Legal Corporate Cybersecurity Policy

In the digital age, protecting our information assets and technology infrastructure is paramount. This Cybersecurity Policy outlines the framework for managing and protecting against cyber threats. It reflects our commitment to securing our data, systems, and networks against unauthorized access, use, disclosure, disruption, modification, or destruction.

Policy Scope

This policy applies to all employees, contractors, and third-party service providers with access to our network and information systems. It encompasses all forms of data, including electronic and physical records, and all types of technology devices, whether owned by us or used for business purposes.

Objectives

Our objectives are to:

Protect the confidentiality, integrity, and availability of our information assets.
Ensure that we comply with applicable legal and regulatory requirements.
Minimize the risk of cybersecurity incidents and mitigate their impact.

Responsibilities

All Users: Responsible for adhering to this policy and related procedures. Users must report any suspected security incidents promptly.
IT Department: Responsible for implementing and maintaining security measures, including access controls, firewalls, and encryption.
Cybersecurity Team: Oversees the organization's cybersecurity strategy, conducts risk assessments, and responds to security incidents.
Management: Supports the enforcement of this policy and allocates resources for cybersecurity initiatives.

Policy Details

Access Control

Access to sensitive information and critical systems is limited to authorized personnel who have undergone rigorous security clearance and training. These individuals typically include members of our IT Department, select management personnel, and specific employees whose roles require access to such data for operational purposes. User access is governed by the principle of least privilege, meaning individuals are granted the minimum level of access or permissions needed to perform their job functions. This approach significantly reduces the risk of accidental or malicious data breaches.

Data Protection

To ensure the confidentiality and integrity of sensitive data, all such information must be encrypted during transmission over networks and when stored on devices or servers. This includes, but is not limited to, personal information of employees and customers, financial records, and proprietary business information. Our data retention and disposal procedures mandate that information is retained for no longer than seven years unless specified otherwise by legal or regulatory requirements. After this period, or when data is no longer required, it is securely destroyed using methods such as electronic wiping or physical shredding for paper records.

Incident Response

Our Incident Response Plan is structured to manage and mitigate cybersecurity incidents promptly and effectively. Upon detection of a potential security breach, the following steps are initiated:

Immediate Containment: The IT Department, in collaboration with the Cybersecurity Team, works to isolate affected systems to prevent further unauthorized access or damage.
Investigation: A thorough investigation is conducted to understand the scope, source, and impact of the breach. This includes identifying the specific data and systems compromised.
Eradication and Recovery: After identifying the breach's cause, steps are taken to remove the threat from affected systems. Systems are then restored to their operational state, and any lost data is recovered from backups.
Notification: In accordance with legal and regulatory requirements, affected parties and relevant authorities are notified about the breach, its potential impact, and the steps being taken to address it.
Post-Incident Review: After resolving the incident, a detailed review is conducted to identify lessons learned, with the aim of strengthening future security postures and incident response capabilities.

Security Awareness Training

To bolster our defense against cyber threats, all employees are required to complete security awareness training upon hire and then bi-annually. This training is designed to equip staff with the knowledge and tools needed to recognize and prevent cyber threats effectively. Key topics include identifying and responding to phishing attempts, best practices for password creation and management, and guidelines for safe internet usage. Specialized training sessions will also be provided for employees in roles with increased cybersecurity responsibilities. The goal is to create a culture of security mindfulness across the organization.

Third-Party Vendors

We recognize that third-party vendors play a crucial role in our operational ecosystem, and as such, their adherence to our cybersecurity standards is mandatory. Before engaging with any vendor, a security assessment is conducted to evaluate their cybersecurity practices and compliance with our requirements. Vendors must sign agreements that obligate them to maintain security measures that meet or exceed our standards, with regular audits conducted to ensure ongoing compliance. These measures are crucial in extending our cybersecurity perimeter beyond our immediate organization.

Compliance and Legal Requirements

Our cybersecurity policy is designed to comply with all relevant US laws and regulations, including, but not limited to:

Health Insurance Portability and Accountability Act (HIPAA)
Federal Information Security Management Act (FISMA)
Gramm-Leach-Bliley Act (GLBA)
California Consumer Privacy Act (CCPA)
Cybersecurity Information Sharing Act (CISA)

To ensure compliance, we conduct annual reviews of our policies and practices, adjusting as necessary to remain in line with legislative and regulatory changes. Our Legal and Compliance teams work closely with the IT Department to monitor these requirements and implement updates to our cybersecurity framework. Regular training sessions are also provided to relevant staff members to ensure they are aware of and understand their responsibilities under these laws and regulations.

Review and Update

This policy will be reviewed annually or as required by changes in technology, threats, or regulatory requirements. Any amendments will be communicated to all relevant parties promptly.