Last Updated: August, 2018
This Information Security Policy (the “Policy”) describes the security policies that must be implemented, maintained, and followed in managing Noyo Technologies, Inc.’s (“Noyo”) information systems and by anyone who has access to Noyo’s information systems, including those systems that Noyo maintains for purposes of managing files, records, communications, and work product (the “System”) or information, data, or records maintained by Noyo (the “Information”).
This Policy describes the general principles that must be followed to help protect the System, the Resources, Personnel, Noyo’s customers and partners, and the Information. It is designed to reflect reasonable and appropriate technical and organizational measures to protect the confidentiality, integrity, and availability of the Information and address the information security risks to Noyo and others. More detailed information security standards and guidelines may be developed in accordance with this Policy to supplement specific needs, risks, and requirements on a case-by-case basis.
Failure to follow the Policy, including through inappropriate or improper use of the System, Resources, or Information, may expose Noyo to risks including cyber-attacks, compromise of the System, Resources, and Information, harm to Personnel, customers, or partners, liability, and legal or regulatory issues.
This Policy applies to all Noyo personnel, regardless of employment status or location, who have been granted access to Information, Systems, or Resources (the “Personnel”). This includes employees, staff, contractors, interns, vendors, and visitors. The System includes Noyo offsite facilities. It also applies to any computing or storage device used to connect to the System (the “Resources”) which may include:
Information includes information stored in electronic or physical form. This Policy has been adopted considering Noyo’s existing and reasonably anticipated legal, regulatory, professional, and contractual obligations. To the extent that any of Noyo’s legal, regulatory, professional, and contractual requirements from time to time are stricter than what is contained in the Policy or any other policy or guidelines relating to Information, Personnel must abide by those stricter requirements. If any Personnel encounter such requirements that they are unable to comply with using the resources currently available to them, they must immediately contact the Chief Security Officer to determine the appropriate steps to be taken.
Noyo has designated its Chief Security Officer (CSO) to oversee and maintain this Policy. The CSO shall ensure that this Policy and corresponding information security objectives are: (i) compatible with the strategic direction of Noyo; (ii) integrated into Noyo’s organizational processes and implemented successfully; (iii) defined and assigned appropriate resources; (iv) communicated to management and Personnel; and (v) continually improved and updated in accordance with this Policy. The CSO shall ensure that the applicable responsibilities outlined in this Policy are assigned to the appropriate personnel and effectively communicated to all Personnel and relevant contractors and vendors.
Noyo’s Chief Security Officer and HIPAA Security Officer is:
Name: Dennis Lee
Contact Information: email@example.com
2.0 Information Resource Management
2.1 Inventory of Information Resource
Resources, including applicable hardware, software, records, systems, documents, storage media, portable devices and other equipment, devices, or documents where, or through which, Noyo’s Information is processed, recorded, stored, or transmitted must be inventoried. All items in the inventory must have an assigned custodian.
2.2 Information Classification
2.2.1 Categories of Information Classification. Information must be classified as follows:
Sensitive Information: This classification category must be assigned to information where accidental or unauthorized access to or loss or disclosure of could cause material, severe, or catastrophic harm or impact to Noyo, any data subjects, customers or partners, or relying parties. Sensitive Information includes:
§ Passwords, authentication/authorization credentials, and/or other information that can be used to access the System or Confidential or Sensitive Information,
§ Information under strict regulatory or contractual handling requirements (e.g., PCI, HIPAA, GDPR, and other data security laws) including:
§ Business secrets deemed highly confidential (e.g., highly-confidential business strategies and communications, sensitive attorney-client privileged and confidential communications).
Confidential Information. This classification category must be assigned to information asset types where accidental or unauthorized access to or loss or disclosure of could cause loss or harm to Noyo, any data subjects, customers or partners, or relying parties. Confidential Information includes:
§ Internal communications and documents not specifically described as Sensitive Information,
§ Non-sensitive attorney-client privileged and confidential communications, and
§ Personal information related to Noyo’s Personnel, customers, partners, or any other individuals of the type not specifically described as Sensitive Information.
Non-Confidential Information. This classification category must only be assigned to information asset types where unauthorized disclosure could result in no loss or harm to Noyo, Noyo customers or partners, or relying parties. Non-Confidential Information includes:
§ Information required to be accessible to the public under law, and
§ Information generally accessible in the public domain (but not including internal compilations of public information).
2.2.2 Responsibility for Classification. “Information Classification Managers” are individuals or departments that are accountable for the protection of the Information. Individuals may be considered Information Classification Managers of any Information they have created, have been assigned, have knowingly received, or are responsible for (e.g., business unit or department leaders).
Information Classification Managers must ensure that Information for which they are responsible is identified, properly classified, and protected in accordance with the guidelines associated with the assigned classification.
All Information created or used by a particular business unit within Noyo must have a designated Information Classification Manager. Information Classification Managers for Confidential or Sensitive Information are responsible for controlling authorized access to this Information and ensuring that inventories are maintained that document the Confidential or Sensitive Information used within their business unit or department. If an Information Classification Manager leaves Noyo, management must ensure that all relevant Confidential and Sensitive Information is assigned to a new, appropriate Information Classification Manager.
2.2.3 Mixed Sets of Classification Information. If Resources contain mixed sets of Information, the resource must be treated in accordance with the most stringent requirement applicable to any component thereof. To the extent less sensitive Information is extracted from Resources containing Sensitive or Confidential Information, such limited extraction can be treated according to the standards that apply only to that extraction.
2.3 Information Collection/Retention/Destruction
2.3.1. Information Collection. Collection of Sensitive and Confidential Information must be limited to only information that is necessary and appropriate for Noyo’s legitimate business purposes.
2.3.2. Information Retention. Sensitive and Confidential Information must be kept only as long as needed or as necessary to comply with regulatory, contractual, professional, or ethical obligations or for such statutory periods as may warrant retention to protect and defend Noyo or its customers or partners. Appropriate retention periods must be followed in accordance with the Noyo Retention Policy.
2.3.3. Information Destruction. Subject to any applicable legal holds, Sensitive and Confidential Information must be properly destroyed when no longer needed. Resources containing Sensitive and Confidential Information must be properly destroyed or disposed of when no longer needed or subject to legal hold. Data destruction guidelines ensuring proper disposal must be implemented.
2.4 Information Recovery and Restoration
Sensitive and Confidential Information must routinely be backed up and properly stored to allow access to information needed to continue business operations in the event of equipment failure or disaster. Offsite storage must be considered and is required for any data that could result in material, severe, or catastrophic harm or impact to Noyo, any data subjects, customers or partners, or relying parties if the data were to become unavailable. Backup mechanisms must be tested regularly. As appropriate, Resources and Systems shall be implemented with redundancy sufficient to ensure appropriate availability and maintain organizational requirements. Noyo will establish and maintain appropriate policies and procedures designed to enable the back-up, retrieval, and continuation of Noyo’s access to Sensitive and Confidential Information, as well as policies and procedures for responding to an emergency or other occurrence that damages systems collecting, processing, or storing Sensitive or Confidential Information.
3.0 Physical Security and Safeguards
3.1 Access Controls
Physical access to Sensitive or Confidential Information must be limited to Personnel for whom access is appropriate. Areas containing, or enabling access to, Resources containing Sensitive Information must be segregated from areas open to the general public and limited to information technology Personnel and to those Personnel with a need-to-know and/or a need to use and access such information. In addition, such areas must be monitored by reasonable surveillance under the circumstances, and any unauthorized individuals who must visit such areas must be escorted by authorized and appropriate Personnel to ensure that Sensitive or Confidential Information is not accessed. Procedures designed for working in secure areas shall be designed on a case-by-case basis and applied to all personnel with access.
3.2 Access Points
Access points such as reception, delivery, and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, where possible, isolated from activities involving the processing of Sensitive and Confidential information.
3.3 Protection from Theft or Unauthorized Use
Information Resources that contain Confidential or Sensitive Information must be physically safeguarded to prevent theft or unauthorized access or use. Equipment must not be left unattended, and unattended desks and screens must be kept clear of Confidential and Sensitive Information. Physical documents, records, and files containing Confidential or Sensitive Information must be kept in locked facilities. Physical documents, records, and files containing Sensitive Information must also be kept in locked storage areas, containers, files or drawers. Access to or copies of keys for storage areas, containers, files or drawers containing physical documents and files containing Confidential or Sensitive Information must be limited to authorized personnel. Such keys must also be physically safeguarded to prevent theft or unauthorized access or use.
3.4 Protection from Environmental Threats
Resources must be protected from physical and environmental threats.
3.5 Equipment Safeguards
Appropriate steps must be taken with all Resources to protect against loss, damage, theft, or compromise, including, but not limited to, protection against power failure, interception or interference with telecommunications cabling, and removal of Resources from Noyo premises.
3.6 Physical Disposal or Destruction
Documents and files containing Sensitive or Confidential Information must be placed in locked destruction (shred and/or burn) bins for disposal. Recycling bins must not be used for disposal of Sensitive or Confidential Information.
4.0 Technical Security and Safeguards
4.1 Access Controls
Electronic access to Sensitive or Confidential Information will be limited to Personnel that need access. Each Personnel granted access must be given their own unique user ID and password. Strong authentication protocols must be used to control user IDs and other identifiers and to limit access to active Personnel accounts and active Personnel with authorized and appropriate access privileges. For example, access to Sensitive or Confidential Information, including whether such access is “read only”, must be controlled and documented by Noyo in a manner that takes into account job title, roles, and function of the owner of the user ID. Users shall only be provided with access to the Systems and Resources for which they have been specifically authorized and have a corresponding need-to-know and/or need-to-use. Access controls must be maintained by the applicable Noyo Resource and/or System owner and reviewed at regular intervals to ensure that allocation of access is appropriately restricted. Access to Sensitive or Confidential information must be terminated immediately upon termination of the corresponding need (e.g., if an employee leaves or is terminated from Noyo or leaves the position for another where access to such Information is not required). Processes must be established to ensure that redundant access controls are not issued to users.
4.1.1 Passwords and Credentials. Password guidelines, user ID guidelines, and remote access guidelines to help prevent unauthorized access to Sensitive or Confidential Information will be implemented and maintained. Unique identifications plus passwords or other credentialing technologies reasonably designed to maintain the integrity of the security of the access controls will be assigned to each person with access to the System. A reasonably secure method of assigning and selecting passwords or use of credentialing technologies will be implemented and maintained. For example, users must be required to change any issued passwords upon first accessing their unique user ID and all users must be required to update their passwords at regular and appropriate intervals. Vendor-supplied default identifications and passwords will not be used. Passwords and other credential technologies must be kept in a location and/or format that does not compromise the security of the data they protect. Noyo will design password and credential-protected systems to block access after multiple unsuccessful attempts to gain access or such other reasonable limitation placed on access for the particular system.
4.1.2 Production Environments. Appropriate steps shall be taken to segregate development, testing, and production environments for all Systems. Development and testing environments should not use Sensitive or Confidential Information unless necessary for the System to function and only if in compliance with the applicable security policies.
4.1.3 Information and Resource Segregation. Appropriate steps shall be taken to logically segregate Noyo’s Confidential or Sensitive Information from other data sources. Appropriate steps shall be taken to segregate groups of information services, users, and information systems on Systems. As appropriate, systems that house Confidential or Sensitive Information must be segregated from other systems, particularly those that are publicly accessible or subject to lower access controls.
4.2 Electronic Safeguards
Resources and Systems that contain Sensitive or Confidential Information must be technically safeguarded to prevent, detect, and remove any security threats to Systems, Resources, and Sensitive and Confidential Information.
4.2.1 Encryption. Encryption must be used when Sensitive Information is at rest or in transit within or into or out of Systems or when stored on any portable device or media. Cryptographic keys and passwords must be stored securely and separately from the encrypted Information and disclosed only to those individuals with a need to access or maintain the underlying information. Encryption must be maintained in compliance with all applicable contractual commitments, legislation, and regulation. Noyo shall have internal policies regulating the selection of cryptographic techniques, key management, and encryption and decryption procedures for any type of encryption utilized under this Policy.
4.2.2 Firewall Protection and Patches. Reasonably up-to-date firewall protection and operating system security patches reasonably designed to maintain the confidentiality and integrity of personal information must be implemented and maintained to protect files containing Sensitive and Confidential information on any parts of the System connected to the Internet. Systems and Resources must be segregated as appropriate to minimize security risks. Reasonable measures must be employed to restrict the installation of insecure software on Resources.
4.2.3 Security Software. Reasonably up-to-date versions of system security agent software (which include malware detection and protection and reasonably up-to-date patches and virus definitions, or versions of such software that can still be supported with up-to-date patches and virus and malware definitions, and is set to receive the most current security updates on a regular basis) must be implemented and maintained on all Resources.
4.2.4 Resource Monitoring. Reasonable logs and audit trails for tracking authorized and unauthorized access to, use of, or changes to, Systems and Resources which store, process, or enable access to Sensitive or Confidential Information must be implemented and maintained (e.g., a record of the unique user IDs used to access any internal computer servers or systems). Appropriate logs and audit trails must account for user activities, exceptions, faults, and security events and must be protected against unauthorized access and tampering. Information about specific technical vulnerabilities that affect Resources and Systems shall be regularly researched and maintained. Noyo will implement and maintain a process for receiving and reviewing internally and externally reported security vulnerabilities. Applicable vulnerabilities must be evaluated and mitigated to address associated risks.
4.2.5 Remote Access. Any Sensitive or Confidential Information passing over public or third-party networks shall be protected from unauthorized disclosure and modification using reasonable security measures including, as appropriate, encryption. Sensitive Information passing over public or third-party networks or transmitted wirelessly must be encrypted. For shared networks, especially those extending across Noyo’s network boundaries, the capability of individual users to connect to the network shall be restricted in line with appropriate access controls. Virtual desktop access shall prevent processing and storage of information on privately owned equipment.
4.2.6 Mobile and Personal Devices. When using mobile or personal devices, special care must be taken to ensure the Confidential and Sensitive Information is not compromised. Unencrypted Sensitive Data shall never be stored on an unencrypted mobile or portable device. Personnel shall be required to register mobile and personal devices with access to Confidential or Sensitive Information. Mobile and personal devices will be required to employ security measures designed to (a) restrict the installation of insecure software capable of accessing the Information, System, or the Resources, (b) require that the latest security and operating system software updates be installed, (c) restrict connection to Resources, (d) establish passcode and device access requirements, (e) mandate cryptographic controls and remote deletion, and (f) create secure backups. Personnel using mobile or personal devices shall undergo training designed to encourage physical and electronic security practices.
4.2.7 Removable Media. Confidential or Sensitive Information is prohibited from storage on removable media (e.g., USB or flash drives, portable back-up drives, CD-ROM, DVD, SD card, etc.). If required by applicable Noyo customer or partner agreements, responsible personnel must be notified of any requirements related to storage of Confidential or Sensitive Information on removable media. Removable media shall be disposed of securely when no longer required and appropriate steps must be taken to ensure that any data previously stored on the media is no longer recoverable.
5.0 Administrative Safeguards
Noyo’s Resources that contain Sensitive or Confidential Information must be administratively safeguarded to prevent theft or unauthorized access or use.
5.1 Policy, Standards and Guidelines
Information security standards and guidelines that describe proper use, handling, and safeguarding of Systems and Resources will apply to all collection, use, retention, transmission, and disposal of Sensitive and Confidential Information. This Policy and any such corresponding information security standards and guidelines will be updated from time to time as needed to reflect changes in the law, technology, security threats, environmental or operational changes, and business operations. This Policy will be reviewed at planned intervals to ensure its sustainability, adequacy, and effectiveness.
5.2 Human Resources
5.2.1 Background Screening. Adequate background screening must be used for all Personnel with access to Systems, Resources, and any Sensitive or Confidential Information. Background screening must be conducted in accordance with relevant laws, regulations, and ethics and shall be proportional to the applicable business requirements, classification of Sensitive or Confidential Information available for access by the applicable employee, and corresponding assessed risks.
5.2.2 Contractual Requirements. Employees will be required to agree to this Policy as a part of their contractual agreement with Noyo.
5.2.3 Training. This Policy must be made available to Personnel and appropriately communicated in a manner that articulates the purposes of the Policy and the consequences of not complying. Employees will be educated and trained to comply with this Policy and any information security standards and guidelines and in the proper use and safeguarding of Systems and Resources and the collection, handling and disposal of Sensitive and Confidential information. Personnel with information security responsibilities assigned under this Policy must be evaluated for competence to ensure they have appropriate education, training, and experience.
5.2.4 Compliance. Employee compliance with the Policy will be enforced using appropriate disciplinary measures up to and including termination of employment.
5.2.5 Termination of Access. Employee access to Noyo’s Systems and Resources must be terminated immediately when employment with Noyo ceases or when access to certain Systems or Resources is no longer necessary as part of the employee’s role and responsibility.
5.3 Internal Development
Any internal or contracted development of software and systems must be subject to rules for secure development and appropriate formal change control procedures. Applicable rules must take into account any adverse impact that might result to organizational operations and security and must be documented, maintained, and applied to any applicable development. Appropriate testing of Resources and Systems must be conducted in accordance with such rules.
5.4 Vendor Security
Appropriate and reasonable steps must be taken to select and retain Vendors that are capable of maintaining appropriate security measures to protect such personal information consistent with these security policies and any applicable industry standards, laws or contractual requirements. Vendors with access to Sensitive or Confidential Information must be contractually required to implement and maintain adequate and appropriate measures to protect Systems, Resources, and any Sensitive and Confidential information they control, handle, process, or transfer and to notify Noyo in the event of a breach or suspected breach. Vendor performance shall be monitored to ensure compliance with these requirements. Any new acquisitions of technology or technological services, together with enhancements to existing resources, shall be appropriately analyzed and vetted by specifically designated personnel. Corresponding requirements must be developed, documented, and communicated to the applicable vendor. To the extent that vendors are provided access to Systems and Resources, access controls and security precautions shall be employed consistent with the requirements in this Policy.
5.5 Security Assessment
Regular assessments must be conducted to identify and evaluate internal and external risks to the security, confidentiality, integrity and/or availability of any Sensitive or Confidential Information and to evaluate and improve, where necessary, the effectiveness of Noyo’s safeguards for limiting such risks, including:
(1) Ongoing employee (including temporary and contract employee) training;
(2) Employee compliance with policies and procedures; and
(3) Means for detecting and preventing security system failures.
Such an assessment will be conducted and documented at least annually under the direction and analysis of the CSO using methodology that ensures reproducible results that measure the conformance of security practices to this Policy. Each assessment shall take into account risk criteria specific to Noyo and the Confidential and Sensitive Information it holds. Any nonconformities shall be documented with clear steps for remediation and new methods of monitoring compliance assigned to the specific Personnel responsible for mitigating such risk. As applicable, designations must be provided that indicate the consequences and likelihood of a given risk. Mitigation of nonconformities must be prioritized for remediation accordingly and carried out by designated Personnel according to the documented steps for remediation.
5.6 Security Testing and Monitoring
Regular testing and monitoring, including through the collection and analysis of electronic logs as appropriate, must be conducted to ensure that Noyo’s information security program is operating in a manner reasonably designed to prevent unauthorized access to or unauthorized use of Sensitive and Confidential Information. Upgrades and improvements to information safeguards will be made as necessary to limit risks. The scope of security measures will be reviewed at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information. Vendors shall be regularly monitored and audited to ensure compliance with their security obligations.
5.7 Information Security Incident Management
A detailed Incident Response Plan will be implemented, maintained, and reviewed on a regular basis. Incident response team members must document responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices, including if appropriate to this Policy and related policies and guidelines, relating to protection of Sensitive Information and Confidential Information.
All documentation prepared pursuant to this Policy must be appropriately identified using version control and available for review and approval for suitability and adequacy and for use when needed. All documentation must be retained as necessary and required by applicable law, regulation, and professional obligations. All documentation must be adequately protected, and access must be limited to those with a strict need to know.