Program Objectives - We recognize the importance of security and the consequences of failure. We continually review aspects of our security procedures to reduce the risk of security compromises, to anticipate them, and to react decisively when they do occur. Security protocols should ensure the security of internal networks and of the data stored on those networks, and reduce the effects of an incursion or compromise due to internal or external malfeasance. It should be noted that the failure of security systems, and the proper response to security failures, is critical not only to our customers but to the health and survival of our organization. Below is a brief overview of Outsource Data Center’s objectives regarding information security systems and protocols. This overview does not provide a full summary of ODC’s security program; rather, it is intended to introduce the reader to some of the issues addressed in the full program. The objectives set forth in ODC’s security program are:
- Ensuring the confidentiality of sensitive information processed by, stored in, and moved through ODC systems and applications belonging to ODC, including:
  - ODC company private or proprietary information,
  - Sensitive non-public information, as defined under the Gramm-Leach-Bliley Act,
  - Information provided by companies under the assumption of confidentiality,
  - Protected health information,
  - and sensitive financial data.
- Ensuring the integrity of data and information processed by, stored in, and moved through ODC systems, so that:
  - it has not been compromised or manipulated,
  - the information is not subject to dispute,
  - and the source of changes to information can be determined.
- Ensuring compliance through ongoing efforts to develop protocols and systems that conform with the requirements of the following:
  - Current industry best practices,
  - Customer requirements,
  - PCI Data Security Standards,
  - Applicable rules and regulations of the Gramm-Leach-Bliley Act,
  - Applicable rules and regulations of the Sarbanes-Oxley Act,
  - Applicable rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA),
  - The 2005 Texas Identity Theft Enforcement and Protection Act (ITEPA),
  - and any other state or federal statutes.
Definition of Sensitive or Non-Public Information - Sensitive information includes the following items, whether stored in electronic or printed format:
Personal Information - Sensitive information consists of personal information including, but not limited to, Financial and Credit Card Information, including any of the following:

- Bank or Lender Account Number
- Personal Account Numbers
- Credit Card Numbers (in part or whole)
- Credit Card Expiration Date
- Accountholder Name
- Accountholder Address
- Magnetic Stripe Data
- Sensitive Authentication Data
- PIN data
- Financial Institution
- Card Security Code

Tax Identification Numbers, including:
- Social Security Number
- Social Insurance Number
- Business Identification Number
- Employer Identification Numbers

Payroll information, including, among other information:
- Paychecks
- Pay stubs
- Pay rates

Medical Information for any Employees or Customers, including but not limited to:
- Insurance Policy Numbers
- Doctor names and claims
- Insurance claims
- Prescriptions
- Any related personal medical information
- Cafeteria Plan Check Requests and associated paperwork

Other Personal Information belonging to Customers, Employees and Contractors, examples of which include:
- Date of Birth
- Address
- Phone Numbers
- E-mail Address
- Maiden Name
- Names
- Customer or Account Numbers

Corporate Information - Sensitive corporate information includes, but is not limited to, the following:

Proprietary and/or confidential information:
- Business methods
- Customer utilization information
- Retention information
- Sales information
- Marketing and other Company strategy
- Computer codes
- Information about, or received from:
  - the Company’s current, former and prospective customers,
  - the Company’s current and former employees or sales associates,
  - Suppliers or Vendors,
  - and specifics of any relationship between Customers or Vendors, among themselves or with the Company
- Any document marked “Confidential,” “Sensitive,” “Proprietary,” or any document similarly labeled.

Organizational Practices and Procedures - Outsource Data Center (ODC) management is tasked with implementation of the ODC organizational security program, including defining and updating the policies and communicating those policies to all employees. The security program is not static; it is continually reviewed and adjusted as the technological, security and business environment changes. A review of the security program is initiated when new systems are implemented, when software is installed or changed, and in response to new customer requirements, changes in personnel, or any other event that might impact security. ODC’s security program was designed to address, but is not limited to, the following issues:

- Employee Hiring Practices
- Employee Awareness
- Employee Training
- Reporting of Risks and Failures
- Security Classification
- Document and Handling Guidelines
- Access to Information
- Release of Information to Outside Parties
- Disposal of Information
- Disclosure of Security Information to Third Parties
- Network Authentication
- Network Log Files
- Account terminations
- Firewalls
- VPN
- SSL Encryption
- FTP
- Anti-Virus Protection
- New Software Products
- Software Downloads
- Security Updates
- Installation of New Hardware
- Custom Application Development
- Application Testing Protocols
- Electronic Mail
- Monitoring of Internet and Electronic Mail
- Prohibited Activities
- Environmental Security
- Visitors to Our Facility
- Building Access
- Video Monitoring
- Photography or Video Recording Devices
- Data Back-up Plan
- Disaster Recovery Plan (DRP)