Information Security & Privacy
1. Each User must have their own user account consisting of a unique user name and password. User name and password sharing is not allowed.
2. Each operating system and firmware that this business has authorized access to must have an administrative account.
3. Administrative accounts are restricted use accounts. They are to be used only by designated device or software administrators, not by standard users.
4. Administrative accounts must not be used for day-to-day business activities such as, email, website searches, or banking.
5. Administrative accounts must only be used for computing administrative duties, such as, assigning and changing administrative passwords, creating user accounts, loading updates, patches, firmware and software.
6. Standard user accounts shall not have the ability to download and install software or make changes to the operating system or device firmware.
1. All passwords used on computing devices and software shall be at least eight (8) characters in length; administrative passwords shall be at least twelve (12) characters in length.
2. Passwords must have at least one upper case alpha character, at least one lower case alpha character, at least one numeral, and at least one special character.
Note: Hardware or software may limit the specific special characters that may be used.
3. Passwords must be changed at least every 180 days, whenever compromise is suspected, and when a user's employment has been terminated.
4. Firmware and software that have default passwords must have the default password changed immediately upon installation or at first use.
5. No character may appear more than twice in a row in a password (ss is allowed; ssss is not).
6. Passwords must not contain dictionary words from any language dictionary.
7. Password safes (password managers) whose vault is encrypted with AES-256 are allowed.
8. PINs shall be at least 6 characters (if the device allows) and contain both numeric and alphabetic characters (if the device allows).
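The password and PIN rules above, as an added Python example that is not part of this business's policy page: a checker that returns every rule a candidate fails, so a proposed password can be tested against all of the rules at once rather than one at a time. The word list is a constructed stand-in for the "any language dictionary" the policy names; the repeat rule is read, following the policy's own ss/ssss illustration, as "no character may appear more than twice in a row"; and dictionary matching is assumed to be a case-insensitive substring match on words of four or more letters, since the policy does not say how a word is to be matched.

```python
import re
from typing import Iterable, List

# Constructed stand-in for a real word list; in use, load a full multi-language
# dictionary (for example the system's /usr/share/dict/words) instead.
SAMPLE_DICTIONARY = {"password", "summer", "welcome", "admin", "letmein", "secret"}


def longest_run(s: str) -> int:
    """Length of the longest run of one character repeated back-to-back ('ssss' -> 4)."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(pw: str, admin: bool = False,
                   dictionary: Iterable[str] = SAMPLE_DICTIONARY,
                   min_word_len: int = 4) -> List[str]:
    """Return every policy rule the password violates; an empty list means compliant.

    Rules 1, 2 and 5 of the password policy are applied literally; rule 6 is
    applied as a case-insensitive substring match against the supplied
    dictionary (an assumption, since the policy does not say how to match).
    """
    violations = []
    min_len = 12 if admin else 8                      # rule 1: 8 for users, 12 for admins
    if len(pw) < min_len:
        violations.append(f"shorter than {min_len} characters")
    if not re.search(r"[A-Z]", pw):                   # rule 2: four character classes
        violations.append("no upper-case letter")
    if not re.search(r"[a-z]", pw):
        violations.append("no lower-case letter")
    if not re.search(r"[0-9]", pw):
        violations.append("no numeral")
    if not re.search(r"[^A-Za-z0-9]", pw):
        violations.append("no special character")
    if longest_run(pw) > 2:                           # rule 5: 'ss' allowed, 'ssss' not
        violations.append("a character repeated more than twice in a row")
    lowered = pw.lower()                              # rule 6: dictionary words
    hits = sorted(w for w in dictionary
                  if len(w) >= min_word_len and w.lower() in lowered)
    if hits:
        violations.append("contains dictionary word(s): " + ", ".join(hits))
    return violations


def check_pin(pin: str, min_len: int = 6) -> List[str]:
    """Apply rule 8 (PINs): at least min_len characters, with both digits and letters."""
    violations = []
    if len(pin) < min_len:
        violations.append(f"shorter than {min_len} characters")
    if not re.search(r"[0-9]", pin):
        violations.append("no numeral")
    if not re.search(r"[A-Za-z]", pin):
        violations.append("no letter")
    return violations


if __name__ == "__main__":
    # Constructed sample candidates; none are real credentials.
    for pw, admin in [("Summer2024!", False), ("Xq7!mssssLp2", False),
                      ("Xq7!mLp2wK", True), ("Xq7!mLp2wKz#", True)]:
        result = check_password(pw, admin=admin)
        print(f"{pw!r} (admin={admin}): {result or 'compliant'}")
    for pin in ["123456", "1a2b3c"]:
        print(f"PIN {pin!r}: {check_pin(pin) or 'compliant'}")
```

Returning the full list of violations rather than stopping at the first lets the user fix everything in one attempt; the dictionary check is the one rule that cannot be enforced well with a tiny list, so the word list should be as large as the device can hold.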
1. All business computing assets must be inventoried. This includes hardware and business software.
2. The business software inventory shall include, where available, the operating system, the application, and the hardware it runs on.
3. The hardware inventory shall include, where available, the type, the name, and whether the device connects to the modem by network cable (patch panel or Ethernet [RJ45]) or by a wireless connection.
1. All devices that have the capability of using Virtual Private Network (VPN) must have VPN installed and functioning.
2. Websites must use TLS (TLS 1.2 or later where supported). SSL is to be disabled where possible and where doing so does not disrupt business functions.
1. Firmware, hardware, and software updates, patches, and upgrades must be installed within 30 days of availability.
1. All devices that have the capability of installing and using anti-malware must have it installed and functioning.
2. Anti-malware scans must be performed regularly and on-demand when infection is suspected.
3. Anti-malware scans must be set-up and performed on email and downloads to scan automatically (if that functionality
4. All anti-malware software must be kept up to date with the most current definition (signature) files. Automatic updates must be turned on.
1. Proprietary (non-standard) encryption must not be used.
2. Where the product allows the algorithm and key size to be chosen, AES with a 256-bit key (AES-256) must be used.
3. Encryption must be used where available, such as on devices, hard drives, databases, email, and applications.
1. Wireless gateways and modems must use at least WPA2; where WPA3 is available, it is to be used.
2. You must change the default wireless gateway administrator user name and password once installed and at least every 180 days thereafter.
1. If vulnerability scanning software is available*, scans shall be run at least quarterly.
2. Vulnerabilities discovered from scans shall be remediated as soon as possible.
3. It is understood that some vulnerabilities may be the responsibility of others to fix (such as the Internet Service Provider (ISP), hardware manufacturer or an application creator). Reasonable effort will be expended to notify third-party vendors of discovered vulnerabilities and request remediation.
1. If the computer, notebook, or smartphone has a firewall available, the firewall must be operational and set to at least medium security.
2. If the gateway/router is not controlled by a third party, you have administrative access to it, and it supports a VPN, set up the VPN on that device. Otherwise, install a third-party, industry-recognized VPN solution on all Internet-connected devices that allow a VPN.
3. Use at least two-factor (2-step) authentication wherever it is supported and available.
4. Full disk encryption is to be used if your device offers it and it doesn’t interfere with the operation of your device or business software.
5. If possible, limit access to your device and applications to only those who need it to perform their job duties. If this is not possible, each individual that accesses your device and network must have their own user account or a guest account.
6. Limit permission to make changes to your device, its password(s) or PIN(s) to only those individuals who have been assigned this duty and to applications that need it to perform their processes.
7. Limit the use of location services to only those applications that need this information to perform their processes.
Note: Most retail websites and apps do not need location information to perform their processes.
8. At least quarterly, clear your browsing history from your smartphones and devices.
9. Set a screen saver password or code for each device that allows it. Change your screen saver password at least every 180 days.
10. Set your screen saver to start after no more than 10 minutes of inactivity.
11. Set your screen saver to require a user password to clear the screen saver and access your device.
12. Set your email to encrypt your client correspondence if your email application has this function.
13. Set up user accounts to allow downloads or changes to your device only with administrator user credentials.
1. This business never records your online session.
1. Information Security content from a source known within the cyber industry as authoritative and authentic is to be reviewed at least once per month.
* One vulnerability scanning vendor's community scanner (specified by the vendor as for personal or small business use) can only be used on 32-bit computers; none of the computers in my network are 32-bit, they are all 64-bit.
Another vulnerability scanning vendor's community scanner (specified by the vendor as for personal or small business use) won't recognize my Gmail account as a business email account; therefore, I'm not allowed to set up an account.
All of the other vulnerability scanners require separate hardware running a Linux operating system. This presents an unacceptable risk to my environment, as I have neither the hardware, knowledge nor expertise to install, maintain, and run these types of scanners.
Conclusion: there is no vulnerability scanner available to this business other than the Wi-Fi inspector scanner within my security software.
Special Note: The PCI website states that merchants are to check with their bank to find out or verify that they are using the correct Self-Assessment Questionnaire for their business. I went to 2 branches of my bank; they said they had heard of PCI but had no answer other than to tell me that they would have someone call me. No one ever did.
It is the intention of this business to protect the privacy of business data and customers' non-public information using the data protection resources reasonably available to, and at the knowledge level of, a sole proprietor or small business with 5 or fewer employees that has no cyber-technology administrator or developer.
You may opt-out of contact at any time by emailing your business email address here and stating that you would like to opt-out of all contact, of newsletters, or of events notifications. Please state Contact Opt-Out in the subject of the email.
Once the email is received and processed, your contact information will be permanently removed.
This business never shares your contact information with anyone without your written permission. However, there may be third-party applications and programs (such as Facebook, Google) that do share your information. Opting out of being contacted by this business does not opt you out of these third-party applications and programs. You must follow the third-party's process for opting out of their sharing of your information.
If you would like to know exactly what information this business has on its contact list for you, email me at email@example.com with the subject: My Contact Information
Every effort is made to encrypt business emails sent from this business. However, if your computing device doesn't accept encrypted email or messages, the email or message may not be readable for you or it may not arrive encrypted. Contact this business if your email is unreadable or if you feel it hasn't arrived. You will have to agree, in writing, that your contact information can be sent to you unencrypted.
There will never be a circumstance in which this business will ask for your identity numbers (such as a social security number or health care insurance number) or your payment card number by phone, text, or email. This business doesn't take health insurance, nor does it use social security numbers. Credit cards are processed by a third-party payment card processing provider. This business will never have your credit card number at any time. Any request for these types of information by email, phone, or text that appears to come from this business is from another source masquerading as this business.
All purchase transactions are handled by third-party software at PayPal's website. If you send me your identity or payment card numbers in email or text they will promptly be deleted and you will receive a return email re-directing you to PayPal.
Please note: My deleting this email does not eradicate this electronic record from all sources. It will simply be gone from my equipment and software. It may still reside in your sent mail, on an email provider's server, or in the Internet Service Provider's servers. This business does not have the ability to delete information you send me from all sources that have it.
This business does not have or save your credit card information. Credit card information is never input on the business website. All payment transactions are forwarded to and performed by the payment processor at the payment processor's website.
Incident Response and Recovery Plan
If you suspect that this business has had a data breach, please notify us at firstname.lastname@example.org explaining why you think we were the source of the data breached. Our insurance carrier will be notified as soon as possible and they will handle the case once notified.
All files are backed up regularly.
Processes to clean and eradicate infections are contained in the anti-malware products used in this business. Detected infections will be quarantined and then eliminated automatically by the software.
In the case of an infection that cannot be quarantined or eliminated, the drive will be wiped, a clean operating system will be loaded, the backup files will be scanned and cleaned if possible, and then loaded to the newly restored machine. If the backup files cannot be cleaned they will be deleted and a clean default operating system and applications will be loaded.
Detected vulnerabilities found on equipment or software that this business controls will be mitigated as soon as detected and as soon as an update is available from the vendor. It may be the case that discovered vulnerabilities are within equipment and/or software that I do not have permission to remediate. In this case, I will inform the vendor of the vulnerability and request remediation.