
Information Security Policies

Data Protection
Policy #: IS-XX
Version: 1.X
Effective Date: 20XX-XX-XX
Contact: [Name]
Email: [Contact E-mail Address]
Phone: (xxx) xxx-xxxx

Table of Contents
1.0 PURPOSE
1.1 SCOPE
1.2 POLICY
1.2.1 Data Protection
1.2.2 Confidential Data
1.3 PROCEDURES
1.3.1 Responsibility for Data Privacy
1.3.2 Data Storage/Encryption
1.3.3 Consent for Disclosure
1.3.4 Mailing of Confidential Information
1.3.4 Data Transmission/Transfer
1.3.5 Third Party Vendors/Service Providers
1.3.6 Changes to Confidentiality Policy
1.4 VIOLATIONS
1.5 REFERENCES
1.6 RELATED DOCUMENTS
1.7 APPROVAL AND OWNERSHIP
1.8 REVISION HISTORY
1.9 SOC 2 MAPPING
DATA DISCLOSURE LOG

1.0 PURPOSE

To provide guidance pertaining to the protection of confidential data including, but not limited to, storage,
transmission, and encryption.

1.1 SCOPE

This policy applies to all [Company] computer systems and facilities, with a target audience of [Company]
Information Technology employees and partners.

1.2 POLICY

1.2.1 Data Protection

Responsibility – [Company] Management shall formally appoint a person who is responsible for
establishing and maintaining the privacy of confidential information.
Management Consent – Certain types of confidential information require express consent from
Management, a Supervisor, or the Security Officer prior to disclosure to an outside entity. Consent must be
received prior to emailing, faxing, communicating via telephone, or using any other transmission method.

Policy # IS-XX CONFIDENTIAL Page 1


Encryption Keys – Encryption keys for all systems shall be securely managed and stored by the Security
Officer. Keys shall not be stored in the cloud (i.e. at the cloud provider in question) but maintained by
[Company] or a trusted key management provider.

1.2.2 Confidential Data

Confidential Data Protection – Any confidential data being stored by [Company] shall be protected from
threats to confidentiality and integrity using an encryption method appropriate to the storage medium. If
Management opts to store confidential data un-encrypted, a business justification shall be documented,
approved, and maintained by the Security Officer or their designee.
Transmission of Confidential Data – Confidential data being transmitted across public networks to any
outside entity must be securely protected during transfer. The Security Officer shall ensure the methods
are in place for secure transfer of data to outside entities lawfully collecting data.
Removal of Confidential Data – Documents and media containing confidential information shall not be
removed from [Company] premises without express permission from a supervisor or the Security Officer
or their designee. Confidential information requiring transport shall be packaged securely and tracked to
help protect against the unauthorized use or disclosure of the documents or media being sent.
Management shall maintain a listing of where confidential information can be stored.

1.3 PROCEDURES

1.3.1 Responsibility for Data Privacy

Management has appointed XX, [TITLE] as the workforce member responsible for the privacy of
confidential data in the [Company] environment.

1.3.2 Data Storage/Encryption

Any data at rest shall be stored using an encryption method appropriate for the medium of
storage. The following encryption methods are in place for stored confidential data:

1.3.3 Consent for Disclosure

Consent must be obtained from Management, a Supervisor, or Security Officer prior to the disclosure of
the following types of confidential information via email, telephone, fax, or other communication method:
• [List the types of confidential data required to have consent for disclosure here.]
Disclosures of information shall be logged on the [Company] Disclosure Log.

1.3.4 Mailing of Confidential Information

Confidential information being removed from facilities requires express permission from a supervisor or
Security Officer or their designee.
Documents or media being mailed shall be packed in secure envelopes or other secure packaging
material so that no covered information is readable or obtainable by unauthorized parties.
Documents or media being mailed should be sent via certified US Postal Service (USPS) mail and a
tracking mechanism should be obtained to ensure delivery to the correct party.



1.3.4 Data Transmission/Transfer

Any data being transferred to an outside entity must be securely protected during transfer. A secure email
service is provided to all employees and is enabled by default for each user’s Exchange mailbox.
Additional encrypted file transfer methods, such as SFTP, can be put in place with approval from the
Security Officer or their designee.

1.3.5 Third Party Vendors/Service Providers

[Company] shall obtain confidentiality agreements from vendors and other third-party service providers
whose products and services are part of [Company]’s systems. Compliance with [Company]’s
confidentiality commitments will be assessed on a periodic and as-needed basis, with corrective actions
taken as determined necessary.

1.3.6 Changes to Confidentiality Policy

Changes made to internal or external confidentiality policies shall be approved by Management in
accordance with documented policies and procedures. Affected parties (including third parties whose
products and services are part of the system and have access to confidential information) shall be notified
of relevant changes within two weeks of approval.

1.4 VIOLATIONS

Any violation of this policy may result in disciplinary action, up to and including termination of
employment. [Company] reserves the right to notify the appropriate law enforcement authorities of any
unlawful activity and to cooperate in any investigation of such activity. [Company] does not consider
conduct in violation of this policy to be within an employee’s or partner’s course and scope of
employment, or the direct consequence of the discharge of the employee’s or partner’s duties.
Accordingly, to the extent permitted by law, [Company] reserves the right not to defend or pay any
damages awarded against employees or partners that result from violation of this policy.
Any employee or partner who is requested to undertake an activity that he or she believes is in violation
of this policy must provide a written or verbal complaint to his or her manager, any other manager, or the
Human Resources Department as soon as possible.

1.5 REFERENCES

1.6 RELATED DOCUMENTS



1.7 APPROVAL AND OWNERSHIP

Created By Title Date Signature

Approved By Title Date Signature

1.8 REVISION HISTORY

Version | Description | Revision Date | Review Date | Reviewer/Approver Name
1.0 | Initial Version | | |

1.9 SOC 2 MAPPING

CC6.1
Criteria: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
Points of Focus Summary: Logical access controls covering the following:
• Identify and manage inventory of information assets
• Restricts logical access to info assets, software, mobile devices, and offline systems
• Identifies and authenticates users
• Considers network segmentation
• Manages Points of Access
• Manages credentials for infrastructure and software
• Uses encryption to protect data (at-rest, and other)
• Protects encryption keys (generation, storage, use, and destruction)

CC6.3
Criteria: The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.
Points of Focus Summary: The entity authorizes, modifies, or revokes logical access to protected information assets based on a role-based access control

CC6.5
Criteria: The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
Points of Focus Summary: Data disposal policies and procedures are in place for information assets and physical assets.



CC6.7
Criteria: The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.
Points of Focus Summary: Restricts the transmission, movement, and removal of information and protects during transmission, movement, and removal.

CC8.1
Criteria: The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
Points of Focus Summary:
• An SDLC is in place
• Application changes are identified, tracked, authorized, developed, tested, and approved to migrate to production
• System, infrastructure, data, and procedure changes are identified as part of the remediation for incidents
• A baseline configuration of IT technology is in place
• A process for authorizing, developing, testing, and approving changes is in place
• Process protects confidential information
• Process protects personal information

PI1.5
Criteria: The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives.
Points of Focus Summary:
• System records are protected during storage to prevent theft, corruption, and deterioration
• System records are complete and accurate

C1.1
Criteria: The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.
Points of Focus Summary:
• Procedures are in place to identify confidential information.
• Standards are set to define the retention period for confidential information.
• Procedures are in place to protect confidential information from destruction or erasure.

P4.2
Criteria: The entity retains personal information consistent with the entity’s objectives related to privacy.
Points of Focus Summary: Retention of personal information is defined, and policies and procedures are in place to protect against erasure or destruction of personal information within the retention timeframe.



P5.1
Criteria: The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity’s objectives related to privacy.
Points of Focus Summary: A data subject's access request to their personal information requires authentication prior to granting access to information and is provided in a timely manner. Denied access requests are informed to the requestor with a reason for denial.



Data Disclosure Log

Date Received | Name of Requestor (if applicable) | Purpose | Data Disclosed | Date Disclosed | Disclosure Method | Disclosed By
2/28/19 | John Doe | Personal accounting of data. | Name, DOB, SSN, and address. | 3/4/19 | Encrypted email | Jane Doe
