Level One Sites
Information Security Policy

Introduction

Level One Sites has developed this Information Security Policy to ensure that Level One Sites’s technical resources are properly protected, that the integrity and privacy of confidential information are maintained, that information resources are available when they are needed and that users of these resources understand their responsibilities.

The following policies are provided with detailed information, including a Discussion on the policy and Best Practices for compliance. This policy also references a Security Advisory Panel which shall be chaired by the President of Level One Sites and appointees shall be added as required.

1.1 Storing High-Risk Confidential Information

No employee of Level One Sites and no vendor to Level One Sites is permitted to store High-Risk Confidential Information (other than their own) in any way relating to Level One Sites or Level One Sites sponsored activities locally on any individual user computer or on a portable storage device. Servers storing high-risk confidential information must be protected as Target Computers.

Non-electronic records containing high-risk confidential information must be kept in secure locked containers except when in use.

Any employee at Level One Sites who wishes to collect or work with High-Risk Confidential Information, or to contract with a vendor to collect or work with such information, must obtain approval from the Security Advisory Panel of Level One Sites before data collection begins or the vendor contract is signed.

2.1 Obtaining Level One Sites Confidential Information

The Level One Sites Security Advisory Panel must be contacted to obtain access to the core databases containing confidential information about individuals. In addition, anyone working with or collecting similar information about individuals, even if they do not obtain this information from the core database(s), must also contact the Level One Sites Security Advisory Panel to discuss data policy and handling requirements before beginning application development.

2.2 Protecting Confidential Information on Networks

All confidential information must be encrypted when transported across any network.

Users should clearly understand that many common systems such as normal email cannot be considered a secure way to transport confidential information.

2.3 Making Information Available through Directories

Any application that provides public access to directory information collected by Level One Sites about individuals and any process that creates printed lists of people for public display or distribution must adhere to any privacy preferences established by the individuals.

2.4 Identifying Users With Access To Confidential Information

System owners must be able to identify individual users of systems that contain or access confidential information. Passwords used to access such systems must meet current industry standards for length and complexity. User passwords must not be shared and must not be retrievable by anyone, including the system operator.

2.5 Inhibit Password Guessing

There must be a mechanism to limit the number of repeated unsuccessful attempts to log into an application or server that deals with confidential information.

2.6 Limit Application Availability Time

There must be a mechanism to time out a user’s access to applications that deal with confidential information.

2.7 Limit User Access to Confidential Information

Application owners must ensure that only users with a specific business reason to access an application can access that application and no more than that application. Access rights to applications that can access confidential information must reflect a user’s current login id (and company ID if applicable).

Administrative access rights to servers with confidential information must be limited to system administrators with a specific business reason for access, and such access must be logged; access rights must be changed whenever the administrator’s employment status with Level One Sites changes.

Administrative access rights granted to vendors must likewise be limited to vendor system administrators with a specific business reason for access, and such access must be logged; access rights must be changed whenever the vendor’s relationship with Level One Sites changes.

Access to non-electronic records containing confidential information must be restricted to people with a business need to access the records.

2.8 Confidential Information on Level One Sites Computing Devices

Level One Sites confidential Information must be protected if it resides on a Level One Sites user’s computer or a portable storage device. The theft of a computer or portable storage device must not put Confidential Information at risk of disclosure. See also Section 1.1: Storing High-Risk Confidential Information, which prohibits storing high-risk confidential information on such computer or device.

2.9 Internet Access to Confidential Information

No Level One Sites confidential information can be saved on any computer directly accessible from the Internet or from the open portions of Level One Sites’s internal network.

2.10 Confidentiality Agreements

Level One Sites employees who have access to confidential information are required by law or Level One Sites process to sign a confidentiality agreement.

3.1 Physical Environment

Whether in Level One Sites offices or at off-site locations, all confidential information in paper or magnetic media form must be properly protected. Computers containing confidential information must be physically secure.

Physical access to any facility that is sensitive for any reason should be appropriately secure.

4.1 Contracts

Level One Sites vendors dealing with Level One Sites confidential information, whether or not they obtain the data directly from Level One Sites, must have a written contract covering their services, including the proper contract riders requiring the protection of Level One Sites’s information. The security design, policies, and procedures of vendors who will receive, collect, store or process high-risk confidential information must be reviewed by the Security Advisory Panel.

Any employee at Level One Sites who wishes to collect or work with High-Risk Confidential Information, or to contract with a vendor to collect or work with such information, must obtain approval from the Security Advisory Panel of Level One Sites before data collection begins or the vendor contract is signed.

5.1 Computer Operation

Computer operators must ensure that the computer environment is secure, that patches are up to date and that the machines are operated in a way that minimizes the chance of a security breach. Computer operators must also ensure that only required applications are enabled on a computer.

6.2 Computer Setup

Computer operators must ensure that the computer environment is properly protected by filters to ensure that malicious traffic does not reach the applications on the server.

6.3 Target Systems and Controllers

Systems that might be targets of special interest to hackers because of the information they contain or the resources they control need special protections. This category includes systems containing high-risk confidential information.

6.4 Network Take-down and Vulnerability Scanning

Network managers are to run vulnerability scans in order to identify security risks and to protect computing and networking resources. Network operators should monitor network activity for signs of attack and take action in the absence of action by the operators of a compromised computer.

7.1 IT Service Resumption

If the loss of a set of confidential data, or the extended loss of access to it, presents a substantial business risk, then the security and availability of this confidential information must be assured. Each business area using such confidential information must develop and document a business continuity plan containing data backup, disaster recovery timeline, methodology, documentation, procedures, and action steps.

8.1 Disposition and Destruction of Records

Electronic or physical records containing confidential information must be properly disposed of so that the confidential information cannot be retrieved.

8.2 Reporting Security Breaches

Known or suspected breaches in the security of Harvard Confidential Information must be immediately reported to the Security Advisory Panel.

9.3 Interacting with Legal Authorities

If you are approached by someone representing themselves as a law enforcement officer who requests information about Level One Sites, its clients or its vendors, please refer them to the President of Level One Sites.

The President of Level One Sites is the only individual authorized to respond to such requests. An exception should be made if you conclude that a fast response is required to protect someone’s health or safety. In such a case please record the name and identification of the requester and the information that was requested. Contact the President of Level One Sites as soon as possible to let them know what happened.

10.1 Web Based Surveys

Data collection tools, such as web-based surveys, that request confidential information must ensure that responses cannot be accessed by unauthorized persons and that personally identifiable information is not improperly disclosed or shared. If a vendor is involved in conducting the survey or in analyzing results that include confidential information that can be linked to individuals, a contract must be in place that protects the confidential information.