IT Security Policy

Purpose

The purpose of this policy is to:

  • Outline the proper disposal of confidential client information at Susco Solutions. These rules are in place to protect confidential client information, employees, and Susco Solutions. Inappropriate disposal of Susco Solutions’s confidential client information may put employees and Susco Solutions at risk.
  • Outline the proper disposal/sanitization/destruction of media (physical or electronic) at Susco Solutions. These rules are in place to protect sensitive and classified information, employees, and Susco Solutions. Inappropriate disposal of Susco Solutions’s customer data or media may put employees and Susco Solutions at risk.

Scope

This policy applies to all Susco Solutions employees and Third-Party contractors with remote access to information systems and networks.

Policy

Required Approval

Remote Working Agreement – All Susco Solutions employees must sign an agreement to abide by all Susco Solutions IT security policies, procedures and standards. The agreement will be reviewed and signed annually.

Risk Mitigation

Evaluation – Security practices will be evaluated regularly throughout the year by Susco’s IT services vendor. One example of this is periodic email safety checks on all Susco employees.

Component/Service Evaluation – Before any system is used in production, it will be researched and approved by the Security Team and the Leadership Team.

Compliance Requirements

Software License Restrictions – Remote workers must follow software licensing restrictions and agreements on all software used.

Remote Working Information Security Policies – Workers must follow Susco Solutions information security policies.

Information Systems Security

Approved Remote Worker Equipment – Employees working on Susco Solutions business must use Susco Solutions-provided computer equipment unless other devices have been approved by Susco Solutions leadership.

Personally-Owned Information Systems – Remote workers are allowed to use their own mobile computing devices for Susco Solutions business without prior authorization from their supervisor.

Malware Protection Software – All systems that access Susco Solutions networks remotely must have an anti-malware (anti-virus) package installed by the managed service provider.

Remote Access Control

Sharing Access and Systems Prohibited – Remote workers must not share passwords or any other access devices or parameters with anyone without prior approval from the managed service provider. This means that a remote computer used for Susco Solutions business must be used exclusively by the telecommuter. Family members, friends, and others must not be permitted to use this machine.

Data Protection

Encryption and Boot Protection – All computers that contain sensitive Susco Solutions information must consistently employ both hard disk encryption for all data files and boot protection through a password. These two essential controls must be provided through software or hardware systems approved by the managed service provider.

Backup and Media Storage

Backup Procedures – Susco’s managed service provider maintains backup services. All personnel are required to have local work files backed up to a network location. Examples include SharePoint, OneDrive and Azure DevOps using Git.

Remote System Management

Changes to Configurations and Software – On Susco Solutions-supplied computer hardware, workers must not change the operating system configuration or install new software not directly related to their job role.

Changes to Hardware – Remote working computer equipment supplied by Susco Solutions must not be altered or added to in any way without prior knowledge and authorization from the managed service provider.

Information Disposal

Susco Solutions Property – The security of Susco Solutions property at a remote work site is just as important as it would be at a central office. Reasonable and prudent precautions must be taken to protect Susco Solutions hardware, software, and information from theft, damage, and misuse.

Paper Records Disposal – All printed copies of sensitive Susco Solutions information must be shredded for disposal. Telecommuting workers on the road must not throw away Susco Solutions sensitive information in hotel wastebaskets or other publicly accessible trash containers. Sensitive information must be retained until it can be shredded or destroyed with other approved methods.

Accountability and Responsibility

Security Team – A team of two or more employees will be responsible for the following:

  • Reporting and addressing any identified security events in a quick and efficient manner
  • Documenting security events
  • Determining and executing mitigation actions
  • Communicating and coordinating with external parties about significant security events
  • Working with third-party vendors to maintain risk assessment practices
  • Identifying risks and recommending any practice or policy changes
  • Addressing requests, questions and complaints in an efficient manner
  • Training Susco employees in security risk avoidance
  • Evaluating unanticipated security issues for resolution, documentation and future risk mitigation

System Ownership and Return

Return of Property – If Susco Solutions supplied an employee or contractor with software, hardware, or other materials to perform Susco Solutions business remotely, all such items must be promptly returned to Susco Solutions when an employee or contractor separates from Susco Solutions, or when so requested by the employee’s manager or the human resources department.

Liability for Susco Solutions Property – If Susco Solutions supplied an employee or contractor with software, hardware, information, or other materials to perform Susco Solutions business remotely, Susco Solutions assumes all risks of loss or damage to these items unless such loss or damage occurs due to the employee’s negligence. Susco Solutions expressly disclaims any responsibility for loss or damage to persons or property caused by or arising out of the usage of such items.

Changes to the Security Policy

Change Process – Susco will work with third-party vendors to monitor system operation and security. If changes are needed due to design deficiencies, any identified operational ineffectiveness, or updates to technologies, then updates to the policy will be drafted by the security team for approval by the leadership team. After approval by the leadership team, the changes will be communicated to the entire company.

Information Confidentiality

Information that has been deemed confidential will be disclosed only to employees as needed and will be restricted when possible. This includes but is not limited to client data, business data belonging to clients and employee data. This information will be protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition.

Any changes to information restriction will be communicated to clients and vendors to protect information confidentiality.

Vendor Conformity

When vendors to whom information is transmitted are contracted, the Susco Security team will verify that their security policies conform to the policies outlined in Susco Solutions’ security policy with respect to confidentiality and system requirements. At least once per year, and as needed, the policies and practices of all vendors will be reviewed for conformity to this policy.

Violations

Any violation of this policy may result in disciplinary action, up to and including termination of employment. Susco Solutions reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Susco Solutions does not consider conduct in violation of this policy to be within an employee’s or Third-Party’s course and scope of employment, or the direct consequence of the discharge of the employee’s or Third-Party’s duties. Accordingly, to the extent permitted by law, Susco Solutions reserves the right not to defend or pay any damages awarded against employees or Third-Parties that result from violation of this policy.

Definitions

Confidential Information (Sensitive Information) – Any Susco Solutions information that is not publicly known, including tangible and intangible information in all forms, such as information that is observed or orally delivered, is in electronic form, or is written or in other tangible form. Confidential Information may include, but is not limited to, source code, product designs and plans, beta and benchmarking results, patent applications, production methods, product roadmaps, customer lists and information, prospect lists and information, promotional plans, competitive information, names, salaries, skills, positions, pre-public financial results, product costs and pricing, and employee information and lists including organizational charts. Confidential Information also includes any confidential information received by Susco Solutions from a Third-Party under a non-disclosure agreement.

Information Asset – Any Susco Solutions data in any form that is used in the course of executing business. This includes, but is not limited to, corporate, customer, and Third-Party data.

Information System – Any Susco Solutions equipment, applications or systems used to manage, process, or store Susco Solutions data. This includes, but is not limited to, information systems managed by third-parties.

Password – An arbitrary string of characters chosen by a user that is used to authenticate the user when he attempts to log on, in order to prevent unauthorized access to his account.

Third-Party – Any non-employee of Susco Solutions who is contractually bound to provide some form of service to Susco Solutions.

User – Any Susco Solutions employee or Third-Party who has been authorized to access any Susco Solutions electronic information resource.