Information Security Policy
1. Introduction: Policy Foundation and Regulatory Compliance. This Information Security Policy (Policy) promotes an effective balance between information security practices and business needs. The Policy is intended to help SKUxchange, Inc. (“SKUx”) meet our legal obligations and our clients’ expectations. From time to time, SKUx may implement different levels of security controls for different information assets, based on risk and other considerations.
You are expected to read, understand, and follow this Policy. However, no single policy can cover all the possible information security issues you may face. You must seek guidance from the Information Security Coordinator (see Section 2.1, Responsibilities: Information Security Coordinator) before taking any actions that create information security risks or otherwise deviating from this Policy’s guidelines. SKUx may treat any failure to seek and follow such guidance as a violation of this Policy.
This Policy is Confidential Information. Do not share this Policy outside SKUx unless authorized by the Information Security Coordinator. You may share this Policy with an approved contractor that has access to SKUx’s information or systems under a non-disclosure agreement or other agreement that addresses confidentiality (see Section 7, Service Providers: Risks and Governance).
Our clients, employees, and others rely on us to protect their information. An information security breach or cyber incident could severely damage our credibility. Security events can also cause loss of business and other harm to SKUx. Strong information security requires diligence by all workforce members, including employees, contractors, volunteers, and any others accessing or using our information assets. It is part of everyone’s job.
1.1 Guiding Principles. SKUx follows these guiding principles when developing and implementing information security controls:
(a) SKUx strives to protect the confidentiality, integrity, and availability of its information assets and those of its clients.
(b) We will comply with applicable privacy and data protection laws.
(c) We will balance the need for business efficiency with the need to protect sensitive, proprietary, or other confidential information from undue risk.
(d) We will grant access to sensitive, proprietary, or other confidential information only to those with a need to know and at the least level of privilege necessary to perform their assigned functions.
(e) Recognizing that an astute workforce is the best line of defense, we will provide security training opportunities and expert resources to help individuals understand and meet their information security obligations.
1.2 Scope. This Policy applies across the entire SKUx enterprise.
This Policy states SKUx’s information security policy. In many cases, you are personally responsible for taking or avoiding specific actions as the Policy states. In some situations, the Information Security Coordinator takes or avoids the stated actions.
From time to time, SKUx may approve and make available more detailed, or location or business unit-specific policies, procedures, standards, and processes to address specific information security issues. Those additional policies, procedures, standards, and processes are extensions to this Policy. You must comply with them, where applicable, unless you obtain an approved exception.
1.3 Resources. No single document can cover all the possible information security issues you may face. Balancing our need to protect SKUx’s information assets with business and operational efficiency can also be challenging. Many effective administrative, physical, and technical safeguards are available. Do not make assumptions about the cost or time required to implement them. Ask for help.
You must seek guidance before taking any actions that create information security risks. If you have questions about this Policy, technical information security issues, or legal obligations, including client agreements, contact the Information Security Coordinator (see Section 2.1, Responsibilities: Information Security Coordinator).
1.4 No Expectation of Privacy and Monitoring. Except where applicable law provides otherwise, you should have no expectation of privacy when using SKUx’s network or systems, including, but not limited to, transmitting and storing files, data, and messages.
To enforce compliance with SKUx’s policies and protect SKUx’s interests, SKUx reserves the right to monitor any use of its network and systems to the extent permitted by applicable law. By using SKUx’s systems, you agree to such monitoring. Monitoring may include (but is not necessarily limited to) intercepting and reviewing network traffic, emails, or other messages or data sent or received and inspecting data stored on individual file directories, hard disks, or other printed or electronic media.
1.5 Regulatory Compliance. Various information security laws, regulations, and industry standards may apply to SKUx and the data we handle. SKUx is committed to complying with applicable laws, regulations, and standards. Our clients expect nothing less from us.
This section lists the obligations that you are the most likely to encounter. Do not assume that these are the only laws that may apply. To identify specific obligations, you must seek guidance from the Information Security Coordinator when collecting, creating, or using new or different types of information.
(a) Personal Information: Data Protection and Breach Notification Laws. Various laws protect individuals’ personal information, such as government-assigned numbers, financial account information, and other sensitive data. Many jurisdictions have enacted breach notification laws that require organizations to notify affected individuals if personal information is lost or accessed by unauthorized parties. Some locations have data protection laws that require organizations to protect personal information using reasonable data security measures or more specific means. These laws may apply to personal information for SKUx’s employees, clients, business partners, and others.
Before collecting, creating, or using personal information for any purpose, contact the Information Security Coordinator (see Section 2.1, Responsibilities: Information Security Coordinator).
(b) Some laws, regulations, and guidance that may apply to SKUx’s activities include Florida’s general data breach notification law, Fla. Stat. Ann. § 501.171, and guidance on cybersecurity for small businesses from the Federal Trade Commission. In other cases, SKUx may be a service provider to clients that have specific regulatory requirements to safeguard personal information, which they must flow through to SKUx (see also Section 8, Client Information).
2. Responsibilities: Security Organization, Authority, and Obligations. SKUx and its leadership recognize the need for a strong information security program.
2.1 Information Security Coordinator. SKUx has designated the role of Information Security Coordinator (the “Information Security Coordinator”) to be accountable for all aspects of its information security program. In the event the position is vacant, the Chief Growth and Administrative Officer will fulfill the duties until the position is filled.
2.2 Policy Authority and Maintenance. SKUx has granted the Information Security Coordinator the authority to develop, maintain, and enforce this Policy and any additional policies, procedures, standards, and processes, as s/he may deem necessary and appropriate.
2.3 Policy Review. On at least an annual basis, the Information Security Coordinator will initiate a review of this Policy, engaging other stakeholders, as appropriate.
2.4 Exceptions. SKUx recognizes that specific business needs and local situations may occasionally call for an exception to this Policy. Exception requests must be made in writing or by email. The Information Security Coordinator must approve in writing, document, and periodically review all exceptions.
Do not assume that the Information Security Coordinator will approve an exception simply because s/he has previously approved a similar exception. Each non-compliant situation requires a review of the specific facts and risks to SKUx’s information assets. To request an exception, contact the Information Security Coordinator.
2.5 Workforce Obligation to Comply. Employees and contractors are obligated to comply with all aspects of this Policy that apply to them. This Policy is not intended to restrict communications or actions protected or required by applicable law.
SKUx may treat any attempt to bypass or circumvent security controls as a violation of this Policy. For example, sharing passwords, deactivating anti-virus software, removing or modifying secure configurations, or creating unauthorized network connections are prohibited unless the Information Security Coordinator has granted an exception as described in Section 2.4, Responsibilities: Exceptions.
SKUx takes steps to help employees and contractors understand this Policy. You are responsible for your own actions and compliance with this Policy. You should question and report any situation to your manager or the Information Security Coordinator that appears to violate this Policy or creates any undue information security risk.
2.6 Sanctions. Any violation of this Policy may result in disciplinary action or other sanctions. Sanctions may include suspension, access restrictions, work assignment limitations, or more severe penalties up to and including termination, in accordance with applicable law. If SKUx suspects illegal activities, it may report them to the applicable authorities and aid in any investigation or prosecution of the individuals involved.
2.7 Acknowledgment. All employees and contractors must acknowledge that they have read, understood, and agree to comply with this Policy either in writing or through an approved online process. Acknowledgment must be completed on a timely basis following a new hire or as otherwise designated by the Information Security Coordinator. Material changes to this Policy may require additional acknowledgment. SKUx will retain acknowledgment records.
2.8 Training. SKUx recognizes that an astute workforce is the best line of defense. We will provide security training opportunities and expert resources to help employees and contractors understand their obligations under this Policy and avoid creating undue risks. Employees must complete information security training within a reasonable time after initial hire. All workforce members must complete information security training on at least an annual basis. The Information Security Coordinator will ensure that all employees complete all required training.
SKUx may deem failure to participate in required training a violation of this Policy. SKUx will retain attendance records and copies of security training materials delivered.
2.9 Client Policies. SKUx may handle sensitive client information. In some cases, SKUx may agree to comply with specific client information security policies or standards. To minimize special cases, SKUx has developed this Policy to include the requirements common to most of our clients.
If SKUx agrees to comply with additional client-specific information security policies or standards, we will notify affected workforce members. You must comply with any such policies or standards, including any related training or additional background screening requirements.
The Information Security Coordinator must review and approve any client agreements that require compliance with specific information security protocols or standards. For more information, see Section 8, Client Information.
3. Data: Information Classification and Risk-Based Controls. SKUx has established a three-tier classification scheme to protect information according to risk levels. The information classification scheme allows SKUx to select appropriate security controls and balance protection needs with costs and business efficiencies.
All SKUx information is classified as (from least to most sensitive): (1) Public Information, (2) Confidential Information, or (3) Highly Confidential Information.
Unless it is marked otherwise or clearly intended to be Public Information, treat all SKUx and client information as if it is at least Confidential Information, regardless of its source or form, including electronic, paper, verbal, or other medium.
You must apply security controls appropriate for the assigned information classification level to all information you store, transmit, or otherwise handle. Use classification level markings, where feasible.
3.1 Public Information. Public Information is information that SKUx has made available to the general public. Information received from another party (including a client) that is covered under a current, signed non-disclosure agreement must not be classified or treated as Public Information.
(a) Public Information Examples. Some Public Information examples include, but are not limited to:
(i) press releases;
(ii) SKUx released marketing materials;
(iii) job announcements; and
(iv) any information that SKUx makes available on its publicly accessible website.
Do not assume that any information you obtain from SKUx’s network or systems, including approved cloud-based solutions from third-party service providers, is publicly available. For example, draft marketing materials are typically Confidential Information until their release. Consider all information to be at least Confidential Information, and not available for public disclosure without authorization, until you verify it is Public Information.
3.2 Confidential Information. Confidential Information is information that may cause harm to SKUx, its clients, customers, employees, or other entities or individuals if improperly disclosed, or that is not otherwise publicly available. Harms may relate to an individual’s privacy, SKUx’s marketplace position or that of its clients, or legal or regulatory liabilities.
All information stored in applications or databases should be considered Confidential. Consult the Information Security Coordinator if information is unmarked or if you are unsure of its classification. You must have authorization to disclose Confidential Information to an external party. Seek guidance from the Information Security Coordinator prior to disclosing Confidential Information, and verify that an appropriate non-disclosure or other agreement is in effect.
(a) Confidential Information Examples. Some Confidential Information examples include, but are not limited to:
(i) SKUx financial data, client or customer lists, revenue forecasts, program or project plans, and intellectual property;
(ii) client- or customer-provided data, information, and intellectual property;
(iii) client or customer contracts and contracts with other external parties, including vendors;
(iv) communications or records regarding internal SKUx matters and assets, including operational details and audits;
(v) SKUx policies, procedures, standards, and processes (for example, this Policy is Confidential Information and should not be shared without authorization from the Information Security Coordinator);
(vi) any information designated as “confidential” or some other protected information classification by an external party and subject to a current non-disclosure or other agreement;
(vii) information regarding employees (see also Section 3.3, Data: Highly Confidential Information, regarding personal information);
(viii) any summaries, reports, or other documents that contain Confidential Information; and
(ix) drafts, summaries, or other working versions of any of the above.
(b) Safeguards. You must protect Confidential Information with specific administrative, physical, and technical safeguards implemented according to risks, including (but not necessarily limited to):
(i) Authentication. Electronically stored Confidential Information must only be accessible to an individual after logging in to SKUx’s network, including approved cloud-based solutions from third-party service providers.
(ii) Discussions. Only discuss Confidential Information in non-public places, or if a discussion in a public place is absolutely necessary, take reasonable steps to avoid being overheard.
(iii) Copying/Printing/Faxing/Scanning. Only scan, make copies, and distribute Confidential Information to the extent necessary or allowed under any applicable non-disclosure agreement or other applicable agreement. Take reasonable steps to ensure that others who do not have a business need to know do not view the information.
When faxing Confidential Information, use a cover sheet that informs the recipient that the information is SKUx’s Confidential Information. Set fax machines to print a confirmation page after sending a fax. Locate copiers, fax machines, scanners, and other office equipment in physically secured areas and configure them to avoid storing Confidential Information.
(iv) Encryption. You should encrypt Confidential Information when storing it on a laptop, smartphone, or other mobile device, including mobile storage devices. You should also encrypt Confidential Information when transmitting or transporting it externally. Seek assistance from the Information Security Coordinator, if needed.
(v) Mailing. Use a service that requires a signature for receipt of the information when sending Confidential Information outside SKUx. When sending Confidential Information inside SKUx, use a sealed security envelope marked “Confidential Information.”
(vi) Meeting Rooms. You should only share Confidential Information in physically secured meeting rooms. Erase or remove any Confidential Information that you write on a whiteboard or other presentation tool upon the meeting’s conclusion.
(vii) Need to know. Only access, share, or include Confidential Information in documents, presentations, or other resources when there is a business need to know.
(viii) Physical Security. Only house systems that contain Confidential Information or store Confidential Information in paper or other forms in physically secured areas.
3.3 Highly Confidential Information. Highly Confidential Information is information that may cause serious and potentially irreparable harm to SKUx, its clients, customers, employees, or other entities or individuals if disclosed or used in an unauthorized manner. Highly Confidential Information is a subset of Confidential Information that requires additional protection.
Mark Highly Confidential Information to denote its status when technically feasible. Applications or databases that contain Highly Confidential Information may be marked with an initial banner shown upon system access.
You may not remove Highly Confidential Information from SKUx’s environment without authorization.
You must have authorization to disclose Highly Confidential Information to an external party. Seek guidance from the Information Security Coordinator prior to disclosing Highly Confidential Information externally, to ensure SKUx meets its legal obligations.
(a) Highly Confidential Information Examples. Some Highly Confidential Information examples include, but are not limited to:
(i) personal information for employees, clients, customers, business partners, or others;
(ii) proprietary information of SKUx’s clients and customers; and
(iii) sensitive SKUx business information, such as budgets, financial results, or strategic plans.
(b) Safeguards. You must protect Highly Confidential Information with specific administrative, physical, and technical safeguards implemented according to risks and as prescribed by applicable laws, regulations, and standards, including (but not necessarily limited to):
(i) Authentication. Electronically stored Highly Confidential Information must only be accessible to an individual after logging in to SKUx’s network, including approved cloud-based solutions from third-party service providers, and with specific authorization.
(ii) Discussions. Only discuss Highly Confidential Information in non-public places.
(iii) Copying/Printing/Faxing/Scanning. Do not scan, copy, or distribute Highly Confidential Information unless absolutely necessary. Take reasonable steps to ensure that others who do not have a specific business need to know do not view the information.
When faxing Highly Confidential Information, use a cover sheet that informs the recipient that the information is SKUx’s Highly Confidential Information. Set fax machines to print a confirmation page after sending a fax. Locate copiers, fax machines, scanners, and other office equipment in physically secured areas and configure them to avoid storing Highly Confidential Information.
(iv) Encryption. You must encrypt Highly Confidential Information when transmitting it, whether externally or internally, or when storing it on a laptop, smartphone, or other mobile device, including mobile storage devices such as USB drives. You should also encrypt Highly Confidential Information when storing it on a server, database, or other stationary device.
(v) Mailing. Do not mail Highly Confidential Information unless absolutely necessary. Use a service that requires a signature for receipt of the information when sending Highly Confidential Information outside SKUx. When sending Highly Confidential Information inside SKUx, use a sealed security envelope marked “Highly Confidential Information.” If you use electronic media to mail Highly Confidential Information, you must encrypt and password protect it.
(vi) Meeting Rooms. You must only share Highly Confidential Information in physically secured meeting rooms. Erase any Highly Confidential Information that you write on a whiteboard or other presentation tool upon the meeting’s conclusion.
(vii) Need to know. Only access, share, or include Highly Confidential Information in documents, presentations, or other resources when there is a specific business need to know.
(viii) Network Segmentation. You may only make Highly Confidential Information available to areas of SKUx’s network, including approved cloud-based solutions from third-party service providers, where there is a specific business need. Highly Confidential Information must be segmented from the rest of SKUx’s network using controls such as firewalls, access control lists, or other security mechanisms.
(ix) Physical Security. Only house systems that contain Highly Confidential Information or store Highly Confidential Information in paper or other forms in physically secured areas, accessible only to those with a specific business need to know.
4. People: Roles, Access Control, and Acceptable Use. People are the best defense in information security. They are also the weakest link. SKUx grants access to its systems and data based on business roles. SKUx places limits on how you may use and interact with its information assets. These restrictions help lower risks and protect you and SKUx.
4.1 Roles. Business roles and role-based access are based on the individual’s relationship with SKUx and assigned activities.
(a) Employees. SKUx provides employee screening in accordance with applicable laws. SKUx may require employees who handle Highly Confidential Information to undergo additional background screening and testing where permitted by applicable laws.
(b) External Parties. SKUx grants systems access to approved external parties, such as contractors, vendors, service providers, business partners, or others with a demonstrated business need that cannot be reasonably met through other means (see Section 7, Service Providers: Risks and Governance). SKUx may support different access levels for different business situations.
4.2 Identity and Access Management. SKUx uses identity and access management controls to provide user accounts with appropriate privileges to employees and others. SKUx uses Single Sign On (“SSO”) to register each specific user to access applicable SKUx systems through a specified unique user account. Device or application-specific identifiers must be linked to an accountable individual.
(a) Unique User Accounts. SKUx assigns a unique user account to each individual through an SSO account. You must not share your account or password with others. If system or other administrative accounts cannot be uniquely assigned to specific individuals, use mediated access, audit logs, or other technical controls to provide individual accountability.
(b) Add, Change, Terminate Access. SKUx restricts access to specific resources to those with a business need to know. The Information Security Coordinator adds or changes access levels. The Information Security Coordinator must periodically review user accounts and access levels to confirm that a legitimate business need for the access still exists.
When an employee leaves the business, the system administrator will promptly deactivate the individual’s account(s).
(c) Authorization Levels and Least Privilege. Proper authorization levels ensure that SKUx only grants individuals the privileges they need to perform their assigned activities and no more. Known as least privilege access, this method minimizes risks. Least privilege applies to user and administrative access. You must not grant administrative privileges unless there is a specific business need, and you must limit them to the extent feasible.
(d) Role-Based Access Controls. Use role-based access control methods whenever feasible to assign authorization levels according to business functions, rather than uniquely for each individual. This method supports the least privilege approach by standardizing access. It also simplifies periodic access reviews.
4.3 Acceptable Use Policy. SKUx provides employees and others with network resources and systems, including approved cloud-based solutions from third-party service providers, to support its business requirements and functions. This section limits how you may use SKUx’s information assets and explains the steps you must take to protect them.
If you have any questions regarding acceptable use of SKUx’s resources, contact the Information Security Coordinator for guidance.
(a) General Use of Information Technology Resources. SKUx provides network resources and systems, including approved cloud-based solutions from third-party service providers, for business purposes. Any incidental non-business use of SKUx’s resources must be for personal purposes only. Do not use SKUx’s resources for commercial purposes, personal gain, or any purpose that may create a real or perceived conflict of interest with SKUx.
Do not use SKUx’s resources in a manner that negatively impacts your job performance or impairs others’ abilities to do their jobs. SKUx’s network and systems, including approved cloud-based solutions from third-party service providers, are subject to monitoring (see Section 1.4, No Expectation of Privacy and Monitoring).
Do not use SKUx’s network or systems, including approved cloud-based solutions from third-party service providers, for activities that may be deemed illegal under applicable law. If SKUx suspects illegal activities, it may report them to the appropriate authorities and aid in any investigation or prosecution of the individuals involved.
(b) Prohibited Activities. SKUx prohibits using its resources to engage in activities such as (but not necessarily limited to) the following:
(i) hacking, spoofing, or launching denial of service attacks;
(ii) gaining or attempting to gain unauthorized access to others’ networks or systems;
(iii) making unauthorized changes to others’ networks or systems;
(iv) sending fraudulent email messages;
(v) distributing or attempting to distribute malicious software (malware);
(vi) spying or attempting to install spyware or other unauthorized monitoring or surveillance tools;
(vii) committing criminal acts such as terrorism, fraud, or identity theft;
(viii) downloading, storing, or distributing child pornography or other obscene materials;
(ix) downloading, storing, or distributing materials in violation of another’s copyright;
(x) creating undue security risks or negatively impacting the performance of SKUx’s network and systems or those of its clients;
(xi) causing embarrassment, loss of reputation, or other harm to SKUx;
(xii) uploading, downloading, or disseminating defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, annoying, insulting, threatening, obscene, or otherwise inappropriate or offensive messages or media;
(xiii) distributing joke, chain letter, commercial solicitation, or hoax emails or other messages (spamming);
(xiv) disrupting the workplace environment, creating a hostile workplace, or invading the privacy of others;
(xv) using encryption or other technologies in an attempt to hide illegal, unethical, or otherwise inappropriate activities;
(xvi) installing or distributing unlicensed or pirated software; and
(xvii) violating any use restrictions that clients have imposed on SKUx employees and to which SKUx has agreed (see Section 2.9, Responsibilities: Client Policies and Section 8, Client Information).
(c) Desktop, Laptop, and End-User Controls. You may only access SKUx’s network, including approved cloud-based solutions from third-party service providers, using approved end-user devices that support our current minimum information security standards. Standards for end-user devices may include protective controls and specific configurations, such as anti-virus software, patching levels, and required operating system or other software versions.
Use your own SKUx-provided account(s) to access SKUx’s network and systems, including approved cloud-based solutions from third-party service providers, unless you have been specifically authorized to use a device-specific, administrative, or other account (see Section 4.2, People: Identity and Access Management).
Screen saver passwords, also known as “workstation timeouts” or “lock screens,” secure Confidential Information by protecting active computer sessions when you step away. Locking screen savers must activate after a maximum inactivity time of 15 minutes. If you handle Highly Confidential Information, lock your screen any time you leave it unattended.
(d) Information Handling and Storage. You must properly handle, store, and securely dispose of SKUx’s information, including following client guidelines on records retention or disposal (see also Section 5.1(g), Information Assets: Data and Media Disposal). You are responsible for any Confidential or Highly Confidential Information that you access or store. Do not allow others to view, access, or otherwise use any Confidential or Highly Confidential Information you control unless they have a specific business need to know.
Store files or other data critical to SKUx’s operations on regularly maintained (backed up) servers or other storage resources, including approved cloud-based solutions from third-party service providers. Do not store business critical data only on end-user devices such as desktops, laptops, smartphones, or other mobile devices.
Physically secure any media containing SKUx information, including hard drives, CDs, disks, paper, voice recordings, removable drives (such as thumb drives, flash drives, USB drives), or other media. You must store media containing Confidential or Highly Confidential Information in a locked area when not in use.
Shred or otherwise destroy paper that contains Confidential or Highly Confidential Information prior to disposal. Return all electronic, magnetic, or optical media to SKUx for secure disposal when it is no longer required to meet business needs.
(e) Internet Use: Email, Messaging, Social Media, and Cloud Computing. The internet offers a variety of services that SKUx employees and contractors depend on to work effectively. However, some technologies create undue risks to SKUx’s assets. Some uses are not appropriate in the workplace.
SKUx may block or limit access to particular services, websites, or other internet-based functions according to risks and business value. Recognize that inappropriate or offensive websites may still be reachable and do not access them using SKUx resources.
(i) General Internet Use. Limit your web browsing and access to streaming media (such as videos, audio streams or recordings, and webcasts) to business purposes or as otherwise permitted by this Policy. Internet use must comply with this Policy.
Never use internet peer-to-peer file sharing services, given the risks to SKUx’s information assets they create.
(ii) Email and Social Media. Do not disclose Confidential or Highly Confidential Information to unauthorized parties on blogs or social media or transmit it in unsecured emails or instant messages (see Section 3, Data: Information Classification and Risk-Based Controls). Do not make postings or send messages that speak for SKUx or imply that you speak for SKUx unless you have been authorized to do so.
Use good professional judgment when drafting and sending any communications. Remember that messages may be forwarded or distributed outside your control, and your professional reputation is at stake. Email signatures should be professional, appropriate for your business role, and not unreasonably long or complex.
Never open an email attachment you did not expect to receive, click on unexpected links, or otherwise interact with unexpected email content. Attackers frequently use these methods to deliver viruses and other malware. Be cautious even if a message appears to come from someone you know, since attackers can easily falsify (spoof) email senders. SKUx may block some attachments or emails, based on risk.
Do not respond to an email or other message that requests Confidential or Highly Confidential Information unless you have separately verified and are certain of its origin and purpose. Even then, always protect Confidential or Highly Confidential Information as described in Section 3, Data: Information Classification and Risk-Based Controls.
If you have any doubts regarding the authenticity or risks associated with an email or other message you receive, contact the Information Security Coordinator immediately and before interacting with the message. Do not reply to suspicious messages, including clicking links or making unsubscribe requests. Taking those actions may simply validate your address and lead to more unwanted or risky messages.
(iii) Cloud Computing. SKUx may use internet-based, outsourced services for some computing and data storage activities based on business needs. Cloud computing services store data and provide services in internet-accessible data centers that may be located almost anywhere. Cloud services vary significantly in their service levels and security measures.
Before using any cloud computing services to collect, create, store, or otherwise manage SKUx’s Confidential or Highly Confidential Information, you must obtain approval from SKUx (see Section 7, Service Providers: Risks and Governance).
A list of approved cloud-based solutions from third-party service providers is available from the Information Security Coordinator. These approved providers have demonstrated the necessary data protection and information security standards that SKUx requires.
This Policy applies to any document sharing or other internet-based services, if SKUx Confidential or Highly Confidential Information is stored.
(f) Mobile Devices and Bring Your Own Device to Work. Mobile devices, including laptops, smartphones, and tablet computers, can provide substantial productivity benefits. Mobile storage devices may simplify information exchange and support business needs. However, all these mobile devices also present significant risks to SKUx’s information assets, so you must take appropriate steps to protect them.
SKUx may permit employees and others to use their own equipment to connect to SKUx’s network and systems, including approved cloud-based solutions from third-party service providers. If you choose to do so, you agree that your use of those devices is subject to this Policy and any additional policies, procedures, standards, and processes SKUx implements. SKUx may require you to install specific security controls on your device (for example, device management software, access controls, encryption, remote wiping in case your device is lost or stolen, or other security controls).
You must allow SKUx to review your device and remove any SKUx data, if your relationship with SKUx terminates, you change devices or services, or in other similar situations. You must also promptly provide SKUx with access to your device when requested for SKUx’s legitimate business purposes, including any security incident or other investigation.
Use encryption, other protection strategies (for example, device management software, access controls, remote wiping in case your device is lost or stolen, or other security controls), or both on any mobile device that contains Confidential or Highly Confidential Information. Mobile devices, including those that provide access to SKUx email, must be protected using a password or other approved authentication method.
Physically secure any mobile devices you use to access or store SKUx information. Never leave laptops or other devices unattended unless locked or otherwise secured. Do not leave mobile devices or the bags containing them visible in a parked car or check them as baggage on airlines or other public transportation.
Ensure an up-to-date firewall is installed on the device prior to connecting the device to an unsecured network. Unsecured networks include home networks, hotel networks, open or for-pay wireless hotspots, convention networks, or any other network that SKUx has not approved or does not control.
(g) Remote Access. When possible, use multi-factor authentication to access SKUx’s network remotely, including approved cloud-based solutions from third-party service providers. Remote access connections should timeout (be disconnected) after eight hours of usage.
(h) Wireless Network Connections. Secure and maintain wireless network (WiFi) connections according to current SKUx technical and physical security standards.
Only transmit, receive, or make available Highly Confidential Information through WiFi connections using appropriate protective controls, including encryption. If you have questions regarding appropriate WiFi security measures to take when handling Highly Confidential Information, contact the Information Security Coordinator.
End-user devices that access wireless networks, such as laptops, must have personal firewalls installed and maintained according to current SKUx standards. Deactivate your computer’s wireless networking interface when it is not in use.
5. Information Assets: Protecting and Managing SKUx’s Information Technology Environment. This section describes key safeguards that SKUx uses to protect and manage its information technology (“IT”) environment. You must support their use to the extent that they apply to you. You must also apply these safeguards when accessing clients’ IT environments, to the extent feasible. If you have any questions, contact the Information Security Coordinator.
5.1 Protecting Information Assets. Install and configure SKUx-owned computers according to current technical standards and procedures, including anti-virus software, other standard security controls, and approved operating system version and software patches. SKUx supports preventive controls to avoid unauthorized activities or access to data, based on risk levels. SKUx supports detective controls to timely discover unauthorized activities or access to data, including continuous system monitoring and event management.
(a) End-User Computers and Access. Users may not access SKUx’s network, including approved cloud-based solutions from third-party service providers, unless they have been properly authenticated.
SKUx and/or our third-party authentication app will deactivate user accounts after a handful of failed login attempts. Reactivation may be based on a timeout or manual reset according to risk and technical feasibility. Secure remote access points and require multi-factor authentication. Encrypt authentication credentials during transmission across any network, either internal or external.
(b) Passwords and User Credentials. Select strong passwords and protect all user credentials, including passwords, tokens, badges, smart cards, or other means of identification and authentication. Implement password rules so that users select and use strong passwords. Automate password rule enforcement to the extent technically feasible.
(i) Minimum Password Rules. SKUx does not use passwords for most applications. These rules apply when passwords are necessary. At minimum passwords must:
(A) be at least 12 characters;
(B) be comprised of a mix of letters (upper and lower case), numbers, and special characters (punctuation marks and symbols);
(C) not be comprised of or use words that can be found in a dictionary;
(D) not be comprised of an obvious keyboard sequence or common term (e.g., “qwerty,” “12345678,” or “password”); and
(E) not include easily guessed data such as personal information about yourself, your spouse, your pet, your children, birthdays, addresses, phone numbers, locations, etc.
Several techniques can help you create a strong password. One is substituting numerals for words or letters, for example using “2” for “to” or “4” for “for,” combined with capitalization and symbols, to build a memorable phrase. Another easy-to-remember approach is to think of a sentence and use the first letter of each word as the password. Keep in mind that a single dictionary word with a few substituted characters (such as “P@ssw0rd”) is still weak, because password-cracking tools apply the same substitutions automatically.
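The rules above can be enforced automatically, as Section 5.1(b) asks. The following checker is an added example, not part of SKUx’s Policy or tooling; it implements rules (A) through (E) and goes slightly beyond them by undoing common character substitutions (“@” for “a,” “0” for “o,” and so on) before the dictionary check, so that “P@ssw0rd” is still rejected. The word list, the four-character definition of an “obvious sequence,” and the personal_info argument are assumptions chosen for illustration; a real deployment would load a full cracking wordlist and pull personal attributes from the HR or directory record.

```python
import string

MIN_LENGTH = 12
SEQUENCE_LEN = 4   # assumption: 4+ adjacent keyboard/alphabet characters count as an "obvious sequence"

# Constructed stand-in for a real dictionary; a deployment would load a full
# wordlist (the same lists password crackers use) instead.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey",
                    "company", "secret", "letmein", "football"}
COMMON_TERMS = {"qwerty", "12345678", "password"}          # rule (D) examples
SEQUENCE_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "1234567890", "abcdefghijklmnopqrstuvwxyz"]

# Common character substitutions undone before the dictionary check, so that
# "P@ssw0rd" is still recognised as "password" (cracking tools apply the same
# rules, so substitution alone does not make a word strong).
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "$": "s", "!": "i"})


def _has_sequence(text):
    """True if `text` contains a run of SEQUENCE_LEN adjacent characters from
    any keyboard row or the alphabet, in either direction."""
    for row in SEQUENCE_ROWS:
        for i in range(len(row) - SEQUENCE_LEN + 1):
            seg = row[i:i + SEQUENCE_LEN]
            if seg in text or seg[::-1] in text:
                return True
    return False


def check_password(password, personal_info=()):
    """Check `password` against rules (A)-(E).

    `personal_info` is the caller-supplied list of strings the user must not
    embed (names, pets, birth dates, phone numbers, ...). Returns a list of
    violation messages; an empty list means the password passes."""
    failures = []
    lower = password.lower()
    normalized = lower.translate(LEET)

    if len(password) < MIN_LENGTH:
        failures.append(f"A: fewer than {MIN_LENGTH} characters")

    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    if not all(classes):
        failures.append("B: needs upper- and lower-case letters, numbers and special characters")

    # Rule (C): reject embedded dictionary words of four or more letters,
    # checked against the de-substituted form of the password.
    for word in sorted(DICTIONARY_WORDS):
        if len(word) >= 4 and word in normalized:
            failures.append(f"C: contains dictionary word '{word}'")
            break

    if any(term in normalized for term in COMMON_TERMS) or _has_sequence(normalized):
        failures.append("D: contains an obvious keyboard sequence or common term")

    for item in personal_info:
        item = str(item).lower()
        if len(item) >= 3 and item in lower:
            failures.append(f"E: contains personal information '{item}'")
            break

    return failures


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd2024!!", "Mdh@F2d&1c!xQ"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

The checker reports every violated rule rather than stopping at the first, which gives the user a complete list of what to fix in one round. It deliberately does not log or persist the candidate password, since passwords are Highly Confidential Information under this Policy.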
Treat passwords as Highly Confidential Information. You may be required to change your password periodically according to current SKUx standards. Change your password immediately and report the incident (see Section 6.1, Incident Reporting and Response: Incident Reporting) if you have reason to believe that it has been compromised.
(ii) Password Protection. Protect your passwords at all times by:
(A) Not disclosing your passwords to anyone, including anyone who claims to be from SKUx;
(B) Not sharing your passwords with others (including co-workers, managers, clients, or family);
(C) Not writing down your passwords or otherwise recording them in a manner that is not secure;
(D) Not using save password features for applications, unless provided or authorized by SKUx;
(E) Not using the same password for different systems or accounts, except where single sign-on features are automated; and
(F) Not reusing passwords or using the same passwords for SKUx and personal accounts.
SKUx procedures and technical standards may define additional steps to protect passwords for administrative or device-specific accounts.
(c) Perimeter Controls. SKUx may implement additional perimeter controls including intrusion detection and prevention services, data loss prevention software, specific router or other network configurations, or various forms of network monitoring according to risks. Perimeter controls secure SKUx’s network against external attacks.
(d) Data and Network Segmentation. SKUx may use technical controls, such as firewalls, access control lists, or other mechanisms, to segment some data or areas of its network according to risks. Segment Highly Confidential Information from the rest of SKUx’s network, including on approved cloud-based solutions from third-party service providers, to the extent technically feasible and reasonable (see Section 3.3, Data: Highly Confidential Information). Do not alter network segmentation plans without approval from SKUx.
(e) Encryption. SKUx uses encryption to protect Confidential and Highly Confidential Information according to risks. Encryption may be applied to stored data (data-at-rest) and transmitted data (data-in-transit). Encrypting personal information also limits SKUx’s exposure if a device or data set is lost or stolen, because many breach notification laws do not treat data as breached when it was encrypted and the keys were not compromised.
Only use generally accepted encryption algorithms and products approved by SKUx. Periodically review encryption products and algorithms for any known risks.
Laws may limit exporting some encryption technologies. Seek guidance from SKUx prior to exporting or making any encryption technologies available to individuals outside the US.
(f) Encryption Key Management. Encryption algorithms use keys to transform and secure data. Because they allow decryption of the protected data, proper key management is critical. Select encryption keys to maximize protection levels, to the extent feasible and reasonable. Treat them as Highly Confidential Information.
Ensure that keys are available when needed to support data decryption by using secure storage methods and creating and maintaining secure backups. Track access to keys. Keys should never be known or available to only a single individual. Change encryption keys on a periodic basis according to risks.
(g) Data and Media Disposal. When SKUx retires or otherwise removes computing, network, or office equipment (such as copiers or fax machines) or other information assets that may contain Confidential or Highly Confidential Information from the business, specific steps must be taken to scrub or otherwise render the media unreadable.
Simply deleting files or reformatting disks is not sufficient to prevent data recovery. Either physically destroy media, according to applicable waste disposal regulations, or scrub it using data wiping software that meets generally accepted data destruction standards. For example, see the National Institute of Standards and Technology’s Special Publication 800-88, Guidelines for Media Sanitization.
(h) Log Management and Retention. SKUx logs system and user activities on network, computing, or other information assets according to risks. Security controls or other network elements, including approved cloud-based solutions from third-party service providers, may also produce logs.
Secure log data and files to prevent tampering and retain them according to applicable law and best practices. For any questions regarding records retention, contact the Information Security Coordinator. Regularly review logs, using automated means where feasible, to identify any anomalous activities that may indicate a security incident.
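The account deactivation described in Section 5.1(a) and the automated log review called for here can be checked against the same authentication log. The script below is an added example, not SKUx’s own tooling; it replays constructed log lines (the format, the thresholds of five failures in fifteen minutes, the thirty-minute automatic reset, and the sample addresses are all assumptions, since the Policy says only “a handful” of attempts and a timeout- or manual-based reset) and raises alerts for a lockout, attempts against a locked account, a successful login that the lockout should have blocked, and one source address failing against several different accounts (password spraying). The sample deliberately includes a success on a locked account so the review catches a lockout that was not enforced.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions: the Policy says "a handful" of failures and a
# timeout- or manual-based reset without fixing numbers.
MAX_FAILURES = 5                          # failures within FAILURE_WINDOW that trigger a lock
FAILURE_WINDOW = timedelta(minutes=15)
LOCKOUT_DURATION = timedelta(minutes=30)  # automatic reset ("timeout") after a lock
SPRAY_DISTINCT_USERS = 3                  # one source failing against this many accounts
SUCCESS_AFTER_FAILURES = 3                # a success preceded by this many recent failures

# Assumed line format: "<ISO timestamp> <LOGIN_FAILED|LOGIN_OK> <user> <source ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN_FAILED|LOGIN_OK) (?P<user>\S+) (?P<ip>\S+)$")

# Constructed sample log; not taken from any real system.
SAMPLE_LOG = """\
2024-03-09T09:00:01 LOGIN_FAILED alice 203.0.113.7
2024-03-09T09:00:05 LOGIN_FAILED alice 203.0.113.7
2024-03-09T09:00:09 LOGIN_FAILED alice 203.0.113.7
2024-03-09T09:00:14 LOGIN_FAILED alice 203.0.113.7
2024-03-09T09:00:20 LOGIN_FAILED alice 203.0.113.7
2024-03-09T09:00:25 LOGIN_FAILED alice 203.0.113.7
2024-03-09T09:00:31 LOGIN_OK alice 203.0.113.7
2024-03-09T09:20:00 LOGIN_FAILED bob 198.51.100.9
2024-03-09T09:20:03 LOGIN_FAILED carol 198.51.100.9
2024-03-09T09:20:06 LOGIN_FAILED dave 198.51.100.9
2024-03-09T09:20:09 LOGIN_FAILED erin 198.51.100.9
2024-03-09T09:45:00 LOGIN_FAILED alice 192.0.2.44
2024-03-09T09:45:30 LOGIN_OK alice 192.0.2.44
"""


def _prune(dq, now, window):
    """Drop entries older than `window` from the left of a time-ordered deque."""
    while dq and now - dq[0][0] > window:
        dq.popleft()


def analyze_auth_log(text):
    """Replay authentication events in order.

    Returns (alerts, locked_until): alerts is a list of (kind, subject, timestamp)
    tuples; locked_until maps an account to the time its lock expires."""
    failures = defaultdict(deque)      # user -> deque of (ts, ip)
    by_source = defaultdict(deque)     # ip -> deque of (ts, user)
    locked_until = {}
    sprayed = set()
    alerts = []

    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # unparsable line; in practice count and review these too
        ts = datetime.fromisoformat(m["ts"])
        user, ip, event = m["user"], m["ip"], m["event"]
        locked = user in locked_until and ts < locked_until[user]

        if event == "LOGIN_FAILED":
            # Spray detection: one source, many distinct accounts, short window.
            src = by_source[ip]
            src.append((ts, user))
            _prune(src, ts, FAILURE_WINDOW)
            if ip not in sprayed and len({u for _, u in src}) >= SPRAY_DISTINCT_USERS:
                sprayed.add(ip)
                alerts.append(("PASSWORD_SPRAY", ip, m["ts"]))

            if locked:
                alerts.append(("ATTEMPT_ON_LOCKED_ACCOUNT", user, m["ts"]))
                continue
            dq = failures[user]
            dq.append((ts, ip))
            _prune(dq, ts, FAILURE_WINDOW)
            if len(dq) >= MAX_FAILURES:
                locked_until[user] = ts + LOCKOUT_DURATION
                alerts.append(("LOCKOUT", user, m["ts"]))
                dq.clear()           # the lock resets the failure counter
        else:  # LOGIN_OK
            if locked:
                # The authentication system accepted a login it should have refused.
                alerts.append(("SUCCESS_WHILE_LOCKED", user, m["ts"]))
                continue
            dq = failures[user]
            _prune(dq, ts, FAILURE_WINDOW)
            if len(dq) >= SUCCESS_AFTER_FAILURES:
                alerts.append(("SUCCESS_AFTER_FAILURES", user, m["ts"]))
            dq.clear()
    return alerts, locked_until


if __name__ == "__main__":
    found, locks = analyze_auth_log(SAMPLE_LOG)
    for kind, subject, when in found:
        print(when, kind, subject)
```

Each alert carries the subject (account or source address) and the timestamp of the triggering line, so it can be handed directly to the incident reporting process in Section 6.1. The “SUCCESS_WHILE_LOCKED” case is the one worth watching most closely: it is evidence that a preventive control exists on paper but did not operate.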
(i) Physical (Environmental) Security. SKUx uses physical safeguards to avoid theft, intrusions, unauthorized use, or other abuses of its information assets. You must comply with SKUx’s current physical security policies and procedures and:
(i) position computer screens where information on the screens cannot be seen by unauthorized parties;
(ii) not display Confidential and Highly Confidential Information on a computer screen where unauthorized individuals can view it;
(iii) log off or shut down your workstation when leaving for an extended period or at the end of your work day;
(iv) house servers or other computing or network elements (other than end-user equipment) in secure data centers or other areas approved by SKUx;
(v) deactivate network ports that are not in use; and
(vi) store end-user devices that are not in use for an extended period in a secure area or securely dispose of them (see Section 5.1(g), Information Assets: Data and Media Disposal).
(j) Disaster Preparedness (Business Continuity and Disaster Recovery). SKUx’s Information Security Coordinator periodically tests disaster preparedness and business continuity. SKUx’s Information Security Coordinator is responsible for ensuring sufficient financial, personnel, and other resources are available as necessary to maintain technological business continuity and disaster recovery. SKUx periodically updates and reviews its internal and external contacts for these situations; conducts disaster recovery simulation and tabletop exercises; and verifies alternate site technology to ensure it meets SKUx’s legal and contractual obligations. Treat disaster preparedness plans as Confidential Information.
System administrators must perform regular data backups for the information assets they maintain. When selecting a backup strategy, balance the business criticality of the data with the resources required and any impact to users and network resources. Protect backups according to the information classification level of the data stored. Document and periodically test restoration procedures.
5.2 Managing Information Assets. The Information Security Coordinator manages IT operations and related activities at SKUx.
(a) Procurement. Only the Information Security Coordinator, or those authorized by the Information Security Coordinator, may procure information assets for use in or connection to SKUx’s network, including approved cloud-based solutions from third-party service providers. This Policy applies whether software or other assets are purchased, open source, or made available to SKUx at no cost. Before using cloud computing services to access, store, or manage Confidential or Highly Confidential Information, you must obtain authorization from the Information Security Coordinator.
(b) Asset Management. The Information Security Coordinator will track and document all information assets, including hardware, software, and other equipment. The inventory should include operating system levels and all installed software and software versions to support vulnerability identification and mitigation (see Section 9.3, Risk and Compliance Management: Vulnerability Management). The Information Security Coordinator will update the asset inventory as assets are removed from the business.
(c) Authorized Environments and Authorities. Only authorized SKUx personnel, including the Information Security Coordinator or other project personnel that the Information Security Coordinator approves, may install and connect hardware or software, including application programming interface (“API”) or third-party applications, in SKUx’s IT environment, including approved cloud-based solutions from third-party service providers. Limit administrative or privileged systems access to those individuals with a business need to know. The Information Security Coordinator, or any other authorized personnel to whom the Information Security Coordinator delegates authority, must distribute administrative access and information regarding administrative processes to more than one individual to minimize risks.
Internet connections and internet-facing environments present significant information security risks to SKUx. The Information Security Coordinator, or those authorized by the Information Security Coordinator, must approve any new or changed internet connections or internet-facing environments.
(d) Change Management. SKUx is a responsible but nimble company. Currently, the Information Security Coordinator approves all change requests to SKUx’s IT environment in consultation with the Chief Technology Officer and Chief Architect. If you have any questions, please contact the Information Security Coordinator.
6. Incident Reporting and Response. The Information Security Coordinator maintains a security incident reporting and response process that ensures management notifications are made based on the seriousness of the incident. The Information Security Coordinator investigates all reported or detected incidents and documents the outcome, including any mitigation activities or other remediation steps taken. The Information Security Coordinator coordinates with the Compliance Officer to determine regulatory or external reporting obligations depending on the nature and scope of the incident.
6.1 Incident Reporting. Immediately notify the Information Security Coordinator if you discover a security incident or suspect a breach in SKUx’s information security controls. SKUx maintains various forms of monitoring and surveillance to detect security incidents, but you may be the first to become aware of a problem. Early detection and response can mitigate damages and minimize further risk to SKUx.
Treat any information regarding security incidents as Highly Confidential Information and do not share it, internally or externally, without specific authorization.
(a) Security Incident Examples. Security incidents vary widely and include physical and technical issues. Some examples of security incidents that you should report include, but are not limited to:
(i) loss or suspected compromise of user credentials or physical access devices (including passwords, tokens, keys, badges, smart cards, or other means of identification and authentication);
(ii) suspected malware infections, including viruses, Trojans, spyware, worms, or any anomalous reports or messages from anti-virus software or firewalls;
(iii) loss or theft of any device that contains SKUx information (other than Public Information), including computers, laptops, tablet computers, smartphones, USB drives, disks, or other storage media;
(iv) suspected entry (hacking) into SKUx’s network or systems by unauthorized persons;
(v) any breach or suspected breach of Confidential or Highly Confidential Information;
(vi) any attempt by any person to obtain passwords or other Confidential or Highly Confidential Information in person or by phone, email, or other means (sometimes called social engineering, or in the case of email, phishing); and
(vii) any other situation that appears to violate this Policy or otherwise create undue risks to SKUx’s information assets.
(b) Compromised Devices. If you become aware of a compromised computer or other device:
(i) immediately deactivate (unplug) any network connections, but do not power down the equipment because valuable information regarding the incident may be lost if the device is turned off; and
(ii) immediately notify the Information Security Coordinator.
6.2 Event Management. The Information Security Coordinator defines and maintains a security incident response plan to manage information security incidents. Report all suspected incidents, as described in this Policy, and then defer to the incident response process. Do not impede the incident response process or conduct your own investigation unless the Information Security Coordinator specifically requests or authorizes it.
6.3 Breach Notification. Applicable law may require SKUx to report security incidents that result in the exposure or loss of certain kinds of information or that affect certain services, to various authorities, affected individuals or organizations whose data was compromised, or both. Breaches of Highly Confidential Information (and especially personal information) are the most likely to carry these obligations (see Section 1.5, Introduction: Regulatory Compliance). The Information Security Coordinator has an incident response plan that includes a step to review all incidents for any required breach notifications. Coordinate all external notifications with the Information Security Coordinator. Do not act on your own or make any external notifications without prior guidance and authorization.
7. Service Providers: Risks and Governance. The Information Security Coordinator maintains a service provider governance program to oversee service providers that interact with SKUx’s systems or Confidential or Highly Confidential Information. The service provider governance program includes processes to track service providers, evaluate service provider capabilities, and periodically assess service provider risks and compliance with this Policy.
7.1 Service Provider Approval Required. Obtain approval from the Information Security Coordinator before engaging a service provider to perform functions that involve access to SKUx’s systems or Confidential or Highly Confidential Information.
7.2 Contract Obligations. Service providers that access SKUx’s systems or Confidential or Highly Confidential Information must agree by contract to comply with applicable laws and this Policy or equivalent information security measures. SKUx may require service providers to demonstrate their compliance with applicable laws and this Policy by submitting to independent audits or other forms of review or certification based on risks.
8. Client Information: Managing Intake, Maintenance, and Client Requests. SKUx frequently creates, receives, and manages data on behalf of our clients. The Information Security Coordinator develops, implements, and maintains an appropriate process and procedures to manage client data intake and protection.
Client data intake and protection processes may vary; SKUx defers to the Information Security Coordinator to decide on reasonable intake procedures and processes.
8.1 Requirements Identification. Identify any pertinent client data requirements prior to data intake or creation according to the applicable client data intake and protection process. Requirements may be contractual, the result of applicable law or regulations, or both (see Section 1.5, Introduction: Regulatory Compliance).
8.2 Intake Management. Client data intake processes and procedures must provide for secure data transfer. Maintain a log of client data that includes, at a minimum:
(a) a description of the client data;
(b) the location(s) where the data is stored;
(c) who is authorized to access the data (by category or role, if appropriate);
(d) whether the data is Confidential or Highly Confidential Information;
(e) how long the data is to be retained (using criteria, if appropriate); and
(f) any specific contractual or regulatory obligations or other identified data protection or management requirements.
Treat any client-provided personal information as Highly Confidential Information (see Section 3.3, Data: Highly Confidential Information). To minimize risks for clients and SKUx, engage clients in an ongoing dialogue to determine whether business objectives can be met without transferring personal information to SKUx.
8.3 Client Data Protection. Protect all client data SKUx creates or receives in accordance with this Policy and the data’s information classification level, whether Confidential or Highly Confidential Information, in addition to any specific client-identified requirements.
8.4 Client Data and Media Disposal. Ensure that any client data or media containing client data is securely disposed of when it is no longer required for SKUx business purposes, or as required by client agreement (see Section 5.1(g), Information Assets: Data and Media Disposal). Update the applicable client data inventory accordingly.
9. Risk and Compliance Management. SKUx supports an ongoing risk management action cycle to (1) enforce this Policy; (2) identify information security risks; (3) develop procedures, safeguards, and controls; and (4) verify that safeguards and controls are in place and working properly.
9.1 Risk Assessment and Analysis. SKUx maintains a risk assessment program to identify information security risks across its IT environment, including application software, databases, operating systems, servers, and other equipment, such as network components. The Information Security Coordinator coordinates risk assessment activities that may take several forms, including analyses, audits, reviews, scans, and penetration testing. Do not take any actions to avoid, impact, or otherwise impede risk assessments.
Only the Information Security Coordinator is authorized to coordinate risk assessments. Seek approval from the Information Security Coordinator prior to engaging in any risk assessment activities or disclosing any assessment reports outside SKUx.
9.2 Remediation and Mitigation Plans. The Information Security Coordinator maintains and oversees remediation and mitigation plans to address risk assessment findings according to risk levels.
9.3 Vulnerability Management. Manufacturers, security researchers, and others regularly identify security vulnerabilities in hardware, software, and other equipment. In most cases, the manufacturer or developer provides a patch or other fix to remediate the vulnerability. In some situations, the vulnerability cannot be fully remediated, but configurations can be changed or other steps taken to mitigate the risk created.
The Information Security Coordinator maintains a process to identify and track applicable vulnerabilities and advise SKUx employees to schedule any necessary updates using standard change management processes (see Section 5.2(d), Information Assets: Change Management) and according to risk level.
10. Effective Date. This Information Security Policy is effective as of March 9, 2022.
10.1 Revision History. Original publication.