Information Security Policy
CONTENTS
- Definitions.
- 1. Introduction: Policy Foundation and Regulatory Compliance.
- 2. Responsibilities: Security Organization, Authority, and Obligations.
- 3. Data: Information Classification and Risk-Based Controls.
- 4. People: Roles, Access Control, and Acceptable Use.
- 5. Information Assets: Protecting and Managing Zues’s Information Technology Environment.
- 6. Incident Reporting and Response.
- 7. Service Providers: Risks and Governance.
- 8. Client Information: Managing Intake, Maintenance, and Client Requests.
- 9. Risk and Compliance Management.
- 10. Whistleblower Anonymous Fraud Reporting.
- 11. Policy Compliance.
- 12. Exceptions.
- 13. Violations & Enforcement.
- 14. Effective Date.
- 15. Acknowledgment of Receipt and Review.
This Information Security Policy is intended to protect Zues Software Inc.’s (“Zues”) employees, partners, clients, Agents, affiliates, and other representatives, You, and the company itself from illegal or damaging actions by individuals, whether taken knowingly or unknowingly. Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, web browsing, and file transfers, are the property of Zues. These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers, in the course of normal operations. Effective security is a team effort involving the participation and support of every Zues employee or contractor who deals with information and/or information systems. It is the responsibility of every team member to read and understand this policy, and to conduct their activities accordingly.
Definitions.
- “Business Associate” means Agent acting as a Business Associate as such term is defined in 45 CFR 160.103.
- “Computer Security Incident” or “Incident” as defined in the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-61 Rev. means a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
- “Cardholder Data” means the full magnetic stripe data or the Primary Account Number (“PAN”) and any or all of the following: cardholder name, approval code, or expiration date.
- “CFR” means the United States Code of Federal Regulations which is the codification of the general and permanent rules and regulations published in the Federal Register by the executive departments and agencies of the federal government of the United States.
- Unless otherwise defined in the Agreement, “Confidential Information” means the following:
- trade secrets, all past, present and future business activities and all information related to the business of Catepult, its parent company and its subsidiaries and affiliated companies and its or their clients, members, employees and/or enrollees, that may be obtained from any source, whether written or oral, as well as all information on Catepult’s mainframe, networks, local-area networks (“LAN”) and workstations and all software, middleware, firmware, groupware and licensed internal code whether owned or licensed currently or in the future by Catepult and accessed by Agent or any of Agent’s employees, contingent workers and subcontractors (such Agent employees, contingent workers and subcontractors collectively referenced hereinafter as “Representatives”) by any direct or remote access method and also including, but not limited to, any information relating to the pricing, software or technical information, hardware, methods, processes, financial data, compilations, lists, apparatus, statistics, program, research, development or related information of Catepult, its subsidiaries or affiliated companies or its clients, patients, members and/or enrollees concerning past, present or future business activities of said entities, and/or the results of any analysis of any of the foregoing and outcome of any provision of Services by Agent and Representatives under this Agreement, provided that disclosure of the foregoing in response, and only to such extent and for such purpose, to a valid order by a court of competent jurisdiction or as otherwise required by law shall not be considered a breach of Agent’s duty under this ISA to hold Catepult Confidential Information in strict confidence.
- Confidential Information does not include information that:
  - has been previously published or is now or becomes public knowledge through no fault or negligence of Agent or Representatives; or
  - can be established by documentary evidence to have been made available to Agent or Representatives, without restriction on disclosure, by a third-party not under obligation of confidentiality with respect to the disclosed information; or
  - can be established by documentary evidence to have been independently developed by Agent or Representatives.
- “Catepult Information Systems” means information systems resources supplied and operated by or on behalf of Catepult, including but not limited to, contracted cloud services, network infrastructure, computer systems, workstations, laptops, hardware, software, databases, storage media, proprietary applications, printers, and internet connectivity that are owned, controlled, or administered by Catepult.
- “Information Security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
- “Multi-Function Device” means an office machine which incorporates the functionality of multiple devices in one. A typical Multi-Function Device may provide a combination of some or all of the following: Printing, scanning, photocopying, faxing, emailing.
- “Payment Card Industry Data Security Standards” or “PCI DSS” means the information security standard for organizations that handle Cardholder Data for the major debit, credit, prepaid, e-purse, ATM, and POS cards as defined by the Payment Card Industry Security Standards Council. The standard was created to increase controls around Cardholder Data to reduce credit card fraud via its exposure. A current version of the standard may be obtained from https://pcisecuritystandards.org/.
- “Personal Computer” or “PC” means any laptop, notebook, desktop, or other personal computing device which is used to access, process, store or display information. This definition does not include computing devices operating as servers in a hardened, controlled access, secured data center.
- “Protected Health Information” or “PHI” shall have the meaning as defined in 45 CFR 160.103, limited to the information created or received by Agent, acting as a Business Associate of Catepult, from or on behalf of Catepult.
- “Security Breach” means the unauthorized acquisition, access, use, or disclosure of information which compromises the security or privacy of such information, except where an unauthorized person, to whom such information is disclosed, would not reasonably have been able to retain such information. Security Breach does not include:
- Any unintentional acquisition, access, or use of Confidential Information by an employee or individual acting under the authority of Agent if:
  - such acquisition, access or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with Agent; and
  - such information is not further acquired, accessed, used, or disclosed by any person; or
- Any inadvertent disclosure from an individual who is otherwise authorized to access Confidential Information at a facility operated by Agent to another similarly situated individual at the same facility; and
  - any such information received as a result of such disclosure is not further acquired, accessed, used or disclosed without authorization by any person.
- “Services” shall have the same meaning as in the Terms of Service, available at https://catepult.com/terms-of-service.
- “Agent Representative” means an employee, contractor, or agent of Agent, or of its subcontractors and contingent workers, who provide Services to Catepult.
- “Agent Processing Resources” means information processing resources supplied or operated by Agent, including without limitation, contracted IaaS, PaaS, SaaS cloud services, network infrastructure, computer systems, workstations, laptops, hardware, software, databases, storage media, printers, proprietary applications, Internet connectivity, and hard copies which are used, either directly or indirectly, in support of Agent processing.
1. Introduction: Policy Foundation and Regulatory Compliance.
The purpose of this policy is to communicate our information security policies and outline the acceptable use and protection of Zues’s information and assets. These rules are in place to protect customers, clients, employees, partners, representatives, and Zues. Inappropriate use exposes Zues to risks including virus attacks, compromise of network systems and services, financial and reputational risk, and legal and compliance issues. The Zues Information Security Policy is comprised of this Policy and all Zues policies referenced and/or linked within this document, including, without limitation, the following policies, procedures, and other agreements:
- Terms of Service, available at https://catepult.com/terms-of-service;
- Privacy Policy, available at https://catepult.com/privacy-policy;
- Information Security Policy, available at catepult.com/information-security-policy;
- Business Associate Policy, available at catepult.com/business-associate-policy;
- Business Associate Agreement, available at catepult.com/business-associate-agreement; and
- Data Use Agreement, available at catepult.com/data-use-agreement.
This Information Security Policy promotes an effective balance between information security practices and business needs. The Policy helps Zues meet our legal obligations and our clients’ expectations. From time to time, Zues may implement different levels of security controls for different information assets based on risk and other considerations.
You are expected to read, understand, and follow this Policy. However, no single policy can cover all the possible information security issues you may face. You must seek guidance from your manager or other designated Zues resource before taking any actions that create information security risks or otherwise deviate from this Policy’s requirements. Zues may treat any failure to seek and follow such guidance as a violation of this Policy.
This Policy is Confidential Information. Do not share this Policy outside Zues unless authorized by the Information Security Coordinator. You may share this Policy with an approved contractor that has access to Zues’s information or systems under a non-disclosure agreement or other agreement that addresses confidentiality (see Section 7, Service Providers: Risks and Governance).
Our clients, Agents, employees, and others rely on us to protect their information. A data breach or other cyber incident could severely damage our credibility. Security events can also cause loss of business and other harm to Zues. Strong information security requires diligence by all workforce members, including employees, contractors, volunteers, and any others accessing or using our information assets. It is part of everyone’s job.
1.1. Guiding Principles. Zues follows these guiding principles when developing and implementing information security controls:
- Zues strives to protect the confidentiality, integrity, and availability of its information assets and those of its clients.
- We will comply with applicable information security, privacy, and data protection laws.
- We will balance the need for business efficiency with the need to protect sensitive, proprietary, or other confidential information from undue risk.
- We will grant access to sensitive, proprietary, or other confidential information only to those with a need to know and at the least level of privilege necessary to perform their assigned functions.
- Recognizing that an astute workforce is the best line of defense, we will provide security training opportunities and expert resources to help individuals understand and meet their information security obligations.
1.2. Scope. This Policy applies across the entire Zues enterprise. It applies to the use of information, electronic and computing devices, and network resources to conduct Zues business or to interact with internal networks and business systems, whether owned or leased by Zues, the employee, or a third party. It applies to all employees, contractors, consultants, temporary, and other workers at Zues and its subsidiaries, including all personnel affiliated with third parties, each of whom is responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with Zues policies and standards, and local laws and regulations. This Policy also applies to all Zues-controlled company and customer data, as well as all equipment, systems, networks, and software owned or leased by Zues.
This Policy states Zues’s information security policy. In many cases, you are personally responsible for taking or avoiding specific actions as the Policy states. In some situations, the Information Security Coordinator, IT, or another Zues resource takes or avoids the stated actions.
From time to time, Zues may approve and make available more detailed or location or business unit-specific policies, procedures, standards, and processes to address specific information security issues. Those additional policies, procedures, standards, and processes are extensions to this Policy. You must comply with them, where applicable, unless you obtain an approved exception.
1.3. Resources. No single document can cover all the possible information security issues you may face. Balancing our need to protect Zues’s information assets with getting work done can also be challenging. Many effective administrative, physical, and technical safeguards are available. Do not make assumptions about the cost or time required to implement them. Ask for help.
You must seek guidance before taking any actions that create information security risks. Contact your manager.
- (a) For questions about this Policy or technical information security issues, contact: admin@catepult.com; or
- (b) For guidance regarding legal obligations, including client agreements, contact: admin@catepult.com.
1.4. No Expectation of Privacy and Monitoring. Except where applicable law provides otherwise, you should have no expectation of privacy when using Zues’s network or systems, including, but not limited to, transmitting and storing files, data, and messages.
To enforce compliance with Zues’s policies and protect Zues’s interests, Zues reserves the right to monitor any use of its network and systems to the extent permitted by applicable law. By using Zues’s systems, you agree to such monitoring. Monitoring may include (but is not necessarily limited to) intercepting and reviewing network traffic, emails, or other messages or data sent or received and inspecting data stored on individual file directories, hard disks, or other printed or electronic media.
1.5. Regulatory Compliance. Various information security laws, regulations, and industry standards apply to Zues and the data we handle. Zues is committed to complying with applicable laws, regulations, and standards. Our clients expect nothing less from us.
This section lists the obligations that you are the most likely to encounter. Do not assume that these are the only laws that may apply. To identify specific obligations, you must seek guidance from Legal and the Information Security Coordinator when collecting, creating, or using new or different types of information.
- (a) Personal Information: Data Protection and Breach Notification Laws. Various laws protect individuals’ personal information, such as government-assigned numbers, financial account information, and other sensitive data. Many jurisdictions have enacted data breach notification laws that require organizations to notify affected individuals if personal information is lost or accessed by unauthorized parties. Some locations have data protection laws that require organizations to protect personal information using reasonable data security measures or more specific means. These laws may apply to personal information for Zues’s employees, clients, business partners, and others.
Before collecting, creating, or using personal information for any purpose, contact admin@catepult.com.
2. Responsibilities: Security Organization, Authority, and Obligations.
Zues and its leadership recognize the need for a strong information security program.
2.1. Information Security Coordinator. Zues has designated Evan MacGuffie to be its Information Security Coordinator and accountable for all aspects of its information security program.
2.2. Policy Authority and Maintenance. Zues has granted the Information Security Coordinator the authority to develop, maintain, and enforce this Policy and any additional policies, procedures, standards, and processes, as they may deem necessary and appropriate.
2.3. Policy Review. On at least an annual basis, the Information Security Coordinator will initiate a review of this Policy, engaging stakeholders such as individual business units, Human Resources, Legal, and other Zues organizations, as appropriate.
2.4. Exceptions. Zues recognizes that specific business needs and local situations may occasionally call for an exception to this Policy. Exception requests must be made in writing. The Information Security Coordinator must approve in writing, document, and periodically review all exceptions.
Do not assume that the Information Security Coordinator will approve an exception simply because they have previously approved a similar exception. Each non-compliant situation requires a review of the specific facts and risks to Zues’s information assets and those of our clients.
To request an exception, contact us at admin@catepult.com.
2.5. Workforce Obligation to Comply. Employees and contractors are obligated to comply with all aspects of this Policy that apply to them. This Policy is not intended to restrict communications or actions protected or required by applicable law.
Zues may treat any attempt to bypass or circumvent security controls as a violation of this Policy. For example, sharing passwords, deactivating anti-virus software, removing or modifying secure configurations, or creating unauthorized network connections are prohibited unless the Information Security Coordinator has granted an exception as described in Section 2.4, Exceptions.
Zues takes steps to help employees and contractors understand this Policy. You are responsible for your own actions and compliance with this Policy. You should question and report any situation to your manager or the Information Security Coordinator that appears to violate this Policy or creates any undue information security risk.
2.6. Sanctions. Any violation of this Policy may result in disciplinary action or other sanctions. Sanctions may include suspension, access restrictions, work assignment limitations, or more severe penalties up to and including termination, in accordance with applicable law. If Zues suspects illegal activities, it may report them to the applicable authorities and aid in any investigation or prosecution of the individuals involved.
2.7. Acknowledgment. All employees and contractors must acknowledge that they have read, understood, and agree to comply with this Policy either in writing or through an approved online process. Acknowledgment must be completed on a timely basis following a new hire or as otherwise designated by the Information Security Coordinator. Material changes to this Policy may require additional acknowledgment. Zues will retain acknowledgment records.
2.8. Training. Zues recognizes that an astute workforce is the best line of defense. We will provide security training opportunities and expert resources to help employees and contractors understand their obligations under this Policy and avoid creating undue risks. Employees must complete information security training within a reasonable time after initial hire. All workforce members must complete information security training on at least an annual basis. Managers must ensure that their employees complete all required training.
Zues may deem failure to participate in required training a violation of this Policy. Zues will retain attendance records and copies of security training materials delivered.
2.9. Client Policies. Zues may handle sensitive client information. In some cases, Zues may agree to comply with specific client information security policies or standards. To minimize special cases, Zues has developed this Policy to include the requirements common to most of our clients.
If Zues agrees to comply with additional client-specific information security policies or standards, we will notify affected workforce members. You must comply with any such policies or standards, including any related training or additional background screening requirements.
Legal and the Information Security Coordinator must review and approve any client agreements that require compliance with specific information security policies or standards.
3. Data: Information Classification and Risk-Based Controls.
Zues has established a three-tier classification scheme to protect information according to risk levels. The information classification scheme allows Zues to select appropriate security controls and balance protection needs with costs and business efficiencies.
All Zues information is classified as (from least to most sensitive): (1) Public Information, (2) Confidential Information, or (3) Highly Confidential Information.
Unless it is marked otherwise or clearly intended to be Public Information, treat all Zues and client information as if it is at least Confidential Information, regardless of its source or form, including electronic, paper, verbal, or other information.
You must apply security controls appropriate for the assigned information classification level to all information you store, transmit, or otherwise handle. Use classification level markings, where feasible.
3.1. Public Information. Public Information is information that Zues has made available to the general public. Information received from another party (including a client) that is covered under a current, signed non-disclosure agreement must not be classified or treated as Public Information.
- (a) Public Information Examples. Some Public Information examples include, but are not limited to:
- (i) press releases;
- (ii) Zues marketing materials;
- (iii) job announcements; and
- (iv) any information that Zues makes available on its publicly accessible website.
Do not assume that any information you obtain from Zues’s internal network or systems is publicly available. For example, draft marketing materials are typically Confidential Information until their release. Consider all information to be at least Confidential Information, and not available for public disclosure without authorization, until you verify it is Public Information.
3.2. Confidential Information. Confidential Information is information that may cause harm to Zues, its clients, employees, or other entities or individuals if improperly disclosed, or that is not otherwise publicly available. Harms may relate to an individual’s privacy, Zues’s marketplace position or that of its clients, or legal or regulatory liabilities.
Mark Confidential Information to denote its status when technically feasible. Applications or databases that contain Confidential Information may be marked with an initial banner shown upon system access.
You must have authorization to disclose Confidential Information to an external party. Seek guidance from your manager or Legal prior to disclosing Confidential Information and verify that an appropriate non-disclosure or other agreement is in effect.
- (a) Confidential Information Examples. Some Confidential Information examples include, but are not limited to:
- (i) Zues financial data, client lists, revenue forecasts, program or project plans, and intellectual property;
- (ii) client-provided data, information, and intellectual property;
- (iii) client contracts and contracts with other external parties, including vendors;
- (iv) communications or records regarding internal Zues matters and assets, including operational details and audits;
- (v) Zues policies, procedures, standards, and processes (for example, this Policy is Confidential Information and should not be shared without authorization from the Information Security Coordinator);
- (vi) any information designated as “confidential” or some other protected information classification by an external party and subject to a current non-disclosure or other agreement;
- (vii) information regarding employees (see also, Section 3.3, Highly Confidential Information, regarding personal information);
- (viii) any summaries, reports, or other documents that contain Confidential Information; and
- (ix) drafts, summaries, or other working versions of any of the above.
- (b) Safeguards. You must protect Confidential Information with specific administrative, physical, and technical safeguards implemented according to risks, including (but not necessarily limited to):
- (i) Authentication. Electronically stored Confidential Information must only be accessible to an individual after logging in to Zues’s network.
- (ii) Discussions. Only discuss Confidential Information in non-public places, or if a discussion in a public place is absolutely necessary, take reasonable steps to avoid being overheard.
- (iii) Copying/Printing/Faxing/Scanning. Only scan, make copies, and distribute Confidential Information to the extent necessary or allowed under any applicable non-disclosure agreement or other applicable agreement. Take reasonable steps to ensure that others who do not have a business need to know do not view the information. When faxing Confidential Information, use a cover sheet that informs the recipient that the information is Zues’s Confidential Information. Set fax machines to print a confirmation page after sending a fax. Locate copiers, fax machines, scanners, and other office equipment in physically secured areas and configure them to avoid storing Confidential Information.
- (iv) Encryption. You should encrypt Confidential Information when storing it on a laptop, smartphone, or other mobile device, including mobile storage devices. Consider encrypting Confidential Information when transmitting or transporting it externally, based on specific risks. Seek assistance from your manager or admin@catepult.com, if needed.
  - You shall require all transmissions of PHI to be secure and encrypted, including but not limited to: email, webmail, mobile device email, FTP, chat and instant messaging, web services, etc.
- (v) Mailing. Use a service that requires a signature for receipt of the information when sending Confidential Information outside Zues. When sending Confidential Information inside Zues, use a sealed security envelope marked “Confidential Information.”
- (vi) Meeting Rooms. You should only share Confidential Information in physically secured meeting rooms. Erase or remove any Confidential Information that you write on a whiteboard or other presentation tool at the meeting’s conclusion.
- (vii) Need to know. Only access, share, or include Confidential Information in documents, presentations, or other resources when there is a business need to know.
- (viii) Physical Security. Only house systems that contain Confidential Information or store Confidential Information in paper or other forms in physically secured areas.
3.3. Highly Confidential Information. Highly Confidential Information is information that may cause serious and potentially irreparable harm to Zues, its clients, employees, or other entities or individuals if disclosed or used in an unauthorized manner. Highly Confidential Information is a subset of Confidential Information that requires additional protection.
Mark Highly Confidential Information to denote its status when technically feasible. Applications or databases that contain Highly Confidential Information may be marked with an initial banner shown upon system access.
You may not remove Highly Confidential Information from Zues’s environment without authorization.
You must have authorization to disclose Highly Confidential Information to an external party. Seek guidance from Legal and the Information Security Coordinator prior to disclosing Highly Confidential Information externally to ensure Zues meets its legal obligations.
- (a) Highly Confidential Information Examples. Some Highly Confidential Information examples include, but are not limited to the following:
- personal information for employees, clients, business partners, or others; and
- sensitive Zues business information, such as budgets, financial results, or strategic plans.
- (b) Safeguards. You must protect Highly Confidential Information with specific administrative, physical, and technical safeguards implemented according to risks and as prescribed by applicable laws, regulations, and standards, including (but not necessarily limited to):
- (i) Authentication. Electronically stored Highly Confidential Information must only be accessible to an individual after logging in to Zues’s network and with specific authorization.
- (ii) Discussions. Only discuss Highly Confidential Information in non-public places.
- (iii) Copying/Printing/Faxing/Scanning. Do not scan, copy, or distribute Highly Confidential Information unless absolutely necessary. Take reasonable steps to ensure that others who do not have a specific business need to know do not view the information. When faxing Highly Confidential Information, use a cover sheet that informs the recipient that the information is Zues’s Highly Confidential Information. Set fax machines to print a confirmation page after sending a fax. Locate copiers, fax machines, scanners, and other office equipment in physically secured areas and configure them to avoid storing Highly Confidential Information.
- (iv) Encryption. You must encrypt Highly Confidential Information when transmitting it, whether externally or internally, or when storing it on a laptop, smartphone, or other mobile device, including mobile storage devices such as USB drives. You should also encrypt Highly Confidential Information when storing it on a server, database, or other stationary device.
- (v) Mailing. Do not mail Highly Confidential Information unless absolutely necessary. Use a service that requires a signature for receipt of the information when sending Highly Confidential Information outside Zues. When sending Highly Confidential Information inside Zues, use a sealed security envelope marked “Highly Confidential Information.” If you use electronic media to mail Highly Confidential Information, you must encrypt and password protect it.
- (vi) Meeting Rooms. You must only share Highly Confidential Information in physically secured meeting rooms. Erase or remove any Highly Confidential Information that you write on a whiteboard or other presentation tool at the meeting’s conclusion.
- (vii) Need to know. Only access, share, or include Highly Confidential Information in documents, presentations, or other resources when there is a specific business need to know.
- (viii) Network Segmentation. You may only make Highly Confidential Information available to areas of Zues’s network where there is a specific business need. Highly Confidential Information must be segmented from the rest of Zues’s network using controls such as firewalls, access control lists, or other security mechanisms.
- (ix) Physical Security. Only house systems that contain Highly Confidential Information or store Highly Confidential Information in paper or other forms in physically secured areas, accessible only to those with a specific business need to know.
4. People: Roles, Access Control, and Acceptable Use.
People are the best defense in information security. They are also the weakest link. Zues grants access to its systems and data based on business roles. Zues places limits on how you may use and interact with its information assets. These restrictions help lower risks and protect you and Zues.
4.1. Roles. Business roles and role-based access are based on the individual’s relationship with Zues and assigned activities.
- (a) Employees. Human Resources provides employee screening and background investigations. For more information, contact admin@catepult.com. Zues may require employees who handle Highly Confidential Information to undergo additional background screening and testing where permitted by applicable laws.
Supervising managers may request access for their employees only to those Zues systems and data required to meet business needs.
- (b) External Parties. Zues grants systems access to approved external parties, such as contractors, vendors, service providers, business partners, or others with a demonstrated business need that cannot be reasonably met through other means (see Section 7, Service Providers: Risks and Governance). Zues may support different access levels for different business situations.
A sponsoring employee must be designated for any external party before Zues grants access to its systems or data. The sponsoring employee is responsible for supervising the external party, including compliance with this Policy.
The sponsoring employee may request access only to those Zues resources necessary to meet business needs. The sponsoring employee must also request that any access granted be terminated when the business need ends.
4.2. Identity and Access Management. Zues uses identity and access management controls to provide user accounts with appropriate privileges to employees and others. Zues will assign each individual a unique identifier using a standard algorithm (the individual’s “primary ID”). You should only create device or application-specific identifiers if the primary ID cannot be used. Device or application-specific identifiers must be linked to an accountable individual.
- (a) Unique User Accounts. Zues assigns unique user accounts, passwords, and other authentication means and credentials to individuals, using their primary ID. You must not share your account, password, or other authentication means or credentials with others. If system or other administrative accounts cannot be uniquely assigned to specific individuals, use mediated access, audit logs, or other technical controls to provide individual accountability.
- (b) Add, Change, Terminate Access. Zues restricts access to specific resources to those with a business need to know. Responsible managers and sponsoring employees should direct requests to add or change access levels to IT. System and application administrators must periodically review user accounts and access levels to confirm that a legitimate business need for the access still exists.
When an employee leaves the business, Human Resources must immediately notify IT. IT will timely deactivate the individual’s account(s). For external parties, the sponsoring employee must notify IT when there is no longer a business need for access to support timely account termination. Managers should seek guidance from Human Resources and the Information Security Coordinator regarding access for employees on extended leaves.
- (c) Authorization Levels and Least Privilege. Proper authorization levels ensure that Zues only grants individuals the privileges they need to perform their assigned activities and no more. Known as least privilege access, this method minimizes risks. Least privilege applies to user and administrative access. You must not grant administrative privileges unless there is a specific business need and you limit them to the extent feasible.
- (d) Role-Based Access Controls. Use role-based access control methods whenever feasible to assign authorization levels according to business functions, rather than uniquely for each individual. This method supports the least privilege approach by standardizing access. It also simplifies periodic access reviews.
4.3. Acceptable Use Policy. Zues provides employees and others with network resources and systems to support its business requirements and functions. This section limits how you may use Zues’s information assets and explains the steps you must take to protect them.
If you have any questions regarding acceptable use of Zues’s resources, please discuss them with your manager or contact the Information Security Coordinator for additional guidance.
Zues proprietary and customer information stored on electronic and computing devices, whether owned or leased by Zues, the employee, Agent, representative, or a third party, remains the sole property of Zues for the purposes of this policy. Employees and contractors must ensure through legal or technical means that proprietary information is protected in accordance with the Data Management Policy. The use of Google Drive for business file storage is required for users of laptops or company-issued devices. Storing important documents on the file share is how you “back up” your laptop. You have a responsibility to promptly report the theft, loss, or unauthorized disclosure of Zues proprietary information or equipment. You may access, use, or share Zues proprietary information only to the extent it is authorized and necessary to fulfill your assigned job duties. Employees are responsible for exercising good judgment regarding the reasonableness of personal use of company-provided devices. For security and network maintenance purposes, authorized individuals within Zues may monitor equipment, systems, and network traffic at any time. Zues reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
- (a) General Use of Information Technology Resources. Zues provides network resources and systems for business purposes. Any incidental non-business use of Zues’s resources must be for personal purposes only. Do not use Zues’s resources for commercial purposes, personal gain, or any purpose that may create a real or perceived conflict of interest with Zues.
- Do not use Zues’s resources in a manner that negatively impacts your job performance or impairs others’ abilities to do their jobs. Zues’s network and systems are subject to monitoring (see Section 1.4, No Expectation of Privacy and Monitoring).
- Do not use Zues’s network or systems for activities that may be deemed illegal under applicable law. If Zues suspects illegal activities, it may report them to the appropriate authorities and aid in any investigation or prosecution of the individuals involved.
- (i) Prohibited Activities. Zues prohibits using its resources to engage in activities such as (but not necessarily limited to) the following:
- hacking, spoofing, or launching denial of service attacks;
- gaining or attempting to gain unauthorized access to others’ networks or systems;
- sending fraudulent email messages;
- distributing or attempting to distribute malicious software (malware);
- spying or attempting to install spyware or other unauthorized monitoring or surveillance tools;
- committing criminal acts such as terrorism, fraud, or identity theft;
- downloading, storing, or distributing child pornography or other obscene or illegal materials;
- downloading, storing, or distributing materials in violation of another’s copyright;
- creating undue security risks or negatively impacting the performance of Zues’s network and systems;
- causing embarrassment, loss of reputation, or other harm to Zues;
- uploading, downloading, or disseminating defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, annoying, insulting, threatening, obscene, or otherwise inappropriate or offensive messages or media;
- distributing joke, chain letter, commercial solicitations, or hoax emails or other messages (spamming);
- disrupting the workplace environment, creating a hostile workplace, or invading the privacy of others;
- using encryption or other technologies in an attempt to hide illegal, unethical, or otherwise inappropriate activities;
- installing or distributing unlicensed or pirated software;
- Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Zues;
- Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Zues or the end user does not have an active license;
- Accessing data, a server, or an account for any purpose other than conducting Zues business, even if you have authorized access, is prohibited;
- Exporting software, technical information, encryption software, or technology, in violation of international or regional export control laws, is illegal. The appropriate management shall be consulted prior to export of any material that is in question;
- Introduction of malicious programs into the network or systems (e.g., viruses, worms, Trojan horses, email bombs, etc.);
- Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home;
- Using a Zues computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws;
- Making fraudulent offers of products, items, or services originating from any Zues account;
- Making statements about warranty, expressly or implied, unless it is a part of normal job duties;
- Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient, or logging into a server or account that the employee is not expressly authorized to access, unless doing so is within the scope of the employee’s regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes;
- Port scanning or security scanning is expressly prohibited unless prior notification to the Zues engineering team is made;
- Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duty;
- Circumventing user authentication or security of any host, network, or account;
- Introducing honeypots, honeynets, or similar technology on the Zues network;
- Interfering with or denying service to any user other than the employee’s host (for example, a denial of service attack);
- Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s session, via any means;
- Providing information about, or lists of, Zues employees, contractors, partners, or customers to parties outside Zues without authorization.
- (b) Desktop, Laptop, and End-User Controls. You may only access Zues’s network using approved end-user devices that support our current minimum information security standards. Standards for end-user devices may include protective controls and specific configurations, such as anti-virus software, patching levels, and required operating system or other software versions. Zues-owned machines may be configured to automatically receive upgrades. You may be denied remote access using non-Zues owned devices that do not meet current standards.
- Use your own Zues-provided account(s) to access Zues’s network and systems, unless you have been specifically authorized to use a device-specific, administrative, or other account (see Section 4.2, Identity and Access Management).
- Screen saver passwords, also known as “workstation timeouts” or “lock screens,” secure Confidential Information by protecting active computer sessions when you step away. Locking screen savers must activate after a maximum inactivity time of 15 minutes. If you handle Highly Confidential Information, lock your screen any time you leave it unattended.
- (c) Information Handling and Storage. You must properly handle, store, and securely dispose of Zues’s information in accordance with Zues’s Records Retention Schedule. You are responsible for any Confidential or Highly Confidential Information that you access or store. Do not allow others to view, access, or otherwise use any Confidential or Highly Confidential Information you control unless they have a specific business need to know.
- Store files or other data critical to Zues’s operations on regularly maintained (backed up) servers or other storage resources. Do not store business critical data only on end-user devices such as desktops, laptops, smartphones, or other mobile devices.
- Physically secure any media containing Zues information, including hard drives, CDs, disks, paper, voice recordings, removable drives (such as thumb drives, flash drives, or USB drives), or other media. You must store media containing Confidential or Highly Confidential Information in a locked area when not in use.
- Shred or otherwise destroy paper that contains Confidential or Highly Confidential Information prior to disposal. Return all electronic, magnetic, or optical media to IT for secure disposal when it is no longer required to meet business needs.
- (d) Internet Use: Email, Messaging, Social Media, and Cloud Computing. The internet offers a variety of services that Zues employees and contractors depend on to work effectively. However, some technologies create undue risks to Zues’s assets. Some uses are not appropriate in the workplace.
- Zues may block or limit access to particular services, websites, or other internet-based functions according to risks and business value. Recognize that inappropriate or offensive websites may still be reachable and do not access them using Zues resources.
- (i) General Internet Use. Limit your web browsing and access to streaming media (such as videos, audio streams or recordings, and webcasts) to business purposes or as otherwise permitted by this Policy. Internet use must comply with this Policy.
- Never use internet peer-to-peer file sharing services, given the risks to Zues’s information assets they create.
- Do not use internet-based remote access services to access Zues’s network or systems, including desktop computers. If you need remote access, use Zues-provided or authorized methods (see Section 4.3(f), Remote Access).
- Email and Social Media. Do not disclose Confidential or Highly Confidential Information to unauthorized parties on blogs or social media or transmit it in unsecured emails or instant messages (see Section 3, Data: Information Classification and Risk-Based Controls). Do not make postings or send messages that speak for Zues or imply that you speak for Zues unless you have been authorized to do so.
- Use good professional judgment when drafting and sending any communications. Remember that messages may be forwarded or distributed outside your control, and your professional reputation is at stake. Email signatures should be professional, appropriate for your business role, and not unreasonably long or complex. Zues provides standard email footer text that must be placed on all externally bound email messages. Do not alter or prevent application of the standard footer to your external messages.
- Never open an email attachment that you did not expect to receive, click on links, or otherwise interact with unexpected email content. Attackers frequently use these methods to transport viruses and other malware. Be cautious, even if messages appear to come from someone you know because attackers can easily falsify (spoof) email senders. Zues may block some attachments or emails based on risk.
- Do not respond to an email or other message that requests Confidential or Highly Confidential Information unless you have separately verified and are certain of its origin and purpose. Even then, always protect Confidential or Highly Confidential Information as described in Section 3, Data: Information Classification and Risk-Based Controls.
- If you have any doubts regarding the authenticity or risks associated with an email or other message you receive, contact IT immediately and before interacting with the message. Do not reply to suspicious messages, including clicking links or making unsubscribe requests. Taking those actions may simply validate your address and lead to more unwanted or risky messages.
- Cloud Computing. Zues may use internet-based, outsourced services for some computing and data storage activities based on business needs. Cloud computing services store data and provide services in internet-accessible data centers that may be located almost anywhere. Cloud services vary significantly in their service levels and security measures.
- While cloud services may offer an attractive cost model, they also present significant risks. Using them may also affect Zues’s ability to comply with some laws. Before using any cloud computing services to collect, create, store, or otherwise manage Zues’s Confidential or Highly Confidential Information, you must obtain approval from Legal and the Information Security Coordinator (see Section 7, Service Providers: Risks and Governance).
- This Policy applies to any document sharing or other internet-based services, if Zues Confidential or Highly Confidential Information is stored.
- (e) Mobile Devices and Bring Your Own Device to Work. Mobile devices, including laptops, smartphones, and tablet computers, can provide substantial productivity benefits. Mobile storage devices may simplify information exchange and support business needs. However, all these mobile devices also present significant risks to Zues’s information assets, so you must take appropriate steps to protect them.
All end-user devices (e.g., mobile phones, tablets, laptops, desktops) must comply with this policy. Employees must use extreme caution when opening email attachments received from unknown senders, which may contain malware.
System-level and user-level passwords must comply with the Access Control Policy. Providing access to another individual, either deliberately or through failure to secure a device, is prohibited.
All end-user, personal (BYOD), or company-owned devices used to access Zues information systems (e.g., email) must adhere to the following rules and requirements:
- Devices must be locked with a password-protected (or equivalent control such as biometric) screensaver or screen lock after 5 minutes of non-use;
- Devices must be locked whenever left unattended;
- Users must report any suspected misuse or theft of a mobile device immediately to Zues’s IT Manager.
- Confidential information must not be stored on mobile devices or USB drives (this does not apply to business contact information, e.g., names, phone numbers, and email addresses);
- Any mobile device used to access company resources (such as file shares and email) must not be shared with any other person;
- Upon termination, users agree to return all company-owned devices and delete all company information and accounts from any personal devices.
Zues may permit employees and others to use their own equipment to connect to its network and systems. If you choose to do so, you agree that your use of those devices is subject to this Policy and any additional policies, procedures, standards, and processes Zues implements. Zues may require you to install specific security controls on your device (for example, device management software, access controls, encryption, remote wiping in case your device is lost or stolen, or other security controls).
You must allow IT (or another Zues resource) to review your device and remove any Zues data, if your relationship with Zues terminates, you change devices or services, or in other similar situations. You must also promptly provide Zues with access to your device when requested for Zues’s legitimate business purposes, including any security incident or investigation.
Use encryption, other protection strategies (for example, device management software, access controls, remote wiping in case your device is lost or stolen, or other security controls), or both on any mobile device that contains Confidential or Highly Confidential Information. Mobile devices, including those that provide access to Zues email, must be protected using a password or other approved authentication method.
Physically secure any mobile devices you use to access or store Zues information. Never leave laptops or other devices unattended unless locked or otherwise secured. Do not leave mobile devices or the bags containing them visible in a parked car or check them as baggage on airlines or other public transportation.
Do not connect a mobile device containing Zues information to any unsecured network without an up-to-date firewall configured (or other security controls in place). Unsecured networks include home networks, hotel networks, open or for-pay wireless hotspots, convention networks, or any other network that Zues has not approved or does not control.
- (f) Remote Access. If you have a business need to access Zues’s network and systems from home, while traveling, or at another location, Zues may grant you remote access.
Laptops and other computer resources that are used to access the Zues network must conform to the security requirements outlined in Zues’s Information Security Policies and adhere to the following standards:
- Use multifactor authentication to access Zues’s network remotely. Configure remote access capabilities to limit access to only those assets and functions the Information Security Coordinator approves. You may only use Zues-provided means for remote access (for example, VPN or other secured network connections, dial-up modems, or a Zues portal). Do not install or set up any other remote connections, including remote desktop software, without the Information Security Coordinator’s authorization.
- Remote access connections should time out (be disconnected) after a maximum of one hour of inactivity. Zues does not permit split tunneling or other mechanisms that bridge unsecure networks with Zues’s network.
- To prevent a compromised mobile device from connecting to the company network, antivirus policies require the use and enforcement of client-side antivirus software;
- Antivirus software must be configured to detect and prevent or quarantine malicious software, perform periodic system scans, and have automatic updates enabled;
- Users must not connect to any outside network without a secure, up-to-date software firewall configured on the mobile computer;
- Users are prohibited from changing or disabling any organizational security controls, such as personal firewalls or antivirus software, on systems used to access Zues resources;
- Use of remote access software and/or services (e.g., VPN client) is allowable as long as it is provided by the company and configured for multifactor authentication (MFA);
- Unauthorized remote access technologies may not be used or installed on any Zues system;
- Users shall use a VPN when transmitting confidential information on public Wi-Fi;
- If you access Zues resources from a public computer (e.g., in a business center or hotel), log out of the session and do not save anything. Do not check “remember me,” collect all printed materials, and do not download files to a non-Zues-controlled.
- (g) External Network Connections. Some business situations may require creating a secure connection from Zues’s network to an external party’s network (extranet). Examples include working extensively with client systems, outsourcing, or partnering with another organization for an extended period. Extranet connections allow the organizations to share information and technical resources in a secure manner by connecting the two networks at their respective perimeters.
- The Information Security Coordinator must review and approve all extranet and any other external connections to Zues’s network before implementation. A signed business agreement between the two organizations must accompany any extranet connection. Limit connectivity to only those assets required to perform the specified functions. Zues monitors extranet connections and may deactivate them if unusual or inappropriate traffic is detected.
- (h) Wireless Network Connections. Do not connect any wireless access points, routers, or other similar devices to Zues’s network unless the Information Security Coordinator has reviewed and approved them.
- Secure and maintain approved wireless network (Wi-Fi) connections according to current Zues technical and physical security standards. Do not connect wireless access points (WAPs) directly to Zues’s trusted network without going through a firewall or other protective controls. Deactivate WAPs when they are not in use, including during non-business hours.
- Only transmit, receive, or make available Highly Confidential Information through Wi-Fi connections using appropriate protective controls, including encryption. If you have questions regarding appropriate Wi-Fi security measures to take when handling Highly Confidential Information, contact the Information Security Coordinator.
- End-user devices that access wireless networks, such as laptops, must have personal firewalls installed and maintained according to current Zues standards. Deactivate your computer’s wireless networking interface when it is not in use.
5. Information Assets: Protecting and Managing Zues’s Information Technology Environment.
This section describes key safeguards that Zues uses to protect and manage its information technology (IT) environment. You must support their use to the extent that they apply to you.
5.1. Protecting Information Assets. Install and configure Zues-owned computers according to current technical standards and procedures, including anti-virus software, other standard security controls, and approved operating system version and software patches. Zues supports preventive controls to avoid unauthorized activities or access to data, based on risk levels. Zues supports detective controls to timely discover unauthorized activities or access to data, including continuous system monitoring and event management.
- (a) End-User Computers and Access. Configure end-user computers to request authentication from Zues’s domain at startup and user login. Zues may deny network access to end-user computers if installed software versions do not match current standards. Users may not access Zues’s network unless they have been properly authenticated.
- Configure user accounts to require strong passwords and multifactor authentication, according to risks. To protect against password guessing and other brute force attacks, Zues will deactivate user accounts after five failed login attempts. Reactivation may be based on a timeout or manual reset according to risk and technical feasibility.
- Secure remote access points and require multifactor authentication. Encrypt authentication credentials during transmission across any network, either internal or external.
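The lockout rule in 5.1(a) (deactivate after five failed login attempts, reactivate by timeout or manual reset) as an added example of the enforcement logic, not Zues’s own code. The 15-minute timeout, the user IDs and the replayed attempt log are constructed assumptions.

```python
"""Account lockout after five failed logins (Section 5.1(a)).

Added example. MAX_FAILED_ATTEMPTS comes from the policy text; the
timeout length is an assumption, since the policy leaves it to risk
and technical feasibility.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5          # stated in the policy
LOCKOUT_SECONDS = 15 * 60        # assumption: 15-minute timeout reactivation


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_at: Optional[float] = None   # epoch seconds when deactivated


class LockoutPolicy:
    """Tracks failed logins per primary ID and deactivates the account
    once the limit is reached.  Reactivation is either automatic after
    `lockout_seconds` or, with timeout_reactivation=False, only through
    manual_reset() (the two options the policy allows)."""

    def __init__(self, lockout_seconds: int = LOCKOUT_SECONDS,
                 timeout_reactivation: bool = True) -> None:
        self.lockout_seconds = lockout_seconds
        self.timeout_reactivation = timeout_reactivation
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user_id: str) -> AccountState:
        return self.accounts.setdefault(user_id, AccountState())

    def is_locked(self, user_id: str, now: float) -> bool:
        st = self._state(user_id)
        if st.locked_at is None:
            return False
        if self.timeout_reactivation and now - st.locked_at >= self.lockout_seconds:
            # Timeout elapsed: reactivate and clear the failure counter.
            self.accounts[user_id] = AccountState()
            return False
        return True

    def record_attempt(self, user_id: str, credential_ok: bool, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'.  A correct credential is
        still rejected while the account is deactivated, so an attacker
        cannot confirm a guess during the lockout window."""
        if self.is_locked(user_id, now):
            return "locked"
        st = self._state(user_id)
        if credential_ok:
            self.accounts[user_id] = AccountState()   # success resets the counter
            return "ok"
        st.failed_attempts += 1
        if st.failed_attempts >= MAX_FAILED_ATTEMPTS:
            st.locked_at = now
            return "locked"
        return "denied"

    def manual_reset(self, user_id: str) -> None:
        """Administrative reactivation (IT help-desk reset)."""
        self.accounts[user_id] = AccountState()


def replay(policy: LockoutPolicy,
           events: List[Tuple[str, bool, float]]) -> List[str]:
    """Feed a sequence of (user_id, credential_ok, timestamp) events and
    return the decision for each one."""
    return [policy.record_attempt(u, ok, t) for u, ok, t in events]


if __name__ == "__main__":
    # Constructed attempt log: five wrong passwords, then the right one
    # within the lockout window, then the right one after it expires.
    log = [("alice", False, 1000.0 + i) for i in range(5)]
    log += [("alice", True, 1010.0), ("alice", True, 1004.0 + LOCKOUT_SECONDS)]
    for (user, _, ts), decision in zip(log, replay(LockoutPolicy(), log)):
        print(f"{ts:>8.0f} {user:<6} {decision}")
```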
- (b) Passwords and User Credentials. Select strong passwords and protect all user credentials, including passwords, tokens, badges, smart cards, or other means of identification and authentication. Use multifactor authentication to minimize the risks of reusable passwords where reasonable. Implement password rules so that users select and use strong passwords. Automate password rule enforcement to the extent technically feasible.
- (i) Minimum Password Rules. At minimum passwords must:
- be at least eleven (11) characters long;
- contain a mix of letters (upper and lower case), numbers, and special characters (punctuation marks and symbols);
- not consist only of words that can be found in a dictionary;
- not consist of an obvious keyboard sequence or common term (e.g., “qwerty,” “12345678,” or “password”); and
- not include easily guessed or obtained data such as personal information about yourself, your partner, your pet, your children, birthdays, addresses, phone numbers, locations, etc.
- Several techniques can help you create a strong password. Substituting numbers for words is common. For example, you can substitute the numerals 2 or 4 for the words “to” or “for” and combine them with capitalization and symbols to create a memorable phrase. Another way to create an easy-to-remember strong password is to think of a sentence and use the first letter of each word as a password.
- Treat passwords as Highly Confidential Information. You may be required to change your password periodically according to current Zues standards. Change your password immediately and report the incident (see Section 6.1, Incident Reporting) if you have reason to believe that it has been compromised.
- Password and Other Authentication Means Protection. Protect your passwords and other authentication means at all times by:
- Not disclosing your passwords, one-time use codes, or other authentication means to anyone, including anyone who claims to be from IT;
- Not sharing your passwords, one-time use codes, or other authentication means with others (including co-workers, managers, clients, or family);
- Not writing down your passwords or otherwise recording them in an unsecure manner;
- Not using save password features for applications, unless provided or authorized by Zues;
- Not using the same password for different systems or accounts, except where single sign-on features are automated; and
- Not reusing passwords.
IT procedures and technical standards define additional steps to protect passwords and other authentication means for administrative or device-specific accounts.
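Section 5.1(b) asks for the minimum password rules in (i) to be enforced automatically. The checker below is an added example, not Zues’s own tooling: the word list, the common-sequence list, and the reading of “only dictionary words” as an alphabetic portion that segments entirely into dictionary words are assumptions.

```python
"""Automated check of the Section 5.1(b)(i) minimum password rules.

Added example.  Returns the list of violated rule codes, so an empty
list means the password satisfies every rule.  Real deployments would
load a full dictionary and a breached-password list; the sets below are
constructed for illustration.
"""
import re
import string
from typing import Iterable, List

MIN_LENGTH = 11                                   # rule: at least eleven characters

# Constructed, illustrative word list (assumption: a real one is much larger).
DICTIONARY_WORDS = {"correct", "horse", "battery", "staple", "password",
                    "summer", "welcome", "dog", "secret", "login", "admin"}
MAX_WORD_LEN = max(len(w) for w in DICTIONARY_WORDS)

# Constructed common terms and keyboard rows for the "obvious sequence" rule.
COMMON_TERMS = ["qwerty", "12345678", "password", "letmein", "abcdef"]
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
KEYBOARD_RUN = 5                                   # assumption: 5+ adjacent keys


def _has_character_mix(pw: str) -> bool:
    """Upper, lower, digit and at least one symbol/punctuation character."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def _segments_into_dictionary_words(letters: str) -> bool:
    """Word-break dynamic programme: True if `letters` (lowercase, a-z
    only) is a concatenation of dictionary words, e.g. correcthorse."""
    n = len(letters)
    if n == 0:
        return False
    reachable = [False] * (n + 1)
    reachable[0] = True
    for i in range(1, n + 1):
        for j in range(max(0, i - MAX_WORD_LEN), i):
            if reachable[j] and letters[j:i] in DICTIONARY_WORDS:
                reachable[i] = True
                break
    return reachable[n]


def _has_keyboard_or_common_sequence(pw: str) -> bool:
    low = pw.lower()
    if any(term in low for term in COMMON_TERMS):
        return True
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - KEYBOARD_RUN + 1):
            run = row[i:i + KEYBOARD_RUN]
            if run in low or run[::-1] in low:   # forward or reversed run
                return True
    return False


def _contains_personal_term(pw: str, personal_terms: Iterable[str]) -> bool:
    """Case-insensitive substring match against normalised personal data
    (names, pet, birth year, phone digits); terms under 3 chars are skipped."""
    norm_pw = re.sub(r"[^a-z0-9]", "", pw.lower())
    for term in personal_terms:
        norm = re.sub(r"[^a-z0-9]", "", term.lower())
        if len(norm) >= 3 and norm in norm_pw:
            return True
    return False


def check_password(pw: str, personal_terms: Iterable[str] = ()) -> List[str]:
    """Return violated rule codes in policy order:
    length, mix, dictionary, common, personal."""
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append("length")
    if not _has_character_mix(pw):
        violations.append("mix")
    letters = re.sub(r"[^a-z]", "", pw.lower())
    if _segments_into_dictionary_words(letters):
        violations.append("dictionary")
    if _has_keyboard_or_common_sequence(pw):
        violations.append("common")
    if _contains_personal_term(pw, personal_terms):
        violations.append("personal")
    return violations


if __name__ == "__main__":
    # Constructed candidates; "Rex" and "2015" stand in for a user's pet and birth year.
    for cand in ["password1", "Qwerty12345!", "Correct1Horse!", "MyDogRex2015!", "Tr0ub4dor&3"]:
        print(f"{cand:<16} -> {check_password(cand, ['Rex', '2015']) or 'compliant'}")
```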
- (c) Perimeter Controls. Perimeter controls secure Zues’s network against external attacks. Use firewalls, configured according to current technical standards and procedures, to separate Zues’s trusted network from the internet or internet-facing environments.
- Zues may implement additional perimeter controls including intrusion detection and prevention services, data loss prevention software, specific router or other network configurations, or various forms of network monitoring according to risks. Do not create internet connections outside perimeter controls.
- (d) Data and Network Segmentation. Zues may use technical controls, such as firewalls, access control lists, or other mechanisms, to segment some data or areas of its network according to risks. Segment Highly Confidential Information from the rest of Zues’s network, to the extent technically feasible and reasonable (see Section 3.3, Highly Confidential Information). Do not alter network segmentation plans without approval from the Information Security Coordinator.
- (e) Encryption. Zues uses encryption to protect Confidential and Highly Confidential Information according to risks. Zues may apply encryption to stored data (data-at-rest) and transmitted data (data-in-transit). Encrypting personal information may lower Zues’s liability in the event of a data breach.
- Only use generally accepted encryption algorithms and products approved by the Information Security Coordinator. Periodically review encryption products and algorithms for any known risks.
Laws may limit exporting some encryption technologies. Review Zues’s Export Control Policy. Seek guidance from Legal prior to exporting or making any encryption technologies available to individuals outside the US.
- (i) Encryption Key Management. Encryption algorithms use keys to transform and secure data. Because they allow decryption of the protected data, proper key management is crucial. Select encryption keys to maximize protection levels, to the extent feasible and reasonable. Treat them as Highly Confidential Information.
Ensure that keys are available when needed to support data decryption by using secure storage methods and creating and maintaining secure backups. Track access to keys. Keys should never be known or available to only a single individual. Change encryption keys on a periodic basis according to risks.
- (f) Data and Media Disposal. When Zues retires or otherwise removes computing, network, or office equipment (such as copiers or fax machines) or other information assets that may contain Confidential or Highly Confidential Information from the business, specific steps must be taken to scrub or otherwise render the media unreadable.
Simply deleting files or reformatting disks is not sufficient to prevent data recovery. Either physically destroy media, according to applicable waste disposal regulations, or scrub it using data wiping software that meets generally accepted data destruction standards. For example, see the National Institute of Standards and Technology Special Publication 800-88, Guidelines for Media Sanitization.
- (g) Log Management and Retention. Zues logs system and user activities on network, computing, or other information assets according to risks. Security controls or other network elements may also produce logs.
Secure log data and files to prevent tampering and retain them according to Zues’s Records Retention Schedule. Regularly review logs, using automated means where feasible, to identify any anomalous activities that may indicate a security incident.
- (h) Physical (Environmental) Security. Zues uses physical safeguards to avoid theft, intrusions, unauthorized use, or other abuses of its information assets. You must comply with Zues’s current physical security policies and procedures (see Zues’s Physical Security Policy) and:
- (i) position computer screens where information on the screens cannot be seen by unauthorized parties;
- (ii) not display Confidential and Highly Confidential Information on a computer screen where unauthorized individuals can view it;
- (iii) log off or shut down your workstation when leaving for an extended period or at the end of your workday;
- (iv) house servers or other computing or network elements (other than end-user equipment) in secure data centers or other areas approved by the Information Security Coordinator;
- (v) not run network cabling through unsecured areas unless it is carrying only Public Information or otherwise protected data, such as encrypted data;
- (vi) deactivate network ports that are not in use; and
- (vii) store end-user devices that are not in use for an extended period in a secure area or securely dispose of them (see Section 5.1(e), Data and Media Disposal).
- (i) Disaster Preparedness (Business Continuity and Disaster Recovery). Zues develops, maintains, and periodically tests disaster preparedness plans. These plans support continuity of operations and systems availability if a disaster or other unplanned business-impacting event occurs. The plans must be developed, reviewed, and tested according to Zues’s Business Continuity Planning Policy and Procedures. Treat disaster preparedness plans as Confidential Information.
System administrators must perform regular data backups for the information assets they maintain according to Zues’s Backup Policy and Procedures. When selecting a backup strategy, balance the business criticality of the data with the resources required and any impact to users and network resources. Protect backups according to the information classification level of the data stored. Document and periodically test restoration procedures.
5.2. Managing Information Assets. IT manages IT operations and related activities at Zues.
Only Zues-supplied or approved software, hardware, and information systems, whether procured or developed, may be installed in Zues’s IT environment or connected to Zues’s network.
IT must approve and manage all changes to Zues’s production IT environment to avoid unexpected business impacts. Direct questions regarding IT operations to admin@catepult.com. Development environments must comply with this Policy and current IT standards to minimize information security risks.
- (a) Procurement. Only IT or those authorized by IT may procure information assets for use in or connection to Zues’s network. This Policy applies whether software or other assets are purchased, open source, or made available to Zues at no cost. Seek guidance from the Information Security Coordinator early in the software development process to identify and manage information security risks before implementation. Before using cloud computing services to access, store, or manage Confidential or Highly Confidential Information, you must obtain authorization from Legal and the Information Security Coordinator (see Section 4.3(e)(iii), Cloud Computing).
- (b) Asset Management. Track and document all information assets, including hardware, software, and other equipment, using Zues’s asset management system(s). This inventory tracking should include operating system levels and all installed software and software versions to support vulnerability identification and mitigation (see Section 9.2, Vulnerability Management and Disclosure). Update the asset inventory as assets are removed from the business. Confidential or Highly Confidential Information must have an assigned data owner who is responsible for tracking its location, uses, and any disclosures. Properly dispose of all data and media to help avoid a breach of Confidential or Highly Confidential Information (see Section 5.1(e), Data and Media Disposal).
- (c) Authorized Environments and Authorities. Only authorized IT personnel or other project personnel approved by IT may install and connect hardware or software in Zues’s IT environment. Do not convert end-user computers to servers or other shared resources without assistance from IT. Limit administrative or privileged systems access to those individuals with a business need to know. IT must distribute administrative access and information regarding administrative processes to more than one individual to minimize risks.
Internet connections and internet-facing environments present significant information security risks to Zues. The Information Security Coordinator must approve any new or changed internet connections or internet-facing environments.
- (d) Change Management. IT maintains a change management process to minimize business impact or disruptions when changes are made in Zues’s production IT environment. Change requests must be accompanied by an action plan that includes assigned roles and responsibilities, implementation milestones, testing procedures, and a rollback plan in case the change fails.
Implement and maintain a change management process to track identified problems, fixes, and releases during software development. Design these processes to include code archiving (versioning) tools so that earlier versions can be recovered and rebuilt, if necessary.
- (e) Application and Software Development. To avoid any undue or unexpected impact to Zues’s production IT environment, application and other software development activities, including system testing, must take place in reasonably segmented environments. Maintain segregation of duties between development and operations. Developers may be granted limited access to production environments where personnel and expertise availability is limited, but only for specific troubleshooting or support purposes. Software development must take place in authorized environments (see Section 5.2(c), Authorized Environments and Authorities).
Use security by design principles to identify potential information security risks and resolve them early in the development process. Seek guidance from the Information Security Coordinator, critical vendors, industry experts, and best practices to identify and avoid application-level security risks. Pay particular attention to protecting Highly Confidential Information through encryption or other appropriate means. Use defensive coding techniques and regular code review and application-level scanning to identify and remediate any information security issues before releasing software.
6. Incident Reporting and Response.
The Information Security Coordinator maintains a cyber incident reporting and response process that ensures management notifications are made based on the seriousness of the incident. The Information Security Coordinator investigates all reported or detected incidents and documents the outcome, including any mitigation activities or other remediation steps taken.
6.1. Incident Reporting. Immediately notify Zues or admin@catepult.com if you discover a cyber incident or suspect a breach in Zues’s information security controls. Zues maintains various forms of monitoring and surveillance to detect cyber incidents, but you may be the first to become aware of a problem. Early detection and response can mitigate damages and minimize further risk to Zues.
Treat any information regarding cyber incidents as Highly Confidential Information and do not share it, internally or externally, without specific authorization.
- (a) Cyber Incident Examples. Cyber incidents vary widely and include physical and technical issues. Some examples of cyber incidents that you should report include, but are not limited to:
- (i) loss or suspected compromise of user credentials or physical access devices (including passwords, tokens, keys, badges, smart cards, or other means of identification and authentication);
- (ii) suspected malware infections, including viruses, Trojans, spyware, worms, or any anomalous reports or messages from anti-virus software or personal firewalls;
- (iii) loss or theft of any device that contains Zues information (other than Public Information), including computers, laptops, tablet computers, smartphones, USB drives, disks, or other storage media;
- (iv) suspected entry (hacking) into Zues’s network or systems by unauthorized persons;
- (v) any breach or suspected breach of Confidential or Highly Confidential Information;
- (vi) any attempt by any person to obtain passwords or other Confidential or Highly Confidential Information in person or by phone, email, or other means (sometimes called social engineering, or in the case of email, phishing); and
- (vii) any other situation that appears to violate this Policy or otherwise create undue risks to Zues’s information assets.
- (b) Compromised Devices. If you become aware of a compromised computer or other device:
- immediately deactivate (or unplug) any network connections, but do not power down the equipment because valuable information regarding the incident may be lost if the device is turned off; and
- immediately notify us at admin@catepult.com.
6.2. Event Management. The Information Security Coordinator defines and maintains a cyber incident response plan to manage information security incidents. Report all suspected incidents, as described in this Policy, and then defer to the incident response process. Do not impede the incident response process or conduct your own investigation unless the Information Security Coordinator specifically requests or authorizes it.
6.3. Cyber Incident or Data Breach Notification. Applicable law may require Zues to report cyber incidents that result in the exposure or loss of certain kinds of information or that affect certain services or infrastructure to various authorities or affected individuals or organizations, or both. Breaches of Highly Confidential Information (and especially personal information) are the most likely to carry these obligations (see Section 1.5, Regulatory Compliance). The Information Security Coordinator’s incident response plan includes a step to review all incidents for any required notifications. Coordinate all external notifications with Legal and the Information Security Coordinator. Do not act on your own or make any external notifications without prior guidance and authorization.
7. Service Providers: Risks and Governance.
The Information Security Coordinator maintains a service provider governance program to oversee service providers that interact with Zues’s systems or Confidential or Highly Confidential Information. The service provider governance program includes processes to track service providers, evaluate service provider capabilities, and periodically assess service provider risks and compliance with this Policy.
7.1. Service Provider Approval Required. Obtain approval from Legal and the Information Security Coordinator before engaging a service provider to perform functions that involve access to Zues’s systems or Confidential or Highly Confidential Information.
7.2. Contract Obligations. Service providers that access Zues’s systems or Confidential or Highly Confidential Information must agree by contract to comply with applicable laws and this Policy or equivalent information security measures. Zues may require service providers to demonstrate their compliance with applicable laws and this Policy by submitting to independent audits or other forms of review or certification based on risks.
8. Client Information: Managing Intake, Maintenance, and Client Requests.
Zues frequently creates, receives, and manages data on behalf of our clients. With guidance from the Information Security Coordinator, each business unit develops, implements, and maintains an appropriate process and procedures to manage client data intake and protection.
Business unit-specific client data intake and protection processes may vary but must include, at minimum, means for (1) identifying client data and any pertinent requirements prior to data intake or creation; (2) maintaining an inventory of client data created or received; and (3) ensuring Zues implements and maintains appropriate information security measures, including proper data and media disposal when Zues no longer has a business need to retain the client data (or is no longer permitted to do so by client agreement).
8.1. Requirements Identification. Identify any pertinent client data requirements prior to data intake or creation according to your business unit’s client data intake and protection process. Requirements may be contractual or the result of applicable law or regulations, or both (see Section 1.5, Regulatory Compliance).
8.2. Intake Management. Business unit-specific client data intake processes and procedures must provide for secure data transfer. Maintain an inventory of client data that includes, at a minimum:
- (a) a description of the client data;
- (b) the location(s) where the data is stored;
- (c) who is authorized to access the data (by category or role, if appropriate);
- (d) whether the data is Confidential or Highly Confidential Information;
- (e) how long the data is to be retained (using criteria, if appropriate); and
- (f) any specific contractual or regulatory obligations or other identified data protection or management requirements.
Treat any client-provided personal information as Highly Confidential Information (see Section 3.3, Highly Confidential Information). To minimize risks for clients and Zues, engage clients in an ongoing dialogue to determine whether business objectives can be met without transferring personal information to Zues.
8.3. Client Data Protection. Protect all client data Zues creates or receives in accordance with this Policy and the data’s information classification level, whether Confidential or Highly Confidential Information, in addition to any specific client-identified requirements.
8.4. Client Data and Media Disposal. Ensure that any client data or media containing client data is securely disposed of when it is no longer required for Zues business purposes, or as required by client agreement (see Section 5.1(e), Data and Media Disposal). Update the applicable business unit client data inventory accordingly.
9. Risk and Compliance Management.
Zues supports an ongoing risk management action cycle to (1) enforce this Policy; (2) identify information security risks; (3) develop procedures, safeguards, and controls; and (4) verify that safeguards and controls are in place and working properly.
9.1. Risk Assessment and Analysis. Zues maintains a risk assessment program to identify information security risks across its IT environment, including application software, databases, operating systems, servers, and other equipment, such as network components and other connected devices. The Information Security Coordinator coordinates risk assessment activities that may take several forms, including analyses, audits, reviews, scans, and penetration testing. Do not take any actions to avoid, impact, or otherwise impede risk assessments.
Only the Information Security Coordinator is authorized to coordinate risk assessments. Seek approval from Legal and the Information Security Coordinator prior to engaging in any risk assessment activities or disclosing any assessment reports outside Zues.
9.2. Remediation and Mitigation Plans. The Information Security Coordinator maintains and oversees remediation and mitigation plans to address risk assessment findings according to risk levels.
9.3. Vulnerability Management and Disclosure. Manufacturers, security researchers, and others regularly identify security vulnerabilities in hardware, software, and other equipment. In most cases, the manufacturer or developer provides a patch or other fix to remediate the vulnerability. In some situations, the vulnerability cannot be fully remediated, but configurations can be changed or other steps taken to mitigate the risk created.
The Information Security Coordinator maintains a process to identify and track applicable vulnerabilities, scan devices for current patch status, and advise system administrators. Schedule any necessary updates using standard change management processes (see Section 5.2(d), Change Management) and according to risk level. Make all Zues-owned devices available to IT for timely patching and related activities.
Security researchers or others may also identify or disclose cyber vulnerabilities in Zues’s systems or products and services. You must immediately notify the Information Security Coordinator if you receive notice of a previously unknown cyber vulnerability in Zues’s systems or products and services and defer to them for subsequent communications and handling.
9.4. Compliance Management. Zues maintains compliance management processes to enforce this Policy. Zues may automate some monitoring and enforcement processes. If compliance management processes indicate that you may have acted contrary to this Policy, you may receive an automated notification or be contacted by the Information Security Coordinator to explain. In some cases, the Information Security Coordinator may contact your supervising manager or Human Resources to resolve the issue.
10. Whistleblower Anonymous Fraud Reporting
Our Whistleblower Policy is intended to encourage and enable employees and others to raise serious concerns internally so that we can address and correct inappropriate conduct and actions. It is the responsibility of all employees to report concerns about violations of our code of ethics or suspected violations of law or regulations that govern our operations. It is contrary to our values for anyone to retaliate against any employee or other person who in good faith reports an ethics violation, or a suspected violation of law, such as a complaint of discrimination, or suspected fraud, or suspected violation of any regulation. An employee who retaliates against someone who has reported a violation in good faith is subject to discipline up to and including termination of employment. Anonymous reports may be submitted via email to admin@catepult.com.
11. Policy Compliance.
Zues will measure and verify compliance to this policy through various methods, including but not limited to ongoing monitoring, and both internal and external audits.
12. Exceptions.
Requests for an exception to this policy must be submitted to the IT Manager for approval.
13. Violations & Enforcement.
Any known violations of this policy should be reported to the IT Manager. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination.
14. Effective Date.
This Information Security Policy is effective as of 31 October 2023.
14.1. Revision History. Original publication.
15. Acknowledgment of Receipt and Review
By registering for an account with Zues and using Zues’s Services, You acknowledge that you received and read a copy of Zues’s Information Security Policy, and understand that it is your responsibility to be familiar with and abide by its terms. This Policy is not promissory and does not set terms or conditions of employment or create an employment contract.