YOUNG WELLS
Best Practice # 3: Privacy and Information Security Program
Purpose: Employ appropriate levels of physical, network and other security protocols to protect Non-public Personal Information. Young Wells Williams P.A. has taken measures to guard against unauthorized or unlawful processing of personal data and against accidental loss, destruction or damage. This includes:
- Adopting an information security policy (this document is our policy)
- Taking steps to control physical security (projects and staff records are all kept in a locked filing cabinet)
- Putting in place controls on access to information (password protection on files and server access)
- Establishing a business continuity/disaster recovery plan (including, at a minimum, taking regular back-ups of its computer data files and storing them away from the office at a safe location)
- Training all staff on security systems and procedures
- Detecting and investigating breaches of security should they occur
- The Firm Administrator is responsible for all documentation and maintenance of all policies and procedures regarding Non-public Personal Information (and will review the same at least annually).
- The Privacy and Information Security Program must be reviewed and updated annually.
- Personal data is to be collected only for the purpose specified.
- Data collected is to be relevant but not excessive for the purposes required. On an annual basis, title insurance application forms and any other forms that we use are reviewed to confirm that we are not asking for irrelevant information.
- Data is not to be kept for longer than is necessary for the purposes collected, including complying with applicable laws. Within 30 days of closing:
- Files are scanned into our secure server and paper copies are shredded; or
- Files are moved to locked files in a secure location in our office
- Data is protected with appropriate technical and organizational measures to minimize the risk of unauthorized or unlawful processing and against accidental loss or destruction or damage to personal data.
- Restricts access to Non-public Personal Information to authorized employees who have undergone Background Checks at hiring. The Company has implemented the following physical security measures: (i) locked building, (ii) locked file cabinets, (iii) clean desk policy, and (iv) shredding of Non-public Personal Information.
- Prohibits or controls the use of removable media.
- Prohibits the removal of paper files from the office except as needed for a remote closing.
- Uses only secure delivery methods, such as encrypted email or password-protected files, when transmitting Non-public Personal Information. Transmitting Non-public Personal Information by fax is prohibited.
- Requires all files containing Non-public Personal Information to be locked in a file cabinet or placed in a secure file room when not in use.
- Requires each employee who has left the office for the day or is on vacation to notify the other employees by placing a sign in his/her inbox, so that the other employees know not to place any information containing Non-public Personal Information on that person’s workstation and, if the person is on vacation, to whom incoming files or documents should be directed in that employee’s absence.
- Requires the last remaining real estate paralegal to conduct a nightly sweep of the office to confirm that all files are secure, to ensure that no documents containing Non-public Personal Information remain on any printer, copier, or fax machine, and to confirm that each person’s shred box has been emptied.
- Prohibits the collection of Non-public Personal Information via the Company website.
- Implements physical and technical safeguards for all workstations that access Non-public Personal Information to restrict access to authorized users, including, but not limited to, the following measures:
- Restricting physical access to workstations to only authorized personnel.
- Prohibiting remote access to workstations containing or with access to Non-public Personal Information unless the following security measure is in place: as a condition of remote access to the office network, staff home computers must have anti-virus software installed and regularly updated with the latest virus definitions.
- Securing workstations (screen lock or logout) prior to leaving the area to prevent unauthorized access.
- Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were left unsecured will be protected.
- Complying with all applicable password policies and procedures.
- Ensuring workstations are used for authorized business purposes only.
- Never installing unauthorized software on workstations.
- Storing all Non-public Personal Information on network servers.
- Requiring all workstations to have standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus pattern files must be kept up-to-date. Virus-infected computers must be removed from the network until they are verified as virus-free. Any activities with the intention to create and/or distribute malicious programs into the network (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) are prohibited.
- Ensuring workstations are left on but logged off in order to facilitate after-hours updates; running applications must be exited and open documents closed.
- Ensuring that all workstations use a surge protector (not just a power strip) or a UPS (battery backup).
- Restricting employees’ ability to install software on workstations operated within the Company’s network. Software requests must first be approved by the requester’s manager in writing or via e-mail.
- If wireless network access is used, ensure access is secure by requiring all wireless devices that connect to the network (a) be installed, supported, and maintained by the IT department, (b) use Company-approved authentication protocols and infrastructure, (c) use Company-approved encryption protocols, and (d) maintain a hardware address (MAC address) that can be registered and tracked.
- Implements physical and technical safeguards for all servers that access Non-public Personal Information to restrict access to authorized users, including, but not limited to, the following measures:
- Restricting remote access to servers by employees.
- Ensuring that all servers are stored in locked facilities with access limited to: Tony Carlisle, Firm Administrator.
- Ensuring that all servers containing Non-public Personal Information receive the most recent security patches as soon as practical, the only exception being when immediate application would interfere with business requirements.
- Ensuring servers containing Non-public Personal Information are physically located in an access-controlled environment.
- Ensuring that all servers have anti-malware and anti-spyware applications installed that offer real-time protection to the target system, including automated virus protection updates.
- Ensuring that no servers containing Non-public Personal Information can be operated from uncontrolled areas (e.g., lobby, conference room, etc.).
- Implements physical and technical safeguards for all network equipment that accesses Non-public Personal Information to restrict access to authorized users, including, but not limited to, the following measures:
- Ensuring that all internet connections are protected by firewalls.
- Ensuring that passwords on the router are kept in a secure encrypted form. The router must have the enable password set to the current production router password from the router’s support organization.
- Disallowing the following on all internet-connected routers:
- IP directed broadcasts
- Incoming packets at the router sourced with invalid addresses, such as RFC 1918 addresses
- TCP small services
- UDP small services
- All source routing
- Web services running on router
- Ensuring that access rules are added as business needs arise.
- Ensuring that each router has the following statement posted in clear view: “UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device.”
- Ensuring all access to the Internet by clients occurs through a separate “guest” network (i.e., client devices are never given access via the same network used to transmit Non-public Personal Information).
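As an added example (not the firm’s own tooling), a small auditor that checks an exported router configuration against the items on the checklist above: small services, source routing, the web service, directed broadcasts per interface, and an inbound deny for each RFC 1918 source range. Cisco IOS-style command syntax is assumed, and the sample configuration is constructed for illustration.

```python
"""Audit an IOS-style router config against the hardening checklist above.

Added example, not the firm's tooling; the config below is constructed and
Cisco IOS-style command syntax is assumed.
"""
import re

# Global hardening commands the policy requires, with the finding if absent.
REQUIRED_GLOBAL = {
    "no service tcp-small-servers": "TCP small services enabled",
    "no service udp-small-servers": "UDP small services enabled",
    "no ip source-route": "source routing enabled",
    "no ip http server": "web service running on router",
}
# RFC 1918 ranges (address + wildcard) that must be denied as a source inbound.
RFC1918 = ["10.0.0.0 0.255.255.255", "172.16.0.0 0.15.255.255",
           "192.168.0.0 0.0.255.255"]

SAMPLE_CONFIG = """\
hostname edge-rtr
no service tcp-small-servers
no service udp-small-servers
ip http server
ip access-list extended INGRESS
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit ip any any
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip access-group INGRESS in
 no ip directed-broadcast
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
"""


def audit_router_config(config: str) -> list[str]:
    """Return the checklist items the config fails; an empty list means compliant."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings = [msg for cmd, msg in REQUIRED_GLOBAL.items() if cmd not in lines]
    # Every interface stanza (indented lines under "interface X") must
    # disable directed broadcasts explicitly.
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M):
        if " no ip directed-broadcast" not in m.group(2).splitlines():
            findings.append(f"{m.group(1)}: IP directed broadcasts not disabled")
    # Inbound ACL must drop packets sourced from each private range.
    for rng in RFC1918:
        if f" deny ip {rng} any" not in lines:
            findings.append(f"no inbound deny for RFC 1918 source {rng.split()[0]}")
    return findings


if __name__ == "__main__":
    for finding in audit_router_config(SAMPLE_CONFIG):
        print("FAIL:", finding)
```

Run against the constructed config, the auditor reports four failures (source routing, the web service, directed broadcasts on the inside interface, and the missing 172.16.0.0/12 deny).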
- Developed and maintains guidelines for the appropriate use of Company information technology.
- Ensures secure collection and transmission of Non-public Personal Information.
- With regard to passwords, requires:
- All servers, workstations and network equipment to be password protected.
- All system-level passwords (Administrator, etc.) to be changed on a semi-annual basis, at a minimum.
- All user-level passwords (e.g., e-mail, web, desktop computer, etc.) to be changed at least every twelve months.
- All user-level and system-level passwords conform to the following standards:
- Contain at least three of the five following character classes:
- Lowercase characters
- Uppercase characters
- Numbers
- Punctuation
- “Special” characters (e.g., @#$%^&*()_+|~-=\`{}[]:";'<>/ etc.)
- Contain at least eight to fifteen alphanumeric characters.
- The password is NOT a word found in a dictionary (English or foreign).
- The password is NOT a common usage word such as:
- Computer terms and names, commands, sites, companies, hardware, software. Passwords should NEVER be “Password1” or any derivation.
- The words “Young Wells Williams P.A.”, “Ridgeland”, or any derivation.
- Names of family, pets, friends, co-workers, etc.
- Birthdays and other personal information such as addresses and phone numbers.
- Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
- Any of the above spelled backwards.
- Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
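As an added example (not the firm’s own tooling), a checker that applies the password standards listed above: three of five character classes, the stated length, the firm-specific blocked words, dictionary words, keyboard and repeat patterns, and the reversed or digit-prefixed/suffixed variants of each. Assumptions: “at least eight to fifteen” is read as 8 to 15 characters, the punctuation/special split is constructed, and DICTIONARY is a tiny constructed stand-in for a real word list.

```python
"""Check a candidate password against the password standards listed above (added example).
Assumptions: "at least eight to fifteen" read as 8-15 chars; DICTIONARY is a constructed stand-in."""
import re
import string

PUNCTUATION = set(".,;:!?'\"")                      # "Punctuation" class (assumed split)
SPECIAL = set("@#$%^&*()_+|~-=\\`{}[]<>/")          # "Special" class, from the policy's list
DICTIONARY = {"secret", "summer", "welcome", "closing", "escrow"}  # constructed stand-in
BLOCKED = ["password", "youngwells", "ridgeland"]   # words the policy forbids, normalized
SEQUENCES = [string.ascii_lowercase, string.digits, "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def character_classes(pw: str) -> int:
    """Count how many of the five character classes appear in pw."""
    tests = (str.islower, str.isupper, str.isdigit, PUNCTUATION.__contains__, SPECIAL.__contains__)
    return sum(any(t(c) for c in pw) for t in tests)


def normalized_forms(pw: str) -> set[str]:
    """Lowercased pw, with edge digits stripped, each also reversed, separators removed."""
    forms = {pw.lower(), pw.lower().strip(string.digits)}
    forms |= {f[::-1] for f in list(forms)}
    return {re.sub(r"[^a-z0-9]", "", f) for f in forms}


def has_pattern(pw: str) -> bool:
    """Detect aaabbb repeats, qwerty/zyxw/1234-style runs and 123321-style mirrors."""
    low = pw.lower()
    if re.search(r"(.)\1\1", low):
        return True
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + 4] in low for i in range(len(s) - 3)):
                return True
    return any(d == d[::-1] for d in re.findall(r"\d{4,}", low))


def check_password(pw: str) -> list[str]:
    """Return the policy rules pw violates; an empty list means compliant."""
    problems = []
    if not 8 <= len(pw) <= 15:
        problems.append("length must be 8 to 15 characters")
    if character_classes(pw) < 3:
        problems.append("needs at least three of the five character classes")
    forms = normalized_forms(pw)
    if forms & DICTIONARY:
        problems.append("dictionary word (possibly reversed or with a digit added)")
    if any(b in f for f in forms for b in BLOCKED):
        problems.append("contains a blocked word")
    if has_pattern(pw):
        problems.append("contains a keyboard, repeat or mirror pattern")
    return problems
```

Names of staff, family and pets cannot be checked generically; in practice they are appended to BLOCKED per employee.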
- With regard to email accounts, requires all emails containing Non-public Personal Information to be sent using encryption.
- With regard to backups, requires:
- All servers to be backed up daily both on-site and off-site.
- All backup data to be encrypted at the source using AES 256-bit encryption and to remain encrypted in transit and at rest.
- Adheres to Federal law which requires companies that possess Non-public Personal Information for a business purpose to dispose of such information in a manner that protects against unauthorized access to or use of the information.
- Uses a shredding company that has signed a confidentiality and non-disclosure agreement to dispose of all physical or electronic items containing Non-public Personal Information.
- Maintains a disaster recovery plan, a copy of which is attached hereto.
- Exercises appropriate management and training of employees to ensure compliance with the Company’s information security program.
- Requires all employees that access Non-public Personal Information to sign an acceptable use of information agreement annually in the form attached hereto.
- Requires all employees that access Non-public Personal Information to undergo a five (5) year criminal background check upon hiring.
- Requires all employees that access Non-public Personal Information to review this information security policy; and maintain a log documenting the date on which employees have reviewed same.
- Takes reasonable steps to select and retain service providers that are capable of appropriately safeguarding Non-public Personal Information.
- Requires all service providers that have access to Non-public Personal Information to sign a confidentiality and nondisclosure agreement.
- Annually reviews the privacy and information security procedures to detect the potential for improper disclosure of confidential information.
- Immediately, upon termination, inactivates the terminated employee’s credentials, including, but not limited to, workstation access, e-mail access, remote access, and any other access to the Company’s network or programs.
- Posts the privacy and information security program on all Company websites and provides program information directly to customers in useable form.
- Informs customers and law enforcement, as required by law, when a security breach affecting Non-public Personal Information is detected.
OFFICE
141 Township Avenue, Suite 300
Ridgeland, MS 39157
© 2020 Young Wells. All Rights Reserved. // Website Design by Raborn Media