Professional Documents
Culture Documents
Company, Inc.: Privacy and IT Security Policy
Company, Inc.: Privacy and IT Security Policy
Definitions
“Company” means [INSERT].
Employees shall shred (rather than bulk recycle) all work notes, client-provided files and printed
copies of documents that contain Protected Information.
Intentional disclosures of Protected Information in violation of this Policy may be basis for civil
or criminal penalties. For an Employee’s intentional or negligent disclosure of Protected
Information, Company may impose disciplinary action up to or including termination with cause
of the responsible Employee’s employment or consultant’s contract with Company.
To prevent unauthorized access, Employees shall password protect all computers and electronic
devices under their control. Prior to leaving unattended, Employees shall physically secure all
desktop and portable electronic devices in which Protected Data is stored.
Employees shall password protect any database, spreadsheet, or word processing files that
contain Personal Data.
Employees shall keep all operating systems up to date with the latest software security updates
and patches.
Employees shall keep virus protection and anti-malware software on all computers and
electronic devices under their control and keep such software up-to-date.
Employees shall keep all potentially vulnerable software (Flash, Java, etc.) up to date with the
latest security updates and patches.
To protect against intrusion, Employees shall maintain all browsers at the latest version,
provided, however, where upgrades affect only functionality and not security, Employees may
delay upgrades for purposes of coordinating functionality upgrades with software upgrades
necessary for the ongoing performance of Company’s operating systems or applications used for
the performance of Company’s products or services.
When transmitting data that includes Protected Information, Employees shall employ
encryption technology, as appropriate based upon the information being transmitted.
Employees shall promptly report all cyber security incidents of which they become aware.