Policy Owner: Managing Director

Effective Date: 2023-03-21

Purpose

To ensure that employees and contractors meet security requirements, understand their responsibilities, and are suitable for their roles.

Scope

This policy applies to all employees of CloudCard, consultants, contractors and other third-party entities with access to CloudCard production networks and system resources.

Policy

Screening

Background verification checks on CloudCard personnel shall be carried out in accordance with relevant laws, regulations, and shall be proportional to the business requirements, the classification of the information to be accessed, and the perceived risks. Background screening shall include criminal history checks unless prohibited by local statute. All third-parties with technical privileged or administrative access to CloudCard production systems or networks are subject to a background check or requirement to provide evidence of an acceptable background, based on their level of access and the perceived risk to CloudCard.

Competence & Performance Assessment

Human resources staff and the hiring manager or his or her designees shall assess the skills and competence of employees and contractors as part of the hiring process. Required skills and competencies shall be listed in job descriptions and requisitions and/or aligned with the responsibilities outlined in the Roles and Responsibilities Policy. Competency evaluations may include reference checks, education and certification verifications, technical testing, and interviews.

All CloudCard employees will undergo an annual performance review which will include an assessment of job performance, competence in the role, adherence to company policies and code of conduct, and achievement of role-specific objectives.

Onboarding

The following are required for employees upon starting employment at CloudCard and before being granted access to customer data:

1. A multi-state criminal background check

2. Sign a non-disclosure agreement

3. Review all relevant policies

Once the above activities are completed, the employee can be granted access to systems according to the following process:

1. Access requests are submitted for the systems for which the employee has a business need, and at the lowest level of privilege the employee needs to accomplish their duties.

2. System owners approve the access requests and grant the access.

3. An employee is typically issued a laptop, and the device volumes are encrypted.

4. Employees also receive annually refreshed Security Awareness training.

Terms & Conditions of Employment

Company policies and information security roles and responsibilities shall be communicated to employees and third-parties at the time of hire or engagement, and employees and contractors are required to formally acknowledge their understanding and acceptance of their security responsibilities. Employees and third-parties with access to company or customer information shall sign an appropriate non-disclosure, confidentiality, and appropriate code-of-conduct agreements. Contractual agreements shall state responsibilities for information security as needed. Employees and relevant third-parties shall follow all CloudCard information security policies.

Management Responsibilities

Management shall ensure that information security policies and procedures are reviewed annually, distributed and available, and that employees and contractors abide by those policies and procedures for the duration of their employment or engagement. Annual policy review shall include a review of any linked or referenced procedures, standards or guidelines.

Management shall ensure that information security responsibilities are communicated to individuals through written job descriptions, policies, or some other documented method that is accurately updated and maintained. Compliance with information security policies and procedures and fulfilling information security responsibilities shall be evaluated as part of the performance review process wherever applicable.

Management shall consider excessive pressures and opportunities for fraud when establishing incentives and segregating roles, responsibilities, and authorities.

Information Security Awareness, Education & Training

All CloudCard employees and third-parties with administrative or privileged technical access to CloudCard production systems and networks shall complete security awareness training at the time of hire and annually thereafter. Management shall monitor training completion and shall take appropriate steps to ensure compliance with this policy. Employees and contractors shall be aware of relevant information security and data privacy policies and procedures. The company shall ensure that personnel receive security and data privacy training appropriate to their role and data handling responsibilities.

The above security awareness training will include (but not be limited to) identification of social engineering, including phishing and spear phishing.

Work Locations

Employees must be physically located in the United States or Canada in order to access Customer Data or CloudCard Confidential Data. Employees must not perform any work for CloudCard from outside the United States and Canada without prior written approval from management. Even when approval is granted to work from outside the United States and Canada, employees must not access customer data from these locations.

Offboarding Process

Employee and contractor termination and offboarding processes shall ensure that physical and logical access is promptly revoked in accordance with company SLAs and policies and that all company-issued equipment is returned.

Any security or confidentiality agreements that remain valid after termination shall be communicated to the employee or contractor at the time of offboarding to ensure their is no breach of confidential information by a former employees or contractors after their employment.

When offboarding, the employee’s laptop is returned to CloudCard and erased prior to disposal or reuse. The employee’s access is reviewed, and system owners are instructed to revoke access, which must be done within 24 business hours.

Disciplinary Process

Employees and third-parties who violate CloudCard information security policies shall be subject to the CloudCard progressive disciplinary process, up to and including termination of employment or contract.

Exceptions

Requests for an exception to this policy must be submitted to the Managing Director for approval.

Violations & Enforcement

Any known violations of this policy should be reported to the Managing Director. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company policies up to and including termination of employment.