...
This Information Security Policy is intended to protect CloudCard’s employees, partners, and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.
Information Technology systems, including, but not limited to, computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, web browsing, and file transfers, are the property of CloudCard. These systems are to be used for business purposes in serving to serve the interests of the company , and of our clients and customers in the course of normal operations.
Effective security is a team effort involving the participation and support of every CloudCard employee or contractor who deals with information and/or information systems. It is the responsibility of every team member to read and understand this policy , and to conduct their activities accordingly.
Purpose
The purpose of this document is to communicate This document communicates our information security policies and outline outlines the acceptable use and protection of CloudCard’s information and assets. These rules are in place to protect customers, employees, and CloudCard. Inappropriate use exposes CloudCard to risks, including virus attacks, compromise of network systems and services, financial and reputational risk, and legal and compliance issues.
...
This policy applies to employees, contractors, consultants, temporaries, and other workers at CloudCard, including all personnel affiliated with third parties. This policy applies to all CloudCard-controlled company and customer data as well as all equipment, systems, networks, and software owned or leased by CloudCard.
...
All users are required to report known or suspected security events or incidents, including policy violations and observed security weaknesses. Incidents shall be reported immediately or as soon as possible by sending an email to security@cloudcard.us.
In your email, please describe the incident or observation along with any relevant details.
...
All end-user devices (e.g., mobile phones, tablets, laptops, desktops) must comply with this policy. Employees must use extreme caution when opening email attachments received from unknown senders, which may contain malware.
System-level and user-level passwords must comply with the Access Control Policy. Providing access to another individual, either deliberately or through failure to secure a device, is prohibited.
All end-user, personal (BYOD) or company-owned devices used to access CloudCard information systems (i.e. email) must adhere to the following rules and requirements:
...
Users shall not leave confidential materials unsecured on their desk desks or workspace , and will ensure that screens are locked when not in use.
...
Personnel are responsible for reading and complying with all policies relevant to their roles and responsibilities.
Policy | Purpose |
To limit access to information and information processing systems, networks, and facilities to authorized parties in accordance with business objectives. | |
To identify organizational assets and define appropriate protection responsibilities. | |
To prepare CloudCard in the event of extended service outages caused by factors beyond our control (e.g., natural disasters, man-made events), and to restore services to the widest extent possible in a minimum time frame. | |
To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. | |
To ensure that information is classified and protected in accordance with its importance to the organization. | |
To ensure that employees and contractors meet security requirements, understand their responsibilities, and are suitable for their roles. | |
Policy and procedures for suspected or confirmed information security incidents. | |
Establishes the roles and responsibilities that ensure effective communication of information security policies and standards. | |
To ensure the correct and secure operation of information processing systems and facilities. | |
To prevent unauthorized physical access or damage to the organization’s information and information processing facilities. | |
To define the process for assessing and managing CloudCard’s information security risks in order to achieve the company’s business and information security objectives. | |
To ensure that information security is designed and implemented within the development lifecycle for applications and information systems. | |
To ensure protection of the organization's data and assets that are shared with, accessible to, or managed by suppliers, including external parties or third-party organizations such as service providers, vendors, and customers, and to maintain an agreed level of information security and service delivery in line with supplier agreements. |
Policy Compliance
CloudCard will measure and verify compliance to this policy through various methods, including but not limited to ongoing monitoring, and both internal and external audits.
...
CloudCard uses Amazon Web Services (“AWS”) to deliver a premium software as a service experience to its customers. AWS built their its entire product suite with security as the highest priority. All of the servers used by CloudCard are hosted in secure AWS facilities, which means that certain compliance and security policies and practices are provided by AWS. AWS follows a shared responsibility model (see https://aws.amazon.com/compliance/shared-responsibility-model/), in which AWS is responsible for the security “Of” the cloud infrastructure, while CloudCard is responsible for the security and compliance of our resources “In” the cloud. As a result, CloudCard maintains security policies and procedures that apply to resources we establish in the cloud , and will refer to AWS’s security and compliance certifications (see https://aws.amazon.com/security/), practices and policies where appropriate (security of the underlying cloud infrastructure that CloudCard leverages). CloudCard takes every reasonable measure to follow the configuration best practices , set forth by AWS , for their its products and services.
Revision History
Version | Date | Description | Author | Approved by |
1.0 | 2017-11-02 | Initial Version | Tony Erskine | |
1.1 | 2018-08-22 | Review / Minor Updates | Tony Erskine | |
1.2 | 2018-10-19 | Review / Minor Updates | Tony Erskine | |
1.3 | 2019-12-05 | Security Awareness Training Requirement | Luke Rettstatt | |
1.4 | 2020-03-17 | AWS Security References Multi Factor Authentication | Luke Rettstatt | |
2.0 | 2020-04-07 | Access Control Policy Data Management Policy Roles and Responsibilities Background Check Requirement | Luke Rettstatt | |
2.1 | 2020-04-20 | Encryption Standards Secure Deletion Standards | Tony Erskine | |
2.2 | 2020-11-24 | Patching Standards | Tony Erskine | |
2.3 | 2020-12-01 | Review / Minor Updates | Luke Rettstatt | |
2.4 | 2021-03-11 | Annual Review | Tony Erskine | |
2.5 | 2022-03-20 | Annual Review | Tony Erskine | |
2.6 | 2022-07-06 | Update Job Titles | Tony Erskine | |
3.0 | 2023-03-15 | Converted to SOC Compliant Template | Ryan Heathcote | Luke Rettstatt |
3.1 | 2024-07-16 | Spelling and grammar improvements | Ryan Heathcote | Luke Rettstatt |