Comprehensive Information Security Program

ANY REFERENCE TO “COMPANY” WITHIN THIS POLICY SHALL BE UNDERSTOOD TO MEAN INSYNC BUSINESS GROUP, LLC.

 

In Accordance With (IAW) Massachusetts State Regulation 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, this document contains the policies and procedures implemented by the Company, its partners, and its advisers to protect any and all information stored or provided by residents of the Commonwealth and, in addition, by any and all clients or vendors of the Company.

 

1. DEFINITIONS. For purposes of this policy, the following definitions shall apply:

 

“Client” refers to clients, vendors, employees, and any other party that the Company may be storing information for or about.

 

“Worker” refers to the full-time, part-time, temporary, contracted, and freelance workers of the Company.

 

“Adviser” refers to any individual associated with the Company who has no ownership, authority, or vested interest in the Company and is designated strictly as an adviser providing advisory guidance on the Company’s course of action.

 

“Data” refers to any and all proprietary, confidential, or private information belonging to the client and/or the Company.

 

“Confidential Information” refers to any data, electronic or not, that the client or data owner has not identified as public or non-confidential, or that the Company otherwise treats as protected information.

 

“Partner” refers to outsourced vendors providing storage or transmission of data.

 

“Commonwealth” refers to the state of Massachusetts, U.S.A.

 

“Hardware” refers to servers, desktops, terminals, routers, switches, mainframes, trunk lines, and any other physical device used in the transmission or storage of electronic data.

 

“Software” refers to any software application or virtual environment used in the transmission, display or storage of electronic data.

 

“Security” refers to the physical or virtual environments and controls used to protect hardware, software, or data. This can include facilities, CCTV, biometrics, anti-virus software, firewalls, etc.

 

2. SECTION A.

 

2.1. PROGRAM MANAGEMENT. This policy shall be maintained by the President & CEO of the Company. Responsibility for enforcing this policy falls directly on all Company management; however, it is the due diligence and protective measures taken by all Company vendors, partners, and workers that will ensure the implementation of this policy is successful.

 

3. SECTION B.

 

3.1. EDUCATION AND TRAINING. Annual Information Protection training will be conducted IAW established Worker Compliance Training.

 

3.2. DATA COMPLIANCE. Workers must comply with all Company policies and procedures IAW the established Worker Disciplinary Action and Termination Policy and Worker Confidentiality Agreement Policy.

 

Partners must comply with all Company policies and procedures IAW the established Partner/Vendor Confidentiality Agreement Policy, as well as any specific conditions outlined in the partner’s agreement or contract, such as a Vendor Electronic Data Protection Agreement.

 

Advisers must comply with all Company policies and procedures IAW the established Adviser Confidentiality Agreement Policy, as well as any specific conditions set out in the established Adviser Agreement.

 

3.3. SECURITY SYSTEM FAILURE DETECTION. The Company and its partners will utilize reasonably up-to-date hardware and software to detect and log security system failures and unauthorized use of or access to protected data.

 

4. SECTION C.

 

4.1. DATA STORAGE. All Hardware/Software owned and operated by the Company, its Partners, or its Advisers and used to store, transmit, or display data will be protected with the strongest security controls required by this policy or available for that environment, whichever is higher.

 

4.2. REMOVABLE STORAGE DEVICES AND CD/DVD. The use of a Removable Storage Device (RSD) or CD/DVD for storage or transport of any Company data is permitted only on an encrypted device or medium using a cipher with a key of at least 128 bits (for example, AES-128).

 

4.3. DATA TRANSMISSION AND VIRTUAL PROTECTION. All data transmitted to or from external parties, or across public networks, will be protected in transit with TLS (the successor to SSL) negotiating a cipher of at least 128-bit strength. Legacy SSL protocol versions, which have known weaknesses and are formally deprecated, are not to be used.

 

5. SECTION D.

 

5.1. VIOLATIONS. Worker violations of this policy will be handled IAW the established Worker Disciplinary Action and Termination Policy as well as the established Worker Confidentiality Agreement Policy.

 

Partner violations of this policy will be handled IAW the established Partner/Vendor Confidentiality Agreement Policy, as well as any specific conditions outlined in the partner’s agreement or contract, such as a Vendor Electronic Data Protection Agreement.

 

Adviser violations of this policy will be handled IAW the established Adviser Confidentiality Agreement Policy, as well as any specific conditions set out in the established Adviser Agreement.

 

Special Provision: Any violation of this policy by a worker that results in the release or misuse of Confidential Information, or that violates the established Worker Confidentiality Agreement Policy, will be treated as an Intentional Violation.

 

6. SECTION E.

 

6.1. AUTHORIZED ACCESS TERMINATIONS OR ACCESS LEVEL DOWNGRADES. The personnel listed under Administration, Access, and Authorization (Section G) are responsible for maintaining the appropriate access levels of any and all personnel or partners that require access to protected data. When an individual or partner with access to protected data no longer requires that access, it is the responsibility of the above-mentioned personnel to ensure that the individual or partner can no longer access this information, whether internally or remotely.

 

IAW the established Worker Confidentiality Agreement Policy, terminated workers must continue to adhere to the agreed-upon confidentiality policy indefinitely or face legal action by the Company.

 

IAW the established Partner/Vendor Confidentiality Agreement Policy, terminated partners must continue to adhere to the agreed-upon confidentiality policy indefinitely or face legal action by the Company.

 

IAW the established Adviser Confidentiality Agreement Policy, terminated advisers must continue to adhere to the agreed-upon confidentiality policy indefinitely or face legal action by the Company.

 

7. SECTION F.

 

7.1. PARTNERS. Partner relationships with the Company will be documented through agreements or contracts ensuring that both parties will adhere to the safety, security, and data protection policies required by the Company and IAW the established Partner/Vendor Confidentiality Agreement Policy.

 

7.2. ADVISERS. Adviser relationships with the Company will be documented through agreements ensuring that both parties will adhere to the safety, security, and data protection policies required by the Company and IAW the established Adviser Confidentiality Agreement Policy.

 

8. SECTION G.

 

8.1. ADMINISTRATION, ACCESS, AND AUTHORIZATION. Access to all data is strictly controlled and authorized by the President, CEO, CTO, or COO of the Company and by authorized personnel working for the partner. IAW the established Worker Confidentiality Agreement Policy and the established Partner/Vendor Confidentiality Agreement Policy, no information collected by the Company or stored by the partner may be sold, shared, used for malicious purposes, or accessed for any reason other than those specifically authorized by the Company.

 

9. SECTION H.

 

9.1. REGULAR PROGRAM MONITORING. The Program Manager will periodically look for policy violations, whether on network drives, Intranet/Internet sites, remote storage locations, or removable storage devices. In addition, current access lists will be reviewed regularly to ensure that the minimum amount of data is exposed to the minimum number of workers and partners, so that each retains only the access their role requires.

 

10. SECTION I.

 

10.1. ANNUAL PROGRAM REVIEW. The Program Manager will review the procedures of this policy on an annual basis to ensure the procedures set forth are still current and effective. Any proposed modifications to the policy must be presented to the CEO of the Company for final approval.

 

11. SECTION J.

 

11.1. UNAUTHORIZED ACCESS OR BREACH OF SECURITY. In the event of unauthorized access to, or a breach of security affecting, any data, the Company and its partners will work closely together to determine the root cause, identify any compromised or affected data, and take corrective measures to prevent a repeat event. The responsive actions taken will be documented and followed by a post-incident review, as 201 CMR 17.00 requires. If client data is affected, the client will be notified immediately with an explanation of the event, the risk to them or their data, and any next steps or actions required on the part of the client or the Company.

 

Revised February 1, 2016