POLICY AND PROCEDURE
Name: Information Security and Privacy
Effective Date: January 19, 2021
PURPOSE OF POLICY: The purpose of this policy is to (i) ensure the privacy of personal data received by AgilQuest from third parties, (ii) ensure compliance with contracts under which AgilQuest has agreed to meet certain data protection requirements, and with applicable laws, (iii) protect the security of customer data and other data stored electronically by AgilQuest, and (iv) ensure that all employees responsible for privacy and security understand and comply with their responsibilities in this regard.
This policy applies to all AgilQuest Forum interfaces, including, but not limited to: Forum for Android, Forum for iOS, AgilQuest Forum Exchange Add-In, Windows Forum Lobby Kiosk, and Windows Forum Room Kiosk.
I. Personal Responsibility of Each Employee.
Each employee who (i) has access to Personal Data or Confidential Information, (ii) has access to or uses AgilQuest computer equipment or systems, or (iii) has any responsibility for the transmittal of, or allowing third-party access to, Personal Data or Confidential Information is responsible for compliance with this policy to the extent that compliance is within his or her ability to control. Compliance may require the action or cooperation of different individuals or job functions in different situations. Compliance, and cooperation in compliance, is the direct responsibility of each employee involved to the extent that his or her job function allows, especially of individuals who have supervisory authority over personnel who need to be trained, for whom background checks should be required, or for whom compliance with this policy requires participation of a supervisor.
II. Protecting Personal Data and Confidential Information:
Personal Data: “Personal Data” for purposes of this policy means data which relates to a living individual who can be identified from those data, or from those data and other information that is in the possession of, or is likely to come into the possession of, the data controller. This definition is based on definitions in the Data Protection Act of England and Wales and the EU Directive on protection of personal data, but is broad enough to cover any definition of personal data that has appeared, or is likely to appear, in any contract between AgilQuest and any of its customers.
Confidential Information: “Confidential Information” for purposes of this policy means all information learned by an employee of AgilQuest by virtue of employment other than information (a) the employee knew prior to, or outside of the scope of, his or her employment by AgilQuest, (b) in the public domain, (c) lawfully obtained from any third party who is under no obligation not to disclose it, or (d) independently developed by the employee without reference to the Confidential Information of the other party. “Confidential Information” includes Personal Data.
2.2 Protection of Confidential Information Generally:
2.2.1 Procedures for Protection of Personal Data: AgilQuest shall provide Customers a secure HTTP site for the purpose of transferring Personal Data to AgilQuest and shall transfer such data to Customers only via a secure HTTP site. Personal Data of any customer will be password protected so that only the account manager, customer support staff who need to have access to perform services for the customer, and the Chief Technology Officer will have access. Each of such persons shall be responsible for maintaining the security of their passwords.
2.2.2 Restrictions on Use and Disclosure: No AgilQuest employee who has access to any Personal Data may use any of such data for any purpose other than fulfilling AgilQuest’s obligations, or exercising its rights, under its contract(s) with the Customer who provided that data. No AgilQuest employee who has access to any Personal Data may disclose it to anyone other than another AgilQuest employee who has been granted access by password to such data by the Director of Consulting Services. No AgilQuest employee who has been given password access to Personal Data provided by a Customer shall disclose the password to any person except as authorized by the Director of Consulting Services. No employee who has access to any other Confidential Information of AgilQuest may access or use such information, or any computer or AgilQuest asset of any kind, for any purpose other than to fulfill his or her responsibilities as an employee of AgilQuest.
2.2.3 Destruction of Electronic Information: All Confidential Information provided by a Customer shall be eliminated from AgilQuest’s physical and electronic records within thirty (30) days of the earliest of (i) termination of the contract under which such data was used by AgilQuest, (ii) the date that the Customer who provided the data requests destruction, provided that such data is no longer needed by AgilQuest for legitimate business purposes in connection with the contract under which such data was provided to it, or (iii) the date required by AgilQuest’s contract with the customer. Destruction of electronic information under this provision shall be performed in a manner consistent with NIST Special Publication 800-88 and DOD 5220.22-M, or such other standard as may become current best practice in the industry after the date of this Policy and that provides at least as much protection to the owner of the information as that provided by such standards.
2.2.4 Shipment and Handling.
2.2.4.1 Non-Electronic Confidential Information. Confidential Information should be converted to electronic form, the non-electronic form being destroyed, where Any shipment of Confidential Information in non-electronic form should be made by U.S. Postal Service Registered Mail with return receipt requested, or by nationally recognized overnight courier or delivery service with signature required.
2.2.4.2 Confidential Information on Laptops. Receipt and storage of personally identifiable information on laptops should be avoided where possible. If the customer delivers such information via e-mail, it should be deleted from the laptop as soon as possible. Other Confidential Information should never be transferred from the laptop except via a secure, encrypted
2.3 Subcontractors. AgilQuest shall require all subcontractors to which AgilQuest grants access to Personal Data and/or other Confidential Information of AgilQuest or any of its customers to comply with portions of this policy and procedure that relate to the Personal Data and Confidential Information held by the subcontractor.
2.4 Protection of Confidential Data. AgilQuest shall ensure that data gathered by it in the course of providing SaaS services is used in a manner consistent with the privacy policies applicable to those
III. Security Systems:
3.1 Firewall and Virus Protection: AgilQuest will maintain firewall and anti-virus protection consistent with current industry practice to monitor, control and protect against threats resulting from transmission or receipt of information at external and key internal boundaries of its information systems, and employ architectural designs, software development techniques and systems engineering principles that promote effective information security within its information systems. Such protection shall be maintained, monitored and updated on an ongoing basis, and AgilQuest shall regularly assess reasonably foreseeable risks to the security and confidentiality of Personal Data and other Confidential Information of AgilQuest and its customers, ensure that AgilQuest’s security systems are operating in a manner reasonably calculated to prevent unauthorized access to, or use of, such information, and maintain control over all tools, techniques, mechanisms and personnel used to conduct information systems maintenance and protection. Such efforts shall include regular monitoring of AgilQuest’s information technology systems and auditing each AgilQuest computer to be sure that it has antivirus and firewall capabilities and current updates to the same. Records of such audits shall be maintained for at least three
3.2 Configuration Management and Maintenance. AgilQuest will establish and maintain baseline configurations and inventories of the organization’s information systems (including hardware, software, firmware and documentation), enforce security configuration settings for information technology used by its employees, and maintain the elements of such systems on a timely basis.
3.3 Passwords and Other Access Controls:
3.3.1 Passwords. AgilQuest shall require password protection of access to AgilQuest’s computer systems that allow access to Personal Data and/or other Confidential Information and shall maintain written authentication rules for the format, content and usage of passwords that (i) allow access to any AgilQuest systems, and for limiting the access of each employee appropriately based on his or her job function, (ii) disallow sharing of passwords, and (iii) are consistent with best practices as they change from time to time. Review of access rights will be conducted at least annually to ensure that restrictions on access are kept current with employee needs for information. AgilQuest shall confirm that all passwords and any other means of access of any employee to any system of AgilQuest or any of its customers have been deactivated upon termination of employment, and record the date of deactivation of each such means of access in the applicable personnel folder.
3.3.2 Physical Access. AgilQuest shall require physical access controls reasonably appropriate to the risk of unauthorized access to Personal Data and Confidential Information stored on AgilQuest computers.
3.3.3 Environmental Controls. AgilQuest shall provide appropriate environmental controls for AgilQuest’s information systems.
3.4 Personnel Security. AgilQuest will (i) seek to ensure that individuals who have access to Confidential Information, and those responsible for their oversight, are trustworthy by conducting background and/or credit checks as required by contract or as reasonably otherwise determined by AgilQuest, (ii) before and after personnel actions such as terminations or transfers, collect information and equipment from employees, limit their access to information, and disable passwords or other means of access to AgilQuest, customer or third-party systems as appropriate to the circumstances, (iii) train employees not to leave confidential information of AgilQuest or any third party unattended on desktops or elsewhere, and not to use an open network to transfer any such confidential information, and (iv) employ appropriate formal sanctions for violation of AgilQuest’s security policies and procedures.
3.5 Destruction of AgilQuest shall establish procedures for ensuring the sanitizing of all media and hardware prior to disposal or release for reuse, and make such procedures accessible to all employees; all employees shall comply with such procedures.
3.6 Incident Response. AgilQuest shall (i) handle incident detection, analysis, containment and recovery for security breach incidents, and prepare for the same, (ii) track and document incidents and report them to the officers and directors of AgilQuest on a regular basis, (iii) coordinate with other appropriate personnel to respond to intra-company users, customers and any other affected third parties as appropriate, and (iv) preserve evidence, with the aid of legal counsel and forensic specialists, as reasonably necessary for working with law enforcement.
3.7 Risk Assessment. AgilQuest will periodically assess the risk to its operational functions, assets, customer relationships and reputation resulting from its information systems and the associated processing, storing and transmission of information, by means including (i) submitting all contracts with third parties that have access to, or store, AgilQuest information to the personnel responsible for legal, technology and relevant functional departments to review and compile a list of the risks involved and decide the best way to mitigate them, (ii) conducting an annual review of such risks and the appropriate means of mitigating them, and (iii) assessing the effectiveness of security controls in place and developing and implementing plans to correct deficiencies and reduce or eliminate vulnerabilities as much as reasonably
3.8 Record Keeping. AgilQuest shall create and retain system records needed (i) to enable the monitoring, analysis, investigation and reporting of unlawful, unauthorized or inappropriate, and (ii) to enable tracing of the actions of individual information system users.
3.9 Third Party Systems. AgilQuest shall (i) employ software usage and installation restrictions designed to avoid use or installation of software that may pose security risks, and (ii) attempt to ensure that third-party providers employ adequate security measures to protect AgilQuest information software or services provided by such third
IV. Product Development
AgilQuest will implement a development methodology including (i) satisfying industry standards for a secure development environment, (ii) periodic code reviews for all externally-facing applications developed by it, (iii) periodic vulnerability scans for all externally-facing applications developed by it, and (iv) penetration testing of all externally-facing applications at least annually.
V. Training of Personnel:
5.1 Training Required: All personnel who have, or may have, access to Personal Data of any Customer, or to confidential information of any customer, and/or who have any authority or responsibility for having, maintaining or changing any password protection related to protection of such data, will be advised of the contents of this policy prior to being given any such access, authority or responsibility, will be required to agree to comply with it, and will receive training in this Privacy and Security policy at least annually, including training in the security risks associated with their activities and in the applicable laws, policies, standards and procedures with which they need to
5.2 Records of Training: AgilQuest shall keep a record of the persons trained, including a copy of this policy signed as indicated below to confirm that each such person has been trained. Each recipient of training shall be required by the person giving the training to execute an acknowledgment of adherence to this policy in the form attached as Exhibit A.
VI. Consequences of Noncompliance
Failure to comply with this policy may result in discipline up to and including termination.
VII. Policy Update and Review
At least annually, AgilQuest shall review its security measures to assess reasonably foreseeable internal and external risks to the security and confidentiality of records containing Personal Data or other Confidential Information of AgilQuest and its customers.