JPA / Johnston, Parker & Associates Inc.
JPA Information, Cybersecurity and Privacy
Unlike the European Union, the US has no single federal law regulating cybersecurity and privacy.
Several states have their own cybersecurity and data breach notification laws.
This poses a considerable challenge for organizations conducting business across all 50 states and worldwide. This page summarizes the compliance requirements of the federal US cybersecurity laws that apply to the Company.
GLBA: Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) is both an information security and a privacy law.
Applicability:
The law applies to financial institutions, but the definition is very broad and includes banks, insurance companies, securities firms, non-bank mortgage lenders, auto dealers, and tax preparers.
There is a Safeguards Rule and a Privacy Rule. The Safeguards Rule (16 CFR Part 314, issued under 15 USC §6801(b)) requires organizations to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.” (16 CFR §314.3(a))
Penalties and enforcement:
JPA Policy:
sign and return
2. JPA Information Security Policy
Policy Purpose
The purpose of the Information Security Policy is to protect sensitive, confidential and/or proprietary information belonging to consumers, clients and to the Company and to ensure compliance with our Gramm-Leach-Bliley Act (“GLBA”) and Red Flag Policies.
Applicability
The Policy applies to all individuals who have access to the Company’s information and resources.
Definitions
Non-Public Personal Information (NPPI) includes the following, whether contained in printed or electronic format:
- Bank account information
- Date of birth
- Bank account numbers, including checking, savings and trust accounts, loan accounts, medical savings accounts or any other account numbers held at a financial institution
- Certificate of citizenship
- Copies of passports
- Non-public phone numbers or phone records
- Credit card information, including: credit card number (in part or in whole), expiration date, cardholder name, address
- Payroll information, including: paychecks, pay stubs, pay rates
- Child support information
- Credit information, including copies of credit reports
- Driver's license number, or photocopies of a driver's license and/or abstract
- Taxpayer ID numbers, including: Social Security Number, Social Insurance Number, Business Identification Number, Employer Identification Number
- Unemployment information
- Medical information, including but not limited to: doctor name(s), medical claims, insurance claims, prescriptions, treatment(s) or diagnoses, and any related personal medical information
- Bankruptcy information
- Financial information, including bank balances, payment amounts, past due amounts, etc.
Procedures: Physical Documents
All documents containing Personally Identifiable Information or sensitive, confidential or proprietary information must be stored in a secure location on Company property, such as a securely locked drawer or cabinet. In accordance with the records retention policy, information no longer needed must be shredded by an authorized vendor or with an in-house approved shredding device.
Electronic Information
Password Policies
All Company electronic devices must be password protected. Company passwords must be single user, non-trivial, hard-to-guess, and non-repetitive passwords that have no direct relationship to the password user and/or creator.
Initial passwords will be unique and must require a password change upon first login.
Passwords used will be of sufficient complexity that they are not easily guessed. This includes the following characteristics:
- Passwords will use at least eight alphanumeric characters, forming a semi-pronounceable string where possible.
- Passwords must contain at least 3 of the following 4 character types: numbers, special characters, upper-case letters and lower-case letters.
- Passwords should not be obviously related to the user. This includes such items as spouse, children or pet names or nicknames, license numbers, or phone numbers.
Passwords will not be shared across multiple users, or across multiple computer systems.
Passwords will be changed periodically as determined by the password policy for each system--in general this will be every 60 days. On automated systems with the capability, users should receive prior notice that their password is about to expire so that they are provided ample opportunity to change their password.
Passwords will not be re-used for at least 1 year, regardless of the number of times a password is changed in that year.
Administrator passwords will not be shared.
Training in proper password selection, protection, and in administration password policies should be conducted with all new employees and reviewed annually as part of the Company’s annual Security Awareness Training.
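The password rules above (minimum length, 3 of 4 character types, no obvious relation to the user, no sharing, 60-day rotation with advance notice, and no reuse for a year regardless of how many changes occur) can be enforced mechanically rather than left to training alone. The following is an added example written for this page, not JPA's own tooling. It assumes things the policy does not state: that the password history is kept as salted PBKDF2-SHA256 digests with a timestamp, that "related to the user" is tested against a caller-supplied list of user attributes, and that "non-repetitive" means no run of three identical characters. The names `UserAccount`, `validate`, `set_password`, `needs_change` and `days_until_expiry` are illustrative.

```python
# Added example for this page (not JPA's own tooling): enforce the password rules
# stated in the policy above. Assumptions not in the policy text: history is stored
# as salted PBKDF2-SHA256 digests with a timestamp, "related to the user" is tested
# against caller-supplied attributes, "non-repetitive" = no run of 3 identical chars.
import hashlib
import hmac
import os
import re
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8                      # "at least eight ... characters"
MIN_CLASSES = 3                     # "at least 3 of the 4" character types
MAX_AGE = timedelta(days=60)        # "changed ... in general every 60 days"
REUSE_WINDOW = timedelta(days=365)  # "not re-used for at least 1 year"
PBKDF2_ROUNDS = 100_000             # assumption: work factor for stored history


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: datetime


@dataclass
class UserAccount:
    username: str
    attributes: List[str]          # names, nicknames, phone/license numbers
    history: List[PasswordRecord] = field(default_factory=list)
    must_change: bool = True       # initial password must be changed at first login


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _char_classes(password: str) -> int:
    """Count how many of the four classes (digit, upper, lower, special) appear."""
    tests = (str.isdigit, str.isupper, str.islower, lambda c: c in string.punctuation)
    return sum(any(test(c) for c in password) for test in tests)


def _normalize(text: str) -> str:
    """Lower-case and strip separators so 'John-Doe' is found inside 'johndoe1'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def validate(account: UserAccount, candidate: str, now: datetime) -> Tuple[bool, List[str]]:
    """Return (accepted, list of policy violations) for a proposed password."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _char_classes(candidate) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of 4 character types")
    if re.search(r"(.)\1\1", candidate):
        problems.append("repetitive (three identical characters in a row)")
    norm = _normalize(candidate)
    for attr in [account.username] + account.attributes:
        token = _normalize(attr)
        if len(token) >= 3 and token in norm:
            problems.append(f"related to the user ({attr!r})")
    # Reuse is time-based, not count-based: any password set within the last year
    # is off-limits however many changes happened in between, so walk the window.
    for rec in account.history:
        if now - rec.set_at < REUSE_WINDOW and hmac.compare_digest(_digest(candidate, rec.salt), rec.digest):
            problems.append("reused within the last year")
            break
    return (not problems, problems)


def set_password(account: UserAccount, candidate: str, now: datetime) -> List[str]:
    """Apply the policy; on success record the new password and return []."""
    ok, problems = validate(account, candidate, now)
    if ok:
        salt = os.urandom(16)
        account.history.append(PasswordRecord(salt, _digest(candidate, salt), now))
        account.must_change = False
    return problems


def needs_change(account: UserAccount, now: datetime) -> bool:
    """True at first login or once the current password is 60 days old."""
    if account.must_change or not account.history:
        return True
    return now - account.history[-1].set_at >= MAX_AGE


def days_until_expiry(account: UserAccount, now: datetime) -> Optional[int]:
    """Lead time for the 'password about to expire' notice; None if no password set."""
    if not account.history:
        return None
    return (account.history[-1].set_at + MAX_AGE - now).days
```

The history is kept indefinitely and filtered by date at check time, because the policy forbids reuse for a year "regardless of the number of times a password is changed"; a fixed-length "last N passwords" list would let a user cycle through N+1 passwords in an afternoon to get back to the old one. Storing only salted, iterated digests means the history file cannot be used to recover current or former passwords if it leaks.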
Company users will protect their passwords from any and all other individuals, and users should also respect this requirement of co-workers. This guideline includes the following:
• Disclosure of a Company user's password to any person other than the password’s owner is prohibited.
• A Company user should not enter his or her password if someone else is watching. Respect personal privacy zones.
• Company users should not watch any other Company user enter their password.
• Passwords will not be written down in any readable form, or programmed into any computer system or key for automatic login, recall, display or other use.
• Passwords created for training purposes will be unique, changed regularly, and restricted to access from systems designated as training resources.
• All training systems will have passwords. Training passwords will be activated only when training is in session.
Unattended User Equipment
• Company equipment will be kept in controlled Company spaces.
• Mobile devices will not be left unattended unless they are logged off and kept in a secure area such as a hotel room or home.
• Unattended systems will automatically lock after 10 minutes of no activity.
• Sessions will automatically terminate on systems that have not been accessed for 30 minutes or more.
• All Company laptops will use appropriate full disk encryption technology.
Firewalls
• A firewall shall be used to protect computers from attackers while connected to the Internet.
• The computer network shall have a “border” where it connects to the Internet. Access controls at the border shall be set to allow only trusted employees with an authorized business need to access the network.
• Additional firewalls shall be used to protect computers containing Personally Identifiable Information.
• Firewall rules shall be reviewed periodically.
Laptop Security
• Laptop use is restricted to employees who need them to perform their job responsibilities.
• Laptops shall be stored in a secured area.
• Authorized laptop users will have access to Personally Identifiable Information but shall not store such information on laptops.
• Laptops containing Personally Identifiable Information shall be encrypted and configured so users cannot download software or change security settings without approval from the Company’s IT specialist(s).
• Laptops shall be configured with an “auto-destroy” (remote wipe) function so that data on a computer that is reported stolen will be destroyed the next time the computer is used to access the Internet.
• Employees must not leave a laptop visible in an automobile, residence or hotel luggage stand, or in “checked” luggage at an airport unless directed to do so by airport security.
• If a laptop must be left in a vehicle, it must be locked in the trunk.
Remote Access (Computers & Laptops)
This policy applies to all Company employees, contractors and vendors that are required to connect to the Company network from outside sources.
Any outside access to all or any part of the Company networks is to be done through secure, hardened and verified electronic equipment. Secure equipment is limited to computers, laptops, and mobile devices that meet the following requirements:
• Updated and current Anti-virus software.
• Locally installed firewall software.
• Remote management software.
• Updated OS and application patches.
• Authorized VPN or Citrix client software.
• RSA SecurID two factor authentication.
Storing or printing Company or Client information from remote devices is strictly prohibited.
Mobile Device Management solutions must be configured to meet and enforce the documented MDM Baseline standard as a minimum.
It is the responsibility of Company employees, contractors and vendors with remote access privileges to the Company’s network to ensure that their remote access connection is given the same consideration as the user's on-site connection to the Company.
General access to the Internet for recreational use by employees and their immediate household members on firm-provided computers is not permitted.
Employees, contractors and vendors with remote access privileges to the Company’s network bear all responsibility for the consequences should the access be found to be misused.
Sharing passwords, access codes or any other identification for purposes of gaining access to the Company network is strictly prohibited.
Company employees and contractors with remote access privileges must ensure that their Company-owned computer, laptop, or other mobile device, while remotely connected to the Company’s network, is not connected to any other network at the same time (split tunneling or dual homing), unless that other network is under complete control and the same security guidelines are applied and monitored.
Home wireless networks must use acceptable security measures, including WPA2 (or WPA3) encryption and access lists; the original WPA/TKIP is deprecated and does not meet this requirement. These home networks are the sole personal responsibility of the owner and will not be supported by the Company.
Company employees and contractors with remote access privileges to the Company’s network must not use non-Company email accounts (e.g., Hotmail, Gmail, Yahoo, AOL, Blackberry Internet Service) or other external resources to conduct Company business, so that private data is not shared across public networks and official business is never confused with personal business.
Static entry of a user ID and/or password to permit mobile device synchronization is explicitly prohibited.
Reconfiguration of provided equipment is strictly prohibited.
Non-standard hardware configurations must be reviewed and approved by security and network managers prior to connection to any and all parts of the Company’s network.
Activation of services must be an active process. Automated discovery processes that search for and connect to available Wi-Fi access points must be turned off; use of Wi-Fi services must be a deliberate user action.
Remote Access (iPhones, PDA’s & Smartphones)
Portable communications devices have become an essential part of business operations. The following guidelines apply:
• Only Company-owned devices will be permitted to connect to the network.
• Use of Blackberry Internet Service or any other external provider where an email or network user ID and password are statically entered into the setup is strictly prohibited.
• Communication paths must be secured and/or encrypted using a minimum of 128-bit encryption.
• Personal devices will not be tethered to Company computers or laptops for sharing/synchronizing Outlook information.
2021 Additional Information