This policy is to ensure that compliance risks are identified and adequately mitigated.
CipherCloud’s compliance policy is in accordance with the ISO27001 standard and all legal, regulatory and statutory requirements. Its scope also covers CipherCloud ISMS locations, CipherCloud’s employee structure, roles, responsibilities and any other appropriate information.
Compliance with Legal Requirements
Identification of Applicable Legislation
To avoid any legal or security breaches, CipherCloud will define, document, and comply with all relevant statutory, regulatory, and contractual requirements for each information system.
Each system owner shall implement controls to comply with all relevant statutory, regulatory and contractual requirements for their information system.
System owners shall seek the advice of the Legal or Information Security Officers for all relevant legal and security information.
Care shall be taken to account for different requirements in different locations. CipherCloud’s Legal Officer will determine differences from standing policy for those locations that have differing legal requirements and will work with the Chief Information Security Officer to create exceptions to general policy and specific policies for those jurisdictions.
Intellectual Property Rights
All users at CipherCloud will comply with the legal aspects of intellectual property protection and the rights and limitations of license agreements associated with proprietary software products.
The purpose of the policy is to ensure that users are aware of and comply with such restrictions as copyrights, trademarks, and design rights. Users are responsible for not violating applicable copyright, intellectual property, or other licensing rights of electronic media or software that is not the property of CipherCloud. Furthermore, users are responsible for not using CipherCloud intellectual property outside the limits of CipherCloud policy or licensing.
Failure to abide by these policies will subject the user to disciplinary actions up to and including termination or criminal/civil charges.
Intellectual Property Standards and Training
IT will publish the organization’s standards for software acquisition.
Intellectual Property Rights Protection policies shall be included in all security awareness training.
The Chief Information Security Officer, along with each system owner, shall establish, document and educate applicable users on:
Using Software from Outside Sources
IT will publish the organization’s policies and procedures for obtaining software from public networks.
Users will not download or install any third party pirated software on CipherCloud systems.
Users will not download or install any non-approved software from the Internet. The Chief Information Security Officer will approve specific software for use from the Internet if there is a business need.
Copyrighted Material and Peer-To-Peer File Sharing at CipherCloud
CipherCloud respects the copyrights of those involved in creating and distributing copyrighted material, including music, movies, software and other literary and artistic works. It is the policy of CipherCloud to fully comply with all copyright laws.
CipherCloud provides its employees access to computer systems and the Internet to allow them to do their jobs on behalf of CipherCloud. Employees may make occasional use of the Company’s computer systems and network for personal use.
When CipherCloud employees need to use copyrighted materials to do their jobs, CipherCloud acquires appropriate licenses.
CipherCloud employees may not:
Please note – this is not a policy against MP3 files, or electronic music and video files as such. Rather, the policy is targeted at unauthorized – that is, unlicensed – electronic music and video files. If you downloaded the files from an unlicensed peer-to-peer site (e.g., Morpheus, Grokster, KaZaA, etc.) or other source, then those files are almost certainly not authorized and most likely violate the copyright laws.
CipherCloud reserves the right to:
Data Protection and Privacy of Personal Information
CipherCloud will comply with all applicable laws and regulations regarding the protection of personal data. This will ensure that CipherCloud collects personal information (information that can be used to identify living individuals) in a manner that complies with the law, and processes and disseminates that data in a lawful manner.
The Chief Information Security Officer or a nominated information protection officer shall document policies and procedures that comply with applicable laws and regulations for the handling of personal information for each such instance.
The Chief Information Security Officer shall distribute policies and educate users, managers and service providers on their responsibilities for compliance.
Information owners shall inform the appropriate information protection officer about proposals to keep information in a structured file. The information protection officer shall advise information owners on policies and procedures concerning their protection and storage of such data.
Confidential information entrusted to CipherCloud by members, business partners, suppliers, and other third parties shall be protected in accordance with CipherCloud’s Security Policies and shall be protected with at least the same care as CipherCloud’s confidential information.
Prevention of Misuse of Information Processing Facilities
Users of CipherCloud information processing facilities will utilize these facilities for only management authorized business purposes. CipherCloud reserves the right to legally monitor facilities for compliance.
The purpose of this policy is to protect the availability and integrity of the organization’s information processing facilities, as well as to protect the organization against legal sanction arising from the misuse of computers.
The Chief Information Security Officer shall provide managers with guidelines for the legal monitoring of computer facilities.
Managers of information processing facilities shall monitor the use of such facilities.
If misuse is detected, it shall be brought to the attention of the person’s manager for disciplinary action.
An acceptable use policy will be communicated to users. This policy will be included in the policy acceptance letter that employees sign during orientation. The acceptable use policy will govern permitted and forbidden activities for their location. In all cases, any activity not expressly permitted is forbidden.
At logon, a message shall appear to warn users that they are entering a private system and that unauthorized access is not permitted.
Regulation of Cryptographic Controls
Cryptographic solutions are governed by various export control and use laws and regulations, which vary from country to country. CipherCloud will comply with all applicable agreements, laws, regulations or other instruments that control the use or access of cryptographic controls.
The Legal Officer shall document the restrictions on the use of cryptographic controls including:
The Chief Information Security Officer shall publish, distribute and educate users on applicable restrictions.
Before any encrypted information or cryptographic controls are sent to another country, the Legal Officer shall be consulted.
Reviews of Security Policy and Technical Compliance
Compliance with Security Policy
To maintain the security, integrity and availability of the organization’s information processing assets, CipherCloud will continually monitor the organization’s compliance with its security policies.
The Chief Information Security Officer shall ensure that an annual internal audit takes place. The scope of this audit is a Security Posture assessment for all external/internal routers, firewalls, access points, hosts and offsite facilities for Disaster Recovery and media storage.
Managers shall continually monitor their users’ compliance with the organization’s security policies, procedures, standards and requirements.
Technical Compliance Checking
The Chief Information Security Officer will monitor the organization’s technical compliance with its security implementation standards.
A specialist shall be used for technical compliance checking to ensure that hardware and software security controls have successfully been implemented in operational systems.
The technical compliance checking will be done manually (by a qualified system engineer), with automated software tools or in combination.
A qualified technical specialist shall interpret results of subsequent technical reports.
Penetration testing shall be done by third-party experts as necessary (care shall be taken that a successful penetration test does not compromise the system or exploit other vulnerabilities).
The Chief Information Security Officer shall oversee all technical compliance testing.
Internal Audit Process
CipherCloud IT is instituting an internal audit to add value and improve CipherCloud’s operations. This process helps to accomplish CipherCloud’s objectives with a systematic and disciplined approach.
The Internal Audit Committee is formed with members from Engineering, Operations, Service and Support, Backoffice, and the Chief Information Security Officer. The meeting is held once per month, and intermediate meetings may be held more frequently for closer process control.
As with the external audit process, observations, comments and recommendations will be provided in the audit report, and a follow-up meeting will be held to ensure that the corrective action(s) are taken.
The Chief Information Security Officer shall oversee all technical compliance progress.
Sharing Information with Third Parties
Information intended to be shared with any non-CipherCloud employees is required to be in read-only format. An NDA must be signed and executive pre-approval obtained prior to release of the information.
System Audit Considerations
System Audit Controls
Any agency conducting system audits will carefully plan, agree upon, and expedite system audits so as to minimize the risk of disruption to operational business processes. This will ensure the organization’s compliance with its security requirements while maximizing the availability, integrity and security of the organization’s information resources.
The scope and requirements of all audits shall be controlled and agreed to by management.
Access to any files beyond read only shall be approved by the Chief Information Security Officer. This includes isolated copies of system files. If isolated copies of system files are used, the files shall be destroyed as soon as the audit is completed.
Requirements for additional testing shall be identified and agreed upon by appropriate management.
IT resources shall be identified and made explicitly available for audit assistance.
All access to the system shall be logged to produce a reference trail.
All procedures, responsibilities, requirements and scope shall be documented.
Protection of System Audit Tools
Any agency conducting system audits will protect access to system audit tools (i.e. software or data files). This will protect the security, availability and integrity of the organization’s information resources by ensuring that the organization’s system audit tools are protected from misuse or compromise.
System audit tools shall be separated from operational and development systems unless they are given the added appropriate protection and are authorized by the Chief Information Security Officer.
Users must not test, or attempt to compromise computer or communication system security measures unless specifically approved in advance by the Director of Information Security.
Breach Notification Policy
This policy outlines the process of notifying affected parties and/or individuals of a breach of protected information or unsecured protected health information (PHI) for the purposes of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and/or state breach notification requirements.
Breach Notification Procedure
Any employee who becomes aware of a possible breach of privacy involving Private Information in the custody or control of CipherCloud will immediately inform their supervisor/manager, and the Privacy
Notification should occur immediately upon discovery of a possible breach, or before the end of the reporter’s shift if other duties interfere; in no case should notification occur later than twenty-four (24) hours after discovery.
Containing the Breach
The Privacy Officer will work with departments to take appropriate steps to limit the scope and effect of the breach. Steps may include stopping the affected operational process, recovering affected data, shutting down breached systems and disconnecting them from the network (without destroying any evidence that may help investigate the breach), mitigating the breach, and correcting weaknesses in security protocols, applications, infrastructure and processes. Appropriate internal and external authorities will also be notified if criminal activity is involved.
Investigation and Risk Assessment
To determine what other steps are immediately necessary, the Privacy Officer, in collaboration with CipherCloud Legal Counsel, the affected department(s) and administration, will investigate the circumstances of the breach. Based on the investigation, the team will determine the root cause(s), evaluate risks and develop a resolution path. Based on the risk assessment, size of the breach, legal implications, and other factors, the Privacy Officer will determine the type of notification to be crafted, if any.
The Privacy Officer will work with the department(s) involved, CipherCloud’s Legal Counsel and the Security Incident Response Team to decide the best approach for notification and to determine what may be required by law, such as notice to HHS (Health and Human Services) if the breach involves data for more than 500 individuals. Notices, if required, will be provided no later than 60 days after the discovery of the breach.
Once immediate steps are taken to mitigate the risks associated with the breach, the Privacy Officer will investigate the cause of the breach and put into effect adequate safeguards against further breaches.
Processes and procedures will be reviewed, and the recommendations of a security audit of physical, organizational and technical measures will be incorporated within a reasonable timeframe.
Breach Notification Scope
All managers and supervisors are responsible for enforcing these procedures. Employees who violate these procedures are subject to discipline up to and including termination in accordance with CipherCloud’s Sanction Policy.
All exceptions to this breach policy that are processed require executive pre-approval and are handled on a case-by-case basis.
Please refer to the following URL for additional registry of regulatory, statutory, and contractual requirements.