Information Security Policies
High-Level Security Policy
PUB#: L121
Effective Date: 07.01.2016
Version: 0.01
This document provides a summary of the security policies of ParishSOFT LLC for the company’s customers, prospects, and partners. ParishSOFT may update this Information Security Policy as needed and without notice. For questions regarding information security, please contact us.
ParishSOFT is critically dependent on information and information systems. The good reputation that ParishSOFT enjoys is directly linked to the way it manages both. Public disclosure of private data would harm that reputation and impair our ability to retain existing customers and to win new business. For these and other important business reasons, the leadership team has initiated, and continues to support, an information security effort. To be effective, information security must be a team effort involving the participation and support of everyone at ParishSOFT who deals with information and information systems. This document describes ways to prevent and respond to a variety of threats to information and information systems, including unauthorized access, disclosure, duplication, modification, appropriation, destruction, loss, misuse, and denial of use.
Everyone at ParishSOFT must comply with the information security policies found in this and related information security documents. This policy applies to all computer systems, network systems, websites, and information products owned or administered by ParishSOFT, regardless of operating system, hardware platform, or application.
4. Roles and Responsibilities
Guidance, direction, and authority for information security activities are centralized for all of ParishSOFT in the Information Technology Team, under the direction of the Director of Development. The Information Technology Team, in conjunction with and under the guidance of the leadership team, is responsible for establishing and maintaining organization-wide information security policies, standards, guidelines, and procedures. Compliance checking, to ensure that departments operate in a manner consistent with these requirements, is the responsibility of each department head, with the assistance of the IT Team.
5. Information Classification and Handling
ParishSOFT information, and information that has been entrusted to ParishSOFT, must be protected in a manner commensurate with its sensitivity and criticality. ParishSOFT has adopted an information classification system with four categories. All information under ParishSOFT control, whether generated internally or externally, falls into one of these categories: Secret, Confidential, Internal Use Only, or Public. For purposes of this policy, "sensitive information" is information that falls into either the Secret or Confidential category.
6. Information Access Control
6.1 Need to Know
Access to information in the possession of, or under the control of, ParishSOFT must be granted on the basis of need to know. Information must be disclosed only to people who have a legitimate business need for it. The privileges granted to all workers must be periodically reviewed by information Owners and Custodians to ensure that only those with a current need to know still have access.
6.2 User IDs and Passwords
To implement need to know, ParishSOFT requires that each worker accessing a multi-user information system have a unique user ID and a private password. Users are prohibited from logging into any ParishSOFT system or network anonymously. Users must choose passwords that are difficult to guess. Users must not construct passwords that are identical or substantially similar to passwords they have previously used, or that they currently use on systems not belonging to ParishSOFT. Passwords must be changed at least every 90 days. Whenever a worker suspects that a password has become known to another person or to any entity not sanctioned by ParishSOFT, that password must be changed immediately. Passwords must not be stored in readable form in batch files, automatic logon scripts, software macros, terminal function keys, on computers without access control systems, or in any other location where unauthorized persons might discover them. Passwords must never be shared with or revealed to others. System administrators and other technical information systems staff must never ask a worker to reveal his or her personal password.
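The rules above are stated as obligations on workers. As an added illustration, not ParishSOFT's own code and not part of the original policy, the following Python shows how a password-change handler and a script audit could enforce them: a similarity test against the current password (which the user supplies at change time), a hashed-history check for exact reuse, the 90-day rotation rule, and a scan of a constructed logon script for credentials stored in the clear. The edit-distance threshold, the minimum base-word length, the credential patterns, and the sample script are all assumptions made for the example.

```python
"""Added example for section 6.2: checks a password-change handler and a
script audit can apply. Example code written for this page, not ParishSOFT's;
thresholds, patterns and the sample script are assumptions."""
import hashlib
import hmac
import re
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)   # rotation interval stated in section 6.2
SIMILARITY_EDIT_DISTANCE = 2            # assumption: two or fewer edits is "substantially similar"
MIN_BASE_LENGTH = 4                     # assumption: ignore shared base words shorter than this


def _normalize(pw: str) -> str:
    """Lower-case and strip trailing digits/punctuation, so that 'Winter2015!'
    and 'winter2016' both reduce to the base word 'winter'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming; fine for password lengths."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_substantially_similar(new_pw: str, old_pw: str) -> bool:
    """True for identical passwords (ignoring case), passwords sharing a base
    word ('Summer2015!' -> 'Summer2016!'), and passwords a few edits apart."""
    a, b = new_pw.lower(), old_pw.lower()
    if a == b:
        return True
    na, nb = _normalize(new_pw), _normalize(old_pw)
    if min(len(na), len(nb)) >= MIN_BASE_LENGTH and (na in nb or nb in na):
        return True
    return _edit_distance(a, b) <= SIMILARITY_EDIT_DISTANCE


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; history entries are stored as (salt, digest)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


def reused_from_history(new_pw: str, history) -> bool:
    """Earlier passwords exist only as hashes, so only exact reuse is detectable
    here; the similarity test needs plaintext and so runs against the current
    password only, which the user supplies when changing it."""
    return any(hmac.compare_digest(hash_password(new_pw, salt), digest)
               for salt, digest in history)


def check_password_change(new_pw, current_pw, history, last_changed, today):
    """Return the section 6.2 rules a change request violates (empty if none).
    last_changed and today are ISO dates, e.g. '2016-07-01'."""
    findings = []
    if is_substantially_similar(new_pw, current_pw):
        findings.append("similar_to_current")
    if reused_from_history(new_pw, history):
        findings.append("reused")
    if date.fromisoformat(today) - date.fromisoformat(last_changed) > MAX_PASSWORD_AGE:
        findings.append("rotation_overdue")
    return findings


# "Passwords must not be stored in readable form in batch files, automatic
# logon scripts ...": flag literal credentials in scripts. Two common shapes
# are covered (assumption: not an exhaustive list).
_CRED_PATTERNS = [
    # KEY=value / KEY: value where the key names a password; values that are
    # parameter or variable references (%1, $PW) are not literals and are skipped
    re.compile(r"(?i)(?:password|passwd|pwd|secret)\s*[=:]\s*(?![%$])(\S+)"),
    # net use <drive> \\server\share <password> /user:<account>
    re.compile(r"(?i)\bnet\s+use\s+\S+\s+\\\\\S+\s+(?!/)(\S+)\s+/user:"),
]


def find_plaintext_credentials(script_text: str):
    """Return (line number, stripped line) for each line carrying a literal credential."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        if any(p.search(line) for p in _CRED_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits


# Constructed sample logon script (not a real ParishSOFT artifact).
SAMPLE_LOGON_SCRIPT = """\
@echo off
rem constructed sample used only to exercise find_plaintext_credentials
net use H: \\\\fileserver\\home /persistent:no
net use S: \\\\fileserver\\shared Summer2016! /user:EXAMPLE\\svc_backup
set BACKUP_PASSWORD=Wint3r2016
set SQL_PASSWORD=%1
"""

if __name__ == "__main__":
    for lineno, text in find_plaintext_credentials(SAMPLE_LOGON_SCRIPT):
        print(f"line {lineno}: {text}")
    print(check_password_change("Summer2016!", "Summer2015!", [], "2016-01-01", "2016-07-01"))
```

Run stand-alone, the scan reports lines 4 and 5 of the sample script (the `net use` password and the `set BACKUP_PASSWORD=` literal) and skips `set SQL_PASSWORD=%1`, which reads its value from a parameter rather than storing it. Note the limitation the history check makes explicit: because previous passwords are kept only as salted hashes, "substantially similar" can be enforced only against the current password, and the history can reject exact reuse alone.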
7. Third Party Data Handling
7.1 Release of Information to Third Parties
Unless it has specifically been designated as public, all ParishSOFT internal information must be protected from disclosure to third parties. Third parties may be given access to ParishSOFT internal information only when a demonstrable need to know exists, when a ParishSOFT non-disclosure agreement has been signed, and when such a disclosure has been expressly authorized by the relevant ParishSOFT information Owner.
7.2 Third-Party Requests for ParishSOFT Information
Unless a worker has been authorized by the information Owner to make public disclosures, all requests for information about ParishSOFT and its business must be referred to the Department Head. Such requests include questionnaires, surveys, and newspaper interviews. This policy does not apply to sales and marketing information about ParishSOFT products and services, nor does it pertain to customer technical support calls. Before a worker receives sensitive information from a third party on behalf of ParishSOFT, the third party must have signed a non-disclosure agreement, a ParishSOFT license agreement, or a purchase agreement containing a relevant release.
8. Physical Security
Access to every office, computer machine room, and other ParishSOFT work area containing sensitive information must be physically restricted to those people with a need to know. All ParishSOFT local area network servers and other secured multi-user systems containing sensitive information must be placed in locked cabinets, locked closets, or locked computer rooms.
9. Network Security
All ParishSOFT computers, network equipment, and multi-user information systems that store sensitive information and that are permanently or intermittently connected to internal computer networks must have a password-based access control system approved by the Information Technology Team. Regardless of network connections, all stand-alone computers handling sensitive information must also employ an approved password-based access control system. ParishSOFT workers must not use unsecured network connections to access sensitive information. Except in emergencies, all changes to ParishSOFT computer networks must be approved in advance by the Information Technology Team. This process prevents unexpected changes from inadvertently leading to denial of service, unauthorized disclosure of information, and other problems.
10. Internet and Electronic Mail
Sensitive information, including passwords and credit card numbers, must not be sent across the Internet unless it is encrypted. All personal computer users must keep current versions of approved virus screening software enabled on their computers. ParishSOFT computers and networks must not run software that comes from sources other than ParishSOFT departments, knowledgeable and trusted user groups, well-known systems security authorities, or established computer, network, or commercial software vendors.

All computer and communications systems used for production processing must employ a documented change control process to ensure that only authorized changes are made.

For multi-user computer and communication systems, a system administrator is responsible for making periodic backups. All backups containing critical or sensitive information must be stored at an approved off-site location, protected by physical access controls or by encryption.

A contingency plan must be prepared for every application that handles critical production information. The information Owner is responsible for ensuring that this plan is adequately developed, regularly updated, and periodically tested.
11. User Rights and Expectations
ParishSOFT management reserves the right to monitor, inspect, or search all ParishSOFT information systems at any time. Because ParishSOFT computers and networks are provided for business purposes, workers must have no expectation of privacy in the information they store in or send through these systems. ParishSOFT management retains the right to remove from its information systems any material that it, in its sole discretion, views as offensive or potentially illegal. Incidents involving unauthorized system access, password guessing, decryption of files, unlicensed copying of software, or similar unauthorized attempts to compromise security measures may be unlawful and will be treated as serious violations of ParishSOFT internal policy. All suspected policy violations must be reported immediately to the department head. All system intrusions, malware infections, and other conditions that might jeopardize ParishSOFT information or information systems must be reported immediately to the Information Technology Team. ParishSOFT workers who deliberately or negligently violate this policy will be subject to disciplinary action up to and including termination.