Concord Direct Cybersecurity policy
Last updated 06/30/2022
Document Definitions
“Policy” refers to the Information Security Policy.
“Agency” refers to Concord Direct.
“Clients” refers to the Agency’s clients, former & prospective clients.
“Information System” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information.
“Nonpublic Information” shall mean all electronic information that is not Publicly Available Information and is:
- Business-related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity;
- Any information concerning an individual which, because of name, number, personal mark, or other identifier, can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) driver’s license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual’s financial account, or (v) biometric records;
- Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual’s family, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care to any individual.
“Passwords” refers to a string of characters that, when possible, is at least 8 characters long and contains at least three of the following: upper case letter, lower case letter, a number, a special character (%, &, #, etc.).
“Person” means any individual or non-governmental entity, including but not limited to any non-governmental partnership, corporation, branch, agency or association.
“Third Party Service Providers” refers to a Person that is not an affiliate of the Agency, that provides services to the Agency, and that maintains, processes or is otherwise permitted access to Nonpublic Information through its provision of services to the Agency.
Information Security
This Policy for Concord Direct (hereinafter referred to as “Agency”) is intended to create effective administrative, technical, electronic and physical protections to safeguard the personal information of the Agency’s Clients and employees, the Agency’s proprietary and confidential information, and the integrity of our electronic systems so that they are best positioned to function smoothly without interruption.
This Policy sets forth the Agency’s procedures for electronic methods of accessing, collecting, storing, using, transmitting, destroying, and protecting Nonpublic Information of Clients, the Agency and/or Agency employees and also the use of the Agency’s Systems by Agency employees and any authorized third parties, as deemed appropriate and/or required by applicable laws and regulations.
In formulating and implementing this Policy, we have:
- Considered reasonably foreseeable internal and external risks to Agency’s security, confidentiality and/or integrity of electronic or other records containing Private Information
- Assessed the likelihood and potential danger of these threats, taking into consideration the sensitivity of the Nonpublic Information
- Evaluated the sufficiency of existing Agency policies, procedures, and other safeguards in place to minimize those risks
- Designed and implemented an approach that puts safeguards in place to minimize those risks, consistent with the requirements of applicable laws/regulations
- Included regular monitoring of the effectiveness of those safeguards
All security measures contained in this Policy shall be reviewed and re-evaluated annually or when there is a change in applicable laws or regulations or in the business activities of the Agency. The Agency reserves the right to modify this Policy at any time, with or without prior notice.
Employee Responsibility
It shall be the responsibility of each Agency employee to carefully read, understand and adhere to this Policy. Each employee with access to Nonpublic Information shall receive training as necessary on this Policy.
Information Security Coordinator
The Agency has designated the Controller as the “Information Security Coordinator” to oversee implementation of this Policy.
The Information Security Coordinator will be responsible for:
- Initial implementation and maintaining responsibility for implementation of this Policy;
- Appropriate testing and evaluation of this Policy’s safeguards;
- Reviewing the security measures in this Policy annually or when there is a change in applicable laws or regulations or in business activities of Agency; and
- Coordinating training as necessary for Agency employees with access to Nonpublic Information; and
- Implementing policies and procedures to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.
Data Governance & Classification
Special Protection for Nonpublic Information
Nonpublic Information is to be accorded the highest level of confidentiality by the Agency and employees.
Examples of Nonpublic Information include, but are not limited to, first name and last name, or first initial and last name, AND any one or more of the following:
1. Social Security number
2. Driver’s license number, passport number, or state-issued identification card number
3. Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password
4. Personal or protected health information
5. Biometric records
The information listed in 1-4 above, even if it is not connected with a name, should each be treated as Nonpublic Information.
Where Nonpublic Information is Stored
The Agency and its employees recognize that the Agency possesses Nonpublic Information in the following places, whether in the Agency’s premises or off site, and whether created or maintained by Agency or third parties on behalf of Agency:
- Hard copy and electronic files on Clients and employees, located at desks, in file drawers, storage areas and on the Agency’s Systems
- Personnel files, Form I-9s, benefits information, payroll information, and direct deposit information for employees wherever located, including but not limited to hard copies at desks, in file drawers and other storage areas, and in electronic form on the Agency’s Systems
- Off-site back-ups, in any form
- Third Party Service Providers entrusted with Nonpublic Information from the Agency
This Policy is intended to protect Nonpublic Information possessed by the Agency from unauthorized access, dissemination and/or use.
Nonpublic Information may not be disseminated, communicated or stored on or through any social media websites or services, at any time or for any reason.
Employees will adhere to the Agency document retention schedule and requirements. When it is appropriate to destroy Agency records, paper and electronic records containing Nonpublic Information must be destroyed in a manner in which they cannot be read or reconstructed.
Unless otherwise directed by the Information Security Coordinator, a shredder will be used to destroy paper documents. When computers, digital copiers, scanners and/or printers with electronic storage capacity, or portable electronic devices and media are discarded, such disposal should be coordinated with the Information Security Coordinator, and care needs to be taken to ensure that the hard drives or other storage media are destroyed in a manner that all data becomes unreadable.
Asset Inventory & Device Management
- Employees will not keep or have access to Nonpublic Information on mobile electronic communications devices (such as PDAs, smart phones, etc.).
- Employees will not put any Agency data on thumb drives, laptops or other portable media, drives and devices unless authorized by the Agency. If so authorized, the thumb drives, laptops and other portable media, drives and devices, including portable mobile electronic communications devices, must be password-protected.
- Employees that no longer work for the Agency must: (1) return to Agency all Agency information (including, but not limited to, any Nonpublic Information) in any form, whether stored on computers, laptops, portable devices, electronic media, or in files, records, work papers, cloud- or web-based storage, etc.; (2) return all keys, IDs, access codes and/or badges; and (3) not access Nonpublic Agency information (including, but not limited to, any Private Information).
- In accordance with the Agency’s human resources manual, access by the former employee to Agency email and voice mail accounts can be immediately disabled and access transferred to other Agency staff to assure a continuity of work, and inactivated when determined appropriate by Agency.
- Employees are required to report all actual or potential unauthorized access to, use of or disclosure of Nonpublic Information to the Information Security Coordinator.
Access Controls & Identity Management
Internal Controls
- Agency computers will require a user ID and password and Agency mobile devices should require a password (and be encrypted, if reasonably feasible). Employee log-ins and passwords should be appropriately strong (with the minimum number of characters and other elements required by the Agency’s Systems).
- Electronic files containing Nonpublic Information will not be left accessible to others, such as on computers or portable storage devices (e.g., computer screens must be locked when an employee using such files leaves his or her computer, even briefly). Paper and electronic files must not be removed from the Agency premises or accessed remotely unless authorization has been provided, and, where it has been, the security of that Nonpublic Information must be maintained.
- Employees are expected to log off or lock their computers when they leave them unattended (such as when on breaks, at lunch, in a meeting or out of the office).
- Employees should not open any email attachment, link, or application where the employee does not reasonably believe the information expected to be accessed is from a trustworthy source. Employees will not use Agency equipment to access any application or software not approved by the Agency.
- The Agency will retain only the last four digits of credit card numbers and all credit- and banking-related information will be managed in accordance with applicable law and Agency-designated business practices.
External Controls
In addition to the measures taken to combat internal risks, the following measures will be taken to minimize external risks to the security, confidentiality and/or integrity of records containing Nonpublic Information:
- Visitors to the Agency will be escorted within the office and will not have access to Agency computers or property that may contain Nonpublic Information. Guests’ wireless access should be firewalled off from the Agency’s Systems.
- The Agency will maintain security measures so that its wireless networks cannot be accessed remotely by the public.
- Servers and other equipment at the Agency’s premises containing Nonpublic Information will be maintained in a secure location.
Systems & Network Security, Operations, & Availability
- The Agency will employ an email filter (hardware, software, or third-party provided) that works to restrict and eliminate viruses, spyware and other malware before they reach Agency desktop and portable computers.
- The Agency will maintain up-to-date network and firewall protection and operating system security patches on its Systems, servers and desktop and laptop computers, as well as other security measures deemed appropriate.
- The Agency will maintain security software, which includes malware protection with up-to-date patches and virus definitions, on its Systems and its servers, desktop and laptop computers, and all mobile devices, which is updated as frequently as possible.
- All back-ups will be password-protected and encrypted and kept in a secured location off site.
- Agency employees should use care in communications (e.g., outgoing email and attachments) to ensure, first, that the Nonpublic Information needs to be sent by email and, second, if so, that it is transmitted using secure email in accordance with Agency policy.
- When an employee accesses Agency Systems and/or Nonpublic Information from a remote location, the Agency’s secure SSL connection must be used (such as Virtual Private Network (VPN), GoToMyPC, LogMeIn).
- Employees should not access Agency Systems or Nonpublic Information using non-Agency equipment (e.g., a home computer) unless authorized by the Agency and provided with appropriate firewalls and virus protection, and done through the Agency’s secure SSL connection. Employees will not store any Nonpublic Information on any non-Agency equipment.
Systems & Network Monitoring
- The Agency will monitor its Systems and equipment for any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System, including but not limited to implementing hardware, software and/or procedural mechanisms to record and report activity for the Systems and equipment.
- The Agency will exercise due diligence in making sure third-party service providers that are provided Nonpublic Information have the requisite security controls and written policy in place, provide the Agency a written commitment to safeguard and store Nonpublic Information with at least the same level of security controls as the Agency maintains (as outlined in this Policy), and advise the Agency as to any actual, suspected or potential breaches of Private Information.
If a Breach of Nonpublic Information (Cybersecurity Event) Occurs or is Suspected
A security breach occurs when there is an unauthorized acquisition, dissemination, use or loss of Nonpublic Information. Each employee shall be responsible for notifying the Information Security Coordinator whenever he or she learns that there has been or may have been a security breach that may have compromised Nonpublic Information or other Agency information about Clients, employees or Agency business.
The Agency will take the following actions in the event of a security breach:
- assess the security breach
- take and document corrective actions to contain and control the problem
- review the requirements of the applicable state laws and regulations
- notify individuals, regulatory and law enforcement authorities (if and as required and further as deemed appropriate by Agency management)