Data Security Policy
Last updated: October 11, 2021.
Print as PDF1. Data
Data, and the supporting processes, applications, systems and networks used to process, store, retrieve and transmit that data, play a vital role in the execution and success of TermLynx Solutions Inc.’s (“TermLynx”) mission. TermLynx views the protection and preservation of the confidentiality, integrity and availability of data as absolutely critical to maintaining TermLynx’s reputation and ensuring its ability to conduct its operations. TermLynx is committed to:
- achieving high standards of information security governance;
- treating information security as a critical business issue and creating a security conscious environment;
- demonstrating to third parties that TermLynx deals with information security in a proactive manner; and
- implementing controls that are proportionate to risk and insist on individual accountability. **
1.1. Objective
This Data Security Policy (this “Policy”) defines the fundamental principles of TermLynx’s data security program, establishes categories of data and their protection requirements and assigns roles and responsibilities for implementing and complying with such requirements.
The data that TermLynx uses to conduct its operations, whether owned or created by TermLynx, received from business partners or vendors, entrusted to TermLynx by its clients, or maintained by TermLynx about its employees, is a valuable asset that must be protected at all times.
Data can exist in many forms, it can be written or printed on paper, stored electronically or optically, transmitted by courier or using electronic means, recorded on magnetic disk or tape or spoken in conversation.
Whatever the form of such data or the means by which it is communicated or stored, the objective of this Policy is to ensure that it is always properly safeguarded.
1.2. Scope
Ensuring the continued security of data, independent of its source or owner, is of utmost importance to TermLynx and is a core business objective that applies to:
- all employees, contractors, consultants, temporary employees, guests and other affiliates who access or in any way make use of TermLynx’s information resources. For the purposes of this Policy, “information resources” includes data, in any form and recorded on any media, and all computer hardware, computer software, communications networks and technology infrastructure owned or operated by TermLynx or on its behalf;
- all of TermLynx’s information resources, including those used by TermLynx under license or contract; and
- any device, regardless of ownership and including equipment privately owned by employees, contractors, consultants, temporary employees and guests (e.g. laptop computers, tablet computers, smart phones, USB storage devices, etc.), but only with respect to the ways in which they connect to or access TermLynx’s information resources and the activities they perform with those resources.
The intent of this Policy is to protect against intentional and unintentional acts that could compromise the confidentiality, integrity or availability of TermLynx’s information resources, or interfere with access control mechanisms. It is intended to address both internal and external threats. This Policy should be reviewed at least annually by TermLynx’s Board of Directors.
1.2.1. Monitoring
All individuals should be aware that their use of TermLynx’s information resources, including accessing the Internet or using electronic mail, social media, instant messaging, telephone, or voice mail, are not private and individuals should not have an expectation of privacy while using TermLynx’s information resources. TermLynx may monitor the activity and accounts of individual users of TermLynx information resources, including individual login sessions, the content of individual communications, and the content of stored data, with or without notice, when:
- the individual has voluntarily made the information accessible to the public, by posting to a blog or a Web page;
- it reasonably appears necessary to do so to protect the integrity, security or functionality of TermLynx’s information resources or to protect TermLynx from liability;
- a complaint has been received, or there is reasonable cause to believe, that the individual has violated or is violating this Policy or any other TermLynx policy then in effect;
- an account appears to be engaged in unusual or unusually excessive activity; or
- it is otherwise required or permitted by law.
Any such monitoring of communications or stored information, other than what is made accessible by the individual, required by law, or necessary to respond to perceived emergency situations or threats, must be authorized in advance by the Chief Executive Officer, and as appropriate in consultation with legal counsel.
TermLynx, in its discretion, may disclose the results of any such general or individual monitoring, including the contents and records of individual communications or stored information, to appropriate personnel of TermLynx or law enforcement agencies and may use such results in appropriate proceedings.
1.2.2. Enforcement
TermLynx employs the use of JumpCloud to securely manage and connect TermLynx users to its information resources and to enforce the security measures set out in this Policy. Failure to comply with this Policy, whether deliberate or due to careless disregard, will be treated as serious misconduct and may result in actions including (but not limited to) disciplinary actions, dismissal and civil and/or criminal proceedings. In the case of a written complaint of serious misuse, or evidence indicating that malicious software may be present in certain material on the system, TermLynx reserves the right to temporarily remove material from the system for its review. In some situations, it may also be necessary to restrict or suspend access or account privileges to prevent ongoing misuse while the situation is under investigation. Alleged infractions of this Policy are handled via formal internal procedures, in consultation with legal counsel, as appropriate. Upon determination of misuse, individuals who are found to be in violation of this Policy may be subject to the following:
- restriction or suspension of computer access or privileges;
- disciplinary action up to and including termination;
- referral to law enforcement authorities for criminal prosecution; and
- other legal action, including action to recover civil damages and penalties.
All personnel subject to this policy shall be required to acknowledge receipt of this policy and agree, in writing, to be bound by its terms and conditions.
2. Principles of Data Security
The data security program contemplated in this Policy is built on the foundation of principles that reflect the information security goals and intent of TermLynx’s executive leadership. The principles provide the basis for:
- safeguarding critical and sensitive data in all formats, such as databases, electronic mail and paper documents;
- protecting critical business applications, both those under development and those in live production environments;
- securing all types of computing devices, ranging from server farms and storage systems, through desktop and laptop computers and hand-held computing devices such as tablets and smartphones, to portable storage devices;
- protecting TermLynx communication networks, including wireless, Voice over IP (VoIP), and Internet connectivity; and
- facilitating discussions with third parties when establishing contracts or service level agreements governing data security arrangements.
3. Data Protection
3.1. Password Policy
Passwords are a critical component of data security. A poorly chosen password may result in unauthorized access and/or exploitation of TermLynx’s information resources. All users, including contractors and vendors with access to TermLynx’s information resources, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
This password policy applies to all passwords including, but not limited to, user-level accounts, system level accounts, web accounts, e-mail accounts, screen saver protection, voicemail and local router logins. Passwords must be generated by, and stored in, a digital password safe that has been approved by the Chief Technology Officer (e.g. Dashlane) and the safe must be encrypted with a unique master password that meets the below stated requirements (see Special Cases below).
TermLynx personnel is forbidden from (1) using the same password(s) for personal and employment purposes and (2) sending any password via any communication channel (e.g. chat, email etc.), other than an initial user password subject to the conditions set forth below. Passwords may only be shared via the approved digital password safe.
Any personnel member that is notified of a data leak or breach must immediately replace all affected user passwords with passwords that meet the requirements below generated by the approved digital safe.
User Passwords
User passwords are used by TermLynx personnel to access TermLynx’s information resources such as e-mail, databases and the corporate network.
1. Password Complexity
(a) Passwords (other than the unique master password to the digital safe - see Special Cases below) must be at least 12 characters and must be generated by the digital safe.
(b) Password must have a least 2 special characters and at least 2 digits.
(c) Passwords can be changed as frequently as desired.
2. Password Expiration
(a) Passwords are set to expire every 180 days.
3. Passwords Entry Failures
(a) Temporary Account Lockout A user who fails to correctly enter a password more than five times in a row (consecutively), will result in a temporary password lockout of 10 minutes.
(b) Credential Owners. Credential owners may unlock accounts by using two-factor authentication through a designated portal.
4. Initial User Passwords
(a) Initial user passwords may be shared via chat or e-mail but recipients must change passwords immediately upon receipt.
(b) Where possible, forced password changes should be required for new accounts.
(c) Domain administrators – users with powerful access are subject to more stringent password policies.
5. Special Cases
(a) Administrators Domain administrators are users with powerful access and are therefore subject to more stringent password policies. Domain administrator passwords must respect the same password guidelines set forth below for the unique master password to the digital safe.
(b) Master Passwords to Digital Safe. Master passwords must respect the following format and guidelines:
(i) Password must be at least 24 characters.
(ii) Password must have a least 2 special characters and at least 2 digits.
(iii) Password must not contain characteristics of poor or weak passwords as noted below under the heading “Password Characteristics”.
(iv) Password must either be memorized by the user, or if written down on physical paper, stored in a secure location under lock and key.
Password Characteristics
Passwords must not be in the following formats:
- Contain less than 8 characters.
- Found in a dictionary, including foreign language, or exist in a language’s slang, dialect or jargon.
- Contain personal information such as birth dates, addresses, phone numbers, or names of family members, pets, friends and fantasy characters.
- Contain work-related information, such as building names, system commands, sites, companies, hardware or software.
- Contain number patterns such as aaabbb, qwerty, zyxwvuts or 123321.
- Contain common words spelled backward, or preceded or followed by a number (e.g. terces, secret1 or 1secret).
3.2. Clear Workspace, Desk and Clear Screen Policy
Clear workspace, desk and clear screen policy rules help to reduce the risk of a successful physical breach of TermLynx’s information resources. Maintaining these will mitigate risk related to social engineering attacks (i.e. manipulating a personnel member to gain access to sensitive information), malicious visitors, internal malicious employees and burglary.
The policy contemplated in this section applies in the following situations:
- periods when personnel is away from their workspace;
- the conclusion of meetings with whiteboards/easels where sensitive information was discussed; and
- the end of the workday. The following are the responsibilities of all personnel in support of clear workspace, desk and clear screen policy rules:
- all personnel must clear sensitive information and assets such as documents, physical keys and proximity access fobs from workspaces or desks at the end of the day and when away from the workspace for any period of time;
- all personnel must store documents containing sensitive information in locked drawers when not in use or when away from the workspace for any period of time;
- all personnel must immediately log out or activate a screen saver with password protection on laptops or workstation when away from their workspace or desk for any period of time; and
- all personnel must clear whiteboards/easels of written information or content after meetings have been concluded.
3.3. Cloud First Strategy
TermLynx leverages modern cloud hosting providers (Linode) for the development and deployment of its products and services in order to ensure the best in class experience for its clients. TermLynx’s “cloud-first” strategy allows for the minimization of the cost of applications and infrastructure and the delivery of digital services with the agility and speed necessary to keep pace with changing legislation. As part of the implementation of its cloud-first strategy, TermLynx ensures that:
- cloud services are identified and evaluated as a principal delivery option when initiating new IT investments, initiatives, strategies and projects;
- cloud services are adopted when they are the most effective option to meet business needs; and
- adopted cloud service(s) fully comply with appropriate privacy and security standards.
3.4. Additional Security Measures
1. Password-Protected Screensaver. All personnel computers and devices must be secured with a password-protected screensaver with a setting that activates after a period of inactivity defined by the Chief Technology Officer, upon logon/logoff or sleep/wake from sleep. That said, personnel should not leave their device unlocked when away from their workspace or desk for any period of time (see Section 3.2 entitled “Clear Workspace, Desk and Clear Screen Policy”).
2. E-mail Phishing. Personnel must use extreme caution when opening e-mails or attachments received from unknown senders or senders that pose as familiar users. Questionable e-mails may be deleted or forwarded to the Chief Technology Officer.
3. Multi-Factor Authentication (MFA). All personnel will need to complete a one-time enrollment in MFA to secure their user credentials when accessing TermLynx’s information resources on any device (most notably, and without exception, the user’s digital safe (i.e. Dashlane) and Microsoft account). MFA notifications are to be received exclusively via an approved Microsoft or Google authenticator.
4. Software Updates. The Chief Technology Officer will periodically review personnel devices to ensure that updates have been appropriately enabled. All computers and devices must have operating system security patches and updates applied as soon as such updates and patches have become “generally available” in the commercial marketplace as confirmed by the Chief Technology Officer.
5. Encryption Key Storage Restrictions. Recovery keys, passwords, authentication keys or logins must only be stored in a digital safe approved by the Chief Technology Officer (e.g. Dashlane).
6. Secure Transfer. File transfers that contain sensitive, proprietary or confidential information must always occur over an encrypted tunnel (e.g. SCP, SFTP, SSH, HTTPS) or encrypted e-mail. It is also encouraged to have files encrypted as well. Sensitive file transfers over external USB drives or thumb-drives are generally not permitted.
7. Application Execution Policy. Personnel are only permitted to download and install an application on a TermLynx information resource that has an independently validated code sign certificate which attests that the application’s code has not been altered or compromised by a third party. Any application that does not have such code sign certificate must be evaluated and approved by the Chief Technology Officer prior to installation on any TermLynx information resource.
8. VPN. All personnel must use a TermLynx approved VPN service (e.g. Dashlane) when accessing a TermLynx information resources from an unfamiliar or public network.
9. Internal Communications. All personnel must use an approved communication platform for all communications regarding TermLynx’s business or containing TermLynx data.
10. Secure Configuration. All personal computers and devices must be presented to the Chief Technology Officer for proper job provisioning and security configuration of standard apps, such as browsers, office productivity software and security.
11. Firewall. All TermLynx devices must have their firewall, Windows Defender, activated at all times. The Chief Technology Officer will ensure compliance with this security measure at all times using JumpCloud.
12. Root User Accounts. As root users on Mac devices enjoy a greater number of privileges and access to system files, root user accounts shall not be used for routine use.
13. Unacceptable Use. All data users are prohibited from using or otherwise accessing TermLynx information resources for any purpose other than conducting TermLynx business.
14. User Account Control (UAC) Policies. Users are prohibited from accessing an administrator account to complete routine tasks or any other tasks that do not require administrator privileges. UACs in Windows shall be configured so that a data user who wishes to perform administrative tasks will be required to enter an administrator password.
Users are prohibited from disabling security settings, such as firewalls and Windows Defender configurations. In this connection, all privileges required to disable such security settings will be removed from standard user accounts.
All TermLynx technology equipment must be stored and secured in a reasonable manner. Personnel that travel to high-risk destinations must notify management prior to their departure. Based on the target environment and threat assessment, management will make a determination on whether to (i) issue a temporary laptop; or (ii) allow the personnel member to use their own laptop and thoroughly scan and assesses the integrity of such member’s laptop upon return.
Re-sale of TermLynx hard drives, memory chips or any storage devices is strictly prohibited. Defective or damaged equipment will be disposed of using a certified equipment disposal vendor to include a certificate of satisfactory destruction of any writeable/readable media.
4. Software Security
4.1. Software Development Security
All software code developed by TermLynx must be stored in a Git repository hosted on Microsoft Azure DevOps. Such Git repository may only be accessed using SSH with an RSA 2048 encrypted key, which itself must be password protected and cannot be stored in the digital safe (must either be memorized by the user, or if written down on physical paper, stored in a secure location under lock and key). All deployment secrets must be stored exclusively on Microsoft Azure DevOps.
4.2. Software Deployment Security
Any SAS program or application developed by TermLynx must use HTTPS/SSL TLS for all of the communications with an API client.
All software developed by TermLynx which is available for download on a client’s device must have TermLynx’s designated code signed EV certificate signature.
5. Roles and Responsibilities
Implementation of this Policy requires a clear definition of security roles and responsibilities for all individuals with access to TermLynx’s information resources. All TermLynx personnel share in the responsibility to protect information resources to which they have access. This Policy also intends that individuals are accountable for their access to and use of information resources.
The following roles are defined and used throughout the policies, standards and procedures that constitute this Policy. The same individual may hold more than one of these roles.
5.1. Business Owners
Business owners are management personnel who have a primary responsibility for business processes through which information is received, created, stored, handled or discarded, whether in physical or electronic form. When information crosses multiple business processes, each business process owner is deemed a business owner under this Policy.
Business owners are responsible for:
- assigning data classification categories (e.g. restricted, confidential, internal, unclassified);
- maintaining records of classified resources, their locations and who has access to them;
- understanding risks associated with the information resource;
- reviewing and authorizing user access to data, information resources and systems based on business need;
- controlling changes to information;
- defining recovery time objectives and necessary levels of recovery for information resources and ensuring that backup and recovery processes can meet those objectives;
- planning that essential business functions and applications can continue in the event the existing environment is unavailable;
- ensuring compliance with applicable record retention policies and schedules; and
- ensuring that information resources that are no longer needed are disposed of securely.
5.2. System Owners
System owners are those management personnel who have a primary operational responsibility for physical and electronic systems that receive, create, store, handle or discard information. When information crosses multiple systems, each system manager is deemed a system owner under this Policy.
System owners are responsible for:
- implementing and applying the information protection levels specified by the business owner by using the data security controls specified by the policies, standards and procedures that constitute this Policy or notifying appropriate parties about known exceptions and impediments;
- granting and revoking user rights to information and privileged user access to information systems as specified by business owners;
- providing a method for the business owner to determine who has access to information and systems, and the level of access that they have; and
- implementing appropriate arrangements to recover information, applications and systems in the manner and timeframes specified by the business owner subject to normal infrastructure constraints and according to pre-established recovery objectives.
5.3. Data Users
Data users are individuals who have been granted access to specific information resources in the performance of their assigned duties. All TermLynx personnel and contractors are data users of some part of TermLynx’s information resources, even if they do not have responsibility for managing such resources. Data users include employees, contractors, consultants, temporary employees, guests and other affiliates of TermLynx who have been granted the authority to access TermLynx’s information resources. Data users must:
- review, understand and comply with the policies, standards and procedures that comprise this Policy and other implementing policies;
- agree, in writing, on an annual basis, to perform their work according to such policies, standards and procedures;
- comply with any applicable software licenses;
- participate in security awareness, training and education sessions as appropriate to their job functions and as directed by management;
- notify management of any known or suspected data security incident or issue; and
- conduct themselves in a manner consistent with this Policy. These responsibilities cover both computerized and non-computerized data and technology devices (paper, computers, smartphones, external memory devices, printers, fax machines, etc.) that are in an information user’s care or possession.
5.4. Business Partners and Vendors
Business partners and vendors must:
- comply with the data security and protection requirements of the contracts, service agreements and non-disclosure agreements that govern their relationship with TermLynx;
- exercise due care and caution when accessing TermLynx’s information resources; and
- ensure that the confidentiality and integrity of TermLynx’s data is adequately safeguarded.
5.5. Information Technology
The Chief Executive Officer is responsible for:
- facilitating the adoption and implementation of prescribed data security methodologies and processes within the department, and ensuring compliance with TermLynx’s security policies and standards;
- ensuring that information technology architecture components are designed and implemented to protect the information they process in accordance with the policies, standards and procedures that constitute this Policy;
- defining, implementing and testing disaster recovery plans and making contingency arrangements to manage the prolonged unavailability of critical computer facilities, equipment or communications services;
- maintaining an accurate and up-to-date inventory of information system hardware and software in use; and
- ensuring that all implementations, maintenance, enhancements and other project activities within its purview are conducted in accordance with the policies, standards and procedures that constitute this Policy.
5.6. Policies, Standards and Procedures
The Chief Executive Officer, the Chief Operating Officer and the Chief Technology Officer are responsible for (i) developing TermLynx’s data security vision strategy and program and (ii) championing, within TermLynx as a whole and within their respective departments, the idea that data security activities should be carried out in a timely and accurate manner and that data security issues are to be resolved effectively, which includes:
- monitoring and reporting on the state of data security, privacy and legal compliance within the department, both generally and with regard to specific issues that have been previously identified;
- identifying the need for development of new, or changes to existing, policies, standards, methodologies and processes to address new information security and privacy issues as they arise;
- performing independent oversight and governance functions for data assurance and protection, data risk management, security incident investigations, business continuity and disaster recovery across TermLynx;
- working in cooperation and with the assistance of legal counsel to interpret laws and regulations governing data security and privacy and provide appropriate compliance oversight;
- producing and maintaining TermLynx-wide data security policies and standards that specify required and recommended data security measures and controls;
- developing methodologies and processes to help departments comply with information security policies and standards in a consistent and effective manner;
- providing expertise and knowledge of current industry trends in information security and business continuity to ensure parity with peer organizations and improve control processes across TermLynx; and
- responding to, investigating and reporting on data security incidents.