Information Security Policy

I.             Policy Statement

The purpose of this policy is to provide a security framework that will ensure the protection of the Celebrate Strengths, LLC Information from unauthorized access, loss or damage while supporting information-sharing needs of our staff and customers. Information may be verbal, digital, and/or hardcopy, individually-controlled or shared, stand-alone or networked, used for administration, research, teaching, or other purposes. Standards and procedures related to this Information Security Policy will be developed and published separately.

Failure to comply with this policy may subject you to disciplinary action and to potential penalties.


II.           Who Is Affected By This Policy

The Information Security Policy applies to all company staff, as well as to contractors and developers acting on behalf of the company through service on company bodies such as task forces, councils, development teams, boards and committees.  This policy also applies to all other individuals and entities granted use of company Information, including, but not limited to, contractors, temporary employees, and volunteers.


III.          Definitions

Authorization: the function of establishing an individual's privilege levels to access and/or handle information.

Availability: ensuring that information is ready and suitable for use.

Confidentiality: ensuring that information is kept in strict privacy.

Integrity: ensuring the accuracy, completeness, and consistency of information.

Unauthorized access: looking up, reviewing, copying, modifying, deleting, analyzing, or handling information without proper authorization and legitimate business need.

Company Information: information that Celebrate Strengths, LLC collects, possesses, or has access to, regardless of its source. This includes information contained in hard copy documents or other media, communicated over voice or data networks, or exchanged in conversation.

IV.           Policy

The company appropriately secures its information from unauthorized access, loss or damage while supporting the open, information-sharing needs of daily business.


A.             Classification Levels

All Information is classified into one of four levels based on its sensitivity and the risks associated with disclosure. The classification level determines the security protections that must be used for the information.


When combining information, the classification level of the resulting information must be re-evaluated independently of the source information's classification to manage risks.


The classification levels are:

1.                   Restricted

The following Information is classified as Restricted:

• Social security number

• Bank account number

• Driver's license number

• State identity card number

• Credit card number

• Federal Taxpayer ID

• Protected health information (as defined by HIPAA)

State and Federal laws require that unauthorized access to certain Restricted information must be reported to the appropriate agency or agencies. All reporting of this nature to external parties must be done by or in consultation with the company’s legal counsel.

Sharing of Restricted information within the company may be permissible if necessary to meet the company’s legitimate business needs. Except as otherwise required by law (or for purposes of sharing between law enforcement entities), no Restricted information may be disclosed to parties outside the company, including contractors, without the proposed recipient’s prior written agreement (i) to take appropriate measures to safeguard the confidentiality of the Restricted information; (ii) not to disclose the Restricted information to any other party for any purpose absent the company’s prior written consent or a valid court order or subpoena; and (iii) to notify the company in advance of any disclosure pursuant to a court order or subpoena unless the order or subpoena explicitly prohibits such notification. In addition, the proposed recipient must abide by the requirements of this policy. Any sharing of Restricted information within the company must comply with company.


2.             Confidential

Company Information is classified as Confidential if it falls outside the Restricted classification, but is not intended to be shared freely within or outside the company due to its sensitive nature and/or contractual or legal obligations. Examples of Confidential Information include all non-Restricted information contained in personnel files, misconduct and law enforcement investigation records, internal financial data, and confidential customer information protected by an NDA.

Sharing of Confidential information may be permissible if necessary to meet the company’s legitimate business needs. Unless disclosure is required by law (or for purposes of sharing between law enforcement entities), when disclosing Confidential information to parties outside the company, the proposed recipient must agree (i) to take appropriate measures to safeguard the confidentiality of the information; (ii) not to disclose the information to any other party for any purpose absent the company’s prior written consent or a valid court order or subpoena; and (iii) to notify the company in advance of any disclosure pursuant to a court order or subpoena unless the order or subpoena explicitly prohibits such notification. In addition, the proposed recipient must abide by the requirements of this policy.


3.             Unrestricted Within Celebrate Strengths, LLC (UWCS)

Company Information is classified as Unrestricted Within Celebrate Strengths (UWCS) if it falls outside the Restricted and Confidential classifications, but is not intended to be freely shared outside the company.


The presumption is that UWCS information will remain within the company. However, this information may be shared outside of the company if necessary to meet the company’s legitimate business needs, and the proposed recipient agrees not to re-disclose the information without the company’s consent.


4.             Publicly Available

Company Information is classified as Publicly Available if it is intended to be made available to anyone inside and outside of the company.


B.             Protection, Handling, and Classification of Information

1.            Based on its classification, company Information must be appropriately protected from unauthorized access, loss and damage.

2.            Handling of company Information from any source other than the company may require compliance with both this policy and the requirements of the individual or entity that created, provided or controls the information. If you have concerns about your ability to comply, consult the relevant senior executive or legal counsel.

3.            When deemed appropriate, the level of classification may be increased or additional security requirements imposed beyond what is required by this Information Security Policy.


V.             Responsibilities

All company staff and others granted use of company Information are expected to:

• Understand the information classification levels defined in the Information Security Policy.

• As appropriate, classify the information for which one is responsible accordingly.

• Access information only as needed to meet legitimate business needs.

• Not divulge, copy, release, sell, loan, alter or destroy any company Information without a valid business purpose and/or authorization.

• Protect the confidentiality, integrity and availability of company Information in a manner consistent with the information's classification level and type.

• Handle information in accordance with the company Information Protection Standards and Procedures and any other applicable company standard or policy.

• Safeguard any physical key, ID card, computer account, or network account that allows one to access company Information.

• Discard media containing company information in a manner consistent with the information's classification level, type, and any applicable retention requirement. This includes information contained in any hard copy document (such as a memo or report) or in any electronic, magnetic or optical storage medium (such as a memory stick, CD, hard disk, magnetic tape, or disk).

• Contact the relevant senior executive or legal counsel prior to disclosing information or prior to responding to any litigation or law enforcement subpoenas, court orders, and other information requests from private litigants and government agencies.

• Contact the appropriate company office prior to responding to requests for information from regulatory agencies, inspectors, examiners, and/or auditors.