Security Policy Document: Global Distributions, Inc.
The purpose of this document is to establish key security parameters and guidelines for Global Distributions, Inc. (GDI) in order to protect the interests of the company and its clients.
These policies apply to all operations managed by GDI, including interactions and interfaces with client companies that are managed by GDI. All communication networks, database systems, and servers full under the purview of this policy.
Definition of Sensitive Information
All information that could identify a client of GDI, monetary values of client goods or contracts, physical addresses of client goods or business locations, physical addresses of GDI company locations, any details of client-specific services rendered by GDI to clients, and any personally identifying information for any client or GDI personnel shall be considered sensitive information and treated as such. This designation applies to this policy document and to other documents, guidelines, and directives issued by GDI as they may be from time to time.
Rationale: This definition is necessary for simplifying further security policies and future guidelines. The definition of sensitive information is purposefully broad, as over-conclusion is far less problematic than under-inclusion.
3.1.2 Definition of GDI/GDI Client Personnel and Property
All movable items located on or within GDI buildings, grounds, and/or transportation vehicles (whether owned, leased, or contracted to GDI) as well as the buildings, grounds, and vehicles themselves shall be considered GDI property for the purposes of this document. All employees, contracted workers, and any other personnel with legitimate business-related tasks to perform on or with GDI property shall be considered GDI personnel for the purposes of this document. All physical items owned by GDI clients that GDI is in possession of, has contracted for possession of, is monitoring, or is in any other way connected to GDI services, shall be considered client property for the purposes of this document. All employees, contract workers, and other individuals with legitimate business tasks related to client property shall be considered GDI client personnel for the purposes of this document.
Rationale: This definition is necessary for simplifying, clarifying, and making explicit those properties and personnel included in this document's security policies.
3.1.3 Safety of Personnel and Property as Overriding Concerns
All GDI personnel are primarily tasked first with acting in a manner that ensures the safety of all personnel and other individuals, and second with acting in a manner that protects the property of GDI and GDI clients. No security policy in this document or any other shall supersede these primary tasks.
Rationale: Ensuring the security and safety of personnel and property must be central to overall security, as there are no company interests or security concerns without the personnel and property with which company operations are concerned.
3.1.4 General GDI Personnel Conduct
No GDI personnel shall engage in tasks, access information, or enter areas of GDI operation that are not directly pertinent to the performance of the tasks for which they are responsible and that they have been expressly authorized to perform. No deviations from this policy are allowed save in cases of emergency situations that cause threat to the safety of personnel or of GDI/GDI client property, and reviews shall be conducted following all such emergency exceptions.
Rationale: Limiting the scope of activities for all personnel to those they have been expressly authorized to perform limits the potential for security breaches, both purposeful and accidental, and also greatly simplifies and eases investigations carried out in the wake of potential security breaches.
3.2 INFORMATION SECURITY
3.2.1 Limitations on the Communication of Sensitive Information
No sensitive information shall be transmitted via any medium, including direct oral communication, without verifying the authorization of the receiving party(ies) to receive the sensitive information. Regular authorization verification of common GDI communication partners need not be obtained for every communication, so as to maintain practicality in daily operations, however all non-GDI communication partners must be verified on a per-communication basis.
Rationale: Ensuring authorization for the receipt of sensitive information will help to ensure that sensitive information does not reach those who do not have a proper and legitimate use for this information. Stringent verification procedures will also limit incorrect assumptions of a legitimate need to communicate sensitive information.
3.2.2 Communication of Sensitive Information Using Physical Media
Sensitive information stored on physical media, including directly-readable media (e.g. ink and paper) as well as information stored electronically on physical media (e.g. computer disks) shall be transported only in sealed GDI-provided envelopes marked "confidential." This policy applies to inter-office communications, communications between separate GDI departments, communications with GDI clients, and communications with such governmental agencies that might require such communication from time to time.
Rationale: Controlling the means by which physical media are transmitted will help to track the movement of sensitive information, and will greatly reduce the potential for accidental unauthorized access of sensitive information.
3.2.3 Communication of Sensitive Information Using Non-Physical Media
Sensitive information that is to be communicated via non-physical means, including emails, faxes, and all other means of electronic transmission shall be appropriately encrypted, and encryption shall be tested and ensured prior to the transmission of such information. This shall also include communication with electronic entities, as in the storage and retrieval of sensitive information from databases.
Rationale: Proper encryption and regular monitoring of encryption by all personnel involved in the communication of sensitive information will reduce individual instances of potential security breaches while also assisting in the rapid identification of system problems with encryption and the potential for unauthorized access.
3.2.4 Set-Up and Maintenance of Information Security Systems and Programs
Identified information technology specialists are tasked with developing, implementing, maintaining, and regularly testing encryption systems, password locks, and other systems meant to prevent unauthorized access to sensitive information and to prevent any accidental release of sensitive information.
Rationale: Identifying and directly tasking specific personnel to not only develop but also maintain the working order of security systems clarifies the role that these specialists play in a system in which all are responsible for information security.
3.2.5 Maintenance of Password and Access Code Security
All GDI personnel are responsible for maintaining the security of any and all passwords or other access codes that enable access to sensitive information or to systems/programs/areas (both physical and computer-based) on/in which sensitive information is stored, through the regular changing of such passwords and access codes no less frequently than every 180 days, through refraining from the recording of these passwords and access codes in any media, and through refraining from communicating any personal codes for any circumstance.
Rationale: Password and access code violations are a major security problem in all industries and settings, and controlling this will greatly enhance information security.
3.2.6 Destruction of Communications Containing Sensitive Information
All communications sent or received that contain sensitive information shall be destroyed when they are no longer needed, provided that the information contained is first stored/verified to be stored in an appropriately controlled environment. Communications that must be kept for legitimate and authorized business purposes shall be properly encrypted (for electronic communications) or physically secured (for physical media) in a manner that ensures only authorized personnel will be able to access the communications and the sensitive information contained therein.
Rationale: The destruction and securing of communications that contain sensitive information limits the potential for unauthorized access of such information through carelessness and through willful security breaches.
3.3 PHYSICAL SECURITY
3.3.1 Security of GDI Grounds and Buildings
Access to all GDI grounds and buildings is limited to those GDI personnel whose specifically-assigned and authorized tasks require their presence in those specific buildings/grounds. All GDI personnel are tasked with the responsibility to immediately report any unauthorized presence on GDI grounds/property, and to monitor and report and suspicious activity by authorized GDI personnel.
Rationale: Tasking all GDI personnel with maintaining the security of GDI grounds and buildings decreases the risk of unauthorized access and/or activities, and will increase the speed with which such access/activity is responded to, limiting potential harm.
3.3.2 Security of Movable GDI and GDI Client Property
No GDI personnel shall move, touch, or in any way engage with GDI or GDI client movable property unless it is directly necessary for the completion of authorized duties. All GDI personnel are tasked with immediately reporting any unauthorized engagement with GDI and/or GDI client movable property.
Rationale: Again, limiting property engagement limits the potential for harm and tasking all personnel with monitoring duties increases the speed with which unauthorized engagement will be noticed and responded to, while also serving as a deterrent.
3.3.3 Security of GDI Transportation Vehicles
No GDI personnel shall enter, operate, or otherwise engage with any GDI transportation vehicle unless such engagement is necessary for the completion of specifically authorized tasks. All GDI personnel are tasked with immediately reporting any unauthorized engagement with GDI transportation vehicles.
Rationale: Not only is direct security of GDI/GDI client property better protected through limited access to transportation vehicles, but GDI's liability is greatly reduced by reducing those that have authorized access to transportation vehicles.