Security Policies

Sath Data Security Policies Summary

Revised: Nov 1 2017

Summary

Sath Data Security Policies (SDSP) is a collection of documents that outlines the specific requirements and rules that must be met to ensure the Confidentiality, Integrity and Availability of all data and services under Sath control.

Details of each section are available to our customers upon request.

Acceptable Use Policy

Defines acceptable use of equipment and computing services, and the appropriate employee security measures to protect the organization’s corporate resources and proprietary information.

Acceptable Encryption Policy

Outlines the requirements governing which encryption algorithms (i.e., those that have received substantial public review and have been proven to work effectively) are acceptable for use within the enterprise.

Clean Desk Policy

Defines the minimum requirements for maintaining a “clean desk” – where sensitive/critical information about our employees, our intellectual property, our customers and our vendors is secure in locked areas and out of sight.

Disaster Recovery Plan Policy

Defines the requirement for a baseline disaster recovery plan to be developed and implemented by the company, which describes the process to recover IT Systems, Applications and Data from any type of disaster that causes a major outage.

Data Breach Response Policy

Defines the goals and the vision for the breach response process. This policy defines to whom it applies and under what circumstances, and it will include the definition of a breach, staff roles and responsibilities, standards and metrics (e.g., to enable prioritization of the incidents), as well as reporting, remediation, and feedback mechanisms.

Digital Signature Acceptance Policy

Defines the requirements for when a digital signature is considered an accepted means of validating the identity of a signer in electronic documents and correspondence, and thus a substitute for traditional “wet” signatures, within the organization.

Email Policy

Defines the requirements for proper use of the company email system and makes users aware of what is considered acceptable and unacceptable use of that system.

Ethics Policy

Defines the guidelines and expectations of individuals within the company to demonstrate fair business practices and encourage a culture of openness and trust.

Pandemic Response Planning Policy

Defines the requirements for planning, preparing for and exercising the response to a pandemic disease outbreak, over and above the normal business continuity and disaster recovery planning process.

Password Policy

Defines the standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.

Security Response Plan Policy

Defines the requirement for business units supported by the Infosec Team to develop and maintain a security response plan.

End User Encryption Key Protection Policy

Defines the requirements for protecting encryption keys that are under the control of end users.

Acquisition Assessment Policy

Defines responsibilities regarding corporate acquisitions, and defines the minimum requirements of an acquisition assessment to be completed by the Infosec Team.

Bluetooth Baseline Requirements Policy

Defines the minimum baseline standard for connecting Bluetooth-enabled devices to the enterprise network or to company-owned devices. The intent of the minimum standard is to ensure sufficient protection of Personally Identifiable Information (PII) and confidential company information.

Remote Access Policy

Defines standards for connecting to the organization’s network from any host or network external to the organization.

Remote Access Tools Policy

Defines the requirements for what type of remote desktop software can be used and how it must be configured.

Router and Switch Security Policy

Defines standards for minimal security configuration for routers and switches inside a production network, or used in a production capacity.

Wireless Communication Policy

Defines the requirement for wireless infrastructure devices to adhere to the wireless communication policy in order to connect to the company network.

Wireless Communication Standard

Defines the technical requirements that wireless infrastructure devices must satisfy in order to connect to the company network.

Database Credentials Policy

Defines the requirements for securely storing and retrieving database usernames and passwords (i.e., database credentials) for use by a program that will access a database running on one of the company's networks.

Technology Equipment Disposal Policy

Defines the requirements for proper disposal of electronic equipment, including hard drives, USB drives, CD-ROMs and other storage media which may contain various kinds of company data, some of which may be considered sensitive.

Information Logging Standard

Defines the specific requirements for information systems to generate appropriate audit logs that will integrate with an enterprise’s log management function.

Lab Security Policy

Defines requirements for labs (both internal and DMZ) to ensure that confidential information and technologies are not compromised, and that production services and interests of the organization are protected from lab activities.

Server Security Policy

Defines standards for minimal security configuration for servers inside the organization’s production network, or used in a production capacity.

Software Installation Policy

Defines the requirements around the installation of third-party software on company-owned devices.

Workstation Security (For HIPAA) Policy

Defines the requirements to ensure the HIPAA Security Rule “Workstation Security” Standard 164.310(c) can be met.

Web Application Security Policy

Defines the requirement for completing a web application security assessment and guidelines for completing the assessment.