Data Security Policy

Purpose

BRT must protect restricted, confidential or sensitive data from loss to avoid reputation damage and to avoid adversely impacting our customers. The protection of data in scope is a critical business requirement, yet flexibility to access data and work effectively is also critical. It is not anticipated that this technology control can effectively deal with the malicious theft scenario, or that it will reliably detect all data. The primary objectives here are user awareness and to avoid accidental loss scenarios. This policy outlines the requirements for data leakage prevention, a focus for the policy and a rationale.

With new technology (software or hardware) comes new potential for data security breaches. At BRT we take our information management very seriously.

Scope

1. Any employee, contractor or individual with access to systems or data.

2. Definition of data to be protected (the types of data, with examples, so that users can recognise it when they encounter it):

  • Personally identifiable information,
  • Financial information,
  • Restricted/Sensitive information,
  • Confidential information, and
  • Intellectual Property.

3. This data security policy refers only to the information in the care, custody and control of BRT. Such information consists of:

Client Information:

  • Name
  • Email address

Professional Information:

  • Name
  • Gender
  • Date of Birth
  • Year of Call or Commencement of Professional Practice
  • Profession
  • Professional License Number
  • Photo
  • Business Address
  • Contact Phone number
  • Languages Spoken
  • Hours Available
  • Payment Method

Client contact information is the ONLY information shared between BRT, the professional and the client.

NOTE: At no time does BRT come in contact with any confidential client information.

Safeguard Your Personal Information

Professionals are entrusted with protecting confidential client information. Most client information is available in electronic format for accessibility in and out of the office. Preventing client information from mysteriously disappearing is crucial to your professional practice.

BRT advises you to:

  • Protect your devices and networks by keeping them up to date:
    • use the latest supported versions,
    • use anti-virus software, and
    • scan your devices regularly to guard against known malware threats.
  • Use multi-factor authentication to reduce the impact of password compromises.
  • Handle phishing reports:
    • tell staff how to report suspected phishing emails,
    • ensure they feel comfortable doing so, and
    • investigate their reports promptly and thoroughly.
  • Set up a security monitoring capability so you are collecting the data that will be needed to analyse network intrusions.
  • Prevent and detect lateral movement in your organisation’s networks.

Data Security Policy

I. Overview

a. Purpose

BRT is entrusted with the responsibility to provide electronic services to connect professionals and the general public who do not provide us with confidential information.

Inherent in this responsibility is an obligation to provide appropriate protection against theft of data and malware threats, such as viruses and spyware applications.

The purpose of this policy is to establish standards for the base configuration of equipment that is owned and/or operated by BRT, or equipment that accesses BRT’s internal systems. Effective implementation of this policy will minimize unauthorized access to proprietary information and technology and protect confidential client information.

b. Scope

This policy applies to equipment owned and/or operated by BRT, and to employees connecting to any BRT-owned network domain.

II. Network/Server Security

a. Server Configuration Guidelines

  1. The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.
  2. Servers should be physically located in an access-controlled environment.
  3. Servers are specifically prohibited from being operated from uncontrolled cubicle areas.

b. Security-related Events

Security-related events will be reported to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:

  1. Port-scan attacks
  2. Evidence of unauthorized access to privileged accounts
  3. Anomalous occurrences that are not related to specific applications on the host.

c. Router Security

  1. The enable password on the router must be kept in a secure encrypted form. The router must have the enable password set to the current production router password from the router’s support organization.
  2. Disallow the following:
    • IP directed broadcasts
    • Incoming packets at the router sourced from invalid addresses such as RFC 1918 addresses
    • TCP small services
    • UDP small services
    • All source routing
    • Web services running on the router
  3. Access rules are to be added as business needs arise.
  4. Each router must have the following statement posted in clear view: “UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device.”
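The router rules above are easy to state and easy to drift from. The following is an added example, not part of BRT’s policy or tooling, of a small compliance check that reads a router configuration and reports which of items 1, 2 and 4 are not enforced. It assumes Cisco IOS configuration syntax (the policy does not name a platform), and the sample configuration, the ACL name INBOUND-EDGE and the interface names are constructed for the example; the `enable secret` hash is a placeholder.

```python
import re

# Constructed sample running-config in Cisco IOS syntax (an assumption; the
# policy does not name BRT's router platform). One deliberate deviation is
# left in: the router's web server is still enabled.
SAMPLE_CONFIG = """\
service password-encryption
no service tcp-small-servers
no service udp-small-servers
enable secret 5 $1$PLACEHOLDER$notarealhash
no ip source-route
ip http server
banner motd ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have
explicit permission to access or configure this device.
^C
ip access-list extended INBOUND-EDGE
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit ip any any
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group INBOUND-EDGE in
 no ip directed-broadcast
"""

# Policy items 1 and 2: settings that must be present in the config.
REQUIRED = {
    "enable password stored as a hashed 'enable secret'": r"^enable secret ",
    "TCP small services disabled": r"^no service tcp-small-servers\b",
    "UDP small services disabled": r"^no service udp-small-servers\b",
    "source routing disabled": r"^no ip source-route\b",
}
# Settings whose presence violates policy item 1 or 2.
FORBIDDEN = {
    "legacy 'enable password' (reversible) in use": r"^enable password ",
    "web server running on the router": r"^ip http (secure-)?server\b",
    "directed broadcasts enabled on an interface": r"^\s+ip directed-broadcast\b",
}
# RFC 1918 ranges written as IOS wildcard masks; each needs an inbound deny.
RFC1918 = (
    "10.0.0.0 0.255.255.255",
    "172.16.0.0 0.15.255.255",
    "192.168.0.0 0.0.255.255",
)


def audit_config(config_text):
    """Return the list of policy deviations found in an IOS-style config."""
    lines = config_text.splitlines()
    findings = []
    for desc, pattern in REQUIRED.items():
        if not any(re.match(pattern, line) for line in lines):
            findings.append(f"missing: {desc}")
    for desc, pattern in FORBIDDEN.items():
        if any(re.match(pattern, line) for line in lines):
            findings.append(f"present: {desc}")
    for net in RFC1918:
        if not any(line.strip() == f"deny ip {net} any" for line in lines):
            findings.append(f"missing: inbound deny for RFC 1918 range {net}")
    # Policy item 4: the warning banner must exist and carry the required text.
    has_banner = any(re.match(r"^banner (motd|login) ", line) for line in lines)
    required_text = "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED"
    if not (has_banner and required_text in config_text):
        findings.append("missing: unauthorized-access warning banner")
    return findings


if __name__ == "__main__":
    # On the sample this prints the one deviation: the enabled web server.
    for finding in audit_config(SAMPLE_CONFIG) or ["config complies with the router policy"]:
        print(finding)
```

Run against a saved `show running-config`, the checker lists each policy item that is missing or violated; an empty list means the router matches items 1, 2 and 4. Item 3 (access rules added as business needs arise) is deliberately not checked, since it cannot be derived from the configuration alone.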

d. Server Malware Protection

1. Anti-Virus

All servers MUST have an anti-virus application installed that offers real-time scanning protection to files and applications running on the target system if they meet one or more of the following conditions:

  • Non-administrative users have remote access capability
  • The system is a file server
  • Share access is open to this server from systems used by non-administrative users
  • HTTP/FTP access is open from the Internet
  • Other “risky” protocols/applications are available to this system from the Internet at the discretion of the IT department.

2. Mail Server Anti-Virus

If the target system is a mail server it MUST have either an external or internal anti-virus scanning application that scans all mail destined to and from the mail server. Local anti-virus scanning applications MAY be disabled during backups if an external anti-virus application still scans inbound e-mails while the backup is being performed.

3. Anti-Spyware

All servers MUST have an anti-spyware application installed that offers real-time protection to the target system if they meet one or more of the following conditions:

  • Any system where non-technical or non-administrative users have remote access to the system and ANY outbound access is permitted to the Internet
  • Any system where non-technical or non-administrative users have the ability to install software on their own.

4. Notable Exceptions

Exceptions to above requirements may be deemed acceptable with proper documentation if one of the following notable conditions applies to this system:

  • The system is a SQL server
  • The system is used as a dedicated mail server
  • The system is not a Windows based platform.

e. Backup Procedures

  1. Daily Backups: Backup software shall be scheduled to run nightly to capture all data from the previous day.
    • Backup logs are to be reviewed to verify that the backup was successfully completed.
    • One responsible party should be available to supervise backups each day. If the designated backup specialist is not available, an alternative should be named to oversee the process.
  2. Backup data storage shall not be on BRT’s premises. In case of a disaster, backup tapes should be available for retrieval and not subject to destruction.
  3. Data on hard drives will be backed up daily, and mobile devices shall be brought in to be backed up on a weekly basis or as soon as practical if on an extended travel arrangement.
  4. Test the restoration process regularly and create written instructions so that data can be restored if IT personnel are not available when needed.

III. Workstation Security

a. Authorized Users

Appropriate measures must be taken when using workstations to ensure the confidentiality, integrity and availability of sensitive information and to restrict access to authorized users.

b. Safeguards

BRT will implement physical and technical safeguards for all workstations that access electronic confidential information to restrict access to authorized users. Appropriate measures include:

  1. Restricting physical access to workstations to only authorized personnel.
  2. Securing workstations (screen lock or logout) prior to leaving area to prevent unauthorized access.
  3. Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were left unsecured will be protected.
  4. Complying with all applicable password policies and procedures.
  5. Ensuring workstations are used for authorized business purposes only.
  6. Never installing unauthorized software on workstations.
  7. Storing all confidential information on network servers.
  8. Keeping food and drink away from workstations in order to avoid accidental spills.
  9. Securing laptops that contain sensitive information by using cable locks or locking laptops up in drawers or cabinets.
  10. Complying with the Portable Workstation Encryption policy.
  11. Complying with the Anti-Virus policy.
  12. Ensuring that monitors are positioned away from public view. If necessary, install privacy screen filters or other physical barriers to public viewing.
  13. Ensuring workstations are left on but logged off in order to facilitate after-hours updates. Exit running applications and close open documents.
  14. Ensuring that all workstations use a surge protector (not just a power strip) or a UPS (battery backup).
  15. If wireless network access is used, ensure access is secure by following the Wireless Access policy.

c. Software Installation

  1. Employees may not install software on BRT computing devices operated within the BRT network. Software requests must first be approved by the requester’s manager and then be made to the IT department in writing or via e-mail. Software must be selected from an approved software list, maintained by the IT department, unless no selection on the list meets the requester’s need. The IT department will obtain and track the licenses, test new software for conflict and compatibility, and perform the installation.
  2. This policy covers all computers, servers, and other computing devices operating within BRT’s network.

d. Malware Protection

Anti-Virus – All BRT computers must have BRT’s standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus pattern files must be kept up-to-date. Virus-infected computers must be removed from the network until they are verified as virus-free. Any activities with the intention to create and/or distribute malicious programs into BRT’s networks (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) are prohibited, in accordance with Section V: Acceptable Use.

IV. Password Security

a. Requirements

  1. All system-level passwords (Administrator, etc.) must be changed on a quarterly basis, at a minimum.
  2. All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months.
  3. All user-level and system-level passwords must conform to the standards described below.

b. Standards

All users at BRT should be aware of how to select strong passwords. Strong passwords have the following characteristics:

  1. Contain at least three of the five following character classes:
    • Lower case characters
    • Upper case characters
    • Numbers
    • Punctuation
    • “Special” characters (e.g. @#$%&*()_+|~-='{}[]:";'<>/ etc.)
  2. Contain at least eight to fifteen alphanumeric characters.
  3. The password is not a word found in a dictionary (English or foreign).
  4. The password is not a common usage word such as:
    • Computer terms and names, commands, sites, companies, hardware, software. Passwords should NEVER be “Password1” or any derivation.
    • The words “BRT” or “BeRightThere” or any derivation.
    • Names of family, pets, friends, co-workers, etc., birthdays and other personal information such as addresses and phone numbers.
    • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
    • Any of the above spelled backwards.
    • Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
  5. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase.
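The standards above can be enforced at the point where a password is set rather than left to user judgement. The following is an added example, not BRT’s own tooling, of a checker that applies rules 1 to 4: character classes, minimum length, dictionary words (including reversed and digit-padded forms), the forbidden BRT words, personal information supplied by the caller, and the repeated, keyboard and sequential patterns the policy lists. Assumptions: the minimum length is taken as eight (the policy’s “eight to fifteen” is read as a minimum, not a cap), the split between “punctuation” and “special” characters is the author’s choice since the policy’s two lists overlap, and the dictionary is a constructed six-word stand-in for a real word list.

```python
import re
import string

MIN_LENGTH = 8  # assumption: the policy's "at least eight" applied as a minimum

# Constructed mini word list standing in for a real dictionary (assumption:
# a deployment would load full English and foreign-language word lists).
DICTIONARY = {"secret", "welcome", "summer", "dragon", "letmein", "monkey"}
# Words the policy forbids outright, matched as substrings so derivations are caught.
FORBIDDEN = ("brt", "berightthere", "password")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
PUNCTUATION = set(".,;:!?'\"")                   # assumed split between the policy's
SPECIAL = set(string.punctuation) - PUNCTUATION  # "punctuation" and "special" classes


def character_classes(password):
    """Return the set of the policy's five character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in PUNCTUATION:
            classes.add("punctuation")
        elif ch in SPECIAL:
            classes.add("special")
    return classes


def normalise(password):
    """Lower-case, drop one leading/trailing digit (secret1, 1secret) and undo
    common letter-for-symbol substitutions so simple derivations are caught."""
    core = re.sub(r"^\d|\d$", "", password.lower())
    return core.translate(str.maketrans("01345@$!", "oleasasi"))


def has_pattern(password, window=4):
    """Detect repeats (aaabbb), keyboard walks (qwerty), sequences (zyxw, 1234)
    and mirrored strings (123321)."""
    low = password.lower()
    if re.search(r"(.)\1{2,}", low):
        return True
    if len(low) >= 6 and low == low[::-1]:
        return True
    for i in range(len(low) - window + 1):
        chunk = low[i:i + window]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(password, personal=()):
    """Return a list of policy violations; an empty list means the password passes.
    `personal` holds names, birthdays, phone numbers etc. that must not appear."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < 3:
        problems.append("uses fewer than three of the five character classes")
    core = normalise(password)
    for candidate in (core, core[::-1]):
        if candidate in DICTIONARY:
            problems.append(f"dictionary word ({candidate!r}), possibly reversed or with a digit added")
            break
    if any(word in core or word in core[::-1] for word in FORBIDDEN):
        problems.append("contains BRT, BeRightThere, Password or a derivation")
    low = password.lower()
    if any(item.lower() in low for item in personal if item):
        problems.append("contains personal information (name, date, address, phone)")
    if has_pattern(password):
        problems.append("contains a repeated, keyboard or sequential pattern")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1", "1terces", "Qwerty12!", "Joe&Me1Rbudz"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The policy’s own passphrase example, “Joe&Me1Rbudz”, passes every rule; “Password1”, “1terces” and “Qwerty12!” each fail for the reason the policy names. Rule 5 (memorability) is not something a checker can measure, so it is left to the user.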

c. Protective Measures

  1. Do not share BRT passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential BRT information.
  2. Passwords should never be written down or stored on-line without encryption.
  3. Do not reveal a password in email, chat, or other electronic communication.
  4. Do not speak about a password in front of others.
  5. Do not hint at the format of a password (e.g., “my family name”).
  6. Do not reveal a password on questionnaires or security forms.
  7. If someone demands a password, refer them to this document and direct them to the IT department.
  8. Always decline the use of the “Remember Password” feature of applications.

d. Passphrases

Access to the BRT Networks via remote access is to be controlled using either a one-time password authentication or a public/private key system with a strong passphrase.

  1. A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase: “Joe&Me1Rbudz”
  2. All of the rules above that apply to passwords apply to passphrases.

V. Acceptable Use

a. General Use and Ownership

  1. While BRT’s network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of BRT.
  2. Any information that users consider sensitive or vulnerable should be encrypted.
  3. For security and network maintenance purposes, authorized individuals within BRT may monitor equipment, systems and network traffic at any time.

b. Security and Proprietary Information

  1. The user interface for information contained on BRT’s systems should be classified as either confidential or not confidential, as defined by corporate confidentiality guidelines. Employees should take all necessary steps to prevent unauthorized access to this information.
  2. Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. System level passwords should be changed quarterly, user level passwords should be changed every six months.
  3. All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off when unattended.
  4. All PCs, laptops and workstations used by the employee that are connected to the BRT network, whether owned by the employee or BRT, shall be continually executing approved virus-scanning software with a current virus database unless overridden by departmental or group policy.
  5. Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.

c. Unacceptable Use

The following activities are, in general, prohibited. The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use:

  1. Under no circumstances is an employee of BRT authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing BRT owned resources.
  2. Violations of the rights of any person or Firm protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by BRT.
  3. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which BRT or the end user does not have an active license is strictly prohibited.
  4. Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
  5. Introduction of malicious programs into the network or server (e.g., viruses, worms, trojan horses, e-mail bombs, etc.).
  6. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
  7. Using a BRT computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
  8. Making fraudulent offers of products, items, or services originating from any BRT account.
  9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
  10. Port scanning or security scanning is expressly prohibited unless prior notification to the IT department is made.
  11. Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duty.
  12. Circumventing user authentication or security of any host, network or account.
  13. Interfering with or denying service to any user other than the employee’s host (for example, denial of service attack).
  14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s terminal session, via any means, locally or via the Internet.
  15. Providing information about, or lists of, BRT employees to parties outside BRT.

d. Wireless Access

  1. BRT Device Requirements – All wireless devices that reside at a BRT site and connect to a BRT network must:
    • Be installed, supported, and maintained by the IT department.
    • Use BRT approved authentication protocols and infrastructure.
    • Use BRT approved encryption protocols.
    • Maintain a hardware address (MAC address) that can be registered and tracked.
  2. Home Wireless Device Requirements
    • Wireless devices that provide direct access to the BRT corporate network must conform to the security protocols as detailed for BRT wireless devices.
    • Wireless devices that fail to conform to security protocols must be installed in a manner that prohibits direct access to the BRT corporate network. Access to the BRT corporate network through this device must use standard remote access authentication.

VI. Encryption

a. Standards

Proven, standard algorithms should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. Key lengths must be at least 128 bits. BRT’s key length requirements will be reviewed annually and upgraded as technology allows.

b. Mobile Device Encryption

  1. Scope – All mobile devices containing stored data owned by BRT must use an approved method of encryption to protect data at rest. Mobile devices are defined to include laptops, tablets, and smartphones.
  2. Laptops – Laptops must employ full disk encryption with an approved software encryption package. No BRT data may exist on a laptop in cleartext.
  3. Tablets and smartphones – Any BRT data stored on a smartphone or tablet must be saved to an encrypted file system using BRT-approved software. BRT shall also employ remote wipe technology to remotely disable and delete any data stored on a BRT tablet or smartphone which is reported lost or stolen.
  4. Keys – All keys used for encryption and decryption must meet complexity requirements described in Section IV: Password Security.

VII. Email

a. Prohibited Use

The BRT e-mail system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any e-mails with this content from any BRT employee should report the matter to their supervisor immediately. The following activities are strictly prohibited, with no exceptions:

  1. Sending unsolicited e-mail messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material (e-mail spam).
  2. Any form of harassment via e-mail, telephone or paging, whether through language, frequency, or size of messages.
  3. Unauthorized use, or forging, of e-mail header information.
  4. Solicitation of e-mail for any other e-mail address, other than that of the poster’s account, with the intent to harass or to collect replies.
  5. Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.
  6. Use of unsolicited e-mail originating from within BRT’s networks or other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by BRT or connected via BRT’s network.
  7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).

b. Personal Use

Using a reasonable amount of BRT resources for personal e-mails is acceptable, but non-work-related e-mail shall be saved in a separate folder from work-related e-mail. Sending chain letters or joke e-mails from a BRT e-mail account is prohibited. Virus or other malware warnings and mass mailings from BRT shall be approved by the BRT IT department before sending. These restrictions also apply to the forwarding of mail received by a BRT employee.

c. E-mail Retention

  1. Administrative Correspondence – BRT Administrative Correspondence includes, though is not limited to, clarification of established Firm policy, including holidays, time card information, dress code, work place behavior and any legal issues such as intellectual property violations. All e-mail with the information sensitivity label Management Only shall be treated as Administrative Correspondence. BRT Administration is responsible for e-mail retention of Administrative Correspondence.
  2. Fiscal Correspondence – BRT Fiscal Correspondence is all information related to revenue and expense for the Firm. BRT bookkeeper is responsible for all fiscal correspondence.
  3. General Correspondence – BRT General Correspondence covers information that relates to customer interaction and the operational decisions of the business. BRT is responsible for e-mail retention of General Correspondence.
  4. Ephemeral Correspondence – BRT Ephemeral Correspondence is by far the largest category and includes personal e-mail, requests for recommendations or review, e-mail related to product development, updates and status reports.
  5. Encrypted Communications – BRT encrypted communications should be stored in a manner that protects the confidentiality of the information, but in general, information should be stored in a decrypted format.
  6. Recovering Deleted E-mail via backup Media – BRT maintains backups from the e-mail server and once a quarter a set of backups is taken out of the rotation and they are moved offsite. No effort will be made to remove e-mail from the offsite backups.

d. Monitoring

BRT employees shall have no expectation of privacy in anything they store, send or receive on the Firm’s e-mail system. BRT may monitor messages without prior notice. BRT is not obliged to monitor e-mail messages.

VIII. Metadata

a. Definition

When you create and edit your documents, information about you and the edits you make is automatically created and hidden within the document file. Metadata can often be sensitive or confidential information, and can be potentially damaging or embarrassing. On its Web site, Microsoft indicates that the following metadata may be stored in documents created in all versions of Word, Excel and PowerPoint:

  1. your name and initials (or those of the person who created the file)
  2. the name of your computer
  3. your firm or organization name
  4. the name and type of the printer you printed the document on
  5. document revisions, including deleted text that is no longer visible on the screen
  6. document versions
  7. information about any template used to create the file
  8. hidden text
  9. comments

b. Removing Metadata

  1. Microsoft
    • Disable “allow fast saves” feature.
    • Run “Inspect Document” and remove the flagged items. The location of “Inspect Document” varies by software version; in 2020 it is located under File->Info->Check for Issues.
    • Third party software will help identify and clean metadata from your documents if it is necessary to send documents in native format. Verify appropriate software with the IT department.
  2. WordPerfect
    • Uncheck “Save Undo/Redo items with document”. When left enabled, this option can allow a recipient to view hundreds of past changes: what text was cut, copied and even deleted from the document.
    • There is no software program that easily and automatically removes metadata from WordPerfect documents.
  3. Converting to PDF
    • Converting files to PDF format with Adobe Acrobat or other PDF creators will usually strip out most metadata.
    • In Acrobat, select File, then Document Properties to view the summary metadata information within a PDF file. Add further restrictions on how the document can be accessed, used, copied and printed in the Security Options settings as needed.
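To show what “Inspect Document” is looking at, and what a scrubbing step actually changes, here is an added example (not part of BRT’s policy or any Microsoft tool) that reads and strips the identifying metadata of an Office Open XML file. A modern .docx, .xlsx or .pptx is a zip archive, and the author, last editor, company and template that the definition section lists live in two XML parts, docProps/core.xml and docProps/app.xml. The sample document is constructed in memory with sample names; the list of elements to remove is this example’s own choice, not Microsoft’s inspector list.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by the two metadata parts inside a .docx/.xlsx/.pptx.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for prefix, uri in NS.items():
    # app.xml uses its namespace as the default (no prefix), so keep it that way on output.
    ET.register_namespace("" if prefix == "ep" else prefix, uri)

# Elements to strip: author and editor names, organisation, template (this
# example's choice, covering items 1, 3 and 7 of the policy's metadata list).
SCRUB = {
    "docProps/core.xml": ("dc:creator", "cp:lastModifiedBy"),
    "docProps/app.xml": ("ep:Company", "ep:Manager", "ep:Template"),
}

# Constructed metadata parts standing in for those Word writes (sample values only).
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">
  <dc:title>Engagement letter</dc:title>
  <dc:creator>Jane Example</dc:creator>
  <cp:lastModifiedBy>J. Example (EXAMPLE-LAPTOP)</cp:lastModifiedBy>
  <cp:revision>12</cp:revision>
</cp:coreProperties>""".format(**NS)
APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{ep}">
  <Application>Microsoft Office Word</Application>
  <Company>Example Firm LLP</Company>
  <Template>Normal.dotm</Template>
</Properties>""".format(**NS)


def build_sample_docx():
    """Build a minimal .docx-shaped zip archive (constructed, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def read_metadata(docx_bytes):
    """Return {field: value} for every populated element in the two metadata parts."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in SCRUB:
            if part not in z.namelist():
                continue
            for el in ET.fromstring(z.read(part)).iter():
                if el.text and el.text.strip():
                    found[el.tag.rsplit("}", 1)[-1]] = el.text.strip()
    return found


def scrub_metadata(docx_bytes):
    """Return a copy of the archive with the identifying elements removed;
    every other part (the document body included) is copied unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in SCRUB:
                root = ET.fromstring(data)
                for path in SCRUB[info.filename]:
                    for el in root.findall(path, NS):
                        root.remove(el)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", read_metadata(sample))
    print("after: ", read_metadata(scrub_metadata(sample)))
```

Pointing `read_metadata` at a real file (`open("report.docx", "rb").read()`) lists what a recipient could recover from the two properties parts; `scrub_metadata` removes the chosen fields while leaving the title, application name and document body in place. Tracked revisions, comments and hidden text (items 5, 8 and 9 of the list) live in the body parts, not in docProps, and still need “Inspect Document” or a conversion to PDF.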