Sensitive Information Policy
The Sensitive Information Policy provides guidelines for the safe and appropriate access to and protection of data and information collected, maintained or destroyed by the company. This includes:
~ Guidelines for determining what information is to be treated as sensitive
~ Standards of protection for sensitive information
~ Access control standards (who is allowed to see what) for sensitive information
~ Standards for training and education, including content and frequency
This policy covers the appropriate access to and protection of paper and electronic information related to clients, employees, company Intellectual Property, information or data entrusted to this company by another organization (for use or for storage), and any other information so designated. Persons responsible for following this policy include employees, contacts, vendors, service providers, temporary or seasonal employees, volunteers and other individuals who have reason to be provided or gain access to covered sensitive information, hereafter referred to as "employees."
3. DETERMINING SENSITIVE INFORMATION
Sensitive information is any information that, if released, could be considered to represent a threat or risk to the company's employees or clients, the company itself, the company's reputation or the company's ability to conduct business. This includes, but is not limited to:
Personally Identifiable Information - This term includes any data point that may reasonably be considered, either singly or in combination, to individually identify a client or employee, such that the information could potentially lead to Identity Theft.
~ Name, address, SSN, driver's license number, date of birth, phone numbers, email address
Account Information - Any information that is used for or is the result of business transactions, financial or otherwise. This also includes client history, to include details about products or services rendered as part of such transaction.
~ Credit Card numbers, Bank Account and loan details, Insurance Numbers, internal identifiers, client histories, information seen that comes from outside sources (loan database, etc.)
Company Information - Any information that might reasonably be considered to be proprietary data, company secrets, work products, or information that may be of substantive value to the company or its clients.
~ Company Intellectual Property, processes or information that may provide a business advantage
Other Information - Any information not covered by other categories or information designated as sensitive by the Information Security Officer.
~ Information covered by attorney-client privilege, information belonging to a client that the company has access to for the purposes of providing services to the client.
4. STANDARDS OF PROTECTION
Sensitive information is to be protected at all times. Only information which is vital to the conduct of company business or required by law shall be collected and maintained.
NOTE: A good way to think about sensitive information is to think about it as if it were loose cash. Protect information as if it could be picked up and used like cash. In many cases it can.
Hard copy information - Any sensitive information that is collected, maintained or stored on paper shall be kept under lock. Where possible, storage shall be in locked file cabinets. If this is not possible, any office or room where it is maintained shall be locked when unoccupied. When in use, information shall be kept in a folder or under a cover sheet. Information shall not be left unattended on desks or tables.
Electronic information - Company networks shall be maintained with appropriate security including, as appropriate, firewalls, anti-virus, anti-spyware, anti-spamware, and full-disk encryption. Any laptops or other portable devices shall be protected with encryption, when possible. The following footer shall be included on all emails indicating proper handling.
This message (including any attachments) contains confidential information intended for a specific individual and purpose and is protected by law. If you are not the intended recipient, you should delete this message.
Any disclosure, copying or distribution of this message or the taking of any action based on it is strictly prohibited. [Adjust as necessary.]
Information destruction - Sensitive information shall be properly destroyed when no longer required. CDs and DVDs shall be broken or rendered inoperable by an appropriate mechanical device. Hard copies shall be shredded by a certified vendor or in a cross-cut shredding device. Hard drives or data storage devices shall be rendered inoperable consistent with industry standards. Be sure to check with your attorney regarding your data retention requirements before deciding to destroy data.
In the event that the company is bought or goes out of business, the Sensitive Information associated with clients and employees shall only be retained or used for the specific purpose of continuing existing relationships. Any other use of this information may only be made with express consent of the individual.
5. ACCESS CONTROL STANDARDS
Access to sensitive information shall be limited to the greatest extent possible. Sensitive information shall be positively controlled and access shall be granted on either a job (role)-based or responsibility (individual)-based profile. Scope of access to information shall be changed immediately upon any changes to positions or responsibilities. Employees shall be properly trained on the handling of sensitive information prior to being given access. As soon as it is apparent that an employee will be separated from the company, all access to sensitive information shall be restricted.
6. TRAINING AND EDUCATION
Every employee shall be trained on the proper handling of sensitive information. This includes, but is not limited to, the appropriate ways to collect, maintain and destroy sensitive information so as to minimize the chance of exposure.
To properly understand why sensitive information is treated so carefully, all employees shall be educated about the types of Identity Theft and how they can be affected. This education will help employees to act appropriately, even when policy and practices give insufficient guidance in a given situation, to protect themselves, the company and its clients.
Periodic refresher training shall be conducted as needed, but at least annually, to ensure that this policy is maintained at the highest possible standard.
Completion of training and education shall be appropriately documented along with a signed agreement to follow company sensitive information protection requirements.
Periodic checks shall be conducted to ensure that this policy is being followed. This shall include, but is not limited to, walkthroughs, interviews and security checks.
Any employee found to have violated this policy may be subject to disciplinary action, including termination of employment.
8. ROLES AND RESPONSIBILITIES
The Information Security Officer is responsible for overseeing and enforcing all aspects of this policy and ensuring that the policy is updated on a periodic basis.
All employees are responsible for understanding and following this policy.