Security Policy

Introduction

This document summarizes the security policies of Theosys for its customers and users. Theosys may update this information as needed and without notice. For questions regarding information security, please contact pport@Theosys.com

Scope

Everyone at Theosys must comply with the information security policies found in this and related information security documents. This policy applies to all computer systems, network systems, websites, and information products owned or administered by Theosys, regardless of operating system, system size, or application.

Purpose

Theosys is critically dependent on information and information systems. The good reputation that Theosys enjoys is directly linked to the way it manages both information and information systems. Public disclosure of private data would harm our reputation and impair our ability to retain customers and win new business. For these and other important business reasons, the executive team has initiated and continues to support an information security effort. To be effective, information security must be a team effort involving the participation and support of everyone at Theosys who deals with information and information systems. This document describes ways to prevent and respond to a variety of threats to information and information systems, including unauthorized access, disclosure, duplication, modification, appropriation, destruction, loss, misuse, and denial of use.

Information Classification and Handling

Theosys information, and information that has been entrusted to Theosys, must be protected in a manner commensurate with its sensitivity and criticality. Theosys has adopted an information classification system that categorizes information into four groupings. All information under Theosys control, whether generated internally or externally, falls into one of these categories: Secret, Confidential, Internal Use Only, or Public. For purposes of this policy, "sensitive information" is information that falls into either the Secret or Confidential category.

Roles and Responsibilities

Guidance, direction, and authority for information security activities are centralized for all of Theosys in the Information Technology Team under the direction of the Vice President of Development. The Information Technology Team, in conjunction with and under the guidance of the executive team, is responsible for establishing and maintaining organization-wide information security policies, standards, guidelines, and procedures. Compliance checking, to ensure that departments operate in a manner consistent with these requirements, is the responsibility of each department head with the assistance of the Information Technology Team.

Information Access Control

Access to information in the possession of, or under the control of, Theosys must be granted on a need-to-know basis. Information must be disclosed only to people who have a legitimate business need for it. The privileges granted to all workers must be periodically reviewed by information Owners and Custodians to ensure that only those with a current need to know have access.

User IDs and Passwords

To implement the need-to-know principle, Theosys requires that each worker accessing a multi-user information system have a unique user ID and a private password. Users are prohibited from logging into any Theosys system or network anonymously. Users must choose passwords that are difficult to guess. Users must not construct passwords that are identical or substantially similar to passwords they have previously used, or that they currently use on systems not belonging to Theosys. Passwords must be changed every 90 days or at more frequent intervals. Whenever a worker suspects that a password has become known to another person or to an entity not sanctioned by Theosys, that password must be changed immediately. Passwords must not be stored in readable form in batch files, automatic logon scripts, software macros, terminal function keys, on computers without access control systems, or in any other location where unauthorized persons might discover them. Passwords must never be shared with or revealed to others. System administrators and other technical information systems staff must never ask a worker to reveal his or her personal password.

Release of Information to Third Parties

Unless it has been specifically designated as Public, all Theosys internal information must be protected from disclosure to third parties. Third parties may be given access to Theosys internal information only when a demonstrable need to know exists, when a Theosys non-disclosure agreement has been signed, and when the disclosure has been expressly authorized by the relevant Theosys information Owner.

Third-Party Requests for Theosys Information

Unless a worker has been authorized by the information Owner to make public disclosures, all requests for information about Theosys and its business must be referred to the Department Head. Such requests include questionnaires, surveys, and newspaper interviews. This policy does not apply to sales and marketing information about Theosys products and services, nor does it pertain to customer technical support calls. If a worker is to receive sensitive information from a third party on behalf of Theosys, the third party must first sign a non-disclosure agreement, a Theosys license agreement, or a purchase agreement containing a relevant release.

Physical Security

Access to every office, computer room, and other Theosys work area containing sensitive information must be physically restricted to those people with a need to know. All Theosys local area network servers and other secured multi-user systems containing sensitive information must be placed in locked cabinets, locked closets, or locked computer rooms.

Network Security

All Theosys computers, network equipment, and multi-user information systems that store sensitive information and that are permanently or intermittently connected to internal computer networks must have a password-based access control system approved by the Information Technology Team. Whether or not they are connected to a network, all stand-alone computers handling sensitive information must also employ an approved password-based access control system. Theosys workers must not use unsecured network connections to access sensitive information. Except in emergencies, all changes to Theosys computer networks must be approved in advance by the Information Technology Team. This process prevents unexpected changes from inadvertently causing denial of service, unauthorized disclosure of information, and other problems.

Internet and Electronic Mail

Sensitive information, including passwords and credit card numbers, must not be sent across the Internet unless it is encrypted. All personal computer users must keep current versions of approved virus screening software enabled on their computers. Theosys computers and networks must not run software that comes from sources other than Theosys departments, knowledgeable and trusted user groups, well-known systems security authorities, or established computer, network, or commercial software vendors. All computer and communications systems used for production processing must employ a documented change control process to ensure that only authorized changes are made. For multi-user computer and communications systems, a system administrator is responsible for making periodic backups. All backups containing critical or sensitive information must be stored at an approved off-site location with either physical access controls or encryption. A contingency plan must be prepared for every application that handles critical production information. It is the responsibility of the information Owner to ensure that this plan is adequately developed, regularly updated, and periodically tested.

User Rights and Expectations

Theosys management reserves the right to monitor, inspect, or search all Theosys information systems at any time. Because Theosys computers and networks are provided for business purposes, workers must have no expectation of privacy regarding the information they store in or send through these information systems. Theosys management retains the right to remove from its information systems any material it views, in its sole discretion, as offensive or potentially illegal. Incidents involving unapproved system hacking, password guessing, file decryption, unlicensed software copying, or similar unauthorized attempts to compromise security measures may be unlawful and will be considered serious violations of Theosys internal policy. All suspected policy violations must be reported immediately to the department head. All system intrusions, virus infestations, and other conditions that might jeopardize Theosys information or Theosys information systems must be reported immediately to the Information Technology Team. Theosys workers who deliberately or negligently violate this policy will be subject to disciplinary action up to and including termination.