MINDIT SERVICES proprietary information stored on electronic and computing devices whether owned or leased by MINDIT SERVICES, the employee or a third party, remains the sole property of MINDIT SERVICES. All employees, suppliers, contractors and other partners must ensure through legal or technical means that proprietary information is protected in accordance with the Data Protection Standard.
All employees, suppliers, contractors and other partners have a responsibility to promptly report the theft, loss, or unauthorized disclosure of MINDIT SERVICES proprietary information.
Employees, suppliers, contractors and other partners may access, use, or share MINDIT SERVICES proprietary information only to the extent it is authorized and necessary to fulfill their assigned job duties.
Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Operations for individual projects or programs are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by the organizational policies on personal use, and if there is any uncertainty, employees should consult the CTO Role or the Business Support Functions Manager Role.
For security and network maintenance purposes, authorized individuals within MINDIT SERVICES may monitor equipment, systems, and network traffic at any time, per Infosec's Audit Policy.
MINDIT SERVICES reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
All mobile and computing devices that connect to the internal network must comply with the Minimum Access Policy.
System level and user level passwords must comply with the Password Policy. Providing access to another individual, either deliberately or through failure to secure its access, is prohibited.
All computing devices must be secured with a password-protected screensaver with the automatic activation feature set to 10 minutes or less. You must lock the screen or log off when the device is unattended.
Postings by employees from a MINDIT SERVICES email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of MINDIT SERVICES, unless the posting is made in the course of business duties.
Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain malware. In case of doubt or an identified malicious e-mail, please contact support@risksoft.ro.
The following activities are, in general, prohibited. Employees may be exempted from these restrictions during their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).
Under no circumstances is an employee of MINDIT SERVICES authorized to engage in any activity that is illegal under national or international law while utilizing MINDIT SERVICES-owned resources.
The lists below are by no means exhaustive but attempt to provide a framework for activities which fall into the category of unacceptable use.
The following activities are strictly prohibited, with no exceptions:
Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by MINDIT SERVICES.
Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which MINDIT SERVICES or the end user does not have an active license is strictly prohibited.
Accessing data, a server, or an account for any purpose other than conducting MINDIT SERVICES business, even if you have authorized access, is prohibited.
Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
Using a MINDIT SERVICES computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
Making fraudulent offers of products, items, or services originating from any MINDIT SERVICES account.
Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
Port scanning or security scanning is expressly prohibited unless prior notification to Infosec is made.
Executing any form of network monitoring which will intercept data not intended for the employee's host unless this activity is a part of the employee's normal job/duty.
Circumventing user authentication or security of any host, network, or account.
Introducing honeypots, honeynets, or similar technology on the MINDIT SERVICES network.
Interfering with or denying service to any user other than the employee's host (for example, denial of service attack).
Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.
Providing information about, or lists of, MINDIT SERVICES employees to parties outside MINDIT SERVICES.
When using company resources to access and use the Internet, users must realize they represent the company. Whenever employees state an affiliation to the company, they must also clearly indicate that "the opinions expressed are my own and not necessarily those of the company". Questions may be addressed to the CTO Role and Business Support Functions Role.
Any form of harassment via email or telephone, whether through language, frequency, or size of messages.
Unauthorized use, or forging, of email header information.
Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
Use of unsolicited email originating from within MINDIT SERVICES's networks or other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by MINDIT SERVICES or connected via MINDIT SERVICES's network.
Blogging by employees, whether using MINDIT SERVICES’s property and systems or personal computer systems, is also subject to the terms and restrictions set forth in this Policy. Limited and occasional use of MINDIT SERVICES’s systems to engage in blogging is acceptable, if it is done in a professional and responsible manner, does not otherwise violate MINDIT SERVICES’s policy, is not detrimental to MINDIT SERVICES’s best interests, and does not interfere with an employee's regular work duties. Blogging from MINDIT SERVICES’s systems is also subject to monitoring.
MINDIT SERVICES’s Confidential Information policy also applies to blogging. As such, Employees are prohibited from revealing any MINDIT SERVICES confidential or proprietary information, trade secrets or any other material covered by MINDIT SERVICES’s Confidential Information policy when engaged in blogging.
Employees shall not engage in any blogging that may harm or tarnish the image, reputation and/or goodwill of MINDIT SERVICES and/or any of its employees. Employees are also prohibited from making any discriminatory, disparaging, defamatory or harassing comments when blogging or otherwise engaging in any conduct prohibited by MINDIT SERVICES’s Non-Discrimination and Anti-Harassment policy.
Apart from following all laws pertaining to the handling and disclosure of copyrighted or export controlled materials, MINDIT SERVICES’s trademarks, logos and any other MINDIT SERVICES intellectual property may also not be used in connection with any blogging activity without prior approval from the company.
Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Policy
Confirmed theft, data breach or exposure of MINDIT SERVICES Protected data or MINDIT SERVICES Sensitive data
As soon as a theft, data breach or exposure containing MINDIT SERVICES Protected data or MINDIT SERVICES Sensitive data is identified, the process of removing all access to that resource will begin.
The Executive Director will chair an incident response team to handle the breach or exposure.
The team will include members from:
IT Infrastructure
IT Applications
Finance (if applicable)
Legal
Communications
Member Services (if Member data is affected)
Human Resources
The affected unit or department that uses the involved system or output or whose data may have been breached or exposed
Additional departments based on the data type involved
Additional individuals as deemed necessary by the Executive Director
Confirmed theft, breach, or exposure of MINDIT SERVICES data
The Executive Director will be notified of the theft, breach, or exposure. IT, along with the designated forensic team, will analyze the breach or exposure to determine the root cause.
Work with Forensic Investigators
Under the MINDIT SERVICES cyber insurance, the insurer will provide access to forensic investigators and experts who will determine how the breach or exposure occurred, the types of data involved, and the number of internal/external individuals and/or organizations impacted, and who will analyze the breach or exposure to determine the root cause.
Develop a communication plan.
Work with MINDIT SERVICES communications, legal and human resource departments to decide how to communicate the breach to a) internal employees, b) the public, and c) those directly affected.
In case personal data is involved, the Procedure for Personal Data breach of Mindit Services will be applied.
Roles & Responsibilities:
Sponsors - Sponsors are those members of the MINDIT SERVICES community that have primary responsibility for maintaining any information resource. Sponsors may be designated by any MINDIT SERVICES Executive in connection with their administrative responsibilities, or by the actual sponsorship, collection, development, or storage of information.
Information Security Administrator is that member of the MINDIT SERVICES community, designated by the Executive Director or the Director, Information Technology (IT) Infrastructure, who provides administrative support for the implementation, oversight and coordination of security procedures and systems with respect to specific information resources in consultation with the relevant Sponsors.
Users include virtually all members of the MINDIT SERVICES community to the extent they have authorized access to information resources, and may include staff, trustees, contractors, consultants, interns, temporary employees, and volunteers.
The Incident Response Team shall be chaired by Executive Management and shall include, but will not be limited to, the following departments or their representatives: IT-Infrastructure, IT-Application Security; Communications; Legal; Management; Financial Services, Member Services; Human Resources.
Any MINDIT SERVICES personnel found in violation of this policy may be subject to disciplinary action, up to and including termination of employment. Any third-party partner company found in violation may have their network connection terminated.
MINDIT SERVICES staff may only use MINDIT SERVICES removable media in their work computers. MINDIT SERVICES removable media may not be connected to or used in computers that are not owned or leased by MINDIT SERVICES without explicit permission of the MINDIT SERVICES InfoSec staff. Sensitive information should be stored on removable media only when required in the performance of your assigned duties or when providing information required by other state or federal agencies. When sensitive information is stored on removable media, it must be encrypted in accordance with the MINDIT SERVICES Acceptable Encryption Policy.
Exceptions to this policy may be requested on a case-by-case basis through the MINDIT SERVICES exception procedures.
Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walkthroughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
All use of email must be consistent with MINDIT SERVICES policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices.
The MINDIT SERVICES email account should be used primarily for MINDIT SERVICES business-related purposes; personal communication is permitted, but non-MINDIT SERVICES related commercial uses are prohibited.
All MINDIT SERVICES data contained within an email message or an attachment must be secured according to the Data Protection Standard.
Email should be retained only if it qualifies as a MINDIT SERVICES business record. Email is a MINDIT SERVICES business record if there exists a legitimate and ongoing business reason to preserve the information contained in the email.
The MINDIT SERVICES email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any MINDIT SERVICES employee should report the matter to support@risksoft.ro.
Users are prohibited from automatically forwarding MINDIT SERVICES email to a third-party email system (noted in 4.8 below). Individual messages which are forwarded by the user must not contain MINDIT SERVICES confidential or above information.
Users are prohibited from using third-party email systems and storage servers such as Google, Yahoo, and MSN Hotmail etc. to conduct MINDIT SERVICES business, to create or memorialize any binding transactions, or to store or retain email on behalf of MINDIT SERVICES. Such communications and transactions should be conducted through proper channels using MINDIT SERVICES-approved documentation.
Using a reasonable amount of MINDIT SERVICES resources for personal emails is acceptable, but non-work-related email shall be saved in a separate folder from work-related email. Sending chain letters or joke emails from a MINDIT SERVICES email account is prohibited. Prior to closing the collaboration with Mindit Services, any personal e-mail should be deleted, and any personal newsletters should be unsubscribed. Also, because the mailbox might be forwarded to a colleague for business continuity reasons, any expected senders of personal information should be notified to send it to another e-mail address.
MINDIT SERVICES employees shall have no expectation of privacy in anything they store, send, or receive on the company’s email system.
MINDIT SERVICES may monitor messages without prior notice. MINDIT SERVICES is not obliged to monitor email messages.
When confidential information is sent via e-mail, all reasonable actions shall be taken, including, but not limited to:
Mark the message as confidential in the signature, e-mail body text and/or subject
Protect any confidential attachment with a strong password that is transmitted through a separate communication channel
Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walkthroughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
All user-level and system-level passwords must conform to the Password Construction Guidelines.
Users must use a separate, unique password for each of their work-related accounts. Users may not use any work-related passwords for their own, personal accounts.
User accounts that have system-level privileges granted through group memberships or programs must have a unique password from all other accounts held by that user to access system-level privileges. In addition, it is highly recommended that some form of multi-factor authentication is used for any privileged accounts.
Passwords must be created according to the following standards:
Length of at least 8 characters
Complexity: passwords must contain numbers, capital letters and special characters
Passwords should not contain: the username, other users' passwords, the name of the user, the names of family members, nicknames, CNP, birth date, car registration number, the address of the user or of the company, city, phone number, department name, car names, technical terms, slang, obscene terms, logos and mottos of certain organizations, information about the user that is easy to guess (preferred food/color/sport, etc.), popular acronyms or words from the dictionary.
Passwords should be changed only when there is reason to believe a password has been compromised.
Password cracking or guessing may be performed on a periodic or random basis by the Infosec Team or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it to follow the Password Construction Guidelines.
Passwords must not be shared with anyone, including supervisors and coworkers. All passwords are to be treated as sensitive, Confidential MINDIT SERVICES information. Corporate Information Security recognizes that legacy applications do not support proxy systems in place. Please refer to the technical reference for additional details.
Passwords must not be inserted into email messages, Alliance cases or other forms of electronic communication, nor revealed over the phone to anyone.
Passwords may be stored only in “password managers” authorized by the organization.
Do not use the "Remember Password" feature of applications (for example, web browsers).
Any user suspecting that his/her password may have been compromised must report the incident to support@risksoft.ro and change all passwords.
Application developers must ensure that their programs contain the following security precautions:
Applications must support authentication of individual users, not groups.
Applications must not store passwords in clear text or in any easily reversible form.
Applications must not transmit passwords in clear text over the network.
Applications must provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
Multi-Factor Authentication
Multi-factor authentication is highly encouraged and should be used whenever possible, not only for work-related accounts but also for personal accounts.
Policy Compliance
Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walkthroughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the Infosec Team in advance.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Mobile Device Encryption Policy
All mobile devices containing stored data owned by MINDIT SERVICES must use an approved method of encryption to protect data at rest. Mobile devices are defined to include laptops, tablets, and phones.
Users are expressly forbidden from storing MINDIT SERVICES data on devices that are not issued by MINDIT SERVICES, such as storing MINDIT SERVICES email on a personal phone or tablet.
Laptops
Laptops must employ full disk encryption with an approved software encryption package. No MINDIT SERVICES data may exist on a laptop in plaintext.
Tablets and phones
Any MINDIT SERVICES data stored on a phone or tablet must be saved to an encrypted file system using MINDIT SERVICES-approved software. MINDIT SERVICES shall also employ remote wipe technology to remotely disable and delete any data stored on a MINDIT SERVICES tablet or phone which is reported lost or stolen.
Keys
All encryption keys and passphrases must meet complexity requirements described in MINDIT SERVICES’s Password Protection Policy.
Loss and Theft
The loss or theft of any mobile device containing MINDIT SERVICES data must be reported immediately to the Office Admin Role and Project Manager Role.
Policy Compliance
Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the Infosec Team in advance.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Mobile Employee Endpoint Responsibility Policy
All employees shall assist in protecting devices issued by MINDIT SERVICES or storing MINDIT SERVICES data. Mobile devices are defined to include desktop systems in a telework environment, laptops, PDAs, and cell phones.
Users may use their personal devices for doing business on behalf of Mindit Services as long as they follow the rules as expressed under this policy and inform the company of such use. Users are expressly forbidden from storing MINDIT SERVICES data on devices that are not issued by MINDIT SERVICES, such as storing MINDIT SERVICES email on a personal cell phone or PDA.
Anti-Virus and Endpoint Security Software
MINDIT SERVICES will issue computers with anti-virus and endpoint security software installed. Employees are to notify the security department immediately if they see error messages for these products. Employees shall run an online malware scanner at least once a month for a "second opinion"; see the MS Endpoint Privacy & Security Guidelines for recommended scanners.
Browser Add-ons
In general, MINDIT SERVICES does not recommend using browser add-ons; however, we do not forbid the use of these tools if they enhance productivity. After installing a browser add-on, employees shall run a browser testing tool. See the MS Endpoint Privacy & Security Guidelines for recommended testing tools.
Policy Compliance
Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walkthroughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Security Response Plan Policy
The development, implementation, and execution of a Security Response Plan (SRP) are the primary responsibility of the specific business unit for whom the SRP is being developed, in cooperation with the Infosec Team. Business units are expected to properly facilitate the SRP applicable to the services or products for which they are held accountable. The business unit security coordinator or champion is further expected to work with MINDIT SERVICES in the development and maintenance of a Security Response Plan.
Service or Product Description
The product description in an SRP must clearly define the service or application to be deployed; additional attention to data flows, logical diagrams and architecture is considered highly useful.
Contact Information
The SRP must include contact information for dedicated team members to be available during non-business hours should an incident occur and escalation be required. This may be a 24/7 requirement depending on the defined business value of the service or product, coupled with the impact to customers. The SRP document must include all phone numbers and email addresses for the dedicated team member(s).
Triage
The SRP must define triage steps to be coordinated with the security incident management team in a cooperative manner with the intended goal of swift security vulnerability mitigation. This step typically includes validating the reported vulnerability or compromise.
Identified Mitigations and Testing
The SRP must include a defined process for identifying and testing mitigations prior to deployment. These details should include both short-term mitigations as well as the remediation process.
Mitigation and Remediation Timelines
The SRP must include levels of response to identified vulnerabilities that define the expected timelines for repair based on severity and impact to consumer, brand, and company. These response guidelines should be carefully mapped to level of severity determined for the reported vulnerability.
Policy Compliance
Compliance Measurement
Each business unit must be able to demonstrate they have a written SRP in place, and that it is under version control and is available via the web. The policy should be reviewed annually.
Exceptions
Any exception to this policy must be approved by the Infosec Team in advance and have a written record.
Non-Compliance
Any business unit found to have violated this policy (no SRP developed prior to service or product deployment) may be subject to delays in service or product release until such a time as the SRP is developed and approved. Responsible parties may be subject to disciplinary action, up to and including termination of employment, should a security incident occur in the absence of an SRP.
Software Installation Policy
Employees may decide what software to install on MINDIT SERVICES computing devices operated within the MINDIT SERVICES network as long as the software meets the following criteria:
It is included in the Mindit Services approved tools
It is an open-source or licensed tool and is considered secure according to international law
Software requests for tools that are not included in the approved tools must first be approved by the requester's manager and then be made to the Information Technology department via email for security confirmation. Should a license need to be purchased, the Project Manager role will send a written request to accounting@mindit.io for budget approval and acquisition.
The Information Technology and Office Admin team will obtain and track the licenses, test new software for conflict and compatibility, and may perform the installation in case the employee needs assistance.
Policy Compliance
Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walkthroughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Clean Desk Policy
Employees are required to ensure that all sensitive/confidential information in hardcopy or electronic form is secure in their work area at the end of the day and when they are expected to be gone for an extended period.
Computer workstations must be locked when workspace is unoccupied.
Computer workstations must be shut completely down at the end of the workday.
Any Restricted or Sensitive information must be removed from the desk and locked in a drawer when the desk is unoccupied and at the end of the workday.
File cabinets containing Restricted or Sensitive information must be kept closed and locked when not in use or when not attended.
Keys used for access to Restricted or Sensitive information must not be left at an unattended desk.
Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location.
Printouts containing Restricted or Sensitive information should be immediately removed from the printer.
Upon disposal, Restricted and/or Sensitive documents should be shredded in the official shredder bins or placed in the locked confidential disposal bins.
Whiteboards containing Restricted and/or Sensitive information should be erased.
Treat mass storage devices such as CDROM, DVD or USB drives as sensitive and secure them in a locked drawer.
All printers and fax machines should be cleared of papers as soon as they are printed; this helps ensure that sensitive documents are not left in printer trays for the wrong person to pick up.
Policy Compliance
Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walkthroughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Social Engineering Awareness Policy
This policy has two purposes:
To make employees aware that (a) fraudulent social engineering attacks occur, and (b) there are procedures that employees can use to detect attacks.
Employees are made aware of techniques used for such attacks, and they are given standard procedures to respond to attacks.
Employees know who to contact in these circumstances.
Employees recognize they are an important part of MINDIT SERVICES’s security. The integrity of an employee is the best line of defense for protecting sensitive information regarding MINDIT SERVICES’s resources.
To create specific procedures for employees to follow to help them make the best choice when:
Someone is contacting the employee - via phone, in person, email, or online - and covertly trying to collect MINDIT SERVICES's sensitive information.
The employee is being "socially pressured" or "socially encouraged or tricked" into sharing sensitive data.
Sensitive information of MINDIT SERVICES will not be shared with an unauthorized individual if he/she uses words and/or techniques such as the following:
An “urgent matter”
A “forgotten password”
A “computer virus emergency”
Any form of intimidation from “higher level management”
Any "name dropping" by the individual that gives the appearance that the request is coming from legitimate and authorized personnel.
The requester requires release of information that will reveal passwords, model, serial number, or brand or quantity of MINDIT SERVICES resources.
The techniques are used by an unknown (not promptly verifiable) individual via phone, email, online, fax, or in person.
The techniques are used by a person that declares to be "affiliated" with MINDIT SERVICES such as a sub-contractor.
The techniques are used by an individual who claims to be a reporter for a well-known press, TV, or radio company.
The requester is using flattery aimed at ego and vanity, for example, rewarding the front desk employee with compliments about his/her intelligence or capabilities, or making inappropriate greetings (coming from a stranger).
All employees MUST attend the security awareness training within 30 days from the date of employment and every 6 months thereafter.
If one or more of the circumstances described in the sections above are detected, the identity of the requester MUST be verified before continuing the conversation or replying by email, phone, or online.
If the identity of the requester described in the section above CANNOT be promptly verified, the employee MUST immediately contact his/her supervisor or direct manager.
If the supervisor or manager is not available, that employee MUST contact the security personnel.
If the security personnel are not available, the employee MUST immediately end the conversation, email, or online chat with the requester, and report the episode to his/her supervisor before the end of the business day.
Compliance Measurement
The Infosec team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
All wireless infrastructure devices that reside at a MINDIT SERVICES site and connect to a MINDIT SERVICES network, or provide access to information classified as MINDIT SERVICES Confidential or above, must:
• Abide by the standards specified in the Wireless Communication Standard.
• Be installed, supported, and maintained by an approved support team.
• Use MINDIT SERVICES approved authentication protocols and infrastructure.
• Use MINDIT SERVICES approved encryption protocols.
• Maintain a hardware address (MAC address) that can be registered and tracked.
• Not interfere with wireless access deployments maintained by other support organizations.
Home Wireless Device Requirements
Wireless infrastructure devices that provide direct access to the MINDIT SERVICES corporate network must conform to the Home Wireless Device Requirements as detailed in the Wireless Communication Standard.
Wireless infrastructure devices that fail to conform to the Home Wireless Device Requirements must be installed in a manner that prohibits direct access to the MINDIT SERVICES corporate network. Access to the MINDIT SERVICES corporate network through this device must use standard remote access authentication.
Compliance Measurement
The Infosec team will verify compliance with this policy through various methods, including but not limited to periodic walkthroughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Senior leaders and executives within MINDIT SERVICES must set a prime example. In any business practice, honesty and integrity must be top priority for executives.
Executives must have an open-door policy and welcome suggestions and concerns from employees. This will allow employees to feel comfortable discussing any issues and will alert executives to concerns within the work force.
Executives must disclose any conflicts of interest regarding their position within MINDIT SERVICES.
MINDIT SERVICES employees will treat everyone fairly, have mutual respect, promote a team environment, and avoid the intent and appearance of unethical or compromising practices.
Every employee needs to apply effort and intelligence in maintaining ethical values.
Employees must disclose any conflicts of interest regarding their position within MINDIT SERVICES.
Employees will help MINDIT SERVICES to increase customer and vendor satisfaction by providing quality products and timely responses to inquiries.
Employees should ask themselves the following questions when any behavior is questionable:
Is the behavior legal?
Does the behavior comply with all appropriate MINDIT SERVICES policies?
Does the behavior reflect MINDIT SERVICES values and culture?
Could the behavior adversely affect company stakeholders?
Would you feel personally concerned if the behavior appeared in a news headline?
Could the behavior adversely affect MINDIT SERVICES if all employees did it?
Promotion of ethical conduct within interpersonal communications of employees will be rewarded.
MINDIT SERVICES will promote a trustworthy and honest atmosphere to reinforce the vision of ethics within the company.
MINDIT SERVICES will reinforce the importance of the integrity message, and the tone will start at the top. Every employee, manager, and director needs to consistently maintain an ethical stance and support ethical behavior.
Employees at MINDIT SERVICES should encourage open dialogue, get honest feedback, and treat everyone fairly, with honesty and objectivity.
MINDIT SERVICES has established a best practice disclosure committee to make sure the ethical code is delivered to all employees and that concerns regarding the code can be addressed.
Employees are required to recertify their compliance with the Ethics Policy on an annual basis.
MINDIT SERVICES will avoid the intent and appearance of unethical or compromising practice in relationships, actions, and communications.
MINDIT SERVICES will not tolerate harassment or discrimination.
Unauthorized use of company trade secrets and of marketing, operational, personnel, financial, source code, and technical information integral to the success of our company will not be tolerated.
MINDIT SERVICES will not permit impropriety at any time and we will act ethically and responsibly in accordance with laws.
MINDIT SERVICES employees will not use corporate assets or business relationships for personal use or gain.
Compliance Measurement
The MINDIT SERVICES employees will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback.
Exceptions
None.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
MINDIT SERVICES will authorize, develop, and maintain a Pandemic Response Plan addressing the following areas:
The Pandemic Response Plan leadership will be identified as a small team which will oversee the creation and updates of the plan. The leadership will also be responsible for developing internal expertise on the transmission of diseases and other areas such as second wave phenomenon to guide planning and response efforts. However, as with any other critical position, the leadership must have trained alternates that can execute the plan should the leadership become unavailable due to illness.
The creation of a communications plan before and during an outbreak that accounts for congested telecommunications services.
An alert system based on monitoring of World Health Organization (WHO), the Centers for Disease Control (CDC) and other Federal, State and Local sources of information on the risk of a pandemic disease outbreak.
A predefined set of emergency policies that will preempt normal MINDIT SERVICES policies for the duration of a declared pandemic. These emergency policies are to be organized into different levels of response that match the level of business disruption expected from a possible pandemic disease outbreak within the community. These policies should address all tasks critical to the continuation of the company including:
How people will be paid
Where people will work – including staying home with or bringing kids to work
How people will accomplish their tasks if they cannot get to the office
What work will be suspended during the pandemic
Communication plan and cadence throughout the pandemic
Alternate means to communicate during the pandemic
What operational procedures may need to be altered, amended, or suspended, such as those over facilities, visitors, and non-essential activities and events
A set of indicators for management that will aid them in selecting an appropriate level of response for the organization, bringing into effect the related policies discussed above. There should be a graduated level of response related to the WHO pandemic alert level or other authoritative indicators of a disease outbreak.
An employee training process covering personal protection including:
Identifying and broadly communicating the symptoms of exposure
The concept of disease clusters in daycares, schools, or other large gatherings
Basic prevention - keeping a distance of at least 6 feet, covering coughs, and hand washing
When to stay home along with encouragement to do so
Avoiding travel to all areas with high infection rates
A process for the identification of employees with first responders or medical personnel in their household. These people, along with single parents, have a higher likelihood of unavailability due to illness or childcare issues.
A process to identify key personnel for each critical business function and transition their duties to others in the event they become ill or unable to perform their respective duties.
A list of supplies to be kept on hand or pre-contracted for supply, such as face masks, hand sanitizer, fuel, food, and water.
IT related issues:
Ensure enterprise architects are including pandemic contingency in planning
Verification of the ability to support significantly increased telecommuting, including bandwidth, VPN concentrator capacity/licensing, the ability to offer voice over IP, and laptop/remote desktop availability
Increased use of virtual meeting tools that facilitate video conference and desktop sharing capabilities
Identify what tasks cannot be done remotely
Pre-negotiated arrangements with key vendors in the event that current licensing will not meet this change in work force habits
Determine if any IT colleagues need to remain onsite to support critical operations
Plan for how customers will interact with the organization in different ways
Expectations concerning printing work documents on personal printers
Expectations about sending work emails and documents to personal email accounts
The creation of exercises to test the plan.
Performing a retrospective review to identify and solve for issues encountered in the test
The process and frequency of plan updates and review at least annually with appropriate approvals or sign-off from organizational leadership or oversight.
Guidance for auditors indicating that any review of the business continuity plan or enterprise architecture should assess whether they appropriately address the MINDIT SERVICES Pandemic Response Plan.
Compliance Measurement
The Infosec team will verify compliance with this policy through various methods, including but not limited to periodic walkthroughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exception to this policy must be approved by the MINDIT SERVICES leadership team in advance and revalidated annually.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.