Information Security Plan
YAMA Security/Cyber Policy
"Yama Industrials, Inc." will be referred to as “Company” or “Company’s” for the purposes of this security document.
The following security policies constitute the Company’s official information security plan. The purpose of this document is to educate, instruct, and confirm the compliance of every employee, and any associated contractors and vendors, to the Company’s security policies.
To be in compliance with Company security, every employee, contractor, and vendor working closely with the Company's network or internal data shall read and adhere to the following security policies. All parties shall sign and date the final page of this security policy document to confirm that they have read and will follow the Company’s policies and procedures.
Summary Policy Notes:
#1 There is no expectation of privacy; all "Company" systems/networks are logged & audited.
#2 Shut down your computer at the end of your day, unless instructed otherwise (to allow overnight updates or other maintenance).
#3 Report a lost security key and/or company equipment immediately.
#4 Do Not load/connect personal/unauthorized hardware, software or make unauthorized configuration changes to any systems or web portals. Use only approved and procured software and hardware to keep your system(s) up to date and secure. Request and obtain approval for any non-standard software or hardware.
#5 Only "Company" Furnished/Vetted Equipment is allowed to connect to "Company" internal wired and wireless business networks.
#6 Only "Company" Furnished/Vetted Equipment is allowed to connect to any "Company"-owned peripheral equipment (e.g. projectors, video teleconference units, printers, etc.).
#7 Visitors and vendors presenting files or briefs on the internal network should email all files to their "Company" sponsor/handler and present on "Company" owned/vetted equipment. These files will be scanned for vulnerabilities by "Company" approved security tools, policies and procedures.
The “Company” will verify compliance to this policy through various audit and logging methods.
Any exception to the policy must be approved by the “Company”.
An employee or 3rd party found to have violated this policy may be subject to disciplinary action, up to and including termination of employment/contract.
Policies Included in This Information Security Plan:
Access Control Policy
Account Management Policy
Secure Password Policy
Wireless Network Security Policy
Electronic Mail Policy
Clean Desk Policy
Data Handling and Disposal Policy
Physical Security Policy
Malware Protection Policy
Removable Media Policy
Remote Access Policy
Acceptable Use Policy
The purpose of this policy is to outline the acceptable use of information technology at “Company”. These rules are in place to protect the employee(s) and “Company”. Inappropriate use exposes “Company” to risks including malware attacks, compromise of network systems and services, data loss, and associated legal issues.
This policy applies to the use of information, electronic and computing devices, and network resources used to conduct company business or interact with internal networks and business systems, whether owned or leased by “Company”, the employee(s), or a third party. All employees, contractors, consultants, temporary employees, and other workers at “Company” and its subsidiaries are responsible for familiarizing themselves with and following these policies, in accordance with “Company” policies and procedures.
General Use and Ownership:
- “Company” data stored on electronic and computing devices whether owned or leased by “Company”, the employee or a third party, remains the sole property of “Company”.
- You are to promptly report the theft, loss or unauthorized disclosure of “Company” data.
- You may access, use or share “Company” data only to the extent it is authorized and necessary to fulfill your assigned job roles and duties.
- The company reserves the right to monitor or block any website it deems as questionable or unsafe.
Security and Company Data:
- System-level and user-level passwords should comply with the company Password Policy. Providing access to another individual, either deliberately or through failure to secure its access, is prohibited.
- All computing devices will be secured with a password-protected screensaver with the automatic activation feature set after a certain amount of time deemed by compliance standard(s). You will lock the screen or log off when the device is unattended.
- Postings by employees from a company email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of “Company”, unless the posting is in the course of business duties.
The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities.
The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.
The following activities are strictly prohibited, with no exceptions:
- Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by “Company”.
- Accessing data, a server or an account for any purpose other than conducting “Company” business, even if you have authorized access, is prohibited.
- Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management, policies and/or procedures should be consulted prior to export of any material that is in question.
- Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
- Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
- Using a “Company” computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws.
- Making fraudulent offers of products, items, or services originating from any “Company” account.
- Effecting security breaches or disruptions of network communication, unless these duties are within the scope of regular duties. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access. For purposes of this section, "disruption" may include network sniffing, packet spoofing, denial of service, and forged routing information for malicious purposes.
- Executing any form of network monitoring, which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.
- Circumventing user authentication or security of any host, network or account.
- Providing information about, or lists of, “Company” employees to parties outside “Company”.
- Connection of unauthorized devices to the “Company” network(s).
Blogging and Social Media:
The following restrictions apply to blogging:
- Blogging by employees, whether using “Company” property and systems or personal computer systems, is also subject to the terms and restrictions set forth in this policy.
- If an employee is expressing his or her beliefs or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of “Company”.
In regards to the use of social media sites, the following apply:
- Do not post any confidential, sensitive or proprietary information about “Company” or any of our clients and candidates.
- Speak respectfully about our current, former and potential customers, partners, employees and competitors. Do not engage in name-calling or behavior that will reflect negatively on your or the “Company” reputation.
- Beware of comments that could reflect poorly on you and the “Company”.
- Use privacy settings when appropriate. Remember, the internet is immediate; nothing posted is ever truly private, and it does not expire.
- Be aware that you are not anonymous when you make online comments. Information on your networking profiles is published in public.
Access Control Policy
The purpose of this policy is to address the considerations that will help to ensure that “Company” IT resources and information assets are properly protected against unauthorized access, while meeting the access requirements for all authorized users.
The objective of implementing user access management is to ensure that authorized users are able to access information and resources, while preventing access for unauthorized users.
Human Resources/Management and IT will implement a formal user registration and removal procedure for granting and revoking access to all information resources and services.
Access control rules will take into account existing policies for information dissemination and authorization, while incorporating the principle of least privilege, which grants the lowest level of access, rights, privileges, and security permissions needed for the performance of authorized tasks to any “Company” data, resource or information.
Access control rules will differentiate between different roles that may be applicable for an individual commensurate with the classification of the resources. For example, a general user who accesses information from a website, the individual responsible for updating the content on a website, the administrator of the application, and the network hosting administrator each have different roles that necessitate different privileges.
Acceptable implementation of this principle will include allocation of user privileges on a need-to-use basis, per system, per application, based on resource and data classification, business requirements, and job function.
User Password Management:
All users will abide by the “Company” Secure Password Management Policy.
IT, in cooperation with Human Resources and management, will review user access, authorization, and privileges on an ongoing basis.
User Responsibilities:
The objective of implementing user responsibility controls is to foster an informed and cooperative approach between users and the organization’s management for protecting “Company” resources and data from unauthorized user access.
Users are responsible for handling, using, and storing passwords in a manner that complies with all password management requirements noted under User Access Management.
Unattended User Equipment:
Users are responsible for ensuring that unattended equipment has appropriate protection.
Network Access Control:
The objective of Network Access Control is to provide access to internal and external network systems in a controlled manner that is consistent with security policies.
Access to the Company network will be protected through a combination of security controls to prevent and detect unauthorized access, while providing secure access to authorized users and systems.
Access to any given network service will only be granted to users who are specifically authorized to use that particular service.
Approved remote access methods will be used for and by employees, contractors, and business partners.
Operating System Access Control:
The objective of implementing operating system access controls is to enable the ability to restrict access to operating systems to only authorized users.
The “Company” IT department will restrict unauthorized access to operating systems by employing controls that will properly authenticate users, provide appropriate access by role (e.g. Administrator), log activities, and generate notifications in the event of a breach.
Account Management Policy
The scope of this policy includes all personnel who have or are responsible for an account or any form of access that supports or requires a password on any “Company” system.
- Users will be given individual (non-shared) accounts for applications.
- The addition, deletion, and modification of user IDs, credentials, changes to user privileges, and other account changes will be controlled and documented.
- An inactive account, which may occur when a user is on extended leave, will be removed or disabled within 90 days. Inactive accounts resulting from termination or resignation will be removed or disabled immediately.
- Third-party accounts will be enabled only during the time period needed, and disabled when not in use.
- Accounts will be logged and audited when in use.
Secure Password Policy
The purpose of this policy is to establish a standard for creation of strong passwords, the protection and use of those passwords, and the frequency of change.
The scope of this policy includes all personnel who have or are responsible for an account or any form of access that supports or requires a password on any “Company” system.
General password construction guidelines are used for various purposes at “Company” (e.g. user-level accounts, web accounts, email accounts, and local router logins).
Passwords must not:
- Be a word found in a dictionary (in any language), or a slang, dialect, or jargon term.
- Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, and friends.
- Contain work-related information such as building names, system commands, sites, companies, hardware, or software.
- Contain repeated, sequential, or keyboard patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
- Contain common words spelled backward, or preceded or followed by a number (for example, terces, secret1 or 1secret).
- Be some version of “Welcome123”, “Password123”, or “Changeme123”.
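The construction rules above are the kind of thing a password-change form or a periodic audit can enforce mechanically. The checker below is an added example written for this page, not the Company's own tooling; it implements each rule as a separate test and returns the list of rules a candidate password breaks. The word list is a constructed stand-in for a real dictionary, the leet-speak substitution table is an assumption about how "versions" of Welcome123 are commonly formed, and the personal and work-related terms are supplied by the caller, since only the account owner's profile and the Company's own naming know what those are.

```python
import string

# Constructed, deliberately tiny word list standing in for a real multi-language
# dictionary plus slang/jargon list. Assumption: a deployment loads a large list here.
COMMON_WORDS = {
    "secret", "welcome", "password", "changeme", "dragon", "monkey",
    "sunshine", "football", "letmein", "summer", "winter", "admin",
}

# Base words the policy names explicitly ("Welcome123", "Password123", "Changeme123").
BANNED_BASES = {"welcome", "password", "changeme"}

# Letter rows of a US keyboard, used to catch walks such as "qwerty" or "asdf".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

# Assumed common symbol/digit-for-letter substitutions (P@ssw0rd -> password).
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "5": "s", "1": "l", "!": "i"})


def _core(pw):
    """Strip leading/trailing digits and punctuation: 'secret1', '1secret' -> 'secret'."""
    return pw.strip(string.digits + string.punctuation)


def _normalize(pw):
    """Lower-case the core of the password and undo leet substitutions."""
    return _core(pw).lower().translate(LEET)


def _has_run(s, n):
    """True if s contains n identical characters in a row (aaa, 111)."""
    return any(len(set(s[i:i + n])) == 1 for i in range(len(s) - n + 1))


def _has_sequence(s, n, ok):
    """True if s has n consecutive chars, all satisfying ok(), stepping +1 or -1 (abcd, 321, zyxw)."""
    for i in range(len(s) - n + 1):
        w = s[i:i + n]
        if not all(ok(c) for c in w):
            continue
        steps = {ord(w[j + 1]) - ord(w[j]) for j in range(n - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _has_keyboard_walk(s, n):
    """True if s contains n adjacent keys from one keyboard row, in either direction."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            chunk = row[i:i + n]
            if chunk in s or chunk[::-1] in s:
                return True
    return False


def check_password(pw, personal_terms=(), work_terms=()):
    """Return the list of construction rules the password violates; an empty list means it passes.

    personal_terms: names of family, pets, friends, birthdates, etc. for this user (caller-supplied).
    work_terms: building names, system names, company and product names (caller-supplied).
    """
    low = pw.lower()
    norm = _normalize(pw)
    core = _core(low)
    violations = []
    if low in COMMON_WORDS or norm in COMMON_WORDS:
        violations.append("dictionary word")
    if any(t.lower() in low for t in personal_terms if t):
        violations.append("contains personal information")
    if any(t.lower() in low for t in work_terms if t):
        violations.append("contains work-related information")
    # Letters need a run of 4 to count as a sequence (so ordinary words like "define" pass);
    # digits are flagged from 3, which also catches the mirrored "123321".
    if (_has_run(low, 3) or _has_sequence(low, 4, str.isalpha)
            or _has_sequence(low, 3, str.isdigit) or _has_keyboard_walk(low, 4)):
        violations.append("sequence/keyboard/repeated pattern")
    if core != low and (core in COMMON_WORDS or core[::-1] in COMMON_WORDS):
        violations.append("common word with leading/trailing number")
    if core[::-1] in COMMON_WORDS:
        violations.append("common word spelled backward")
    if norm in BANNED_BASES:
        violations.append("variant of Welcome123/Password123/Changeme123")
    return violations


if __name__ == "__main__":
    # Constructed sample candidates, none of them real credentials.
    for candidate in ("secret1", "terces", "Welcome123", "P@ssw0rd2024!", "Rex2019!", "Tr4il-Lantern+9x"):
        print(f"{candidate!r}: {check_password(candidate, personal_terms=['Rex']) or 'OK'}")
```

The check is intentionally conservative in one direction: it only reports rules the page states, and it does not add a minimum length, because this policy does not specify one. A real deployment would wire it into the account provisioning step described under Account Management and feed it the user's profile data for the personal-information rule.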
Make use of a secured company authorized password manager to store “Company” password(s).
All user-level and system-level passwords will conform to the password construction guidelines found in this policy.
Users will not use the same password for “Company” accounts as for other non-Company personal access.
Where deemed possible, users will not use the same password for various “Company” access needs.
Passwords will not be shared with anyone. All passwords are to be treated as sensitive, confidential information.
Passwords will not be inserted into email messages or other forms of electronic communication.
The following guidelines must also be followed:
- Passwords will not be revealed over the phone to anyone (unless previously approved).
- Do not reveal a password on questionnaires or security forms.
- Do not hint at the format of a password (e.g. "my family name").
- Do not share Company passwords with anyone, including administrative assistants, secretaries, managers, co-workers while on vacation, or family members.
- Do not write passwords down and store them anywhere in your office.
- Do not store passwords in a file on a computer system or mobile devices (phone, tablet) without encryption.
Any user suspecting that their password may have been compromised must report the incident immediately per company policy and procedures.
Wireless Network Security Policy
This policy pertains to all devices, whether owned by “Company”, employees, guests, etc., inclusive of smartphones, tablet computers, laptops, or any other device seeking access to the “Company” wireless network.
- All users of “Company” wireless local area networks, APs, and wireless clients will comply with all applicable company policies, standards, and guidelines.
- Any unauthorized use of the “Company” wireless network is prohibited. Unauthorized uses include: attempts to sniff or capture wireless data, attempts to disrupt or jam the wireless network, altering a wireless client media access control (MAC) address to attempt to evade security, attempts to break into or gain unauthorized access to any computer(s) or system(s) from a wireless or wired connection, installing a personal AP on the network, or any type of denial of service attack using the wireless network.
- Only managed “Company” devices are allowed to connect to the “Company” corporate wireless network. All other devices, including authorized employee devices and guest devices, must connect to the guest network.
- “Company” reserves the right to take whatever reasonable steps are necessary, including denial of network access, to protect the integrity and security of the company network and systems to protect the company from liability or otherwise.
Electronic Mail Policy
When using “Company” resources to access and use the internet, employees and others represent the “Company”.
“Company” email accounts are to be used for official business only. Whenever employees state an affiliation to the “Company”, they will also clearly indicate that "the opinions expressed are my own and not necessarily those of the company.” Questions should be addressed to a supervisor, manager and/or policies and procedures.
In addition, the following are strictly prohibited:
- Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (i.e. email spam).
- Any form of harassment whether through language, frequency, or size of messages.
- Unauthorized use, or forging, of email header information.
- Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
- Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
- Posting the same, or similar, non-business-related messages to large numbers of Usenet newsgroups (i.e. newsgroup spam).
Clean Desk Policy
The purpose of this policy is to establish a culture of security for employees at “Company”. An effective clean desk effort involving the participation and support of “Company” employees can greatly reduce the exposure of paper documents that contain sensitive data about the “Company”, clients, customers and vendors.
- If you are unsure of whether a duplicate piece of sensitive documentation should be kept, ask your supervisor and/or follow policies and procedures.
- Use secured storage for sensitive documents when they are no longer needed.
- Employees are required to ensure that all sensitive/confidential information in hard-copy or electronic form is secure in their work area at the end of the day, and when they are expected to be gone for an extended period.
- File cabinets containing restricted or sensitive documents will be kept closed and locked when not in use or when not attended.
- Keys used for access to restricted or sensitive information will not be left at an unattended desk.
- Printouts containing restricted or sensitive information should be immediately removed from the printer.
- Whiteboards containing restricted or sensitive information should be erased.
- Protect mass storage devices such as CD ROM, DVD, or USB drives with sensitive data and secure them appropriately.
Data Handling and Disposal Policy
“Company” is bound by various obligations with regard to the data that is collected, retained, or that is in our custody or under our control. The obligations may arise from local laws or regulations, or from contracts and SLAs that have been made with our employees, customers, service providers, and/or partners.
Broadly, when a Data Retention Period is over and “Company” no longer needs the data, equipment, or documents, it should be destroyed according to the applicable compliance standard(s) and/or “Company” policies and procedures.
- Data includes all data created by, and collected by, “Company”, including proprietary data, as well as client and partner data.
- Data will only be created, collected, accessed, used, and stored for the purposes for which it was either created or collected.
- Data will only be accessed by those with an authorized role/duty.
- All partners, vendors, and employees will adhere to “Company” privacy standards of all data created or stored by “Company”.
- All data shall be removed from equipment using appropriate media sanitizing methods.
- Computer equipment refers to desktops, laptops, tablets, printers, copiers, monitors, servers, handheld devices, telephones, cell phones, disc drives or any storage device, network switches, routers, wireless access points, etc.
- When computer equipment has reached the end of life, it should be sent to IT for proper disposal.
- All drives will be removed and rendered unreadable per applicable industry standards.
Physical Security Policy
Access to “Company” computers and devices will be controlled using secure methods and procedures in order to prevent damage to “Company” assets and reputation.
- Badge access restrictions are active in areas where critical infrastructure is located, restricting access to authorized staff only. These controls are periodically reviewed to ensure they are operating as intended.
- All visitors will sign in upon arrival. Visitors include vendors, job candidates, family and friends, contractors, business partners, etc. Visitors are issued an authorized visitor's badge when signing in, and upon leaving, any badges issued should be collected to prevent access at a later date.
- Appropriate recording mechanisms are in place to record the names, dates, times, and signatures for the signing in and out of visitors at “Company”. Visitors at “Company” may be required to sign a Non-Disclosure Agreement (NDA) prior to obtaining a visitor’s badge and entering the offices.
- At all times, staff and visitors will wear their employee and visitor ID badges (as deemed necessary), which have been issued to them.
- Observance and maintenance of the physical security of rooms and offices where computers or critical information processing equipment is located is a paramount consideration. For example, servers and business critical equipment should be located in locations with adequate environmental controls.
- All interfaces used for managing system administration and enabling access to information processing should be appropriately secured.
- Maintenance of “Company” equipment and infrastructure will be carried out by authorized personnel.
- Access to, and knowledge of, key fobs, door lock codes, or access to keys for locks, are restricted to authorized personnel only, and will not be shared with any unauthorized person.
- “Company” equipment should be taken off-site only once the device has been encrypted using approved methods. Extreme care regarding loss, damage, or theft will be employed whilst the equipment is off-site. Staff will adhere to any relevant procedures and guidance regarding the use and security of “Company” equipment being used off-site.
- ID cards, keys, or electronic door locks/key fobs or cards are issued to authorized staff on an as needed basis. They are fully registered to that individual, and only used by that individual. The key fob will be returned immediately when no longer required, and registration details updated accordingly. Any keys or fobs that are not being used should be securely stored, and a log maintained of these fobs.
- Direct access to secure locations, or access to adjoining offices which could provide access, will be locked and secured using appropriate locking mechanisms.
- Doors which provide access to “Company” network infrastructure equipment will not be left open, unless for the purpose of taking delivery of equipment, to accommodate the movement of existing equipment, or the transportation of maintenance or cleaning equipment. In these cases, an authorized member of staff will be present at all times to supervise access when doors are left open.
- All Company contracted cleaners will have and display appropriate identification and be made aware of the requirements within this procedure.
Malware Protection Policy
The purpose of this policy is to outline which systems are required to have anti-malware applications. This policy applies to all “Company” information system(s).
Company operations staff will adhere to this policy to determine which systems will have anti-malware applications installed on them and to deploy such applications as appropriate.
Laptop and Desktop Computers:
Managed malware protection will be installed on all laptop and desktop computers. The malware application installed will be configured to be tamper resistant, so that it cannot be disabled or reconfigured by anyone other than system administrators. The malware application should be set to update automatically as needed.
Servers:
Servers will be assessed for their malware protection needs. The decision to install malware protection will be based on associated risk and the existence of any other mitigating controls.
The malware protection application will monitor for signs of threat, as well as periodically scanning the systems it protects.
Removable Media Policy
The purpose of this policy is to minimize the risk of malware, data loss or exposure of sensitive data maintained by “COMPANY”.
This policy covers all information systems in “COMPANY”.
“COMPANY” staff may only use “COMPANY” approved or furnished removable media in their workplace systems. “COMPANY” removable media may not be connected to or used in systems that are not owned, leased or approved by the “COMPANY” without explicit permission of the “COMPANY”. Sensitive and/or proprietary data should be stored on removable media only as required in the performance of your assigned roles/duties. When sensitive information is stored on removable media, it should be encrypted in accordance with “COMPANY” policies, procedures and/or compliance standards.
This policy covers any and all external physical media in use, both legacy (e.g. tape) and modern (e.g. USB drives).
Remote Access Policy
The purpose of this policy is to define rules and requirements for connecting to the “COMPANY” network. These rules and requirements are designed to minimize the potential exposure to unauthorized use of “COMPANY” resources. Potential damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical “COMPANY” internal systems, and other liabilities incurred as a result of those losses.
This policy applies to all “COMPANY” employees, contractors, vendors and agents with a “COMPANY” owned, provided or other systems used to connect to the “COMPANY” network. This policy applies to remote access connections used to do work on behalf of “COMPANY”, including viewing or sending email and viewing intranet web resources. This policy covers any and all technical implementations of remote access used to connect to “COMPANY” networks. Authorized Users will not use “COMPANY” networks to access the Internet for outside business use.
- Authorized users must not share their login credentials.
- All inbound connections to "COMPANY" internal networks must pass through an access control point before the user can reach a login banner.
- Remote users must be required to authenticate before being granted access to company information.
- Remote access must be logged and audited.
- All hosts connected to “COMPANY” internal networks must be equipped with up-to-date anti-malware software. Third-party hosts must comply with this requirement before connecting to the network.
- All hosts connected to “COMPANY” internal networks via remote access must be company-issued or approved third-party devices.
- Restricted company information must only be accessible via the "COMPANY" internal network or VPN. Access to the VPN must require multi-factor authentication.
- Authorized users shall not connect to the "COMPANY" VPN while the host is connected to a network that is not a trusted third-party network. Users shall not connect to the "COMPANY" VPN while also using another VPN (split-tunneling).
- Users must exercise caution when connecting to networks in public venues like airports, coffee shops, etc., and must not connect to the Company’s internal network (even via VPN) if on an unsecured, public network.
- Access accounts used by remote vendors must only be enabled during the required time period and must be disabled immediately thereafter. Vendor accounts must be closely monitored and approved by "COMPANY".
- Authorized third-party users must be required to authenticate before being allowed to access restricted information.
Remote access is to be used only as needed for the user's job/role/assignment(s). Terminate network connections at the end of each session or after a defined period.
This policy covers any and all remote connection methods (e.g. website, VPN software/hardware, SOCKS proxy, SSH, etc.).
By signing below, I acknowledge that I have read and understand the above policies and procedures, that I will be held accountable to them, and that I agree to abide by them during the course of my employment and/or access to Company systems and resources.
Signature: ___________________ Date: __________________
Please sign and return this page to requester.