Information Technology (IT) is an integral and critical component of the daily business of Polymatiks LTD. (“Polymatiks”). This policy seeks to ensure that Polymatiks’ IT resources efficiently serve the primary business functions of Polymatiks, provide security for Polymatiks’ and members’ electronic data, and comply with federal and other regulations.
IT resources include hardware (computers, servers, peripherals), software (licensed applications, operating systems), network equipment (routers, firewalls, wiring), and IT personnel. The integrity of all IT resources is extremely important to the successful operation of Polymatiks’ business. All computer equipment, peripherals, and software are Polymatiks property and are provided for business purposes.
Proper use and control of computer resources is the responsibility of all employees. Intentional or reckless violation of established policies or improper use of Polymatiks computers will result in corrective action up to and including termination. Employees should also be aware that any work completed on Polymatiks computers is subject to monitoring and review, and they should not expect their communications to be private.
This Policy supersedes any previous security policies of Polymatiks.
Data, electronic file content, information systems, and computer systems at Polymatiks must be managed as valuable organization resources.
This policy is not intended to impose restrictions that are contrary to Polymatiks’ established culture of openness, trust, and integrity. It is intended to protect Polymatiks’ authorized users, partners, and the company from illegal or damaging actions by individuals, whether taken knowingly or unknowingly.
Internet/Intranet/Extranet-related systems, including, but not limited to, computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and File Transfer Protocol (FTP) are the property of Polymatiks. These systems are to be used for business purposes in serving the interests of Polymatiks and of its clients and members during normal operations.
Effective security is a team effort involving the participation and support of every Polymatiks employee, volunteer, and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines and to conduct activities accordingly.
This policy applies to the use of information, electronic and computing devices, and network resources to conduct Polymatiks business or to interact with internal networks and business systems, whether owned or leased by Polymatiks, the employee, or a third party.
All employees, volunteer/directors, contractors, consultants, temporaries, and other workers at Polymatiks, including all personnel affiliated with third parties, are responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with Polymatiks policies and standards, local laws, and regulations.
The purpose of this section is to outline the acceptable use of computer equipment at Polymatiks. These rules are in place to protect the authorized user and Polymatiks.
Inappropriate use exposes Polymatiks to risks including virus attacks, compromise of network systems and services, and legal issues.
Authorized users are accountable for all activity that takes place under their username. Authorized users should be aware that the data and files they create on the corporate systems immediately become the property of Polymatiks. Because of the need to protect Polymatiks’ network, there is no guarantee of privacy or confidentiality of any information stored on any network device belonging to Polymatiks. For security and network maintenance purposes, authorized individuals within the Polymatiks IT Department may monitor equipment, systems, and network traffic at any time. Polymatiks’ IT Department reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Polymatiks’ IT Department reserves the right to remove any non-business related software or files from any system. Examples of non-business related software or files include, but are not limited to: games, instant messengers, POP email, music files, image files, freeware, and shareware.
Authorized users may access, use, or share Polymatiks proprietary information only to the extent it is authorized and necessary to fulfill the user’s assigned job duties.
All PCs, laptops, and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less. All users must lock their PCs, laptops, and workstations whenever the host will be unattended for any amount of time. Employees must log off or restart their PC after their shift.
Polymatiks proprietary information stored on electronic and computing devices, whether owned or leased by Polymatiks, the employee, or a third party, remains the sole property of Polymatiks. All proprietary information must be protected through legal or technical means. All users are responsible for promptly reporting the theft, loss, or unauthorized disclosure of Polymatiks proprietary information to their immediate supervisor and/or the IT Department.
All users must report any weaknesses in Polymatiks computer security and any incidents of possible misuse or violation of this agreement to their immediate supervisor and/or the IT Department. Authorized users must use extreme caution when opening email attachments received from unknown senders, which may contain viruses, email bombs, or Trojan horse code.
Users must not intentionally access, create, store, or transmit material which Polymatiks may deem to be offensive, indecent, or obscene. Under no circumstances is an employee, volunteer/director, contractor, consultant, or temporary employee of Polymatiks authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing Polymatiks-owned resources.
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Polymatiks’ entire corporate network. As such, all Polymatiks employees or volunteers/directors (including contractors and vendors with access to Polymatiks systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
The purpose of this section is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.
Passwords for Polymatiks network access must be implemented according to the following guidelines:
Computer accounts are the means used to grant access to Polymatiks’ information systems. These accounts provide accountability for usage of Polymatiks systems, which is a key element of any computer security program. This means that creating, controlling, and monitoring all computer accounts is extremely important to an overall security program.
The purpose of this section is to establish a standard for the creation, administration, use, and removal of accounts that facilitate access to information and technology resources at Polymatiks.
The purpose of this section is to establish standards for periodic vulnerability assessments. This policy reflects Polymatiks’ commitment to identify and implement security controls that will keep risks to information system resources at reasonable and appropriate levels.
The operating system or environment for all information system resources must undergo a regular vulnerability assessment. This standard empowers the IT Department to perform periodic security risk assessments to determine areas of vulnerability and to initiate appropriate remediation. All employees are expected to cooperate fully with any risk assessment.
Vulnerabilities to the operating system or environment for information system resources must be identified and corrected to minimize the risks associated with them. Audits may be conducted to:
To ensure these vulnerabilities are adequately addressed, the operating system or environment for all information system resources must undergo an authenticated vulnerability assessment. The frequency of these vulnerability assessments will be dependent on the operating system or environment, the information system resource classification, and the data classification of the data associated with the information system resource.
The following security assessment levels shall be established:
Retesting will be performed to ensure the vulnerabilities have been corrected. An authenticated scan will be performed either by a third-party vendor or with an in-house product.
All data collected and/or used as part of the Vulnerability Assessment Process and related procedures will be formally documented and securely maintained. IT leadership will report vulnerability scan results and ongoing correction or mitigation progress to senior management for consideration and reporting to the Board of Directors.
The purpose of this section is to establish rules for the use of Polymatiks email for sending, receiving, or storing of electronic mail.
Individuals involved may be held liable for:
Corporate email is not private. Users expressly waive any right of privacy in anything they create, store, send, or receive on Polymatiks’ computer systems. Polymatiks may, but is not obliged to, monitor emails without prior notification. All emails, files, and documents – including personal emails, files, and documents – are owned by Polymatiks, may be subject to open records requests, and may be accessed in accordance with this policy.
Incoming email must be treated with the utmost care due to the inherent information security risks. An anti-virus application is used to identify malicious code(s) or files. All email is subjected to inbound filtering of email attachments to scan for viruses, malicious code, or spam. Spam will be quarantined for the user to review for relevancy. Introducing a virus or malicious code to Polymatiks systems could wreak havoc on the ability to conduct business. If the automatic scanning detects a security risk, IT must be immediately notified.
Anti-spoofing practices have been initiated for detecting spoofed emails. Employees should be diligent in identifying a spoofed email. If email spoofing has occurred, IT must be immediately notified.
Incoming emails are scanned for malicious file attachments. If an attachment is identified as having an extension known to be associated with malware, as prone to abuse by malware or bad actors, or as otherwise posing heightened risk, the attachment will be removed from the email prior to delivery.
Email rejection is achieved by maintaining a list of domains and IP addresses associated with malicious actors. Any incoming email originating from a known malicious actor will not be delivered. Any email account misbehaving by sending out spam will be shut down. A review of the account will be performed to determine the cause of the actions.
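The two inbound controls described above (rejection of mail from listed sender domains or source networks, and removal of attachments whose extension is on a risk list) can be illustrated with the following added example. It is not Polymatiks’ code or configuration: the extension set, the blocklists, the `X-Filter-Removed` header name, and the sample message are all constructed for the example.

```python
"""Added example (not Polymatiks' code): inbound mail filtering as described
in the policy. First reject mail from listed sender domains or source networks,
then strip attachments whose extension is on a risk list.

The extension set, the blocklists, the X-Filter-Removed header name and the
sample message are all constructed for this example."""
from __future__ import annotations

import ipaddress
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed list of extensions commonly abused for malware delivery.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".iso"}
# Constructed reputation lists (hypothetical values; 203.0.113.0/24 is TEST-NET-3).
BLOCKED_DOMAINS = {"bad-actor.example"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def is_rejected(sender: str, connecting_ip: str) -> bool:
    """True if the sender domain or the connecting address is on a blocklist."""
    _, address = parseaddr(sender)          # handles "Name <user@domain>" too
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in BLOCKED_DOMAINS:
        return True
    ip = ipaddress.ip_address(connecting_ip)
    return any(ip in net for net in BLOCKED_NETWORKS)


def risky_extension(filename: str) -> bool:
    """endswith() also catches double extensions such as 'invoice.pdf.exe'.
    Archives are not opened here, so files nested in a zip are out of scope."""
    name = filename.lower().strip()
    return any(name.endswith(ext) for ext in RISKY_EXTENSIONS)


def _prune(part: EmailMessage, removed: list[str]) -> None:
    """Recursively drop risky attachments from a (possibly nested) multipart."""
    if not part.is_multipart():
        return
    kept = []
    for sub in part.get_payload():
        fname = sub.get_filename()
        if fname and risky_extension(fname):
            removed.append(fname)
        else:
            _prune(sub, removed)
            kept.append(sub)
    part.set_payload(kept)


def strip_risky_attachments(raw: bytes) -> tuple[EmailMessage, list[str]]:
    """Parse a raw message, remove risky attachments, and record what was removed
    in a (constructed) X-Filter-Removed header so the recipient is told."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed: list[str] = []
    _prune(msg, removed)
    if removed:
        msg["X-Filter-Removed"] = ", ".join(removed)
    return msg, removed


def filter_inbound(raw: bytes, connecting_ip: str) -> tuple[str, list[str]]:
    """Apply the controls in policy order: reject first, then strip attachments.
    Returns ('rejected' | 'delivered', names of removed attachments)."""
    msg = message_from_bytes(raw, policy=policy.default)
    if is_rejected(msg["From"] or "", connecting_ip):
        return "rejected", []
    _, removed = strip_risky_attachments(raw)
    return "delivered", removed


# Constructed sample message: a benign PDF plus a double-extension executable.
SAMPLE_MESSAGE = b"""\
From: invoices@example.net
To: staff@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Please see attached.
--B1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--B1
Content-Type: application/pdf
Content-Disposition: attachment; filename="terms.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--B1--
"""

if __name__ == "__main__":
    print(filter_inbound(SAMPLE_MESSAGE, "198.51.100.7"))
    print(filter_inbound(SAMPLE_MESSAGE, "203.0.113.9"))
```

Rejection runs before attachment stripping so that mail from a listed actor is never parsed further than its headers; the removal header gives the recipient a record of what the filter took out, which is the information IT needs when the user reports a missing attachment.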
Email is to be used for business purposes and in a manner that is consistent with other forms of professional business communication. All outgoing attachments are automatically scanned for viruses and malicious code. The transmission of a harmful attachment can not only cause damage to the recipient’s system, but also harm Polymatiks’ reputation.
The following activities are prohibited by policy:
Users must not email passwords, social security numbers, account numbers, PINs, dates of birth, mother’s maiden name, etc. to parties outside the Polymatiks network without encrypting the data. All user activity on Polymatiks information system assets is subject to logging and review. Polymatiks has software and systems in place to monitor email usage.
Email users must not give the impression that they are representing, giving opinions, or otherwise making statements on behalf of Polymatiks, unless appropriately authorized (explicitly or implicitly) to do so. Users must not send, forward, or receive confidential or sensitive Polymatiks information through non-Polymatiks email accounts.
Examples of non-Polymatiks email accounts include, but are not limited to, Outlook, Gmail, Yahoo mail, and email provided by other Internet Service Providers (ISP). Users with non-Polymatiks issued mobile devices must adhere to the Mobile/Personal Policy for sending, forwarding, receiving, or storing confidential or sensitive Polymatiks information.
This section was established to help prevent infection of Polymatiks computers, networks, and technology systems from malware and other malicious code. This policy is intended to help prevent damage to user applications, data, files, and hardware.
All computer devices connected to the Polymatiks network and networked resources shall have anti-virus software installed and configured so that the virus definition files are current and are routinely and automatically updated. The anti-virus software must be actively running on these devices.
The virus protection software must not be disabled or bypassed without IT approval. The settings for the virus protection software must not be altered in a manner that will reduce the effectiveness of the software.
The automatic update frequency of the virus protection software must not be altered to reduce the frequency of updates. Each file server attached to the Polymatiks network must utilize Polymatiks approved virus protection software, set up to detect and clean viruses that may infect Polymatiks resources.
All files on computer devices will be scanned periodically for malware. Every virus that is not automatically cleaned by the virus protection software constitutes a security incident and must be reported to the Service Desk. If deemed necessary to prevent propagation to other networked devices or detrimental effects to the network or data, an infected computer device may be disconnected from the Polymatiks network until the infection has been removed.
Users should:
Back up critical data on a regular basis and store the data in a safe place. Critical Polymatiks data can be saved to network drives, which are backed up on a periodic basis.
Each Polymatiks application must be accessed via HTTPS using Transport Layer Security (TLS). TLS is a cryptographic protocol designed to protect information transmitted over the internet, against eavesdropping, tampering, and message forgery.
All stored Data must be encrypted at rest, using at minimum AES-256, military-grade encryption. This is done to protect Data in the event a Polymatiks server is compromised by an unauthorized party.
This section defines the requirement for reporting and responding to incidents related to Polymatiks information systems and operations. Incident response provides Polymatiks with the capability to identify when a security incident occurs. If monitoring were not in place, the magnitude of harm associated with the incident would be significantly greater than if the incident were noted and corrected.
Polymatiks management must prepare, periodically update, and regularly test emergency response plans that provide for the continued operation of critical computer and communication systems in the event of an interruption or degradation of service.
The Polymatiks incident response plan must include roles, responsibilities, and communication strategies in the event of a compromise, including notification of relevant external partners. Specific areas covered in the plan include:
At least once every year, the IT Department must utilize simulated incidents to mobilize and test the adequacy of response. Where appropriate, tests will be integrated with testing of related plans (Business Continuity Plan, Disaster Recovery Plan, etc.) where such plans exist. The results of these tests will be documented and shared with key stakeholders.
A security incident response capability will be developed and implemented for all information systems that house or access Polymatiks controlled information. The incident response capability will include a defined plan and will address the seven stages of incident response:
To facilitate incident response operations, responsibility for incident handling operations will be assigned to an incident response team. If an incident occurs, the members of this team will be charged with executing the incident response plan. To ensure that the team is fully prepared for its responsibilities, all team members will be trained in incident response operations on an annual basis.
Incident response plans will be reviewed and, where applicable, revised on an annual basis. The reviews will be based upon the documented results of previously conducted tests or live executions of the incident response plan. Upon completion of plan revision, updated plans will be distributed to key stakeholders.
Steps followed will vary based on scope and severity of a malicious code incident as determined by Information Security Management. They may include but are not limited to: malware removal with one or more tools, data quarantine, permanent data deletion, hard drive wiping, or hard drive/media destruction.
Polymatiks management should prepare, test, and annually update the Incident Response Plan that addresses policies and procedures for responding in the event of a breach of sensitive customer data.
The Incident Response Plan must be updated to reflect the lessons learned from actual incidents and developments in the industry.
If a verifiable information systems security problem, or a suspected but likely information security problem, has caused third party private or confidential information to be exposed to unauthorized persons, these third parties must be immediately informed about the situation. If sensitive information is lost, disclosed to unauthorized parties, or suspected of being lost or disclosed to unauthorized parties, both its Owner and the Security Officer must be notified immediately.
Most components of the IT infrastructure at Polymatiks are capable of producing logs chronicling their activity over time. These logs often contain very detailed information about the activities of applications and the layers of software and hardware that support those applications. Logging from critical systems, applications, and services can provide key information and potential indicators of compromise, and is critical for forensic analysis.
With proper management, logs can be of great benefit in a variety of scenarios, enhancing security, system performance, resource management, and regulatory compliance. Polymatiks will perform a periodic risk assessment to determine what information may be captured from the following:
Logs often contain information that, if misused, could represent an invasion of the privacy of members of Polymatiks. While it is necessary for Polymatiks to perform regular collection and monitoring of these logs, this activity should be done in the least invasive manner.
When logs document or contain valuable information related to activities of Polymatiks’ information resources or the people who manage those resources, they are Polymatiks Administrative Records, subject to the requirements of Polymatiks to ensure that they are appropriately managed and preserved and can be retrieved as needed.
To facilitate investigations, as well as to protect privacy, the retention of log records should be well defined to provide an appropriate balance among the following:
Care should be taken not to retain log records that are not needed. The cost of long-term retention can be significant and could expose Polymatiks to high costs of retrieving and reviewing the otherwise unneeded records in the event of litigation.
The purpose of this section is to define standards for connecting to Polymatiks’ network from any host. These standards are designed to minimize the potential exposure to Polymatiks from damages that may result from unauthorized use of Polymatiks resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical Polymatiks internal systems, etc. Remote access implementations that are covered by this policy include, but are not limited to, VPN, SSH, and cable modems.
Users are permitted to use only those network addresses assigned to them by Polymatiks’ IT Department. All remote access to Polymatiks will either be through a secure VPN connection on a Polymatiks owned device that has up-to-date anti-virus software, or on approved mobile devices (see the Mobile/Personal Device section of this Security Policy). Remote users may connect to Polymatiks Information Systems using only protocols approved by IT.
Users inside the Polymatiks firewall may not be connected to the Polymatiks network at the same time a remote connection is used to an external network. Users must not extend or re-transmit network services in any way. This means a user must not install a router, switch, hub, or wireless access point to the Polymatiks network without Polymatiks IT approval.
Users must not install network hardware or software that provides network services without Polymatiks IT approval. Non-Polymatiks computer systems that require network connectivity must be approved by Polymatiks IT. Users must not download, install, or run security programs or utilities that reveal weaknesses in the security of a system. For example, Polymatiks users must not run password cracking programs, packet sniffers, network mapping tools, or port scanners while connected in any manner to the Polymatiks network infrastructure. Only the IT Department is permitted to perform these actions.
Security vulnerabilities are inherent in computing systems and applications. These flaws allow the development and propagation of malicious software, which can disrupt normal business operations, in addition to placing Polymatiks at risk.
In order to effectively mitigate this risk, software “patches” are made available to remove a given security vulnerability. Given the number of computer workstations and servers that comprise the Polymatiks network, it is necessary to utilize a comprehensive patch management solution that can effectively distribute security patches when they are made available.
Effective security is a team effort involving the participation and support of every Polymatiks employee and the Board of Directors. This section provides direction, establishes goals, enforces governance, and outlines compliance.
Almost all operating systems and many software applications have periodic security patches, released by the vendor, that need to be applied. Patches that are security-related or critical in nature should be installed as soon as possible.
IT is responsible for providing a secure network environment for Polymatiks. It is Polymatiks’ policy to ensure all computer devices (including servers, desktops, printers, etc.) connected to Polymatiks’ network have the most recent operating system, security, and application patches installed.
Every user, both individually and within the organization, is responsible for ensuring prudent and responsible use of computing and network resources. IT is responsible for ensuring all known and reasonable defenses are in place to reduce network vulnerabilities, while keeping the network operating.
IT Management and Administrators are responsible for monitoring security mailing lists, reviewing vendor notifications and Web sites, and researching specific public Web sites for the release of new patches. Monitoring will include, but not be limited to:
The IT Security and System Administrators are responsible for maintaining accuracy of patching procedures which detail the what, where, when, and how to eliminate confusion, establish routine, provide guidance, and enable practices to be auditable. Documenting the implementation details provides the specifics of the patching process, which includes specific systems or groups of systems and the timeframes associated with patching. Once alerted to a new patch, IT Administrators will download and review the new patch. The patch will be categorized by criticality to assess the impact and determine the installation schedule.
The use of external social media (e.g., Facebook, LinkedIn, Twitter, YouTube) within organizations for business purposes is increasing. Polymatiks faces exposure of a certain amount of information that can be visible to friends of friends from social media. While this exposure is a key mechanism driving value, it can also create an inappropriate conduit for information to pass between personal and business contacts. Tools to establish barriers between personal and private networks and tools to centrally manage accounts are only beginning to emerge. Involvement by the IT Department for security, privacy, and bandwidth concerns is of utmost importance.
Polymatiks encourages the use of social media as a channel for business communication, consistent with its corporate marketing and communications strategy. It is the policy of Polymatiks to establish guidelines for safe social media usage with respect to protecting Polymatiks information. The safety and confidentiality of information is vital to Polymatiks’ success. Polymatiks has established this policy to set parameters and controls related to Polymatiks Official’s usage of social media websites.
All requests for a Polymatiks Official’s use of external social media, on behalf of Polymatiks, must be submitted to the Senior Management Team. Polymatiks may allow access to select pre-approved social media websites. Polymatiks Officials may only access these sites in a manner consistent with Polymatiks’ security protocols and Polymatiks Officials may not circumvent IT Security protocols to access social media sites.
Use of personal social media accounts and user IDs, for Polymatiks use, is prohibited. Use of Polymatiks social media user IDs, for personal use, is prohibited. Use of Polymatiks email addresses to register on social networks, blogs, or other online tools utilized for personal use is prohibited.
Examples of prohibited use of company User IDs include:
If these tools are accessed, incidental personal use of them is permitted. In general, Polymatiks will limit the access of social media sites to Polymatiks Officials who use it on behalf of Polymatiks. Excessive personal use of any Internet tool during work time is not permitted and access privileges may be revoked for abuse of the system.
Polymatiks prohibits taking negative action against any Polymatiks Official for reporting a possible deviation from this policy or for cooperating in an investigation. Any Polymatiks Official who retaliates against another Polymatiks Official for reporting a possible deviation from this policy or for cooperating in an investigation will be subject to disciplinary action, up to and including termination of employment at Polymatiks or removal from the Board of Directors.
This section defines the standards, procedures, and restrictions for end users who have legitimate business requirements to access corporate data using their personal device. This policy applies to, but is not limited to, any mobile devices owned by any users listed above participating in the Polymatiks BYOD program that contain stored data owned by Polymatiks, and all devices and accompanying media that fit the following device classifications:
The following criteria will be considered initially, and on a continuing basis, to determine if Polymatiks employees are eligible to connect a personal smart device to the Polymatiks network.
Polymatiks’ IT Department reserves the right to:
System monitoring and auditing are used to determine if inappropriate actions have occurred within an information system. System monitoring looks for these actions in real time, while system auditing looks for them after the fact.
Information systems will be configured to record login/logout and all administrator activities into a log file. Additionally, information systems will be configured to notify administrative personnel if inappropriate, unusual, and/or suspicious activity is noted. Inappropriate, unusual, and/or suspicious activity will be fully investigated by appropriate administrative personnel and findings reported to the VP of IT or COO.
Information systems are to be provided with sufficient primary (on-line) storage to retain 30 days’ worth of log data and sufficient secondary (off-line) storage to retain one year’s worth of data. If primary storage capacity is exceeded, the information system will be configured to overwrite the oldest logs. In the event of other logging system failures, the information system will be configured to notify an administrator.
System logs shall be manually reviewed weekly. Inappropriate, unusual, and/or suspicious activity will be fully investigated by appropriate administrative personnel and findings reported to appropriate security management personnel. System logs are considered confidential information. As such, all access to system logs and other system audit information requires prior authorization and strict authentication. Further, access to logs or other system audit information will be captured in the logs.
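The monitoring requirements above (login/logout and administrator activity recorded, suspicious activity flagged for investigation, 30 days of on-line retention, and access to the logs itself logged) can be illustrated with the following added example of a weekly review helper. It is not Polymatiks’ tooling: the log line format, the thresholds, the business-hours window, and the sample log lines are all constructed for the example.

```python
"""Added example (not Polymatiks' tooling): a weekly log review helper for the
monitoring controls in the policy. The line format, thresholds, business-hours
window and sample lines are constructed for this example."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed line format: "<iso ts> host=<h> user=<u> event=<e> [result=<r>] [src=<ip>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+)"
    r"(?: result=(?P<result>\S+))?(?: src=(?P<src>\S+))?$"
)
ADMIN_EVENTS = {"sudo", "useradd", "usermod", "log_access"}   # constructed
FAILED_LOGIN_THRESHOLD = 5                                     # constructed
FAILED_LOGIN_WINDOW = timedelta(minutes=10)                    # constructed
BUSINESS_HOURS = range(8, 19)                                  # 08:00-18:59 UTC
ONLINE_RETENTION = timedelta(days=30)                          # from the policy


@dataclass
class Entry:
    ts: datetime
    host: str
    user: str
    event: str
    result: str | None
    src: str | None


def parse_line(line: str) -> Entry | None:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Entry(ts, m["host"], m["user"], m["event"], m["result"], m["src"])


def review(lines: list[str]) -> list[str]:
    """Return the findings a reviewer should investigate."""
    entries = [e for e in map(parse_line, lines) if e]
    alerts: list[str] = []

    # Rule 1: a burst of failed logins from one source inside the window.
    fails: dict[str, list[datetime]] = defaultdict(list)
    for e in entries:
        if e.event == "login" and e.result == "fail" and e.src:
            fails[e.src].append(e.ts)
    for src, times in fails.items():
        times.sort()
        for i in range(len(times)):
            j = i + FAILED_LOGIN_THRESHOLD - 1
            if j < len(times) and times[j] - times[i] <= FAILED_LOGIN_WINDOW:
                alerts.append(f"{FAILED_LOGIN_THRESHOLD}+ failed logins from {src} "
                              f"within {FAILED_LOGIN_WINDOW}")
                break

    # Rule 2: administrator activity outside business hours.
    for e in entries:
        if e.event in ADMIN_EVENTS and e.ts.hour not in BUSINESS_HOURS:
            alerts.append(f"off-hours admin activity: {e.user} ran {e.event} "
                          f"on {e.host} at {e.ts.isoformat()}")
    return alerts


def prune_for_retention(lines: list[str], now: datetime) -> tuple[list[str], list[str]]:
    """Split lines into (keep on-line, move to off-line storage) per the 30-day rule."""
    keep, archive = [], []
    for line in lines:
        e = parse_line(line)
        if e and now - e.ts > ONLINE_RETENTION:
            archive.append(line)
        else:
            keep.append(line)
    return keep, archive


def record_log_access(user: str, host: str, when: datetime) -> str:
    """The policy requires access to the logs to be logged; emit that line."""
    return f"{when.strftime('%Y-%m-%dT%H:%M:%SZ')} host={host} user={user} event=log_access"


# Constructed sample: one stale line, normal activity, off-hours sudo, a login burst.
SAMPLE_LOG = """\
2024-03-28T09:00:00Z host=srv1 user=alice event=login result=ok src=10.0.0.5
2024-05-06T10:00:00Z host=srv1 user=alice event=login result=ok src=10.0.0.5
2024-05-06T10:30:00Z host=srv1 user=alice event=logout
2024-05-07T02:13:44Z host=srv1 user=bob event=sudo
2024-05-07T03:00:01Z host=srv2 user=root event=login result=fail src=198.51.100.7
2024-05-07T03:00:09Z host=srv2 user=root event=login result=fail src=198.51.100.7
2024-05-07T03:00:18Z host=srv2 user=root event=login result=fail src=198.51.100.7
2024-05-07T03:00:27Z host=srv2 user=root event=login result=fail src=198.51.100.7
2024-05-07T03:00:36Z host=srv2 user=root event=login result=fail src=198.51.100.7
2024-05-08T14:05:00Z host=srv1 user=carol event=log_access
""".splitlines()
NOW = datetime(2024, 5, 13, tzinfo=timezone.utc)   # constructed review date

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
    kept, archived = prune_for_retention(SAMPLE_LOG, NOW)
    print(f"{len(kept)} lines stay on-line, {len(archived)} move off-line")
```

The two rules are deliberately simple; the point is that each finding names the user, host, source and time a reviewer needs to open an investigation, and that the retention split is computed from the same parsed timestamps rather than from file age.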
Access to Polymatiks networks is permitted on wireless systems that have been granted an exclusive waiver by IT for connectivity to Polymatiks’ networks. This section covers any form of wireless communication device capable of transmitting packet data. Wireless devices and/or networks without any connectivity to Polymatiks’ networks do not fall under the review of this policy. All wireless LAN access must use Polymatiks approved vendor products and security configurations.
To maintain the security and privacy of employees’ and members’ personal information, Polymatiks employees should observe the “clean desk” rule. All employees should take appropriate actions to prevent unauthorized persons from having access to member information, applications, or data. Employees are also required to make a conscientious check of their surrounding work environment to ensure that there will be no loss of confidentiality of data media or documents.
The clean desk policy applies to: