Defines standards for appropriate and secure use of the company’s hardware and electronic systems including storage media, communication tools and internet access.
Defines requirements for access and removal of access to company data, systems, facilities, and networks.
Guides the company in the event of a significant business disaster or other disruption to normal service.
Defines how changes to applications and systems are planned and implemented. The goal of change management is to increase awareness and understanding of proposed changes across the company and ensure that all changes are made in a thoughtful way that minimizes negative impact to services and customers.
Outlines the company's expectations measured against the highest possible standards of ethical business conduct. Committing to the highest standards helps the company hire great people, build great products, and attract loyal customers.
Provides procedures supporting effective organizational asset management, specifically focused on electronic devices within the organization and baseline configurations for company assets and systems.
Provides the basis for protecting the confidentiality of data at the company by establishing a data classification system.
Addresses how a customer's data is retained and disposed of, and ensures this is carried out in a consistent manner.
Provides guidance on the types of devices and media that need to be encrypted, when encryption must be used, the minimum standards of the software used for encryption, and the requirements for generating and managing keys at the company. Mistakes in selecting keys, implementing the encryption/decryption process, and managing keys and other secrets are common causes of data exposure.
Addresses the basic information security policy topics which maintain the security, confidentiality, integrity, and availability of company applications, systems, infrastructure, and data.
Guides the company in the maintenance of a system of internal controls in order to safeguard its assets against loss, promote operational efficiency, and encourage adherence to prescribed managerial policies.
Defines basic rules and requirements for network security and ensures the protection of information within and across networks and supporting information processing facilities. This document is applied to the security of all services, architecture, software and systems that make up the company's product/service. Users of this document are all employees and applicable contractors who work on network engineering, security, and maintenance at the company.
Provides a means for discussing, planning and reviewing the performance of each team member. This provides both the employee and the department manager with the opportunity to discuss job tasks, identify and correct weaknesses, encourage and recognize strengths, and discuss methods for improving performance. Performance evaluations may influence salaries, job responsibilities, promotions and transfers, and it is critical that supervisors are objective in conducting performance reviews and in assigning overall performance ratings.
Specifies the requirements for physically protecting assets and their data via physical controls and safeguards. The company maintains reasonable steps to ensure that its facilities, information systems, and data are accessed only by authorized personnel or authorized third party visitors to prevent unauthorized access, damage, theft, and interference. All physical security requirements are applicable to both remote and in-office work.
Guides the company in performing risk assessments to account for threats, vulnerabilities, likelihood, and impact to company assets, team members, customers, vendors, suppliers, and partners based upon the company services considering security, availability, and confidentiality needs.
Defines basic rules for secure development of software and systems. This document is applied to the development and maintenance of all services, architecture, software and systems that make up the company's product/service. Users of this document are all employees and applicable contractors who work on development and maintenance at the company.
Provides a systematic incident response process for all Information Security Incidents that affect any of the company's information technology systems, network, or data, including company data held or services provided by third-party vendors or other service providers.
Guides the company in the execution, management, and termination of vendor and other third party agreements. This policy applies to all company assets utilized by employees and contractors acting on behalf of the company or accessing its applications, infrastructure, systems or data.
Defines an approach for vulnerability management to reduce system risks and integrate with patch management. This policy applies to all company assets utilized by personnel acting on behalf of the company or accessing its applications, infrastructure, systems or data.