
Information Security Policy


For

Paoletti and Gusmano

Table of Contents

Introduction

Ethics and Acceptable Use Policies

Disciplinary Action

Protect Stored Data

Protect Data in Transit

Restrict Access to Data

Physical Security

Security Awareness and Procedures

Security Management / Incident Response Plan

Appendix A – Agreement To Comply Form

Security Policy

Introduction

This policy covers the security of company information and must be distributed to all company employees. Management will review and update this information security policy at least once a year to incorporate relevant security needs that may develop. Each employee must read and sign a form verifying they have read and understand this policy.

Ethics and Acceptable Use Policies

The company expects that all employees conduct themselves in a professional and ethical manner. An employee should not conduct business that is unethical or illegal in any way, nor should an employee influence other employees to act unethically or illegally. Furthermore, an employee should report any dishonest activities or damaging conduct to an appropriate supervisor.

Security of company information is extremely important to our business.

We are trusted by our customers to protect sensitive information that may be supplied while conducting business. Sensitive Information is defined as any personal information (e.g. name, address, phone number, e-mail, Social Security number, driver’s license number, bank account, credit card numbers) or company information not publicly available (e.g. clients, financial information, employee information, schedules, technology). It is important that employees do not reveal sensitive information about our company or our customers to outside parties that do not have a need to know such information.

Disciplinary Action

An employee’s failure to comply with the standards and policies set forth in this document may result in disciplinary action up to and including termination of employment.

Protect Stored Data

Protect Sensitive Information stored or handled by the company and its employees. All Sensitive Information must be stored securely and disposed of in a secure manner when no longer needed for business reasons. Any media (e.g. paper, floppy disk, backup tape, computer hard drive) that contains Sensitive Information must be protected against unauthorized access. Media no longer needed must be destroyed in a manner that renders the sensitive data irrecoverable (e.g. shredding, degaussing, disassembly).

Credit Card Information Handling Specifics

• Destroy cardholder information by a secure method when no longer needed. Media containing card information must be destroyed by shredding or another means of physical destruction that renders the data irrecoverable (shredding, degaussing, etc.).

• It is prohibited to store the contents of the credit card magnetic stripe (track data) on any media whatsoever.

• It is prohibited to store the card-validation code (3 or 4 digit value printed on the signature panel of the card) on any media whatsoever.

• All but the last 4 digits of the credit card account number must be masked (e.g. with x’s or *’s) whenever the number is displayed electronically or on paper.
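Added example, not part of the policy itself: a small Python check that applies the masking rule above and flags stored records that violate the three storage prohibitions (full account number, card-validation code, track data). The regular expressions and the sample records are constructed assumptions for illustration.

```python
import re

def luhn_ok(digits):
    """Luhn checksum: filters out long numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Mask all but the last four digits; separators are kept as-is."""
    keep_from = sum(c.isdigit() for c in pan) - 4
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append(c if seen >= keep_from else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)

# Constructed patterns: 13-19 digit runs (spaces/hyphens allowed),
# a labelled 3-4 digit validation code, and magnetic-stripe track formats.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
CVV_RE = re.compile(r"\b(?:cvv2?|cvc|cid)\s*[:=]\s*\d{3,4}\b", re.I)
TRACK_RE = re.compile(r"%B\d{13,19}\^|;\d{13,19}=\d{4}")

def scan_record(text):
    """Return (finding, detail) pairs; PANs are reported already masked."""
    findings = []
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(("unmasked_pan", mask_pan(m.group())))
    if CVV_RE.search(text):
        findings.append(("card_validation_code", "present"))
    if TRACK_RE.search(text):
        findings.append(("track_data", "present"))
    return findings

# Constructed sample records (test number 4111..., not real cardholder data).
SAMPLE_RECORDS = [
    "order_id=1234567890123456 total=19.99",
    "card=4111 1111 1111 1111 cvv=123",
    "%B4111111111111111^DOE/JOHN^2512101000000000?",
    "card=**** **** **** 1111",
]

def audit(records):
    """Map record index -> findings for every record that violates policy."""
    return {i: f for i, r in enumerate(records) if (f := scan_record(r))}
```

Running `audit(SAMPLE_RECORDS)` reports records 1 and 2 and passes the non-card order id and the already-masked record.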

Protect Data in Transit

If Sensitive Information needs to be transported physically or electronically, it must be protected while in transit (e.g. to a secure storage facility or across the Internet).

• Sensitive Information and credit card account numbers must never be e-mailed without using proper encryption technologies (e.g. PGP encryption).

• Media containing Sensitive Information and credit card account numbers must only be given to trusted persons for transport to off-site locations.

Restrict Access to Data

Restrict access to Sensitive Information (business data and personal information) to those that have a need-to-know. No employees should have access to credit card account numbers unless they have a specific job function that requires such access.

Physical Security

Restrict physical access to Sensitive Information, or systems that house that information (e.g. computers or filing cabinets storing cardholder data), to protect it from those who do not have a need to access that information. Media is defined as any printed or handwritten paper, received faxes, floppy disks, back-up tapes, computer hard drives, etc.

• Media containing Sensitive Information must be securely handled and distributed.

• Media containing stored Sensitive Information (especially credit card account numbers and social security numbers) should be properly inventoried and disposed of when no longer needed for business by deleting, shredding, or degaussing before disposal.

• Visitors should always be escorted and easily identifiable when in areas that may contain Sensitive Information.

• Password-protected screen savers should always be used on any computers that may contain Sensitive Information.

Security Awareness and Procedures

Keeping Sensitive Information secure requires periodic training of employees and contractors to keep security awareness levels high. The following company policies and procedures address this issue.

• Hold periodic security awareness training meetings for employees and contractors to review correct handling procedures for Sensitive Information.

• Employees are required to read this security policy and verify that they understand it by signing an acknowledgement form (see Appendix A).

• Background checks (such as credit and criminal record checks, within the limits of local law) will be conducted for all employees that handle Sensitive Information.

• All third parties with access to credit card account numbers are contractually obligated to comply with card association security standards (PCI/DSS).

• Company security policies must be reviewed annually and updated as needed.

Security Management / Incident Response Plan

There will be an employee of the company designated as the security officer. The security officer is responsible for communicating security policies to employees and contractors and tracking the adherence to policies. In the event of a compromise of Sensitive Information, the security officer will oversee the execution of the incident response plan.

1. If a compromise is suspected, alert the information security officer.

2. The security officer will conduct an initial investigation of the suspected compromise.

3. If compromise of information is confirmed, the security officer will alert management and begin informing parties that may be affected by the compromise. If the compromise involves credit card account numbers, perform the following:

• Contain and limit the extent of the exposure by shutting down any systems or processes involved in the compromise.

• Alert necessary parties (Merchant Bank, Visa Fraud Control, law enforcement).

• Provide compromised or potentially compromised card numbers to Fraud Control within 24 hours.

Appendix A – Agreement To Comply Form

Agreement to Comply With Information Security Policies

Employee Name __________________________________________Department ___________________

I agree to take all reasonable precautions to assure that company internal information, or information that has been entrusted to the company by third parties such as customers, will not be disclosed to unauthorized persons. At the end of my employment or contract with the company, I agree to return all information to which I have had access as a result of my position. I understand that I am not authorized to use sensitive information for my own purposes, nor am I at liberty to provide this information to third parties without the express written consent of the internal manager who is the designated information owner.

I have access to a copy of the Information Security Policies; I have read and understand these policies, and I understand how they impact my job. As a condition of continued employment, I agree to abide by the policies and other requirements found in the company security policy. I understand that non-compliance will be cause for disciplinary action up to and including dismissal, and perhaps criminal and/or civil penalties.

I also agree to promptly report all violations or suspected violations of information security policies to the designated security officer.

Employee Signature ________________________________________Date_______________________

Resource Box

Frederick D. Paoletti, Jr. is the founding principal of Paoletti & Gusmano Attorneys at Law, a criminal defense and personal injury firm located in Bridgeport, Connecticut. For more articles related to protecting yourself during personal injury and criminal situations, please visit http://www.paolettilaw.net.
