Privacy Policy

SyCom Technologies

Information Security Policy Roll-Up Document

  • Initial Revision: May 4, 2018
  • Second Revision: August 3, 2018
  • Third Revision: April 25, 2019
  • Fourth Revision: September 30, 2019
  • Fifth Revision: September 9, 2020
  • Sixth Revision: September 17, 2020

Author: Allen Jenkins, Chief Information Security Officer

Asset Management Information Security Policy

Overview

Asset management is key to providing sound Information Security. Assets within SyCom Technologies include data, hardware, and software. These policies are meant to be followed by employees when they are “at work” or conducting SyCom business. These policies are in place to protect the customers and employees of SyCom Technologies. Topics covered include:

  • Inventory
  • Data Classification
  • Roles and Responsibilities
  • Asset Handling

Goals

  • To ensure that SyCom Technologies maintains an inventory of critical assets
  • To establish data classification levels
  • To assign specific roles and responsibilities
  • To ensure that data is handled appropriately

Definitions

  • Information Systems Assets
    • Servers and Storage Systems
    • Network Infrastructure – switches, routers, firewalls
    • End point systems – laptops and desktops
    • Cloud-hosted systems
  • CISO – Chief Information Security Officer
  • ITM – Information Technology Manager

Reference Information

  • Documents
    • Asset Handling Procedures
  • Responsible Parties
    • SyCom Support Team
    • CISO
    • IT Manager

Inventory

Information system assets will be identified and documented.

Data Classification

SyCom Technologies will use a two-tiered data classification scheme:

  • Public – data that is available for public access.
  • Private – data that shall not be available for public access. Specific Private data types that SyCom handles include:
    • Customer information
    • Vendor information
    • Financial information

Data will be reviewed for classification on an annual basis by the CISO or a designee.

Roles and Responsibilities

Information systems assets will be reviewed on an annual basis by either the ITM or the CISO.

Annual reviews will evaluate access controls, as well as the validity of the data held, to confirm appropriate retention and data security practices.

Asset Handling

All data must be handled as documented in the Asset Handling Procedures.

Asset Handling Procedures will address the five NIST Cybersecurity Framework functions:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Asset Handling Procedures will be evaluated on an annual basis by the CISO or a designee.

All data classified as “Private” must be handled in accordance with the Asset Handling Procedures:

  • Data must be encrypted;
  • Data must be accessed and used only by authorized personnel and services;
  • Data must be safeguarded by personnel and services, meaning that any person or service processing, storing or transmitting Private data is responsible for maintaining its confidentiality, integrity and availability;
  • Any user who becomes aware of, or suspects, unauthorized access to a system should report it to the SyCom Support Team as soon as possible;
  • Any media used to store or transmit Private data that is lost or considered compromised must be reported to the SyCom Support Team as soon as possible;
  • Disposal of media containing Private data must follow the Asset Handling Procedures.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Version History

Date        Notes                             Author
2/22/2018   Initial Development               Allen Jenkins
5/4/2018    Fine Tune for Publish             Allen Jenkins, Sarah Schneider
4/25/2019   Adjustments for Business model    Allen Jenkins
9/30/2019   Updates                           Allen Jenkins
9/9/2020    Updates                           Allen Jenkins

Human Resources Information Security Policy

Overview

Human resource management is key to providing sound Information Security practices. These policies are meant to be followed by employees when they are “at work” or conducting SyCom business. These policies are in place to protect the customers and employees of SyCom Technologies. Topics covered include:

  • Screening
  • On-boarding and Off-boarding
  • Privacy
  • Security Awareness and Training

Goals

  • To ensure that SyCom Technologies screens employees and contractors appropriately
  • To establish on-boarding and off-boarding processes
  • To ensure confidentiality of personally identifiable information
  • To ensure regular information security and compliance training for staff and contractors (as needed)

Definitions

  • CISO – Chief Information Security Officer
  • Physical Assets – refer to items which belong to the organization which have physical properties, such as furniture and computer hardware equipment
  • Intangible Assets – refer to items which belong to the organization which may not have physical properties, such as internet domain names, software, and contracts
  • PII – Personally Identifiable Information

Reference Information

  • Responsible Parties
    • Human Resources Manager
    • CISO

Screening

As a condition of employment, all employees and contractors must agree to and are subject to background screening processes, coordinated by SyCom Human Resources staff.

On-boarding & Off-boarding

Upon hiring a new employee or contractor, SyCom will follow a structured on-boarding process, as detailed in the SyCom On-Boarding Procedure, encompassing the following activities:

  • Review of Information Security Policies.
  • Security Awareness Training.
  • Manager-approved provisioning of access to systems and Information Assets, following the principle of least privilege.
  • The Human Resources Manager is responsible for conducting the on-boarding process.

Upon termination of an employee or contractor, SyCom will follow a structured off-boarding process, as detailed in the SyCom Off-Boarding Procedure, encompassing the following activities:

  • All access to physical and intangible assets will be terminated within 24 hours.
  • In the case of an involuntary termination, all access to physical and intangible assets will be terminated as soon as possible.
  • Any exceptions to the off-boarding process must be approved in writing by a member of the Executive staff.
  • The Human Resources Manager will be responsible for this process.

Privacy

Rules and Definitions for Privacy and Access to Private Information

  • Private Information is typically identified as PII (Personally Identifiable Information) and may include the following (examples drawn from NIST SP 800-122):
    • Full Name
    • Face (subjective)
    • Home Address
    • Email Address (subjective)
    • National Identification Number (such as a Social Security Number)
    • Passport Number
    • Vehicle Registration Number
    • Driver’s License Number
    • Fingerprints or handwriting analysis information
    • Credit Card Numbers
    • Digital Identity
    • Date of Birth
    • Birthplace
    • Genetic Information
    • Telephone Number
    • Login name(s) (subjective)
  • Private Information may also be termed Personal Data (in EU terms) or Personal Information (in the California data breach notification law, SB 1386).

SyCom will collect only business-related contact information from its customers, for the purpose of conducting business operations.

  • SyCom will take reasonable and appropriate precautions when storing and accessing Private Information.
  • Customers may request consultation with SyCom regarding its use of business contact information for Information Assurance purposes.

Members of SyCom Human Resources may handle Private Information about employees and potential employees (candidates) while maintaining control of, and privacy for, that information.

  • Access to employee Private Information will be restricted to HR staff, or to management staff working in concert with HR staff.
  • Access to electronic employee Private Information will be conducted via secured corporate devices with encrypted storage media.
  • Private Information stored on physical media will be kept in secure, locked locations.

Any concerns around data security and privacy involving Private Information must be reported to HR and the CISO within two hours.

If any Private Information is found to have been breached, SyCom will notify the victim(s) within 48 hours of confirmation.

Website Privacy Parameters are listed below:

  • Information Collection, Use and Sharing
    • SyCom is the sole owner of all data collected or used on our website.
    • SyCom will not share your information with any third party without your express written approval.
    • Users may at any time contact SyCom to inquire about any Private data collected, stored or shared.
    • Users may at any time contact SyCom to ask for modifications (up to and including deletion) to any Private data collected, stored or shared.
    • SyCom will take reasonable and appropriate precautions when storing and accessing Private data.
    • SyCom’s partners may use cookies on the SyCom website. SyCom does not control or manage these cookies.
    • SyCom may provide links on its website to other web sites to provide additional information to our customers and partners. SyCom is not responsible for any privacy or security concerns arising from access to other websites.

Security Awareness & Training

The Security Awareness program will consist of:

  • Annual training for all employees.
  • Training for new employees (within 14 days of hire).
  • Focused approach to educate users on Information Security policies and procedures.
  • Updates on current Information Security trends, tips, and techniques.
  • An employee tracking sheet for each employee. This sheet will validate that the employee has participated in and understands the Security Awareness concepts. HR Manager will maintain this tracking sheet.
  • Published Information Security tips. These tips may be delivered in various formats.

The CISO or designee will coordinate, monitor, and track Security Awareness training efforts as well as periodic informal Security Awareness information sharing activities (tips).

The CISO or designee will periodically review and update Security Awareness training materials, as needed.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Version History

Date        Notes                                                  Author
2/22/2018   Initial Development                                    Allen Jenkins
5/4/2018    Fine Tune for Publish                                  Allen Jenkins, Sarah Schneider
8/3/2018    Modified Privacy Section                               Allen Jenkins
4/25/2019   Annual review and slight mods for Business Purposes    Allen Jenkins
9/17/2020   Updates to Privacy for website                         Allen Jenkins

Physical and Environmental Information Security Policy

Overview

Physical and environmental security blends information security requirements with traditional security controls, with the objective of preventing, deterring and detecting unauthorized access to, damage to, and interference with business premises and equipment. These policies are meant to be followed by employees when they are “at work” or conducting SyCom business. These policies are in place to protect the customers and employees of SyCom Technologies. Topics covered:

  • Physical Access
  • Clean Desk
  • Mobile Device Security

Goals

  • To ensure that facilities where critical information system assets are located are physically secure.
  • To ensure that information security best practices are used in the office environment.
  • To ensure security of mobile devices.

Definitions

  • BYOD – Bring Your Own Device (personal mobile devices)

Reference Information

  • Documents
    • Physical Access Records
    • Asset Handling Procedures
  • Responsible Parties
    • SyCom Support Team
    • Human Resources Manager

Physical Access

Access to areas such as the corporate datacenter and the offsite datacenter is restricted to designated individuals, based on role and business need.

HR will maintain records of designated individuals to be granted physical access (Physical Access Records).

Access keys/fobs are assigned by the HR Manager. HR will maintain detailed records (Physical Access Records) of the keys and fobs distributed, the level of access each grants, and to whom they have been assigned.

Employees are responsible for their assigned keys/fobs. If lost, employees must contact HR within 8 hours.

Clean Desk

All workspaces must be maintained in a manner which secures and protects all data, including access via physical and electronic media.

Unoccupied workspaces must be maintained with physical data in secured file cabinets, desk drawers or office spaces.

Unoccupied workspaces must be maintained so that access to Information Technology resources is restricted: devices must be locked with a password or logged out.

Employees are responsible for the physical keys to locked compartments (cabinets, drawers, offices, etc.). Keys should not be left unattended.

If keys are lost, report this to Human Resources immediately.

Any Private data written on whiteboards or other media must be erased before the workspace is vacated.

All data in physical format must be disposed of according to the Asset Handling Procedures.

Any data in physical format must be retrieved immediately from printers, plotters, copiers and scanners.

Peripheral devices (such as USB drives, CD-ROMs, DVDs) which may contain data must be secured.

Mobile Device Security

SyCom allows employees to use BYOD devices.

Authorization to use a BYOD device may be suspended at any time:

  • If the user fails, or refuses, to comply with all SyCom policies;
  • In the event of an investigation of a potential or proven security breach, security incident, or violation of SyCom’s policy;
  • To protect an individual’s life, health, privacy, reputation, or financial interests;
  • To protect any assets, information, reputational, or financial interests of SyCom.

Authorization to use a BYOD device terminates:

  • Upon notification of a workforce member’s termination;
  • If it is determined that the workforce member violated this or any other SyCom policy;
  • If a BYOD device is used without authorization, while authorization is suspended, or after authorization has been terminated.

SyCom Support Team will have the ability to manage access to SyCom’s corporate data only and will not remotely access personal devices.

It is strongly encouraged that users consult with SyCom Support Team prior to investing in a new BYOD device to ensure the ability to support the device for corporate SyCom functions.

SyCom Support Team will provide access to SyCom’s corporate IT assets based on job functions and management approvals.

Corporate data may be remotely wiped from a BYOD device, or the device’s access to corporate data removed, if:

  • A device is lost or stolen;
  • The employee terminates his/her employment;
  • An incident involves a suspected data breach which could impact data confidentiality, integrity or availability.

The SyCom Support Team will take every precaution to prevent loss of data from a BYOD device, but it is the employee’s responsibility to take additional precautions, such as backing up personal data (emails, photos, contacts, etc.).

The device configuration must be maintained as directed by the SyCom Support Team, including:

  • The operating system must be kept current (the SyCom Support Team will define the required levels);
  • The device’s operating system must not be altered (including, but not limited to, jailbreaking or rooting);
  • Access to SyCom’s corporate environment is supported only through applications specified by the SyCom Support Team.

Physical protection is expected.  If the Mobile Device is lost, misplaced, stolen, or believed to be compromised, it must be reported to SyCom Support Team within 24 hours.

If a user suspects that unauthorized access to company data has taken place via a BYOD device, they must report the incident to SyCom Support Team within two hours.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Version History

Date        Notes                    Author
2/22/2018   Initial Development      Allen Jenkins
5/4/2018    Fine Tune for Publish    Allen Jenkins, Sarah Schneider
4/25/2019   Annual updates           Allen Jenkins

Communications & Operations Information Security Policy

Overview

Communications and operations security addresses information security in the context of internal and external communications and day-to-day operations. These policies are meant to be followed by employees when they are “at work” or conducting SyCom business. These policies are in place to protect the customers and employees of SyCom Technologies. Topics covered include:

  • Change Control
  • Patch Management
  • Secure Configuration Management
  • Email and Internet Security
  • Vendor Security

Goals

  • To ensure that SyCom Technologies performs appropriate change control processes.
  • To ensure adequate patch management.
  • To ensure adequate configuration management processes.
  • To ensure email and internet resources are used securely.
  • To ensure vendor controls are in place to ensure secure operations.

Definitions

  • Information Systems Assets
    • Servers and Storage systems
    • Network Infrastructure – switches, routers, firewalls
    • End point systems – laptops and desktops
    • Cloud hosted systems
  • CISO – Chief Information Security Officer
  • CFO – Chief Financial Officer
  • ITM – Information Technology Manager

Reference Information

  • Documents
    • IT Change Management Procedures
    • IT Patch Management Procedures
    • SyCom Secure Configuration Standards
    • Vendor Contract List
  • Responsible Parties
    • ITM
    • SyCom Support Team
    • CFO
    • CISO

Change Control

SyCom Technologies will establish and execute a process to plan, design, discuss, approve and manage changes (IT Change Management Procedures) to the information technology environment.

This change process (IT Change Management Procedures) will be supervised by the ITM.

The ITM will consult other key staff members, including the CISO and any appropriate designees, on all changes.

The change process will be documented (IT Change Management Procedures), and all changes logged.

The change logs will be retained for no less than one year.

Patch Management

SyCom Technologies will maintain a regular patch process (IT Patch Management Procedures) to review and apply appropriate patches to critical information assets to ensure a more secure environment.

The patch process (IT Patch Management Procedures) will be supervised by the ITM.

The patch process will be documented (IT Patch Management Procedures), and all patches logged in the change control logs.

Secure Configuration Management

SyCom Technologies will develop and maintain secure configuration standards (SyCom Secure Configuration Standards) for critical information assets to ensure a more secure environment.

Examples of items for consideration in the Configuration Standards include:

  • Removing or disabling default accounts on systems.
  • Removing unnecessary software or services from systems.
  • Applying approved controls to systems.

Email and Internet Security

Employees will not share Private data on any social media sites without written approval by a member of Executive staff.

Employees will use corporate email systems, internet, social media, and collaborative communication tools primarily for SyCom business.

Employees are prohibited from using non-corporate email and communications tools to conduct SyCom business.

Employees are prohibited from using any form of electronic communications for any illegal activities.

Employees are prohibited from using any form of electronic communications to send or receive copyrighted materials.

Employees are prohibited from using electronic communications tools to create or distribute any disruptive or offensive messages, including comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin.

  • Employees who receive any emails with this content from any SyCom employee should report the matter to their supervisor immediately.

Employees shall have no expectation of privacy regarding use of corporate email and communication tools.

Employees will only share Private data when there is a business need and when approved (in written format) by a member of Executive staff.

  • When this occurs, secure methods will be used to ensure that the Confidentiality, Integrity and Availability of the Private data are not compromised.

SyCom does not maintain a specific retention period for corporate email.

Vendor Security

SyCom will conduct business with its vendor partners in a secure manner.

Vendor security will be maintained by utilizing contractual documents to ensure the use of safe and secure business practices.

All Vendor contracts will be maintained by the CFO or a designee (Vendor Contract List).

All contracts between SyCom and its vendor partners will be reviewed, as appropriate, for Information Security standards by the CISO.

Enforcement

Any violation of this policy may result in employee disciplinary action, up to and including termination of employment.

Version History

Date        Notes                    Author
2/22/2018   Initial Development      Allen Jenkins
5/4/2018    Fine Tune for Publish    Allen Jenkins, Sarah Schneider
4/25/2019   Annual edits             Allen Jenkins
9/9/2020    Updates                  Allen Jenkins

Access Control Information Security Policy

Overview

Access Control is meant to ensure that only authorized users and processes can access information and resources, and to prevent unauthorized users and processes from accessing them. These policies are meant to be followed by employees when they are “at work” or conducting SyCom business. These policies are in place to protect the customers and employees of SyCom Technologies. Topics covered include:

  • Logical Access Control
  • Passwords
  • Wireless Networking
  • Remote/telework

Goals

  • To state the access control principles of SyCom Technologies.
  • To state the expectations of users, when handling data.
  • To outline password policies for the organization.
  • To outline wireless networking policies for the organization.
  • To describe expectations and policies for remote/telework.

Definitions

  • Information Systems Assets
    • Servers and Storage systems
    • Network Infrastructure – switches, routers, firewalls
    • End point systems – laptops and desktops
    • Cloud hosted systems
  • CISO – Chief Information Security Officer
  • CFO – Chief Financial Officer

Reference Information

  • Documents
    • Asset Handling Procedures
  • Responsible Parties
    • SyCom Support Team

Logical Access Control

Critical Information Systems Assets will be classified in accordance with the Asset Management Information Security Policy above.

When designating access to Critical Information Systems Assets, logical access should be limited to the minimum level required to conduct business appropriately.

Passwords

Passwords must be protected.

  • Do NOT insert passwords into email messages or other forms of electronic communication.
  • Do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including iPhones or similar devices) without encryption.
  • Do not share SyCom passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as private SyCom data.
  • Do not share a password with family members.
  • Do not reveal a password to co-workers while on vacation.
  • If an account or password is suspected to have been compromised, report the incident to the SyCom Support Team and change all affected passwords as soon as possible.
  • Password cracking or guessing may be performed on a periodic or random basis by SyCom or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it.

Passwords should be hard to crack and easy for the user to recall. They:

  • Must be at least twelve (12) alphanumeric characters long.
  • Must not be based on personal information, names of family members, etc.

Passphrases may be used as well.

  • A passphrase is used like a password; however, it is relatively long and constructed of multiple words, which provides greater resistance to dictionary attacks. Strong passphrases should follow the general password construction guidelines.
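The construction rules above can be enforced at the point where a password or passphrase is set, so that a weak choice is rejected before it is ever stored. The checker below is an added example written for this page, not a SyCom tool or procedure. The personal-information tokens it compares against, the three-word minimum that makes a candidate count as a passphrase, the exemption of passphrases from the letters-plus-digits rule, the leet-speak folding table and the small COMMON_WORDS list are all assumptions of the example, not rules stated by the policy.

```python
"""Password / passphrase checker for the construction rules in this policy.

Added example, not SyCom code. Assumptions (not stated by the policy):
  * a passphrase is at least three whitespace-separated words, and its
    length rather than a letters+digits mix supplies the strength;
  * "based on personal information" is tested as a case-insensitive,
    accent-folded, leet-folded substring match against tokens the caller
    supplies (name, family names, birth year, login name, ...);
  * COMMON_WORDS is a constructed stand-in for a real dictionary or
    breached-password list.
"""
import re
import unicodedata

MIN_LENGTH = 12           # "at least twelve (12) ... characters long"
MIN_PASSPHRASE_WORDS = 3  # assumption: what counts as "multiple words"

# Constructed stand-in for a dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "winter"}

# Undo common substitutions (p@ssw0rd -> password) before comparing.
_LEET = str.maketrans("@0143$5!7", "aolaessit")


def _normalize(text):
    """Lower-case and strip accents so 'José' compares equal to 'jose'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def _forms(text):
    """Return (plain, leet-folded) alphanumeric-only forms of text."""
    norm = _normalize(text)
    plain = re.sub(r"[^a-z0-9]", "", norm)
    folded = re.sub(r"[^a-z0-9]", "", norm.translate(_LEET))
    return plain, folded


def check_password(candidate, personal_info=()):
    """Return the list of policy rules the candidate violates (empty = OK).

    personal_info: strings the secret must not be built from (user's name,
    family members' names, birth year, login name, ...), supplied by caller.
    """
    problems = []
    is_passphrase = len(candidate.split()) >= MIN_PASSPHRASE_WORDS

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # "Alphanumeric": a single-word password must mix letters and digits.
    # (Assumption: a multi-word passphrase is exempt from the digit rule.)
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not is_passphrase and not (has_letter and has_digit):
        problems.append("single-word passwords must contain both letters and digits")

    plain, folded = _forms(candidate)

    # "Not based on personal information, names of family, etc."
    for token in personal_info:
        t_plain, t_folded = _forms(token)
        if len(t_plain) >= 3 and (t_plain in plain or t_folded in folded):
            problems.append(f"contains personal information ({token!r})")

    # "Hard to crack": a dictionary word plus padding is still a dictionary
    # attack target. Passphrases are made of words by design, so skip them.
    if not is_passphrase and any(w in plain or w in folded for w in COMMON_WORDS):
        problems.append("based on a dictionary word")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a user's own name, birth year and login name.
    user_info = ["Allen", "Jenkins", "1984", "ajenkins"]
    for secret in ["Tr0ub4dor&3", "P@ssw0rd2024", "Jenkins1984Allen",
                   "correct horse battery staple"]:
        print(f"{secret!r}: {check_password(secret, user_info) or 'OK'}")
```

The leet folding is what makes "P@ssw0rd2024" fail the dictionary rule even though it satisfies the length and character-mix rules; a checker that compares only the raw string misses exactly the substitutions that cracking tools try first. In production, COMMON_WORDS should be replaced with a breached-password list, and the check should run server-side where the user's directory attributes can be supplied as personal_info.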

Wireless Networking

All wireless access points on the SyCom network must be registered, approved and managed by SyCom Support Team.

All wireless access points must be secured with reasonable and appropriate physical protections.

All wireless access points must be secured with reasonable and appropriate logical protections.

SyCom will logically segment wireless traffic, allowing only approved users access to SyCom’s corporate network; guest access provides NO access to the SyCom corporate network.

SyCom guest wireless network access is provided at the sole discretion of SyCom and may be revoked or dis-allowed at any time for any reason.

Wireless access users must report any incident or suspected concerns to SyCom Support Team within 2 hours.

Remote/Telework

All employees who work remotely will have attended security awareness training.

All employees who work remotely will have been authorized to do so by a member of the management staff.

If accessing Private data in a public space, employees will diligently protect the security of their device and data.

All devices used to access SyCom’s corporate computing assets must meet security requirements as defined by SyCom Support Team.

Personal device connectivity to SyCom’s corporate IT assets is supported only through the corporate-provided virtual desktop and e-mail portals.

Transmission of Private data will occur only over secured communication technologies, such as a Virtual Private Network (VPN), the SSH File Transfer Protocol (SFTP), or other encrypted methods approved in writing by the CISO or ITM.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Version History

Date        Notes                    Author
2/22/2018   Initial Development      Allen Jenkins
5/4/2018    Fine Tune for Publish    Allen Jenkins, Sarah Schneider
4/25/2019   Annual edits             Allen Jenkins
9/30/2019   Updates                  Allen Jenkins

Incident Response Information Security Policy

Overview

As an organization, it is critical that SyCom Technologies have the capability to respond quickly, minimize harm, comply with breach-related laws and federal regulations, and maintain its composure in the face of an information security incident. These policies are meant to be followed by employees when they are “at work” or conducting SyCom business. These policies are in place to protect the customers and employees of SyCom Technologies. Topics include:

  • IT Incident Response Plan
  • Required components for IT Incident Response Plan
  • Required Change Management

Goals

  • Identify and document critical business functions.
  • Document underlying business and technical services which support these functions.
  • Assign appropriate roles and responsibilities around incident response functions.
  • Ensure that the organization has documented plans for response activities.
  • Ensure that these plans are tested and updated on an annual basis.

Definitions

  • Business Impact Assessment – a listing of critical systems and an agreed-upon prioritization, based on the impact each system’s failure would have on the organization.

Reference Information

  • Documents
    • IT Incident Response Plan
    • Business Impact Assessment
  • Responsible Parties
    • CISO
    • ITM
    • Executive Team

Business Impact Assessment (BIA)

The CISO or the ITM will coordinate an annual Business Impact Assessment (BIA) review. This review will gain consensus with the Executive team on the criticality of systems, to include:

  • Agreement on the criticality of systems;
  • Documented priority of critical systems;
  • Documented infrastructure for critical system functionality, including hardware, software, documentation and dependencies;
  • Documented agreement on allowable data loss for each critical system, which equates to its Recovery Point Objective (RPO). For example, an RPO of 1 day for email means the most recent restorable copy of the mail data must never be more than 1 day old (how old are your most recent backups?);
  • Documented agreement on allowable downtime for each critical system, which equates to its Recovery Time Objective (RTO). For example, an RTO of 4 hours for email means it is acceptable for email to be unavailable for up to 4 hours while it is recovered (how long does it take to restore your backups?);
  • Agreement on current capabilities and the gap between them and the agreed RPO/RTO targets, with a documented Action Plan to close the gap(s).

IT Incident Response Plan

The company’s strategy for responding to incidents will be documented in an IT Incident Response Plan (IRP).

A member of the Executive team will be responsible for this IRP.

The IRP will be updated/reviewed annually.

The IRP will include:

  • Processes required to declare an Incident.
  • Processes for communications required during an Incident.
    • Responsible parties will be designated and notified as appropriate.
  • Specific processes for system response, following the standard incident response phases:
    • Assessment of the incident.
    • Actions to contain and/or eradicate the incident and recover affected systems.
    • Review of the incident for lessons learned.

The Incident Response Plan will be tested annually.

Enforcement

Any significant changes to the IT environment at SyCom will necessitate review/update of the IT Incident Response Plan.

Version History

Date        Notes                    Author
2/22/2018   Initial Development      Allen Jenkins
5/4/2018    Fine Tune for Publish    Allen Jenkins, Sarah Schneider
4/25/2019   Annual edits             Allen Jenkins
9/9/2020    Updates                  Allen Jenkins

Business Continuity Information Security Policy

Overview

Business Continuity management is meant to ensure the continued operations of essential services during a disruption in normal operating conditions. This policy is meant to define business continuity preparedness, response and recovery principles. These policies are meant to be followed by employees when they are “at work” or conducting SyCom business. These policies are in place to protect the customers and employees of SyCom Technologies. Topics covered Include:

  • Business Impact Assessment (BIA)
  • Business Continuity Plan (BCP)
  • Information Technology Disaster Recovery Plan (DRP)

Goals

  • Identify and document critical business functions.
  • Document underlying business and technical services which support these functions.
  • Assign appropriate roles and responsibilities around business continuity functions.
  • Ensure that the organization has documented plans for continuity of operations.
  • Ensure that the organization has documented plans for Information Technology disaster recovery, restoration and failback.
  • Ensure that these plans are tested and updated on an annual basis.

Definitions

  • Critical Information Systems Assets
    • Servers and Storage systems
    • Network Infrastructure – switches, routers, firewalls
    • Cloud hosted systems
  • CISO – Chief Information Security Officer
  • ITM –  Information Technology Manager

Reference Information

  • Documents
    • Business Impact Assessment
    • Business Continuity Plan
    • Information Technology Disaster Recovery Plan
  • Responsible Parties
    • ITM
    • CISO
    • Executive Team

Business Impact Assessment (BIA)

The CISO or the ITM will coordinate an annual Business Impact Assessment (BIA) review. This review will gain consensus with the Executive team on the criticality of systems, to include:

  • Agreement on the criticality of systems;
  • Documented priority of critical systems;
  • Documented infrastructure for critical system functionality, including hardware, software, documentation and dependencies;
  • Documented agreement on allowable data loss for each critical system, which equates to its Recovery Point Objective (RPO). For example, an RPO of 1 day for email means the most recent restorable copy of the mail data must never be more than 1 day old (how old are your most recent backups?);
  • Documented agreement on allowable downtime for each critical system, which equates to its Recovery Time Objective (RTO). For example, an RTO of 4 hours for email means it is acceptable for email to be unavailable for up to 4 hours while it is recovered (how long does it take to restore your backups?);
  • Agreement on current capabilities and the gap between them and the agreed RPO/RTO targets, with a documented Action Plan to close the gap(s).

Business Continuity Plan (BCP)

The company’s strategy for overall continuity of operations will be documented in a Business Continuity Plan.

A member of the Executive team will be responsible for this BCP.

The BCP will be updated/reviewed annually.

The BCP will include:

  • Procedures for continuity of operations during an incident or test;
  • Procedures for communications during an incident or test;
  • Procedures for annual testing of BCP;
  • Procedures for leveraging the Information Technology Disaster Recovery Plan (DRP) as appropriate.

Information Technology Disaster Recovery Plan (DRP)

The company’s strategy for the resiliency of critical Information Technology during a disaster will be documented in an IT Disaster Recovery Plan (DRP).

A member of the Executive team will be responsible for this DRP.

The DRP will be updated/reviewed annually.

The DRP will leverage information gathered from the BIA exercise(s).

The DRP will include:

  • Processes required to declare a Disaster;
  • Processes for communications required during a Disaster.
    • Responsible parties will be designated and notified as appropriate.
  • Specific processes for critical systems recovery, including data backup and restoration procedures. These should cover:
    • Location of backup media storage;
    • Transportation of backup media;
    • Approved personnel for backup media operations.

Enforcement

Any violation of this policy may subject the employee to disciplinary action, up to and including termination of employment.

Version History

Date        Notes                    Author
2/22/2018   Initial Development      Allen Jenkins
5/4/2018    Fine Tune for Publish    Allen Jenkins, Sarah Schneider
4/25/2019   Annual Edits             Allen Jenkins
9/9/2020    Updates                  Allen Jenkins