published as an addendum to the WISP.
Access Control Protocol
- All computers shall restrict user access to those employees having an authorized and unique log-in ID assigned by the Data Protection Officer.
- All computers that have been inactive for 15 or more minutes shall require the user to log in again.
- After 5 unsuccessful log-in attempts by any user ID, that user ID will be blocked from accessing any computer or file stored on any computer until access privileges are reestablished by the Data Protection Officer or his/her designee.
- Access to electronically stored records containing personal information shall be electronically limited to those employees having an authorized and unique log-in ID assigned by the Data Protection Officer.
- All visitors who are granted access to office space containing personal information shall be required to sign in with a photo ID at a designated reception area, where they will be assigned a visitor’s ID or guest badge unless escorted at all times. Visitors are required to wear said visitor ID in a plainly visible location on their body, unless escorted at all times.
- All computers will have up-to-date software providing anti-virus, anti-spyware and anti-malware protection installed and active at all times.
Third Party Service Provider Protocol
Any service provider or individual that receives, stores, maintains, processes, or otherwise is permitted access to any file containing personal information (“Third Party Service Provider”) shall be required to demonstrate that they have a written security policy that meets or exceeds the standards of this WISP. In the absence of an existing written information security policy (for example, in the case of an individual consultant), the third party will be provided a copy of this WISP and be required to abide by it while working with Impexium.
Breach of Data Security Protocol
Impexium’s Data Breach Response Policy is contained in Policy INFOSEC 8.
Any violation of this policy may result in disciplinary action, up to and including termination of employment. Impexium reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Impexium does not consider conduct in violation of this policy to be within an employee’s or partner’s course and scope of employment, or the direct consequence of the discharge of the employee’s or partner’s duties. Accordingly, to the extent permitted by law, Impexium reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy.
Any employee or partner who is requested to undertake an activity which he or she believes is in violation of this policy should provide a written or verbal complaint to his or her manager, any other manager or the Human Resources department as soon as possible.
ROLES AND RESPONSIBILITIES
Data Protection Officer – This person is designated to implement, supervise and maintain the WISP.
Management – Each organizational unit head is responsible for ensuring proper adherence to the WISP.
Employees and Subprocessors – Each user is responsible for being aware of the policies and procedures defined in this WISP and abiding by them.
TERMS AND DEFINITIONS
Personally Identifiable Information (PII) – Information that alone, or when combined with other personal or identifying information, can be used to uniquely identify, contact, or locate a single person, or can be used with other sources to uniquely identify a single individual. For the purposes of this WISP, this includes an individual’s first name or first initial and last name in combination with, and linked to, any one or more of the following data elements when the data elements are neither encrypted nor redacted:
- Social security number;
- Driver’s license number or state identification card number issued in lieu of a driver’s license number; or
- Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to financial accounts.
AICPA/CICA Generally Accepted Privacy Principles
Mass. Gen. Laws ch. 93H
VA CODE § 18.2-186.6
Data Breach Response Policy, Classification Policy, Privacy Program Policy, Incident Response Policy