1 General Security
Learn on Demand Systems (“LODS” or the “Company”) and its management is committed to establishing and maintaining secure environments in which it conducts business. The following security policies define the Company’s approach to managing security.
1.1 Scope of Policies
These policies apply to all operations, employees, information handled, and computer and data communication systems owned or administered by the Company. Examples of what these policies cover include:
- All business systems involved in collecting, processing, maintaining, transmitting, or reporting of both Company and customer
- Network infrastructure components, which support and provide access to these business or product
1.2 Risks to be Protected Against
Information is an asset which, like other important business assets, has significant value to the Company and consequently needs to be suitably protected. Learn on Demand Systems, as part of its on-going program to maintain adequate and effective internal controls, seeks to ensure that its Information Systems (e.g. devices, operating systems, applications, and, most importantly, its proprietary company and customer information) are adequately protected to reduce the risk of loss and security breaches due to:
- Intentional acts by individuals inside or outside the Company;
- Inappropriate access by individuals or groups untrained in correct Company policies or procedures;
- Accidental loss of a portable device (such as a laptop) containing confidential or proprietary Company information; and
- Accidents, natural disasters, or other force majeure events.
This document represents the Company’s Security Policies. It may be supplemented by human resources but should be considered as minimal security requirements to be met by all employees. Additionally, some customer specific situations may require more detailed or more stringent policies in which case these policies will be documented and attached as an addendum to this document covering those operations.
If there is any conflict between any Security Policies or laws and regulations applicable to a particular business unit, employees should comply with the most restrictive requirement.
1.3 What is Being Protected
These Security Policies seek to protect systems as defined in the Policy Scope:
- All desktop computers, servers, data storage devices, communication systems, routers, switches, hubs, and other information system devices owned or leased by the Company (collectively, “Computing Platforms”);
- Any Computing Platforms, operating system software, middleware, or application software under the control of third parties that connect in any way to our computer networks;
- All operating systems which provide the foundation for our Information Systems;
- All proprietary software developed by the Company for internal and external use or any software developed by a third party specifically for the Company’s internal use;
- All third party “shrink-wrapped” application software licensed by the Company and running on any of its Computing Platforms;
- All open-source software legally licensed by the Company and running on any of its Computing Platforms; and
- Any and all data, information, knowledge, documents, presentations, databases, graphics, or other intellectual property stored on the Company’s Computing Platforms; this includes, but is not limited to, electronically stored, printed, or faxed
Information and information systems must be protected from unauthorized access, disclosure, use, modification or destruction in a manner consistent with their value, sensitivity and criticality. These Policies are intended to cover all corporate information and systems regardless of physical location, the media on which they are stored, the systems that process them or the methods by which they are moved or transmitted.
1.4 Who These Policies Apply to
These Policies apply worldwide to:
- All full and part-time employees of the Company;
- All exempt and non-exempt employees of the Company;
- All affiliated third parties and contractors who work on the Company’s premises or who remotely connect their computing platforms to the Company’s computing
1.5 Major Goals of these Security Policies
The major goals of the Learn on Demand Systems Security Policies are:
- To provide an overall framework, to guide Company personnel when implementing network security policies and procedures for the Company’s computing platforms and other information assets;
- To provide guidance to all employees on the proper handling of Company Confidential Information;
- To provide a basis for security and confidentiality training and educational awareness programs developed by the Company; and
- To provide the Company’s IT staff with the framework necessary to convert the Company’s Info Security Policy to implementation standards for each platform, operating system, application, and security device that can then be monitored and enforced against the policies.
1.6 Data Classification
Data is defined as the collection of information assets compiled, generated or maintained to support the business.
This data can be classified as one of two major types: Public or Proprietary.
Public data is any program, or other electronic information that can be gathered by any person within or outside of Learn on Demand Systems’ employ without using unusual means, such as theft or plagiarism.
Proprietary data is confidential information of all kinds (hard copy or electronic) that is known only to appropriate employees of the Company, including but not limited to customer information as well as programs or data generated by Learn on Demand Systems.
Refer to Appendix A for terms used in the Learn on Demand Systems’ Security Policies.
3 Security Policy Standards and Procedures
3.1 Information Security Policy Document(s)
Learn on Demand Systems shall at all times maintain Security Policies, which define the Information Security Policies for the Company.
Management is responsible for approval of Learn on Demand Systems’ Security Policies. These Policies shall be published and communicated to all employees of the Company and to others to whom these Policies apply. These Policies demonstrate management’s commitment and set out the approach to managing information security.
These policies should be communicated throughout the Company to users in a form that is relevant, accessible, and understandable to the intended reader.
3.2 Maintenance, Review, and Evaluation of Policies
Development, maintenance and review of these Security Policies are the responsibility of management. These Security Policies may be revised from time to time in response to changes such as significant security incidents, new vulnerabilities or changes to the Company or its technical infrastructure.
To ensure the ongoing relevance of the Policy, management will periodically reassess:
- The Security policies’ effectiveness, as demonstrated by the nature, number, and impact of recorded security incidents;
- The cost and impact of controls on business efficiency; and
- Effects of changes to
3.3 Evidence of Compliance with Policies
Business Units will be required to provide evidence to senior management that the controls described in this document have been implemented and executed. The evidence must be retained for a minimum of two (2) years. Management may provide further guidance about retention of evidence. Evidence may take the form of handwritten, printed, and/or electronic documents.
Controls may be evidenced in many ways depending on the specific control; consult with management for more information.
3.4 Exceptions to Policies
Where it is considered not feasible to comply with Security Policies, exceptions should be documented and initially approved within the business unit. Exceptions should then be forwarded by the senior manager for the business unit to the Chief Technology Officer for final approval.
4 Organizational Security Processes
Learn on Demand Systems Leadership believes that information security is a business responsibility shared by all of its employees. It is the Company’s intention, through the creation, maintenance, and implementation of these Security Policies, that employees shall be trained in, updated on, and empowered to implement those responsibilities within their department/business unit.
4.1 Corporate and Business Unit Security Responsibilities
The following roles/titles, and their associated responsibilities/user privileges, are defined as part of this Security Policy document:
Security Officer. Responsibilities include:
- Communicating any applicable laws or regulations affecting Information Technology to which the Company is subject, in any country, state, locality or other legal jurisdiction in which it does business;
- Communicating management direction to the Company relative to information security;
- Communicating the information readiness of the Company to management;
- Ensuring that all the Company’s Information Processing Systems have appropriate policies, procedures, personnel, and equipment in place to ensure the integrity and confidentiality of all information residing on those systems;
- Setting security standards for the Company;
- Managing the security of shared network components not owned by any division or business unit;
- Managing the Company’s IT/Security personnel;
- Instituting the Information Technology best security practices identified by the Company or its external auditors;
- Ensuring that business unit security programs appropriately address security across different functional departments.
IT/Technology Security Management/Personnel. Responsibilities include:
- Communicating security incidents to the Security Officer;
- Deploying and managing security technologies such as virus protection, patch deployment, vulnerability scanning, and any technologies approved for use by the Company;
- Understanding the security posture for the products and services offered by the Company;
- Evaluating new security technologies and establishing approved technologies and vendors.
Owners of Information Assets. Responsibilities include:
- The owner is ultimately responsible for the security of all information assets under their control and should be able to determine that any delegated responsibility has been discharged correctly.
- Owners of information assets may delegate their security responsibilities to individual managers or service providers. To allow for differences in organization structures within business units, the identification of Owners of Information Assets will occur within each business unit.
The Human Resource Manager/Security Officer, in conjunction with the company’s IT Group (business associate), is responsible for:
1. Establishing the company’s security program and overseeing its implementation;
2. Ensuring compliance with federal, state and industry security regulations and standards;
3. Reviewing all purchases or acquisitions of information technology for consistency with the company’s security policies and standards;
4. Investigating security incidents (i.e., known or suspected violations of security policies and procedures, and breaches in security measures or in the security of private customer information);
5. Reviewing information system activity to ensure compliance with the company’s security policies and procedures;
6. Developing and implementing a security training and awareness program for the employees and staff;
7. Reviewing and approving the security provisions of contracts with third parties;
8. Delegating specific tasks, such as review of third-party contracts, while remaining responsible for compliance with the company’s security policies and standards; and
9. Reviewing compliance with security requirements, policies, and standards annually.
The Security Officer may assign any of these responsibilities to other staff members or contractors but continues to be responsible for making sure these responsibilities are carried out.
5 Personnel Security
This section details the measures taken by the Company to ensure that our staff is not a risk to the Company or its customers and that they understand their responsibilities and expected conduct when performing their jobs.
5.1 Background Checks
Employees are exposed to confidential customer information and sometimes non-public private information about our customers’ employees and it is critical that we exercise appropriate best practices to ensure that no members of our staff represent a risk to this information. The standard practice in the securities industry in which we operate is to perform background checks on employees at the time of hiring.
Criminal background checks will be administered by the Human Resources department to ensure confidentiality and maintain appropriate records of these checks.
Existing employees may, from time to time, be subject to additional or enhanced background checks as may be required to fulfill contractual requirements or changing industry standards. These checks will be administered by the Human Resources department.
Any questions regarding this program should be directed to the Human Resources department.
5.2 Terms and Conditions of Employment
In addition to having access to confidential customer information as described above, the Company operates as a trusted partner to our customers and is an upstanding member of the business community. Our reputation is paramount to our success, and our employees are responsible for acting accordingly to protect our business and our clients.
At the time they are hired, each Employee shall receive, and acknowledge receipt of, the Code of Business Conduct and Ethics, which reviews their specific obligations and responsibilities under their hiring letter, the Company’s standard Confidentiality Agreement, and any Non-Compete Agreements and Assignment of Invention Agreements they have signed as part of their hiring process.
Employees will, at least annually, re-attest to their receipt and understanding of these important documents. If deemed necessary, training on specific topics will be developed and delivered to staff.
This program is administered by the Human Resources department and any questions regarding it should be directed to them.
All Employees and affiliated Third Parties shall be required to sign, or otherwise be subject to, a company standard confidentiality agreement, where appropriate, prior to beginning work for the Company.
Because they are exposed to confidential customer information and sometimes non-public private information about our customers’ employees, employees are subject to the standard company confidentiality agreement and an additional more comprehensive specific confidentiality agreement.
Confidentiality agreements will be reviewed when there are changes to terms of employment or a contract with a Third Party.
A review of the Employees’ or affiliated Third Parties’ responsibilities under these agreements will be part of the Company’s standard procedures at the termination of employment or upon termination of a contract.
Employees will, at least annually, attest to their receipt and understanding of these important documents. If deemed necessary, training on specific topics will be developed and delivered to staff.
This program is administered by the Human Resources department and any questions regarding it should be directed to them.
Confidentiality agreements should be retained as evidence of compliance.
5.4 Responding to Security Incidents and Malfunctions
Reporting Security Incidents or Malfunctions
Incidents should be reported through appropriate management channels according to the Learn on Demand Systems Incident Response Plan. This plan defines an incident response procedure, setting out the action to be taken on receipt of an incident report.
Emergency Contact Hierarchies
Emergency contact hierarchies shall be created and maintained within each Business Unit.
The emergency contact hierarchy is designed to be used when normal Company communication systems (e.g. PBXs, phone systems) fail for a specific location or Company-wide.
6 Physical Facilities
6.1 Physical Security Perimeter
6.2 Physical Entry Controls
6.3 Equipment Security
Equipment Siting and Protection
Valuable equipment, whether for information processing or other uses, shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
At a minimum, the following controls will apply when designing/maintaining Company premises:
- Environmental conditions will be monitored for conditions which could adversely affect the operation of Information Processing Facilities; and
- The impact of a disaster happening in nearby premises (e.g. a fire in a neighboring building; water leaking from the roof or in floors below ground level; or an explosion in the street) is to be taken into account in the design of Company
Important equipment will be protected from power failures and other electrical anomalies. A suitable electrical supply that conforms to the equipment manufacturer’s specification shall be provided to all such equipment.
Emergency power switches/disconnects will be clearly marked and noted for all personnel related to the maintenance and operation of the equipment.
Where appropriate, back-up power is also provided by generators, with automatic transfer switches that provide for unattended switchover from utility to generator power within minutes of a power failure. These generators and switches are serviced and exercised regularly to ensure that they are in an operational condition when needed.
All locations containing equipment shall have appropriate fire suppression equipment for the area. In addition, a fire alarm/notification system shall be installed and maintained.
7 Communications and Operations Management
7.1 Documented Operating Procedures
All operating procedures needed to support/implement the Security Policies contained in this document are documented and maintained by the appropriate Process Owners. Operating procedures will be documented and maintained within each Business Unit.
7.2 Operational Change Control
General Change Control Policies
Changes to all Company Information Processing Facilities and the systems they contain shall be controlled by the appropriate IT Manager or Business Manager.
All written documentation generated by the change control policies will be retained as evidence of compliance, according to the policy identified.
Additions of Facilities or Information Processing Systems
New Computing Platforms and Third-Party software shall receive written approval of acceptance for installation from the appropriate Managers, before being put into service in a given Information Processing Facility.
Changes to Operational Systems
Any changes to major operational settings (e.g. processor utilization, automated backups, handling of batch jobs, access controls or other security settings) made in the normal course of business, shall be approved in advance using the applicable Change Management procedures.
Any and all changes to operational systems, especially those done under emergency circumstances, shall be logged with the date and time of any change, the individual who made the change, the previous setting and the changed setting.
General Security Controls
7.3 Network Security
Firewalls shall be implemented at any point where the company network can be bridged to the Internet. In addition, any facility housing servers or equipment containing company information shall have a firewall installed at the access point.
Power and telecommunications cabling carrying data or supporting information services shall be protected from unauthorized interception or damage.
Individuals using Mobile Computing Devices to log into Company networks shall use strong authentication techniques for login, as described in section 9, Access Control.
Remote users using wireless networks or otherwise untrusted networks to access the Company networks shall be secured using the approved secure access protocols and policies.
Remote users will be instructed not to allow unauthorized access to their machines while connected to Company resources.
7.4 Clear Screen Policy
All endpoints (e.g. workstations or servers) that provide access to Information Processing Systems shall be configured so that a screen saver or other lock-down mechanism that prevents unauthorized viewing of screen information or unauthorized access to the system is activated automatically when the system has been left unattended for fifteen (15) minutes.
7.5 Anti-Virus/Malware Protection
All computers, including internal workstations/servers as well as those of remote users, shall be protected by commercially available antivirus software obtained from a leading, highly reputable manufacturer. This software will automatically update (at least daily and without user intervention) to ensure its effectiveness in preventing loss or corruption by malicious software. LODS currently utilizes Symantec Endpoint Protection Small business edition. A copy of the current corporate license in use can be found in the log book located in the server room.
Company Technology Staff will regularly monitor and review all available patches to operating systems and applications. Upon acceptance, patches will be deployed to all workstations and servers in a timely manner so as to reduce the risk of exposure to malicious threats.
8 Access Control
8.1 Business Requirements for Access Control
All Company Information Processing Systems shall have an appropriate role-based access control system installed.
Each individual with a user account shall be required to use a unique card to gain access to any Company Information Processing System which he or she is authorized to access.
The ability to manage the capabilities of any access control system shall be strictly controlled by a role-based authentication capability. Only System Managers with administrative rights on the access control system should be able to change system parameters.
Unrestricted access to managerial capabilities of any access control system should be limited to those few authorized individuals needed to support the specific Information Processing Facility with a reasonable service level.
8.2 Access Control Rules
Each Business Unit shall develop, document, and approve appropriate rules which control access to information systems. Access control rules can vary widely between types of applications, business areas, customer types, user roles, data risk categories, and trust level of relationships between individuals. As such, these Security Policies cannot provide specific access control rules for the entire Company. See appendix B for local access rule definitions.
8.3 Registration Process
A formal user registration and de-registration procedure is required for granting access to any Company network, multi-user Information Processing Systems, or on-line services.
These processes should include:
- A written request to assign a new user account to a specific individual which contains details about the individual, as well as the systems for which the individual will require access. This request must be approved by the manager of the individual and owner of the systems;
- Securely establishing the identity of the new user who will be granted access to the system. The level of authentication of identity prior to creating a new account depends on whether access is being granted to an employee, affiliated Third Party, or customer, their method of access, and the risk level of assets to which they will be granted access;
- Using unique user IDs so that users can be linked to and made responsible for their actions. The use of group or shared IDs is not permitted, except in exceptional cases where they are the only suitable alternative for the work carried out. If this policy cannot be met, the Exception process should be
- Checking that the level of access granted is appropriate to the business purpose, as described above, and is consistent with organizational Security Policy;
- Maintaining a formal record of all persons registered to use a specific system, application, or service including the level of authorization granted;
- Having a process in place to remove access rights of users who have changed jobs or left the organization; and
- Reviewing modified IDs; and checking for, and removing, redundant user IDs and accounts at least
8.4 Password Management
Confidentiality of Passwords
Any user of a Company Information Processing System shall be instructed as part of their registration process for a user account on the importance of keeping their passwords confidential.
Secure Communication and Storage of Passwords
User passwords should only be communicated via secure communication links. These include:
- Encrypted email
- Sealed written communications
- Hand delivered communications
- Via phone, once a user’s identity has been reasonably authenticated
- User passwords shall also be stored in a secure
No user account on any Company Information Processing System shall be allowed to have a blank or null password.
Passwords chosen by users should be of a complexity that makes them less vulnerable to a brute force attack. A brute force attack is when a hacker searches every possible combination of letters, numbers, and other characters in an effort to break into a computer or system.
Passwords for Company employee authentication and business applications should at a minimum consist of at least eight (8) characters with at least one (1) numeric.
When a user forgets or loses his or her password, the user may call or otherwise contact the local IT support who may then reset their password. This process will only be initiated after positive identification of the user.
Password Lifecycle Requirements
Business units may establish and require maximum timeframes for password changes, and procedures regarding reuse of changed passwords, consistent with any regulations applicable to their business unit.
Company employee passwords and business applications should at a minimum require passwords to be changed every ninety (90) days.
A password shall not be reused within a twelve (12) month period.
These lifecycle requirements do not apply to passwords that belong to “hidden accounts” or are hidden from end users via use of the access control system. The lifecycle policies for these passwords may be set by the owner of the specific information assets or Information Processing Systems as he or she deems appropriate, based on the risk category of the system, the risk category of the assets, and the overhead involved in changing these “hidden” passwords on a regular basis. An example of such an account is a scanner accessing the user areas to store an image.
8.5 Account Lockout Requirements
Procedures shall be established to lock out accounts in a manner that meets regulatory requirements applicable to each business unit.
Company employee authentication and business applications shall lock out accounts or force timeout after no more than ten (10) unsuccessful login attempts, and accounts shall remain locked out for at least five (5) minutes before further log-on attempts are allowed or until manually reset by a system administrator.
Where accounts are locked out and require a reset by a system administrator, appropriate authentication procedures are required.
Inactive accounts shall also be subject to automatic lockout. Accounts that are inactive for more than ninety (90) days shall be disabled.
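As an added illustration of the password and lockout parameters stated in sections 8.4 and 8.5 (this is example code, not the Company's access control system or any code from the document), the following Python module enforces them against an in-memory account record: the 8-character/1-digit minimum, the rejection of blank passwords, the 90-day maximum age, the 12-month reuse window, the 10-failure lockout of at least 5 minutes, and disabling after 90 days of inactivity. The `Account` class, the reference time `T0`, the sample user ID and the choice of salted PBKDF2 for stored hashes are assumptions of the example.

```python
"""Added example for sections 8.4 and 8.5: password lifecycle and account lockout.

Policy parameters come from the document; the Account class, the in-memory store,
the reference time T0 and the PBKDF2 storage choice are assumptions of this example.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 8                            # at least eight (8) characters
MIN_DIGITS = 1                            # with at least one (1) numeric
MAX_AGE = timedelta(days=90)              # changed every ninety (90) days
REUSE_WINDOW = timedelta(days=365)        # no reuse within twelve (12) months
MAX_FAILURES = 10                         # lock after ten (10) unsuccessful attempts
LOCKOUT_DURATION = timedelta(minutes=5)   # locked for at least five (5) minutes
INACTIVITY_LIMIT = timedelta(days=90)     # inactive accounts disabled after 90 days

T0 = datetime(2024, 1, 1, 9, 0)           # constructed reference time for the example


def at(days: int = 0, minutes: int = 0) -> datetime:
    """Timestamp a given offset after the constructed reference time."""
    return T0 + timedelta(days=days, minutes=minutes)


def check_complexity(password: str) -> list[str]:
    """Return the policy violations for a candidate password (empty list if it passes)."""
    if not password:
        return ["blank or null passwords are not allowed"]
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if sum(ch.isdigit() for ch in password) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} numeric character(s)")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored history contains no reusable plaintext (assumed storage choice).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list[tuple[bytes, datetime]] = field(default_factory=list)  # (hash, time set), newest last
    failures: int = 0
    locked_until: datetime | None = None
    last_activity: datetime | None = None
    disabled: bool = False

    def set_password(self, password: str, now: datetime) -> list[str]:
        """Apply the complexity and 12-month reuse rules; store the hash only if both pass."""
        problems = check_complexity(password)
        digest = _hash(password, self.salt)
        for old_digest, when in self.history:
            if now - when < REUSE_WINDOW and hmac.compare_digest(old_digest, digest):
                problems.append("password was used within the last 12 months")
                break
        if not problems:
            self.history.append((digest, now))
        return problems

    def password_expired(self, now: datetime) -> bool:
        """True when no password is set or the current one is older than 90 days."""
        return not self.history or now - self.history[-1][1] > MAX_AGE

    def login(self, password: str, now: datetime) -> str:
        """Return 'ok', 'expired', 'denied', 'locked' or 'disabled' for one attempt."""
        if self.disabled or (self.last_activity and now - self.last_activity > INACTIVITY_LIMIT):
            self.disabled = True                      # 8.5: inactive accounts are disabled
            return "disabled"
        if self.locked_until:
            if now < self.locked_until:
                return "locked"
            self.locked_until = None                  # lockout period has elapsed
            self.failures = 0
        current = self.history[-1][0] if self.history else b""
        if not hmac.compare_digest(current, _hash(password, self.salt)):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until = now + LOCKOUT_DURATION
                return "locked"
            return "denied"
        self.failures = 0
        self.last_activity = now
        return "expired" if self.password_expired(now) else "ok"

    def admin_reset(self, now: datetime) -> None:
        """Manual reset by a system administrator, performed only after positive identification."""
        self.locked_until = None
        self.failures = 0
        self.disabled = False
        self.last_activity = now
```

The lockout state is evaluated before the password is compared, so a locked account reveals nothing about whether the attempted password was correct; `admin_reset` models the manual reset path in section 8.5, which the policy allows only after the user's identity has been authenticated.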
8.6 Review of User Access Rights
To maintain effective control over access to data and Information Processing Systems, Information Security staff shall conduct periodic formal reviews of access rights. This should be performed at least annually.
For all relevant shared directories on the file servers, the list of users associated with each directory will be sent to the management or business group responsible for the information. Those individuals will report any discrepancies found in the lists. The Security Manager will correct any noted discrepancies and record the differences.
8.7 User Responsibilities
Users shall follow good security practices in the selection and use of passwords.
All users should be educated to:
- Keep passwords confidential;
- Avoid keeping a paper record of passwords, unless this can be stored securely;
- Change passwords whenever there is any suspicion or indication of possible system or password compromise;
- Create passwords of a level of complexity that meet or exceed the requirements, as defined above;
- Select passwords whose characters are:
  - Easy to remember;
  - Not based on anything somebody else could easily guess or obtain using person-related information (e.g. names, telephone numbers, and dates of birth);
- Not include unencrypted passwords in any automated log-on process (e.g. stored in a macro or function key).
8.8 Unattended User Equipment
Users should ensure that unattended equipment has appropriate protection. Equipment installed in user areas (e.g. workstations or file servers) may require specific protection from unauthorized access when left unattended for an extended period. All Users and affiliated Third Parties should be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection. Examples of these procedures include:
- Terminating active sessions when finished, unless they can be secured by an appropriate locking mechanism (e.g. a password protected screen saver). In cases where users forget, the access control system, as described above, will automatically timeout the user session after no more than 15 minutes; and
- Securing portable computing platforms from theft by placing them in locked storage or using a desktop security device that prevents theft of the device.
8.9 Network Access Control
Use of Network Services
Any connections to company equipment that run over the public Internet for any portion of their transport shall utilize virtual private network (VPN) technology to encrypt information in transit.
Remote login methods that transmit user credentials in clear text (unencrypted) shall be prohibited (e.g. telnet, rlogin, etc.).
User Authentication for Remote Access
Technology Operations is responsible for determining the appropriate means to authenticate remote access by Employees or affiliated Third Parties.
Affiliated Third Parties may require remote Network access in order to provide support to a specific Information Processing System they support. In this case, the affiliated Third Parties shall be identified in writing between the Company and the affiliated Third Parties. Affiliated Third Party access shall be re-authorized annually.
Remote access events (e.g. log-in, log-out, and session duration) should be logged and periodically reviewed. Any Security incidents should be reported through appropriate management channels according to the Company Security Incident Response Plan.
Remote Diagnostic Port Protection
Access to diagnostic ports on any Information Processing System shall be strictly controlled with prior approval required.
Segregation in Networks
By default, to help prevent unauthorized access, each Information Processing Facility, as well as each facility occupied by the Company shall have its own subnet and security domain. This requirement can be changed (e.g. in the case of small sales branch offices which should be on a single subnet) through a written request to the network management function and notification to the Corporate Security Officer.
Application Access Restriction
Users of application systems, including support staff, shall be provided with access to information and application system functions in accordance with a defined access control policy, based on individual business application requirements and consistent with organizational information access policy, as described above.
9 Systems Development and Maintenance
9.1 Control of Internal Processing
This section will have different processes based on each business unit. SOPs should be in place for those entities.
Areas of Risk
Appropriate validation checks shall be incorporated into Information Processing Systems to detect processing errors. The design of applications should seek to ensure that restrictions are implemented to minimize the risk of processing failures leading to a loss of integrity.
Checks and Controls
The validation controls required will depend on the nature of the application and the business impact of any corruption of data.
The Company designs and implements all its systems so as to ensure that data will always be in a consistent state. It does this through the use of database transaction support together with transaction processing design practices, using standard techniques, to ensure database integrity.
9.2 Control of Operational Software
Controls shall be instituted for the implementation of software on operational systems, including:
- Updating of operational program libraries shall only be performed by designated IT Operations staff;
- Where applicable, operational systems shall hold only executable code; and
- Executable code shall not be implemented on an operational system until it has passed successful testing and user acceptance, and the corresponding program source libraries have been
9.3 Change Control Procedures
Software shall only be developed and amended in environments that are separate from the operating environments. Only authorized users shall be given access to the software development environments.
No shared application, which exists in an operating environment, shall be added, updated, revised, removed or have its operating parameters altered in any way without the documented change control process being followed.
Each Business Unit is expected to establish and maintain a documented change control process. These procedures should include:
- Business Manager or Business Lead approval prior to the start of the program change lifecycle;
- Notification of the appropriate IT Manager that a change to his or her operating environment is being requested;
- Review of the rollout plan (created according to the Company Application Lifecycle Management Policies and Procedures), by IT Management to ensure minimal business disruption;
- A formal pre-operational security review, dependent on the risk level of the Information Assets and Facilities involved;
- Approval in writing by the appropriate IT Manager that the change may be made;
- Version control which shall be maintained for all software updates;
- System documentation that shall be updated prior to the completion of each change and old documentation will be archived or appropriately disposed of; and
- Maintenance of an audit trail of all changes requested and
Emergency Change Control Procedures
Any emergency changes made to rectify major problems outside the normal change control process shall follow the documented emergency change control procedures.
These procedures should include:
- An approval process prior to the change; and
- Documentation of the emergency change after it has been implemented, as specified above.
9.4 Technical Review of Operating System Changes
Before changes to operating systems, including upgrades, patch installation, and outright replacement are made, the appropriate IT Manager shall ensure that changes will not compromise application control and integrity procedures, and will not materially and adversely affect operation of applications, and that appropriate approval and change control procedures are followed.
10 Third Party Access
10.1 Types of Access Allowed to Third Parties
Access to the Company’s Information Processing Facilities by third parties should be controlled. The following types of access to Information Processing Facilities are allowed:
Affiliated Third Parties
Certain third parties may require logical access to Information Processing facilities. Examples of these types of third parties include:
- hardware and software maintenance and support staff;
- contractors; and
Logical access should only be allowed after an approval process has been completed. Once approved, standard access policies shall apply to these types of third parties.
Unaffiliated Third Parties
The Company considers all other types of Third Parties to be unaffiliated. Access to unaffiliated Third Parties shall not be allowed except in the following situations:
- Access required by regulatory or other legal requirements; and
- A prospect, customer or partner that needs to inspect the Information Processing Facility or its contents under a specific contractual obligation of the
The unaffiliated Third Party shall be escorted continuously by at least one member of the Information Processing Facility’s staff.
The unaffiliated Third Party shall also be required to sign-in upon entry to and to sign-out upon departure from the Information Processing Facility.
Affiliated Third Party Access Controls
Access to an Information Processing System shall be determined by the affiliated Third Party’s role and his or her need for access to certain systems.
Access requests shall be made in writing by the affiliated Third Party’s Direct Manager/Supervisor.
Access shall have a specific time-limitation no greater than one year and must be renewed at least annually.
Approval of Third-Party access must be granted by an appropriate Company Manager(s) and follow a documented process.
Unaffiliated Third-Party Access controls
No access shall be allowed to an unaffiliated Third Party at any time or for any reason.
10.2 Security Requirements for Third Party Contracts
Arrangements involving third party access to organizational information processing facilities should be based on a formal contract containing, or referring to, all the security requirements to ensure compliance with the organization’s security policies and standards. The goal of these requirements is to avoid any misunderstanding between the organization and the third party.
Access to information and Information Processing Facilities by third parties should not be provided until the appropriate controls have been implemented and a contract has been signed defining the terms for the connection or access.
Refer to Appendix B for further details on the terms which should be considered for inclusion in Third Party contracts.
11 Backup and Media Handling
11.1 Backup Procedures
Data is one of the Company's most important assets. In order to protect this asset from loss or destruction, it is imperative that it be safely and securely captured, copied, and stored.
Back-up copies of information and software should be made at a frequency that is appropriate for the type of information and risk exposure associated with data loss. At a minimum, backups should occur daily. Appropriate backup hierarchies will be determined by the process owner (e.g. how often to do a complete backup versus a differential backup), based on the type and volume of Information Assets to be backed up.
- Adequate back-up storage space shall be provided to ensure that all essential business information and software can be recovered following a disaster or media failure;
- Back-up information should be given an appropriate level of physical and environmental protection, consistent with the standards applied at the main site.
- The controls applied to media at the main site should be extended to cover the back-up site;
- Back-up arrangements for individual systems shall be tested at least quarterly to ensure that they meet the requirements of the business continuity plans. Back-up media should be regularly tested, to ensure that they can be relied upon for emergency use when necessary. Restoration procedures should be regularly checked and tested to ensure that they are effective and that they can be completed within the time allotted in the operational procedures for recovery; and
- The retention period for business information may vary by business unit, and some may require archive copies to be permanently retained. Details on retention periods and backup schedules can be found in the Company Backup Schedule.
All Information Processing Systems must have the ability to log activities that occur on the system(s) in scope, and these logging capabilities shall be turned on at all times for relevant security events (e.g. failed log-ins, password changes, account lockouts, etc.).
All log entries should be date and time-stamped and indicate which user, process or service initiated the specific activity.
Emergency operations logs shall be reviewed by operations staff. All other logs shall be reviewed as needed, with any indication of a security incident reported immediately. For the internal servers used by LODS, these priority messages are monitored by the TAB systems patrol dog software, which notifies the service crew to take immediate action.
Managers should adhere to business and regulatory requirements to determine the reasonable retention period for operator logs.
Log files are to be retained for a period of at least 180 days where possible.
Employees and affiliated Third Parties shall report any actual or suspected faults in backup systems to the Company’s Support staff, where they shall be logged, and a work ticket generated according to the Company’s support procedures.
11.2 Media Management
Media will be clearly labeled, and logs will be maintained identifying the location and content of backup media.
Current media used for LODS server backup is a combination of Dell EMC Data Domain storage units, Azure Storage backup cloud storage (with backup retention and global replication policies), and Amazon Glacier long-term cloud backup and storage.
As a matter of Policy, the Company does not recycle media.
Periodically and according to the recommended lifetime defined for the backup media utilized, Company Technology Operations will retire & dispose of media so as to avoid media failures. Details on media disposal can be found in the Company Media Destruction and Disposal Procedures.
11.3 Storage, Access and Security
All backup media must be stored in a secure area that is accessible only to designated Company Technology Operations staff or, where one is used, to employees of the Company's contracted secure off-site media vaulting vendor.
11.4 Retirement and Disposal of Media
Prior to retirement and disposal, Company Technology Operations will ensure the following:
- the media no longer contains active backup images or that any active backup images have been copied to other media
- the media’s current or former contents cannot be read or recovered by an unauthorized party
11.5 Restoration Requests
In the event of accidental deletion or corruption of information, requests for restoration of information will be made through processes defined within Company Security Policy.
As the restoration of information has security consequences including:
- possible escalation of privileges by parties authorized to access information
- access by non-authorized parties
Company Technology Operations will carefully verify that the request for restoration of information is authorized by the owners of the information prior to performing the restoration.
Company Technology Operations will additionally ensure that the restored information is placed in a file system location with access controls appropriate to the information being restored.
12 Data Protection & Handling
All data in Company facilities is securely guarded; this includes confidential corporate data as well as confidential customer data. Processes to protect this data include:
Physical data, such as tapes or diskettes, are kept in a locked area which is accessible only to management, data programming and authorized personnel.
Electronically transmitted data is kept on a secure, backed-up data server; access to such data requires a unique network permission and password.
Appendix A – Definition of Terms
The following table lists the terms used in the Company Security Policies.
| Term | Definition |
| --- | --- |
| Access Control List | Access Control Lists filter network traffic by controlling whether data packets are forwarded or blocked at various points in the network. |
| Affiliated Third Party | Individuals who may require physical or logical access to the Company’s Information Processing Facilities. Individuals may be employees, contractors, temporary employees, or vendor personnel providing maintenance or support. |
| Asset | See Information Asset |
| Authentication | The process to establish and prove the validity of a claimed identity. |
| Authorization | The act of granting access to one or more Information Processing Systems or Information Assets. |
| Availability | Ensuring that information and vital services are accessible by authorized users whenever needed. |
| Business Unit | A segment of the business entity by which revenues are received and expenditure is caused or controlled, such revenues and expenditure being used to evaluate segmental performance. |
| Brute Force Attack | A type of attack in which every possible key (every possible combination of letters, numbers, and other characters) is attempted until the correct key is found. Typically used within the context of a username or password. |
| Classification | The designation given to information assets from a defined category on the basis of their sensitivity to disclosure, modification or destruction. |
| Company | Shall mean Learn on Demand Systems. |
| Compliance | The state achieved when a process or system meets or exceeds criteria laid out in company policies, laws, regulations, industry standards, or other mandatory performance controls or guidelines. |
| Computing Platforms | Any physical device which contains an electronic processor, runs an operating system, can run many applications, and can be connected to the Company’s Network (e.g. desktop computers, servers, data storage devices, communication systems, routers, switches, hubs, personal digital assistants (PDAs) and other information system devices). |
| Confidential Information | Any code, inventions, know-how, business, customer, employee, technical or financial information that the Company considers proprietary and does not want disclosed to Third Parties, or is required to prevent from disclosure to unauthorized Third Parties by law, regulation, or other legislative decree. |
| Confidentiality | The protection of information from unauthorized access or disclosure to individuals, entities, or processes. |
| Control | A method, tool, or procedure for enforcing a security policy. |
| Control Objective | A brief description of the required result of protecting information within an IT product and its immediate environment. |
| Countermeasure | An action taken to reduce risk. It may reduce the “value” of the asset, the threats facing the asset or the vulnerability of the asset to |
| Data | The collection of information assets compiled, generated or maintained to support the business. |
| Denial of Service (DoS) | An attack that takes up so much of the Company’s resources that it results in degradation of performance or loss of access to the Company’s business services. |
| Disaster | A condition in which an information asset is unavailable, as a result of a natural or man-made occurrence, that is of sufficient duration to cause significant disruption in the accomplishment of the Company’s business objectives. |
| Encryption | The cryptographic transformation of data to render it unintelligible through an algorithmic process using a cryptographic key. |
| Firewall | A security mechanism that creates a barrier between an internal network and an external network. |
| Guideline | System-specific or procedure-specific “suggestions” for best practice. A guideline is not a mandatory action but should be implemented whenever possible. |
| Information | Any knowledge produced by the Company or Third Parties. This knowledge can be contained in databases, reports, inventions, discoveries, improvements, developments, devices, tools, software, video, audio, multimedia productions, marketing programs, marketing concepts, marketing plans, marketing proposals, procedures, financial information, formulae, processes, plans, samples, models, drawings, compilations, methods, designs, programs, techniques and specifications, oral or in writing or in some other form. |
| Information Asset | Information processing facilities, equipment, and software owned or leased by the Company that are used to process information, including but not limited to: computing platforms, software, data files, system documentation, user manuals, training materials, operational and support procedures, continuity plans, and archived (backed-up) information. |
| Information Processing Facility | Any physical location (building, floor, room) which is solely dedicated to housing Information Processing Systems (e.g. Data Center). |
| Information Processing System (Information System) | A combination of hardware and software information assets (such as devices, operating systems, applications, and, most importantly, proprietary company and customer information) that together provide a specific service to employees, customers, or partners. |
| Information Security | The protection of the Company’s information assets from accidental or intentional unauthorized access, modification, destruction, or disclosure. |
| Integrity | The protection of data and information from intentional or accidental unauthorized changes by individuals or systems. |
| Intrusion Detection | The monitoring of network activities to detect, log and report upon actual or suspected unauthorized access and events for investigation and resolution. |
| Logical Access | Access to the Company’s information or resources on a system (e.g. databases, information processing systems). |
| Personally Identifiable Information | Any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains. |
| Phishing | A type of Internet piracy in which thieves are “fishing” for personal financial information. |
| Physical Access | Access to the Company’s premises (e.g. offices, computer rooms, filing cabinets). |
| Physical Asset | Equipment, furniture, buildings or other items controlled by the Company. |
| Physical Security | The protection of information processing equipment from damage, destruction or theft; information processing facilities from damage, destruction or unauthorized entry; and personnel from potentially |
| Premises | A building, floor, or other enclosed space that is under the control of the Company and subject to its policies. |
| Privacy | The right of individuals and organizations to control the collection, storage, and disclosure of any information about themselves. |
| Privileged Account | Special authorization that is granted to particular users to perform security-relevant operations. |
| Procedure | Procedures define how to execute or implement the policy standards. |
| Proprietary Information | Confidential information of all kinds that is known only to appropriate employees of the Company, including customer data as well as LODS-generated information. |
| Public Information | Public information is any data, program, or other electronic information that can be gathered by any person within or outside of LODS’s employ without using unusual means, such as theft or plagiarism. |
| Removable Media | Any tapes, disks, cassettes, removable hard drives, CD-ROMs, optical drives, or printed materials that are specifically designed to be easily removed and transported from location to location, and that may contain Company information of any kind. |
| Risk | The potential for loss of productivity, revenue, reputation or for regulatory sanction. |
| Risk Assessment | The process of identifying threats to information or information systems, determining the likelihood of occurrence of the threat, and identifying system vulnerabilities that could be exploited by the threat. |
| Security Mechanism | See Control |
| Security Perimeter | The established physical extent to which a specific set of Company Security Policies applies. |
| Security Policy | A Security Policy defines, in general terms, what is and what is not permitted during the operation of a Company system, application or facility. |
| Security Requirement | The types and levels of protection necessary for equipment, data, information, applications, and facilities to meet security policy. |
| Security Safeguard | The protective measures and controls that are prescribed to meet the security requirements specified for a system. Those safeguards may include but are not necessarily limited to hardware and software security features, operating procedures, accountability procedures, access and distribution controls, management constraints, personnel security, and physical structures, areas, and devices. |
| Security Standard | Standards specify how the policy will be implemented or enforced at the operational level. |
| Shall | The use of the word “shall” indicates a security “control” requirement which must be followed and from which no deviation is permitted. |
| Should | The use of the word “should” indicates security “control” guidelines which are “strongly” recommended and, while not mandated in every circumstance, warrant serious consideration. |
| System | See Information Processing System |
| Unaffiliated Third Party | Individuals who are not allowed physical or logical access to the Company’s Information Processing Facilities. |
| Virtual Private Network | A collection of technologies that ensure the privacy of data over a shared IP network infrastructure. |
| Vulnerability | A weakness of a system or facility holding information which can be exploited to gain access. |
| Written Request | When a written request is required to perform any action, an e-mail constitutes a valid written request. |
Appendix B – Security Standards for Third Party Contracts
The requirements below should be considered for inclusion in Third Party contracts as appropriate. These security requirements pertain to organizations outside of Learn on Demand Systems, Inc., which will be providing information services to, or on behalf of, Learn on Demand Systems, Inc.
- Firewalls which meet International Computer Security Association (ICSA) Labs or Trust Technology Assessment Program (TTAP) certification shall be used to protect all networks and servers hosting Company information from hostile networks. This requirement must be implemented before going into
- Network-based intrusion detection (IDS) shall be used to monitor all networks on which servers hosting Company information are located. This requirement shall be implemented within six (6) months of contract signing
II. OPERATING SYSTEMS
- Host-based intrusion detection (IDS) shall be used to monitor server(s) on which Company information is hosted. This requirement shall be implemented within six (6) months of contract signing
- All servers hosting Company information and/or providing services on behalf of Company shall run common, industry standard anti-virus software with “real-time” signature updates
- Service provider shall have a documented patch management
III. VULNERABILITY MANAGEMENT
- Vulnerability assessment and/or penetration testing using commercial products and/or services of all network subnet(s) and servers hosting Company information shall be conducted at least
- Remediation of critical and service affecting vulnerabilities shall be completed within 90 days of
- Vulnerability assessment and/or penetration testing using commercial products and/or services of all applications processing Company information shall be conducted at least
- Service provider shall have a documented patch management program and shall adhere to application vendors recommended best
Definition: “Strong encryption” is defined as the use of 1024-bit or greater keys for public keys and 128-bit or greater length keys for symmetric keys. AES is the preferred cipher with 3DES being acceptable if AES is not available. Under no circumstances should “proprietary” or “secret” cipher algorithms be utilized. Use of any other ciphers must be reviewed by the Technology Operations department.
- In all cases where personal information is collected from a customer or a Company employee, Secure Sockets Layer (SSL, version 3.0 required) session encryption shall be used to protect the privacy of that information during collection and
- Use of SSL shall be with “strong encryption” using a Global Server ID from VeriSign or
- All personal information collected from a customer or a Company employee shall be stored encrypted, using “strong encryption”.
- If Company employees login to a server (e.g., to upload content, or to perform any administrative function), then that logon shall utilize session encryption to protect authentication information (e.g., username + password). This session encryption may be SSL, Secure Shell (SSH), SFTP or similar. Use of insecure means for logon (i.e., username + password transmitted in the clear) is not acceptable (e.g. telnet, ftp).
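As an added example (not code from the policy or from LODS), the following Python checker applies the key-length and cipher rules of the “strong encryption” definition above to a set of constructed endpoint configurations. The dict layout, the endpoint names and the `aes_available` / `proprietary` flags are assumptions made for this illustration.

```python
"""Evaluate endpoint cipher configurations against the contract's definition
of "strong encryption": public keys of 1024 bits or more, symmetric keys of
128 bits or more, AES preferred, 3DES acceptable only when AES is not
available, proprietary/secret algorithms never, other ciphers only after
Technology Operations review.  (Added example; data layout is assumed.)
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MIN_PUBLIC_KEY_BITS = 1024
MIN_SYMMETRIC_BITS = 128
PREFERRED_CIPHER = "AES"
FALLBACK_CIPHER = "3DES"


@dataclass(frozen=True)
class EncryptionCheck:
    endpoint: str
    status: str                    # "preferred", "acceptable", "review", "rejected"
    reasons: Tuple[str, ...] = ()

    @property
    def compliant(self) -> bool:
        # "review" is not compliant until Technology Operations has signed off.
        return self.status in ("preferred", "acceptable")


def check_endpoint(cfg: Dict) -> EncryptionCheck:
    """Apply the strong-encryption rules to one hypothetical endpoint record."""
    reasons: List[str] = []

    # Key-length floors apply regardless of which cipher is chosen.
    if cfg["public_key_bits"] < MIN_PUBLIC_KEY_BITS:
        reasons.append(f"public key {cfg['public_key_bits']} bits < {MIN_PUBLIC_KEY_BITS}")
    if cfg["symmetric_bits"] < MIN_SYMMETRIC_BITS:
        reasons.append(f"symmetric key {cfg['symmetric_bits']} bits < {MIN_SYMMETRIC_BITS}")
    weak_keys = bool(reasons)

    cipher = str(cfg["cipher"]).upper()
    if cfg.get("proprietary", False):
        status = "rejected"
        reasons.append("proprietary or secret cipher algorithm is never permitted")
    elif cipher == PREFERRED_CIPHER:
        status = "preferred"
    elif cipher == FALLBACK_CIPHER and not cfg.get("aes_available", True):
        status = "acceptable"           # 3DES only because AES is unavailable
    elif cipher == FALLBACK_CIPHER:
        status = "rejected"
        reasons.append("3DES used although AES is available")
    else:
        status = "review"
        reasons.append(f"cipher {cipher} is not named by the policy; Technology Operations review required")

    if weak_keys:
        status = "rejected"             # short keys fail even a preferred cipher
    return EncryptionCheck(cfg["endpoint"], status, tuple(reasons))


def check_endpoints(configs: List[Dict]) -> List[EncryptionCheck]:
    return [check_endpoint(c) for c in configs]


# Constructed sample inventory (endpoint names and values are made up).
SAMPLE_ENDPOINTS = [
    {"endpoint": "web-portal", "cipher": "AES", "symmetric_bits": 256, "public_key_bits": 2048},
    {"endpoint": "legacy-sftp", "cipher": "3DES", "symmetric_bits": 168,
     "public_key_bits": 2048, "aes_available": False},
    {"endpoint": "legacy-web", "cipher": "3DES", "symmetric_bits": 168,
     "public_key_bits": 2048, "aes_available": True},
    {"endpoint": "old-admin", "cipher": "RC4", "symmetric_bits": 40, "public_key_bits": 512},
    {"endpoint": "vendor-appliance", "cipher": "VendorCipher", "symmetric_bits": 128,
     "public_key_bits": 2048, "proprietary": True},
    {"endpoint": "partner-gateway", "cipher": "Camellia", "symmetric_bits": 128,
     "public_key_bits": 2048},
]


if __name__ == "__main__":
    for result in check_endpoints(SAMPLE_ENDPOINTS):
        flag = "OK " if result.compliant else "FAIL"
        print(f"{flag} {result.endpoint:16} {result.status:10} {'; '.join(result.reasons)}")
```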
VI. ACCESS CONTROL
- All systems hosting Company information and/or providing services on behalf of Company shall be maintained in a physically secure environment that ensures an unbroken barrier to unauthorized
- Access to all systems hosting Company information and/or providing services on behalf of Company shall be actively controlled through the use of physical and logical access control systems which uniquely identify each individual requiring access, grant access based on least privileges best practices, and log all relevant access
- Each person requiring access shall be issued a unique non-transferable system ID which will be revoked upon termination of employment or when access to Company related systems is no longer
VII. INCIDENT RESPONSE
- Service provider shall have a security incident response plan that will provide reports and notifications to appropriate IT security managers on any suspected unusual activity that may represent a potential security threat. Any and all security breaches to systems hosting Company information and/or providing services on behalf of Company shall be reported to Company
- Service provider shall undergo an annual audit, by an accredited trusted third party, to certify compliance with all requirements. Initial audit shall be completed within one year of contract signing
- Audit methodology shall follow SAS 70 Type II/SSAE16.
- A full copy of the audit report shall be provided by the accredited trusted third party to Company within four weeks of completion with responses and planned remediation dates for any weaknesses
- Service provider shall have a formal attestation letter prepared for Company certifying compliance, and verification of compliance with all security requirements listed
- Attestation letter shall be delivered to Company within one (1) year of contract signing date, and annually
- Attestation letter shall be prepared by a professional services firm mutually agreeable to Company and service