F3_Doc_006 VER4.0

SECURITY POLICY

Confidential
Focal3 Software Pvt Ltd

Background

Focal3 and its Customers provide Focal3 Agents with Confidential and Proprietary information (collectively, “Information”). It is very important that all of this Information be handled with great care to prevent the inadvertent or intentional disclosure to anyone other than an authorized party. For both its own and its Customers’ benefit, Focal3 is committed to protecting the security and confidentiality of all Information. To that end, this policy addresses the necessary and appropriate procedures for maintaining data security and confidentiality.

Scope

This policy governs the procedures followed by all business units of the company who encounter Confidential and Proprietary Information. Together with Focal3’s Employee Handbook and related Human Resources documents, these establish all of the guidelines for the use and protection of this Information.

Definitions

The following terms used within this Policy are defined as follows:

Active Use
The actual or planned use of Information within a one-year period.

Agent
Any full- or part-time employee, temporary or contracted employee, consultant, vendor, volunteer, director or other person who is provided access by Focal3 or a Customer to Information whether or not in exchange for wages, salary or other remuneration.

Authorized Use
A situation in which either Focal3 or a Customer has granted specific permission to use Information for a particular purpose.

Blinding
The process whereby Information is shielded from identification by removing any direct and indirect identifying information which would allow a third party to directly observe or indirectly reconstruct the identity of a party to the Information.

Classification Level
Information is classified into one of three distinct levels as defined in the table below. The Classification Level determines the particular rules that govern the use, transmission, storage and disposal of the Information. By contrast, unclassified information (e.g., press releases, company address and phone) is fit for public consumption and has no rules for handling or protection, outside of appropriate business protocol.

Level I
  Classification Level: Information that necessitates the most limited handling, is provided to individuals on a Need to Know basis only, and which, when discarded, must be shredded or otherwise destroyed in a manner that eliminates the practical ability to reconstruct that information from its component parts;
  Representative Examples (see footnote 1):
    • Peer review data
    • System passwords
    • Confidential human resource information

Level II
  Classification Level: Information that necessitates specific handling and that is provided to individuals on a Need to Know basis only, but which may be disposed of discreetly in a non-Public trash can;
  Representative Examples (see footnote 1):
    • Blinded Customer data
    • Business plans and relationships
    • Proprietary analytic methods
    • Blinded Customer case studies or analyses

Level III
  Classification Level: Information that is generally available to Focal3 Agents, but which is provided only on limited terms to non-Agents;
  Representative Examples (see footnote 1):
    • Sales presentation materials
    • Marketing Materials

Company Confidential and Proprietary Information
Company Information includes, but is not limited to: analytic methods, software source code, research and software development methods, business plans and strategies, non-Public financial information and non-Public Human Resources information.
In general, any information that is protected by regulation or law, that is deemed by Focal3 to be a proprietary component of one or more of its business units, that is not made publicly available by Focal3 and which Focal3 attempts to keep confidential in the routine course of its business is Information.

1 These examples are illustrative only and are specifically NOT meant to be all-inclusive.

Inactive
The lack of actual or planned use of Information within a one-year period.

Information
Collectively, Confidential and/or Proprietary Information of either Focal3, a Customer or an Agent of either party.

Need to Know
Need to know is defined as the requirement, as a part of a direct job function, for an Agent to have access to the particular Information under consideration.

Public areas
Public areas consist of all areas outside of Focal3, and within Focal3, those areas with high visitor traffic, namely lobbies, waiting areas, kitchens and any other Company areas specifically designated by the Executive Council as Public.

Security Officer
The Director of Technical Services, who will provide implementation and overall security monitoring for Focal3.

Systems Administrator
An Agent with access to and responsibility for computer systems administration and maintenance. A Systems Administrator is distinguished from other Agents by the need to have widespread access to secure systems and materials as a routine part of his or her job. For the purposes of this Policy, Database Administrators are considered to be System Administrators.

Policy

It is Focal3’s policy to both explicitly and implicitly protect Confidential and Proprietary Information (collectively, “Information”) from unauthorized access, use, dissemination, or disclosure.

Procedures

General Principles

It is impossible to define every possible interaction between Agents and Information. Therefore, the following general principles should govern all Agent interactions with Information unless specific procedures exist to the contrary:

• Obtain proper authorization from a Manager before accepting any Information;
• When possible, avoid access to or possession of Information unless specifically required for the task;
• Always keep Information for the shortest possible time required for the specific task at hand and then properly destroy or store that Information in accordance with the handling requirements;
• Presume that others do not have proper authorization or the Need to Know unless proven otherwise;
• Information may not be discussed in Public areas and may never be given to any party without proper Authorization for use;
• When possible and reasonable, downgrade the Information to the lowest possible Classification Level consistent with your required task (e.g., by Blinding);
• When Information of different Classification Levels is commingled, the entire Information bundle assumes the Classification Level of the highest individual component;
• Information maintained for any purpose must be protected from accidental disclosure in accordance with the Information handling requirements;
• Information may be removed from Company premises only for authorized business purposes and must be treated in the same manner as on-site data; by definition, family members do not have a Need to Know;
• When it is not known whether or not information is Proprietary and Confidential, it should be presumed to be so until proven otherwise;

Information handling requirements by Classification Level

• Confidential and Proprietary Information has specific handling requirements defined by its Classification Level as specified in the table below:

Level I
  Locations:
    Active Use within Focal3: personal desk area when not immediately visible to unauthorized persons, or in a closed room;
    Active Use outside of Focal3: only if required and concealed during transit; all Information must remain in direct, personal possession at all times;
    Inactive: destroyed or maintained in a locked storage area;
  Mediums:
    Electronic transport: password protected, marked “Confidential”; encrypted and blinded unless it is impractical or dysfunctional to do so;
    Hard copy: always marked “Confidential”; blinded when possible; use of common area printers discouraged -- must retrieve printing as soon as possible;
    Mail: item tracking required;
    Fax: discouraged strongly; when required, must have a confirmed, Authorized User waiting on opposite end;
    Verbal: allowed via standard telephone or in proper locations;
    White Boards: must be erased when not in use.

Level II
  Locations:
    Active Use within Focal3: personal desk area or in a closed room;
    Active Use outside of Focal3: only if specifically authorized and concealed during transit; all Information must remain in direct, personal possession at all times;
    Inactive: discarded in a non-Public trash can or maintained in a non-visible area;
  Mediums:
    Same as Level I

Level III
  Locations:
    Same as Level II
  Mediums:
    Electronic: encrypted or password protected when possible;
    Hard copy: concealed;
    Mail: regular U.S. mail allowed;
    Fax: allowed without standby;
    Phone: allowed via standard telephone or in proper locations;
    White Board: erase as appropriate.