Data Security Policy

Download Data Security Policy

Introduction

The Data Security Policy (DSP) provides definitive information on the prescribed measures used to establish and enforce the Information Security Program at UniGroup, C.A. (UniGroup).

UniGroup is committed to protecting its customers, members, employees, companies, and partners from damaging acts, whether intentional or unintentional. Security is a collaboration requiring the participation and support of everyone who interacts with data and information systems. Therefore, it is the responsibility of every user to know these policies and to conduct their activities in accordance with these policies.

Protecting UniGroup, member, client, and partner information and systems that collect, process, and store this information is critical. The security of data and information systems must include controls and safeguards to offset threats and reduce exposure to risk as well as ensure the confidentiality, integrity, and availability of data. Security measures must be taken to guard against unauthorized access, alteration, disclosure or destruction of data and information systems; this includes accidental loss or destruction.

Purpose

The purpose of the DSP is to prescribe a comprehensive framework for:

  • Protecting the confidentiality, integrity, and availability of UniGroup data and information systems.
  • Protecting UniGroup, its employees, members, and clients, from illicit use of UniGroup information systems and data.
  • Ensuring the effectiveness of security controls over data and information systems that support

UniGroup’s business operations.

  • Recognizing the highly networked nature of the current computing environment and providing effective enterprise-wide management and oversight of those related information security risks.
  • Providing for the development, review, and maintenance of minimum-security controls required to protect UniGroup’s data, information systems, and business operations.

Implementing consistent security controls across all systems processing UniGroup data, to include member locations and third-party supply chain partners, help UniGroup comply with current and future legal obligations to ensure long term due diligence in protecting the confidentiality, integrity, and availability of UniGroup data.

Scope and Applicability

These policies, standards, and procedures apply to all UniGroup data, information systems, activities, and assets owned, leased, controlled, or used by UniGroup, its members, contractors, or other business partners on behalf of UniGroup. These policies, standards, and procedures apply to all UniGroup employees, contractors, sub-contractors, and their respective facilities supporting UniGroup business

operations, wherever UniGroup data is stored or processed, including any third-party contracted by UniGroup to handle, process, transmit, store, or dispose of UniGroup data.

All personnel supporting or processing UniGroup business functions shall comply with this DSP. UniGroup business units, partners, or members may create and use a more restrictive policy, but not one that is less restrictive, less comprehensive, or less compliant than this policy. This policy does not supersede any other applicable law, existing labor management agreement, or government regulation in effect as of the effective date of this policy.

Violations

Personnel supporting or processing UniGroup business that are found to have violated this DSP will be subject to disciplinary action, up to and including termination of employment and/or termination of association with UniGroup. Violators of local, state, Federal, and/or international law will be reported to the appropriate law enforcement agency for civil and/or criminal prosecution.

1.0  Information Security Program

UniGroup will maintain a privacy and information security program to ensure a level of security appropriate to the risk, nature, and scope of its activities, which protects against reasonably foreseeable forms of compromise. Such program will include reasonable and appropriate administrative, technical, and physical measures including a comprehensive set of policies, systems and services based on best practices to ensure: (1) the ongoing confidentiality, integrity, and availability of its data; (2) the resiliency of systems or services handling its data and the ability to restore such systems in a timely manner; (3) regular testing, assessment, and evaluation of the effectiveness of such measures; and (4) incorporation of any other policies and measures as needed to comply with applicable legal obligations.

Dedicated security, privacy, information governance, and compliance professionals will maintain the program with oversight provided by senior management. An independent, annual risk assessment reviews risks regularly and tracks risks using a process compliant with ISO 27005.

1.1  Management Commitment to Information Security

UniGroup management is committed to the protection of information assets. Management demonstrates its commitment to information security through its adherence to the following fundamental principles:

  • Treating information as a critical business asset.
    • Incorporating high standards of corporate governance to all data elements stored, processed, and transmitted.
    • Demonstrating to customers and business partners that the enterprise handles information security in a professional manner.
    • Ensuring that the enterprise has a set of security policies that implement controls over information and systems that address confidentiality, integrity, and availability.

Management further demonstrates its commitment to information security by engaging in the following actions:

  • Assigning overall responsibility for information security to a member of senior management.
    • Allocating dedicated organizational resources to information security.
    • Providing a review of information security risk to the board of directors at least annually.
    • External review (third party) of the Information Security (IS) policies to ensure they are meeting or exceeding industry best practices.

1.2  Organization of Information Security

The authority and responsibility for managing the information security program are delegated to

UniGroup’s Information Security Officer (ISO) who has responsibility for:

  • Establishing, documenting, and distributing information security policies, procedures, and guidelines.
    • Defining, implementing, and supporting a set of security services which provide a range of security capabilities.
    • Providing expert advice on all aspects of information security.
    • Overseeing the investigation of information security incidents.
    • Escalate security alerts to appropriate personnel.
    • Contributing to information security awareness programs and developing security skills for staff.
    • Evaluating the security risks and implications of business initiatives and procurement of services.
    • Working cooperatively with internal and external auditors in the auditing of security practices.
    • Partnering with internal groups that have related responsibilities (i.e., Law, Treasury/Audit, Human Resources).
    • Monitoring and analyzing security alerts and information.
    • Reviews standards for applicability.
    • Revises standards to address organizational changes.

1.3  Information Security General Awareness and Training

Specific activities are undertaken to promote security awareness to all associates who have access to information and systems that are supporting UniGroup business. These activities are:

  • Endorsed and promoted by management.
    • Delivered as part of associate new-hire orientations and as part of on-going associate training, to occur at minimum annually.
    • Aimed at providing associates with specific expectations of their role in securing, protecting, and handling information.
    • Aimed at reducing the frequency and magnitude of information security incidents.
  • Role-based security related training will occur before authorizing access to data or systems required for assigned job duties.

1.4  Identification of Information Security Controls

UniGroup uses the following sources for the identification of security requirements:

  • Risk assessments
    • Internal and external penetration tests
    • Internal and external vulnerability assessments
    • Statutory, regulatory, and contractual requirements that UniGroup must satisfy
    • Principles, objectives, and business requirements for information handling that UniGroup has developed to support its operations.

1.5  Assessments

The results of risk assessments, vulnerability assessments, and penetration tests assist in identifying threats to assets, vulnerabilities, their likelihood of occurrence, and potential estimated business impact. These assist in determining appropriate management action, priorities for managing risks, and implementation of controls selected to protect against these risks, vulnerabilities, and business impact. The following represents UniGroup’s approach to information security risk assessment:

  • The scope of assessments can be either the whole organization, parts of the organization, a specific information system, or a specific component of an information system.
    • Assessments will have a clearly defined scope to be effective and will include relationships with risk assessments from other areas as appropriate (i.e., Law, Human Resources, Finance, etc.).
    • Assessments may be performed internally, by a third-party, or a combination of both.
    • Expenditure on controls to address risk will be balanced against the business harm likely to result from security failures.
    • Before considering the control of a risk, criteria will be established for determining whether the risk can be accepted. Risks may be accepted if, for example, it is assessed that the risk is low or that the control is not cost-effective for the organization. Such decisions should be recorded.
    • Assessments shall be conducted, at a minimum, annually.

1.6  Data Classification and Handling

Determining how to protect and handle data and information depends on the type of information, importance, and usage. Classification is necessary to understand which security practices and controls should be applied to the data to provide the appropriate level of protection. The more sensitive the data, the tighter the controls needed on that data. All data is classified as Public, Proprietary, Restricted, and Highly Restricted as defined in Appendix 1. Data should be handled according to its classification.

Special data handling procedures may be required for Restricted or Highly Restricted data; in addition, specific customer data may have additional handling instructions that UniGroup has agreed to

contractually. Prior to handling or processing data, users should ensure they understand the proper and/or required handling procedures and are following them appropriately.

1.7  Legal, Regulatory, and Contractual Compliance

UniGroup will ensure compliance with relevant statutory, regulatory, and contractual requirements affecting information security. The information security organization will work collaboratively with other UniGroup entities, including Legal, Risk Management, Human Resources, and Contracts to evaluate the applicability of UniGroup information security controls to new and existing legislation or regulatory requirements.

1.8  Audits and Reviews of Information Security Controls

Information security controls are periodically monitored, reviewed, and improved to ensure that the specific security and business objectives of UniGroup are met. Thus, information security conditions and policies of UniGroup are subject to annual internal and independent audits or reviews. Security audits or reviews are:

  • Performed by individuals who have sufficient technical skills and knowledge of information security disciplines.
    • Focused on ensuring that information security controls function as intended and are effective enough to reduce risk to an acceptable level.
    • Provided to management so that risks can be reviewed and remediated, or controls can be modified.

2.0  Access Control

Access controls are designed to reduce the risk of unauthorized access to UniGroup data and to preserve and protect the confidentiality, integrity, and availability of UniGroup systems. All assigned access shall be reviewed and audited for accuracy to ensure employees only have access to the data required for them to perform their assigned operational duties. Audits shall occur, at a minimum, annually; access to Restricted or Highly Restricted data shall be audited at a minimum quarterly.

2.1  User Access Management

The security administration team is responsible for ensuring proper user identification and authentication management by enforcing a formal, documented, provisioning and de-provisioning procedure as follows:

  • Centralized control regarding addition, deletion, and modification of user accounts and credentials to ensure authorized use is maintained.
    • Verifying user identity and receiving appropriate management before creating or modifying accounts.
    • Immediately revoke access for any terminated user.
  • Disable or remove inactive accounts at least every 90 days.
    • Limit repeated access attempts by locking out an account after no more than six failed attempts.
    • Require an administrator to unlock any disabled account.
    • Track and monitor role assignments for privileged user accounts.
    • Enable accounts used by vendors for remote access only during the time period they are needed.
    • Ensure assigned access provides adequate separation of duties for all employees.

2.2  Least Privilege

The principle of “least privilege” access, which states only the minimum level of access will be granted to perform the assigned operational duties, shall be used when granting employees access to systems or data. Access shall not be granted without an approved business requirement and management approval. Access to Restricted or Highly Restricted data may also require an additional level of approval from the data owner.

2.3  Identification and Authorization

Each individual user is provided a unique user identity for the purpose of identification, authorization, and authentication to systems processing UniGroup data or supporting UniGroup business functions. This unique identity, associated credentials, and password is considered Highly Restricted information and should only be used by the individual it is assigned. Sharing of unique user identities, associated credentials, or password is strictly prohibited. In the event of a locked account, individuals are only permitted to request their unique account to be unlocked and the individual’s identity will be verified prior to the account being unlocked.

2.4  Password Management

Passwords are considered Highly Restricted information and therefore, should not be written down or stored in an unencrypted format. Passwords, password complexity, and password lifecycle should, at a minimum, adhere to current industry best practices. Forbidden actions related to passwords include, but are not limited to, the following:

  • Do not use default vendor passwords.
    • Do not reveal a password over the phone to anyone.
    • Do not send your password to anyone via email.
    • Do not share or tell your password to others.
    • Do not write your password down.

3.0  Operational Security

Operational security processes are used to identify critical data and information, the vulnerabilities associated with them, and to determine the appropriate risk mitigations that are needed to ensure UniGroup operations are not negatively impacted.

3.1  System Hardening

System hardening procedures should be defined and followed for all systems and platforms (workstations, servers, databases, etc.), both production and development, to reduce the risk of systems being compromised. These procedures should be consistent with industry-accepted hardening standards and include, but not limited to:

  • Procedures and standards updated as new vulnerabilities are identified
    • Applied when new systems are configured, prior to being connected to the production network
    • Follow the ‘least privilege’ access model
    • Remove unnecessary functionality
    • Implementing security features as relevant (SSH, TLS, etc.)
    • Removal of all default vendor accounts and passwords
    • Installation of anti-virus software where feasible
    • Appropriate levels of monitoring and logging are enabled and retained to allow review after a service impacting event is encountered.

In addition to the above hardening standards, the following steps shall be taken to further protect systems and reduce risk:

  • Establishing owners of each system and assigning responsibility to personnel that are technically capable
    • Ensuring that privileged access to systems is restricted to authorized personnel only
    • Following defined access management procedures when generating system access
    • Designing systems to operate with current and predicted load levels
    • Separating production and testing systems
    • Limiting the use of production data in test environments when possible
    • Monitoring and supervising the activities of personnel responsible for systems
    • Ensuring the appropriate level of replication and/or backups are configured
    • Using industry accepted levels of encryption for data at rest, transit, and processing when technically feasible
    • Identifying end of life components and planning appropriately for migrations to supported versions prior to end of support/life
    • Ensuring the appropriate level of redundancy is configured to reduce single points of failure in accordance with system availability requirements
    • The installation of software on systems is restricted to authorized personnel only
    • Processing and storage capacity planning is conducted appropriately to ensure business growth needs are met
    • Where possible, automated system provisioning and deprovisioning processes will be implemented to reduce the occurrence of hardening variations
  • Multi-factor authentication shall be configured where defined
    • Appropriate use of firewalls, intrusion detection, and intrusion prevention, and log aggregation systems
    • Unnecessary services, application, network protocols and communications are removed or disabled.

3.2  Patch Management

Routine installation of vendor-issued updates and patches (operating system, security, etc.) are necessary to protect systems and data from compromise and erroneous function. All systems (workstations, servers, network devices, firewalls, routers, mobile devices, etc.) will follow published patch schedules to routinely and regularly have patches installed. At a minimum, general patches should be installed quarterly while critical security patches should be applied as soon as possible. Proper testing of patches in a test environment, prior to release on production systems, is crucial to ensure interruptions to operations are not encountered.

3.3  Change Control

Change control processes are followed to maintain the integrity of production and non-production systems, to ensure that standardized methods are used for handling of all changes, and to minimize the impact of change related incidents. A defined and documented change management process should be followed that includes, at a minimum, the following:

  • Logged change request
    • Prioritization of the change
    • Documentation of the impact
    • Documented approval for the change
    • Functionality testing to verify the change does not have a negative impact
    • Back-out procedures.

3.4  Asset Management

UniGroup personnel, business partners, agents, and contractors shall protect assets associated with UniGroup operations by ensuring appropriate handling requirements are followed to prevent unauthorized disclosures, regardless of assets or data are being stored or transmitted. All assets associated with data or with data processing shall be inventoried and tracked. The inventory shall include, but not limited to:

  • A list of all devices
    • Method to determine the owner accurately and quickly
    • Contain contact formation for the asset owner
    • Be updated promptly as necessary.

3.5  Physical Security

A defined and documented physical security program and procedures shall be used to ensure the physical protection of all systems associated with UniGroup business. The physical security program shall include, but not limited to:

  • Security perimeters should be defined and used to protect areas that contain UniGroup data or systems.
    • A list of personnel with authorized access to the facility and promptly remove access, as necessary.
    • Use of access control mechanisms (access badge, biometrics, etc.) where possible.
    • Issue authorization for physical access.
    • Strictly limit access to sensitive areas and/or areas that contain systems processing UniGroup data.
    • Use video cameras and other recording and/or logging devices when possible.
    • Register and log all visitors to the facility.

4.0 Business Continuity and Disaster Recovery

Business Continuity (BC) and Disaster Recovery (DR) refers to responding to an operational interruption through the implementation of a recovery plan. The recovery plan accounts for applications deemed critical for business operations, service delivery, and ensures the timely restoration of UniGroup’s capability to deliver services. The BC/DR plan is tested, at minimum, annually to ensure the plan is up to date and capable of sustaining business operations during a crisis or period of disruption.

UniGroup, and those conducting UniGroup business shall:

  • Develop a contingency plan for business-critical systems that
    • Provides recovery objectives and restoration priorities
    • Determines contingency roles, responsibilities, and assigned individuals
    • Addresses maintaining essential business functions during a disruption
    • Addresses full system restoration
    • Is reviewed and approved by designated company officials
  • Communicate contingency plans throughout the organization and ensure assignments are understood
  • Coordinate contingency planning and plan reviews at least annually
  • Modify the plan accordingly to address business changes
  • Establish procedures to access data and systems during periods of disruption
  • Ensure defined plans and procedures meet and adhere to contractually obligated recovery timelines and/or objectives.

5.0 Incident Response

Incident response refers to the actions taken to address an event that either creates service disruption or impacts a customer and incidents can range from minor to business crippling in scale. Incident response procedures should be periodically reviewed to ensure the defined steps are current and applicable to the existing environment. To have an effective response to an incident, there must be a defined, repeatable process that is followed. UniGroup addresses incident response by applying these main steps to all encountered incidents:

  • Preparation
    • Ensuring staff are properly trained and know what steps to take
  • Identification and Prioritization
    • Determine that an incident has occurred, and assign the priority/urgency
  • Containment
    • Isolate the impacted items to prevent additional damage
  • Neutralization
    • Remove the disruption from the environment and perform root cause analysis
  • Recovery
    • Return impacted items to normal operations
  • Lessons Learned
    • Determine ways to prevent the incident from reoccurring.

6.0 Software Development Life Cycle

A Software Development Life Cycle (SDLC) is a series of steps that provides a framework for developing and managing software throughout its life cycle. When implemented correctly, an SDLC ensures that the highest quality software is delivered in the least amount of time, for the lowest overall cost. All development activities at UniGroup follow a defined SDLC which considers the following items:

  • Plan
  • Build
  • Test
  • Deploy
  • Maintain

During this process, attention is given to clearly identify the functional requirements, remedy the code of vulnerabilities and bugs, ensure it meets the stakeholder’s needs, and is safe to deploy into the production environment. The SDLC is followed for all feature enhancements, upgrades, etc. until the product is discontinued and removed from service.

7.0  Acceptable Use

Employees are granted access to UniGroup equipment, systems, and data to assist them in performing their job. The equipment, systems, and data belong to UniGroup, and use is intended only for legitimate business purposes in the fulfillment of services. Employees should not have an expectation of privacy in

anything they create, store, send, or receive on UniGroup systems or equipment. Without prior notice, UniGroup may review any material created, stored, sent, or received on its systems or equipment. All employees using UniGroup equipment, systems and/or data are obligated to use these items responsibly, professionally, ethically, and lawfully to process, protect, and secure UniGroup, members, employees, companies, partners, and its customers.

7.1  Equipment and System Usage

Users shall:

  • Immediately report all lost or stolen equipment, known or suspected privacy or security incidents.
    • Log off or lock systems when leaving them unattended; set screen saver to lock system after inactivity.
    • Complete all required security and privacy training.
    • Follow appropriate data handling procedures.
    • Be vigilant when accessing the Internet and verify all material safe before viewing.
    • Follow the “Clean Screen, Clean Desk” mentality to protect sensitive data, to include customer data.
  • Follow all defined record retention policies.
    • Only connect to known and trusted networks.
    • Speak only for yourself on social media accounts as you could mistakenly be viewed as a spokesperson for UniGroup in your online communications.
    • Only use UniGroup systems and equipment for their intended business purposes.
    • Adhere to UniGroup’s privacy policy, code of conduct, mobile device use agreement and data security policy.
    • Only use customer data for the purpose it was collected and in accordance with UniGroup’s privacy policy.
  • Report all policy violations to: integritymatters@unigroup.com. Users shall not:
    • Copy or store sensitive/proprietary information or customer information on removal media devices or unapproved storage.
    • View material that is: sexually explicit, profane, obscene, harassing, fraudulent, racially offensive, defamatory, or otherwise unlawful in nature.
    • Download material or software from the Internet or unknown sources.
    • Install software on UniGroup systems or equipment.
    • Modify, revise, transform, or adapt any UniGroup licensed software installed on equipment and systems.
    • Transfer UniGroup or UniGroup customer data through any unsecure network.
    • Use any utility program which allows the circumventing of UniGroup applied controls.
  • Send unsolicited emails or spam emails.
    • Use UniGroup systems or equipment for any activity that violates local, state, federal, or international law.
    • Introduce any malicious software (virus, trojan, malware, etc.) into or onto UniGroup systems or equipment.
    • Use UniGroup equipment or systems in support of “for-profit” activities or outside employment/business activity (such as consulting for pay, sale of goods, etc.).
  • Use UniGroup systems or equipment for malicious activities to acquire, use, reproduce, transmit, or distribute any controlled information including computer software and data that includes information subject to the Privacy Act, copyrighted, trademarked or material with other intellectual property rights (beyond fair use), proprietary data, or export-controlled software or data.
    • Remove UniGroup systems or equipment from the organization without prior management approval.
    • Post information on social media sites or other public forums which: are derogatory to UniGroup or its management, contrary to UniGroup’s code of conduct and mission, or brings discredit to UniGroup.

7.2  Record Retention

Information created, received, or maintained in the transaction of UniGroup business, whether in paper or electronic form, is considered a formal record and is subject to UniGroup’s Control of Record Procedure. This procedure defines the process for identification, storage, protection, retrieval, retention, hold, and disposition of records.

UniGroup will not keep personal information in a form that permits identification of data subjects for longer than necessary for the purposes for which it was collected or to which the data subject has consented, except for legitimate purposes permitted by law, such as regulatory compliance. All record disposals will follow UniGroup Derelict Media Collection and Destruction Process.

7.3  Remote Working

Associates identified as critical to business continuity will have the ability to work remotely. In addition, remote working may be a viable alternative work arrangement for some employees. In addition to the acceptable use policy, employees working remotely should take additional precautions to ensure the protection of data by properly securing, both logically and physically, all equipment, data, and communications as previously outlined in the DSP.

8.0  Special Topics

This section is reserved for additional topics.

8.1  Vendor Management

Vendors, third parties, and supply chain partners will be held to the same standards contained within UniGroup’s Data Security Policy, Privacy Policy, and Code of Conduct. Additionally, they may be required to meet customer contractual controls if/when processing customer data. Audits will be conducted on these parties as applicable to ensure compliance is met and the required protections are provided.

Relationships with vendors, third parties, and supply chain partners will be governed by mutually accepted contractual requirements.

8.2  Procurement

The procurement of new systems and software will follow a defined process to ensure an unbiased and comprehensive review of the offering is conducted prior to purchase. The review process will specifically include a data security review to ensure the offer has appropriate security controls and features. Annual reviews of systems and software will be performed to ensure continued adherence to UniGroup data security policies.

Appendix 1: Data Classification and Handling

All information assets are assigned a sensitivity level based on the data element’s level of sensitivity, value, and criticality to UniGroup, its customers, agents, contractors, or business partners. If the information has been previously classified by regulatory, legal, contractual, or company directive, then that classification will take precedence. The sensitivity level then guides the selection of protective measures to secure the information. All data elements are to be assigned one of the following four sensitivity levels:

HIGHLY RESTRICTED:

  • Definition: Highly Restricted information is highly valuable, highly sensitive business information and the level of protection is dictated externally by legal and/or contractual requirements. Highly Restricted information must be limited to only authorized employees, contractors, and business partners with a specific business need.
  • Potential Impact of Loss: SIGNIFICANT DAMAGE would occur if Highly Restricted information were to become available to unauthorized parties either internal or external to UniGroup. Impact could include negatively affecting UniGroup’s competitive position, violating regulatory requirements, damaging the company’s reputation, violating contractual requirements, and posing an identity theft risk. Impact could include negatively affecting UniGroup’s competitive position, violating regulatory requirements, damaging the company’s reputation, violating contractual requirements, and posing an identity theft risk.

RESTRICTED:

  • Definition: Restricted information is highly valuable, sensitive business information and the level of protection is dictated internally by UniGroup and contractual requirements.
  • Potential Impact of Loss: MODERATE DAMAGE would occur if Restricted information were to become available to unauthorized parties either internal or external to UniGroup. Impact could include negatively affecting UniGroup’s competitive position, damaging the company’s reputation, violating contractual requirements, and exposing the geographic location of individuals.

PROPRIETARY:

  • Definition: Proprietary information is information originated or owned by UniGroup or entrusted to it by others. Proprietary information may be shared with authorized employees, contractors, and business partners who have a business need, but may not be released to the general public, due to the negative impact it might have on the company’s business interests.
  • Potential Impact of Loss: MINIMAL DAMAGE would occur if Proprietary information were to become available to unauthorized parties either internal or external to UniGroup. Impact could include damaging the company’s reputation and violating contractual requirements.

PUBLIC:

  • Definition: Public information is information that has been approved for release to the general public and is freely shareable both internally and externally.
  • Potential Impact of Loss: NO DAMAGE would occur if Public information was to become available to parties either internal or external to UniGroup. Impact would not be damaging or a risk to business operations.

DOWNLOAD DATA SECURITY POLICY