Walker SCM Information Asset Protection & Privacy Practice/Safeguards
A. Policy Overview
Walker SCM and each of our affiliated companies are committed to protecting the organization’s assets, including employees, information, client data and work environment, to enable us to achieve our business goals. As such, we have established this information asset protection (IAP) policy. It sets forth our guiding principles with respect to protecting the organization’s information assets. Information is a key organizational asset and will be protected commensurate with its value and based on the results of periodic risk assessments. The protection strategy is based on the following principles:
- Protecting information assets will consist of identifying, valuating, classifying, and labeling in an effort to guard against unauthorized access, use, disclosure, modification, destruction, or denial.
- Controls will represent cost-effective, risk-based measures consistent with other policies and the strategic goals of the organization.
- The IAP strategy integrates traditional security, information technology security, legal and administrative functions.
- Responsibility and accountability extend to all employees as well as consultants, contractors, subcontractors, part-time employees, temporary employees, interns, teaming partners and associates.
- We will meet all applicable legal and regulatory requirements.
B. IAP Program Manager
All questions, issues, and concerns related to this policy will be directed to the IAP program manager(s) at corporate headquarters (VP General Administration and Corporate Security Manager).
The IAP policy applies to all employees and to the extended enterprise, that is, individuals and entities with access to the organization’s information assets, people and facilities.
D. Information Assets
Our information assets fall into a variety of categories, some of which are subject to specific laws and regulations. In those cases, we will comply with all applicable laws and regulations. This may become complicated in some circumstances when laws and regulations at the local, state, federal and international levels may all apply. Contact the organization's counsel or IAP program manager for guidance in specific cases.
E. Information Classification and Sharing
It is essential to share information both internally and externally to achieve our business objectives.
However, it is also our responsibility to ensure that sensitive information assets are protected from loss or compromise. All employees and members of our extended enterprise are responsible for sharing information assets appropriately and protecting them from inappropriate disclosure, modification, misuse or loss.
To protect information (paper, electronic, oral, etc.) according to its business value, we have developed policies, practices and procedures as part of our IAP program. Included is a mechanism to classify our information assets into four categories: highly restricted, restricted, internal use and unrestricted.
- Highly restricted is used for proprietary information that could allow a competitor to take action that could seriously damage our competitive position or that, if disclosed, could significantly damage the organization’s financial or competitive position. Strict precautions are used to eliminate accidental or deliberate disclosure and to detect unauthorized individuals. Access for non-employees is limited to individuals who are approved, have a need to know and are covered by a nondisclosure agreement (NDA).
- Restricted is used for information that is organizationally or competitively sensitive or that could introduce legal or employee privacy risks. Precautions are taken to reduce accidental or deliberate disclosure. Access for non-employees is limited to individuals who are approved, have a need to know and are covered by an NDA.
- Internal use is used for information generated within the organization that is not intended for public distribution. Commonsense precautions are used to reasonably protect this information. Access is generally limited to employees. Access for non-employees is limited to individuals or organizations that are approved and are covered by an NDA.
- Unrestricted is used for information that can be shared inside and outside the organization.
Everyone is required to take these steps:
- Follow all procedures and practices regarding the protection of information assets.
- Participate in incident management, risk assessments, work processes and control mechanisms that support the policy.
- Ensure that proper access controls are in place for any information you create or own.
- Use common sense and forethought in the release of organization-related information.
Employees in designated roles have been assigned specific responsibilities for the deployment, implementation and maintenance of the IAP policy. These roles and responsibilities are as follows:
- The IAP program manager is responsible for overall policy, including
  - determining the levels and the protection required within each level
  - providing baseline information security through the organization’s technology infrastructure
  - providing IAP management reports as appropriate
  - coordinating the program with other members of the organization
- Other managers and directors are responsible for employees’ understanding of and compliance with the IAP policy as well as organizational practices and procedures. These managers and directors may be responsible for
  - training employees on all classification levels
  - ensuring that work processes and controls support the policy
  - ensuring that risk assessments are conducted as needed and that incidents are managed within the framework of the IAP policy
F. Employee Privacy
Employee data is a resource to be protected against alteration, loss or unauthorized disclosure. Walker guards information that is essential to running the business and protects this information from disclosure to anyone other than those who have a legitimate business need or legal right to have it.
The privacy and confidentiality of personnel records must be assured. Any personal information collected by the organization will be necessary and relevant and will be obtained and maintained using methods that respect the individual’s right to privacy as well as applicable laws and regulations. In addition, each employee has the right to know what type of personal information the organization maintains about him or her and how it is or may be used.
Periodic audits may be conducted to ensure compliance with organizational policy as well as laws and regulations regarding privacy and personal information management.
G. Securing Our Property
Walker is committed to providing security for our tangible and intangible assets to avoid loss. Each of us should do the following:
- Help ensure that access to the organization’s facilities is limited to authorized persons or approved visitors.
- Wear and display appropriate identification as defined by organizational policy.
- Address security issues in a proactive manner, seeking early involvement of the security department in new initiatives, program launches, construction projects and related issues.
- Be aware of and take appropriate action on potential security risks at work.
- Managers in company branches will ensure that facilities meet recommended access control standards and comply with other security guidance and will respond to security incidents or concerns, ensuring they are properly reported to the security department.
The security department, in conjunction with other departments, has the responsibility to conduct any investigative activities in cases of known or suspected information loss, compromise, theft, manipulation, denial of access, fraud or conflict of interest. Security also has the responsibility for involving local authorities as appropriate. Specialized expertise should be engaged through trusted external providers when appropriate.
Specific measures for handling, marking, storage, transmission and transport, copying, declassification and destruction of sensitive information are provided in our organization’s practices and procedures, which are available.
H. Security Awareness and Training
Each employee and member of the extended enterprise is responsible for protecting our information assets. Each individual must also be aware of the reasons or need for controls, as well as the practices and procedures that comprise our IAP program. Security, in conjunction with the IAP program manager, will provide periodic security awareness training that will include up-to-date information on the risks to information assets and prudent defensive measures. Awareness will also be facilitated through regular newsletter articles, reminders and Web-based resources.
I. New Projects and Initiatives
All new research, development, product line or brand initiatives should be protected using the security principles and strategies detailed in the IAP policy and the supporting practices and procedures. An IAP plan should be considered for projects involving highly restricted or restricted information.
J. Trusted Relationships (Extended Enterprise)
Specific obligations, practices, and procedures for IAP will be documented in written agreements prior to the execution of any contract, consulting engagement or other business relationship that may involve the exchange of or access to sensitive information. The agreements may include NDAs, contract clauses, memoranda of understanding or other formats. The agreement should specify the type of information to which it applies, the identity of the parties involved, the purpose of the agreement, and the time period for which it will remain valid. Specific reference to the IAP policy and other relevant organizational policies, practices and procedures will be made in all such agreements.
Individuals and entities in a trusted relationship with our organization should be made aware that their obligation to protect certain information may extend beyond the period of their relationship with us or the end of a particular project. In addition to our written agreement, local, state, federal or international laws and regulations may also apply to information protection and disclosure matters.
Quick Reference Guide for Information Asset Protection
Unrestricted
This information can be shared within the organization and outside of the organization.
- Read access is unrestricted within the company. Version control and updates are managed by the content owner.
- Sharing externally without a nondisclosure agreement (NDA) requires a clear understanding between the parties that the information is to be treated as confidential.
Internal use
This information is not to be shared with the public.
- Content owners manage access lists and authorize sharing.
Restricted
- Access is limited to certain organizations, groups or people in certain roles (e.g. legal, engineering, marketing, etc.).
- Breadth and type of information access (e.g. create, read-only, update or delete) is limited and is based on role and fraud control requirements.
- A signed NDA and an established “need to know” policy are required to share this information with the Extended Enterprise.
- Content owners manage access lists for type of access and authorized sharing.
Highly restricted
- Access is restricted to specifically named individuals with an established “need to know”.
- Authorizing a fellow employee requires verification of employee status and a clear understanding of intended use.
- In authorizing sharing information with an individual from the Extended Enterprise, verify that a signed NDA and an appropriate contractual agreement are in place.
- Continued access is reviewed quarterly.