Security Policy

Level One Sites Inc. Information Security Policy

Introduction

Level One Sites Inc. has developed this Information Security Policy to ensure that Level One Sites Inc.’s technical resources are properly protected, that the integrity and privacy of confidential information are maintained, that information resources are available when they are needed and that users of these resources understand their responsibilities.
The following policies are provided with detailed information, including a Discussion on the policy and Best Practices for compliance. This policy also references a Security Advisory Panel which shall be chaired by the President of Level One Sites Inc. and appointees shall be added as required.

  1. Storing High-Risk Confidential Information

    No employee of Level One Sites Inc. and no vendor to Level One Sites Inc. is permitted to store High-Risk Confidential Information (other than their own) in any way relating to Level One Sites Inc. or Level One Sites Inc. sponsored activities locally on any individual user computer or on a portable storage device. Servers storing high-risk confidential information must be protected as Target Computers.
    Non-electronic records containing high-risk confidential information must be kept in secure locked containers except when in use.
    Any employee at Level One Sites Inc. who wishes to collect or work with High-Risk Confidential Information, or to contract with a vendor to collect or work with such information, must obtain approval from the Security Advisory Panel of Level One Sites Inc. prior to data collection or contracting with the vendor.

  2. Obtaining Level One Sites Inc. Confidential Information

    The Level One Sites Inc. Security Advisory Panel must be contacted to obtain access to the core databases containing confidential information about individuals. In addition, anyone working with or collecting similar information about individuals, even if they do not obtain this information from the core database(s), must also contact the Level One Sites Inc. Security Advisory Panel to discuss data policy and handling requirements before beginning application development.

  3. Protecting Confidential Information on Networks

    All confidential information must be encrypted when transported across any network.
    Users should clearly understand that many common systems such as normal email cannot be considered a secure way to transport confidential information.

  4. Making Information Available through Directories

    Any application that provides public access to directory information collected by Level One Sites Inc. about individuals and any process that creates printed lists of people for public display or distribution must adhere to any privacy preferences established by the individuals.

  5. Identifying Users With Access To Confidential Information

    System owners must be able to identify individual users of systems that contain or access confidential information. Passwords used to access such systems must meet current industry standards for length and complexity. User passwords must not be shared and must not be retrievable by anyone, including the system operator.

  6. Inhibit Password Guessing

    There must be a mechanism to limit the number of repeated unsuccessful attempts to log into an application or server that deals with confidential information.

  7. Limit Application Availability Time

    There must be a mechanism to time out a user’s access to applications that deal with confidential information.

  8. Limit User Access to Confidential Information

    Application owners must ensure that only users with a specific business reason to access an application can access it, and that such users are granted access to that application and nothing more. Access rights to applications that can access confidential information must reflect a user’s current login id (and company ID if applicable).
    Administrative access rights to servers with confidential information must be limited to system administrators with a specific business reason for access, and such access must be logged; access rights must change if the administrator’s employment status with Level One Sites Inc. changes.
    Administrative rights granted to vendors must likewise be limited to vendor system administrators with a specific business reason for access, and such access must be logged; access rights must change if the vendor’s status with Level One Sites Inc. changes.
    Access to non-electronic records containing confidential information must be restricted to people with a business need to access the records.

  9. Confidential Information on Level One Sites Inc. Computing Devices

    Level One Sites Inc. Confidential Information must be protected if it resides on a Level One Sites Inc. user’s computer or a portable storage device. The theft of a computer or portable storage device must not put Confidential Information at risk of disclosure. See also Section 1.1: Storing High-Risk Confidential Information, which prohibits storing high-risk confidential information on such a computer or device.

  10. Internet Access to Confidential Information

    No Level One Sites Inc. confidential information can be saved on any computer directly accessible from the Internet or from the open portions of Level One Sites Inc.’s internal network.

  11. Confidentiality Agreements

    Level One Sites Inc. employees who have access to confidential information are required by law or Level One Sites Inc. process to sign a confidentiality agreement.

  12. Physical Environment

    Whether in Level One Sites Inc. offices or at off-site locations, all confidential information in paper or magnetic media form must be properly protected. Computers containing confidential information must be physically secure.
    Physical access to any facility that is sensitive for any reason should be appropriately secure.

  13. Contracts

    Level One Sites Inc. vendors dealing with Level One Sites Inc. confidential information, whether or not they obtain the data directly from Level One Sites Inc., must have a written contract covering their services including the proper contract riders requiring the protection of Level One Sites Inc.’s information. The security design, policies, and procedures of vendors who will receive, collect, store or process high-risk confidential information must be reviewed by the Security Advisory Panel.
    Any employee at Level One Sites Inc. who wishes to collect or work with High-Risk Confidential Information, or to contract with a vendor to collect or work with such information, must obtain approval from the Security Advisory Panel of Level One Sites Inc. prior to data collection or contracting with the vendor.

  14. Computer Operation

    Computer operators must ensure that the computer environment is secure, that patches are up to date and that the machines are operated in a way that minimizes the chance of a security breach. Computer operators also must ensure that only required applications are enabled on a computer.

  15. Computer Setup

    Computer operators must ensure that the computer environment is properly protected by filters to ensure that malicious traffic does not reach the applications on the server.

  16. Target Systems and Controllers

    Systems that might be targets of special interest to hackers because of the information they contain or the resources they control need special protections. This category includes systems containing high-risk confidential information.

  17. Network Take-down and Vulnerability Scanning

    Network managers are to run vulnerability scans in order to identify security risks and to protect computing and networking resources. Network operators should monitor network activity for signs of attack and take action in the absence of action by the operators of a compromised computer.

  18. IT Service Resumption

    If the loss of a set of confidential data, or the extended loss of access to it, presents a substantial business risk, then the security and availability of this confidential information must be assured. Each business area using such confidential information must develop and document a business continuity plan containing data backup, disaster recovery timeline, methodology, documentation, procedures, and action steps.

  19. Disposition and Destruction of Records

    Electronic or physical records containing confidential information must be properly disposed of so that the confidential information cannot be retrieved.

  20. Reporting Security Breaches

    Known or suspected breaches in the security of Level One Sites Confidential Information must be immediately reported to the Security Advisory Panel.

  21. Interacting with Legal Authorities

    If you are approached by someone representing themselves as a law enforcement officer who requests information about Level One Sites Inc., its clients or its vendors, please refer them to the President of Level One Sites Inc.
    The President of Level One Sites Inc. is the only individual authorized to respond to such requests. An exception should be made if you conclude that a fast response is required to protect someone’s health or safety. In such a case, record the name and identification of the requester and the information that was requested, and contact the President of Level One Sites Inc. as soon as possible to let them know what happened.

  22. Web Based Surveys

    Data collection tools, such as web based surveys, that request confidential information must ensure that responses cannot be accessed by unauthorized persons and that personally identifiable information is not improperly disclosed or shared. If a vendor is involved in conducting the survey or analyzing results that include confidential information that can be linked to individuals, a contract must be in place that protects the confidential information.
