Overview
This policy applies to all employees, officers, and contractors of HIC, Inc. and its affiliates (the Company).
Our information and information systems are an essential asset and they are vitally important to our business operations and
long-term viability. In the course of carrying out our activities, we collect many different types of information, including
financial, academic, medical, human resources and other personal information. We value the ability to communicate and
share information appropriately. Such information is an important resource of the Company and any person who uses
information collected by the Company has a responsibility to maintain and protect this resource. Federal and state laws and
regulations, as well as industry standards, also impose obligations on us to protect the Authenticity, Availability,
Confidentiality, Integrity, Possession, and Utility of this information.
We must ensure that our information assets are protected in a manner that is cost-effective and that reduces the risk of a Data
Breach. We have adopted a risk management approach to managing our Company Information and Information Systems.
The risk management approach requires the identification, assessment, and appropriate mitigation of vulnerabilities and
threats that can adversely impact our information assets.
This Cyber Security Program Charter serves as the capstone document for the Company's Information Security Program.
Policies further define the Information Security objectives in topical areas.
I. Scope
This Cyber Security Program Charter and associated policies, standards, guidelines, and procedures apply to all employees,
contractors, part-time and temporary workers, and Vendor Associates who perform work on Company premises or who have
been granted access to Company Information or Systems.
The Information Security Program will protect information assets by developing policies to identify, classify, define protection
and management objectives, and define acceptable use of Company information assets. The Information Security Program
will reduce vulnerabilities by developing policies to assess, identify, prioritize, and manage vulnerabilities. The management
activities will support organizational objectives for mitigating the vulnerabilities as well as developing and using metrics to
gauge improvements in vulnerability mitigation.
The Information Security Program will counter threats by developing policies to assess, identify, prioritize, and monitor
threats. The monitoring activities will support organizational objectives for deterring, responding to, and recovering from
threats. The monitoring activities also will support the development and use of metrics to gauge the level of threat activity
and the effectiveness of the Company threat detection and response capabilities.
In addition to the above policies, the Information Security Program shall also maintain:
1. Security Awareness: Defines the activities to increase security awareness corporate-wide, from new employees to
long-tenured employees to anyone with physical or logical access.
The CIO implements and manages the Information Security Program across the organization. The CIO is responsible for the
development of Company Information Security policies, standards and guidelines. The CIO must approve Information Security
standards and guidelines, and ensure their consistency with approved Information Security policies. The CIO also will establish
an Information Security Awareness Program to ensure that the Cyber Security Charter and associated policies, standards,
guidelines, and procedures are properly communicated and understood across the organization.
Company management is accountable for the execution of the Company Information Security Program and ensuring that the
Cyber Security Program Charter and associated policies, standards, guidelines, and procedures are properly communicated
and understood within their respective organizational units. Company management is also responsible for defining, approving
and implementing Information Security procedures in their organizational units, and ensuring their consistency with
approved Information Security policies and standards.
All individuals, groups, or organizations identified in the scope of this Charter are responsible for familiarizing themselves
with the Company Cyber Security Program Charter and complying with its associated policies and following the approved
procedures as appropriate.
Requests for exceptions to Company Information Security policies, standards, and guidelines should be submitted to the
approval authorities designated in the policies, standards, and guidelines. Exceptions shall be permitted only on receipt of
written approval from an authorized approval authority.
Definitions
1. Affiliate means a person or entity that directly, or indirectly through one or more intermediaries, controls or is
controlled by, or is under common control with, the Vendor.
2. Authenticity is the assurance that information is genuine and originates from its claimed source.
3. Availability is making information assets available to authorized users when they need them.
4. Company consists of all employees, officers, and contractors of HIC, Inc. and its affiliates.
5. Confidential means information, whether spoken, written, transmitted or stored, that is kept in strict privacy or secrecy
and is not generally known to the public.
6. Credentials means access codes, passwords, pass codes/pins, security keys, security tokens, key cards and user
accounts that allow access to Information Systems or Company Information.
7. Data means information provided in any form to Vendor by or on behalf of Company in connection with the
Services performed pursuant to the Agreement.
8. Data Breach (also referred to under various state laws as Breach of Security or Violation of the Systems Security)
means any unauthorized or unlawful:
a. Access to or acquisition of Credentials, Company Information, Personal Information, or Information
Systems;
b. Transmission, disclosure, storage, alteration or disposal of Company Information or Personal Information
in an unencrypted or unsecured format that compromises the security, confidentiality or integrity of
Personal Information; or
c. As otherwise defined under applicable state or federal law.
9. CEO stands for Chief Executive Officer.
10. CIO is either the Chief Information Officer or, if none exists at Company, then the executive with overall
responsibility for technology at Company (e.g. Vice President of Information Technology).
11. Company Information means both electronic and physical information, including but not limited to, Data, files,
strategies, lists, plans and knowledge related to Company operations (past, present, or future) and, if applicable,
includes Confidential and Personal Information.
12. Confidentiality is ensuring that information is accessible only to authorized users.
13. Cyber Security Program Charter means the overall mission statement for the Information Security Program. The
charter outlines key program management issues, such as policy enforcement and management responsibility.
14. Information Security Program means all associated policies, standards, guidelines, and procedures related to
securing Credentials and Information Systems in order to prevent, detect, and manage a Data Breach.
15. Information Systems means electronic systems (e.g., computers, servers, networking devices), operating system,
applications, databases, networks, and configuration settings, whether in a Company licensed or managed system
or in a Vendor managed or Vendor owned system or solution, whether on Company's premises, Vendor's premises,
Cloud based or Software as a Service, and the hardware and software necessary to run, maintain or support the
Information Systems whether physical or virtual in nature.
16. Integrity is safeguarding the accuracy and completeness of information and information-processing methods.
17. Personal Information means Data or information that identifies or can be used to identify, contact, or locate the
individual to whom such information pertains, or from which identification or contact information of an individual
person may be derived. It includes an individual's first name or first initial and last name plus one or more of the
following data elements: (i) Social Security Number, (ii) driver's license number or state-issued ID card number, (iii)
account number, credit card number or debit card number combined with any security code, access code, PIN or
password needed to access an account, or any other form of Personal Information as defined by applicable state or
federal law, and generally applies to computerized data (but also includes information maintained or recorded in
other forms) that includes Personal Information. Personal Information does not include publicly available
information that is lawfully made available to the general public from federal, state or local government records, or
widely distributed media. Personal Information includes Personally Identifiable Information or PII, as it is commonly
understood in the processing of credit and debit cards or for other purposes.
18. Possession refers to holding, controlling, and having the ability to use information.
19. Threats means the activities or actions that could exploit the vulnerabilities in an organization and place
information assets at risk.
20. Utility represents the usefulness of information for a purpose.
21. Vendor Associates means Vendor's employees, staff, agents, contractors and subcontractors.
22. Vulnerabilities means the holes and weaknesses in information systems and procedures that intruders can
exploit.