Security Policy

Last modified: Feb 1, 2021

Policy Statement

Product Security Group establishes this security policy to protect employees, our company, and our customers.

It is important to know:

  1. All employees, contractors, visitors, and vendors are responsible for following this policy.
  2. Violations of this policy may be subject to actions in our Sanctions standard.
  3. Questions about this policy should be sent to the security team.

Company's Security Goals

  • C1 To maintain a standards-based program to manage security.
  • C2 Strive to build only secure applications.
  • C3 Strive to deploy and operate secure systems and networks.
  • C4 Strive to ensure everyone has the ability to work in the event of a disaster.

Everyone's Security Goals

  • E1 To complete security training at least once a year.
  • E2 To handle all data according to our standards.
  • E3 To use the company's assets according to our acceptable use standards.
  • E4 To ensure a secure and safe work environment.
  • E5 To help us meet all our legal, compliance, contractual, and regulatory requirements.
  • E6 To report insecure or suspicious activity to the security team.
  • E7 To maintain the privacy of the information they may use.
  • E8 To report risks to the security team, who will manage them.
  • E9 To undergo background screening before starting employment at the company.
  • E10 To use only approved methods to access company assets.
  • E11 To have all new technology or services reviewed by the security team.
  • E12 To use their own device for business purposes as long as they follow our standards.
  • E13 To read and attest to the security policies every year.

Exception Management

The security team's exception management process handles exceptions to this policy.

Appendix A: ISO 27001 Crosswalk/Mapping

Goal  Policy Area            ISO 27002 Control #s
----  ---------------------  ------------------------------------------------------------------------
P0    This policy            5.1.1
C1    Program                6.1.1-6.1.5, 7.2.1, 7.2.3, 7.3.1, 12.7.1, 18.2.1-18.2.3
E1    Awareness Training     7.2.2
E2    Data Handling          8.2.1, 8.2.2, 8.3.2, 8.3.3, 12.3.1, 13.2.1-13.2.4
E3    Acceptable Use         8.1.3
E4    Safe Work              All of 11
E5    Legal                  10.1.1, 18.1.1-18.1.3, 18.1.5
C2    Secure Applications    12.1.4, All of 14
C3    Secure Systems         10.1.2, 12.1.1-12.1.3, 12.2.1, 12.4.1-12.4.4, 12.6.1, 13.1.1-13.1.3
E6    Reporting/Response     All of 16
E7    Privacy                18.1.4
E8    Risk Management        8.1.1, 8.1.2, 8.1.4, 8.2.3, 8.3.1
E9    Background Screening   7.1.1, 7.1.2
E10   Access                 All of 9
E11   Supply Chain           12.5.1, 12.6.2, All of 15
C4    Disaster               6.2.2, All of 17
E12   BYOD                   6.2.1
E13   Annual Review          5.1.2