BluB0X Information Security Plan

Objective 

The objective of BluBØX Security in the development and implementation of this comprehensive information security program (“ISP”), is to create effective administrative, technical and physical safeguards for the protection of personal information of our customers, employees, and to comply with our obligations under local and federal laws. The ISP sets forth our procedure for evaluating and addressing our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting personal information.  

For purposes of this ISP, “personal information” is as defined as:  a person’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public. 

Purpose  

The purpose of the ISP is to better: (a) ensure the security and confidentiality of personal information; (b) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; and (c) protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.  

Scope 

In formulating and implementing the ISP, BluB0X Security has addressed and incorporated the following protocols: 

(1) identified reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information;  

(2) assessed the likelihood and potential damage of these threats, taking into consideration the sensitivity of the personal information;  

(3) evaluated the sufficiency of existing policies, procedures, customer information systems, and other safeguards in place to control risks;  

(4) designed and implemented an ISP that puts safeguards in place to minimize those risks; and  

(5) implemented regular monitoring of the effectiveness of those safeguards. 

Data Security Coordinator  

BluBØX Security has designated Sean Dyer to implement, supervise and maintain the ISP. This designated employee (the “Data Security Coordinator”) will be responsible for the following:  

a. Implementation of the ISP including all provisions outlined in Section VII: Daily Operational Protocol;  

b. Training of all employees;  

c. Regular testing of the ISP’s safeguards;  

d. Evaluating the ability of any of our third party service providers to implement and maintain appropriate security measures for the personal information to which we have permitted them access, and requiring such third party service providers by contract to implement and maintain appropriate security measures; 

e. Reviewing the scope of the security measures in the ISP at least annually, or whenever there is a material change in our business practices that may implicate the security or integrity of records containing personal information; 

f. Conducting an annual training session for all owners, managers, employees and independent contractors, including temporary and contract employees who have access to personal information on the elements of the ISP. All attendees at such training sessions are required to certify their attendance at the training, and their familiarity with our requirements for ensuring the protection of personal information.  

Internal Risk Mitigation Policies

To guard against internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and are effective immediately:  

• We will only collect personal information of clients, customers or employees that is necessary to accomplish our legitimate business transactions or to comply with any and all federal, state or local regulations. 
   
• Access to records containing personal information shall be limited to those employees whose duties, relevant to their job description, have a legitimate need to access said records, and only for this legitimate job-related purpose. 
   
• Written and electronic records containing personal information shall be securely destroyed or deleted at the earliest opportunity consistent with business needs or legal retention requirements.  
   
• A copy of the ISP is to be distributed to each current employee and to each new employee on the beginning date of their employment.  It shall be the employee’s responsibility for acknowledging in writing, by signing the attached sheet, that he/she has received a copy of the ISP and will abide by its provisions. Employees are encouraged and invited to advise the ISP Data Security Coordinator of any activities or operations which appear to pose risks to the security of personal information.   If the Data Security Coordinator is him or herself involved with these risks, employees are encouraged and invited to advise any other manager or supervisor or business owner.  
   
• A training session for all current employees will be held on Monday, January 22, 2018 to detail the provisions of the ISP. 
   
• All employment contracts, where applicable, will be amended to require all employees to comply with the provisions of the ISP and to prohibit any nonconforming use of personal data as defined by the ISP 
   
• Terminated employees must return all records containing personal data, in any form, in their possession at the time of termination.  This includes all data stored on any portable device and any device owned directly by the terminated employee 
   
• A terminated employee’s physical and electronic access to records containing personal information shall be restricted at the time of termination.  This shall include remote electronic access to personal records, voicemail, internet, and email access.  All keys, keycards, access devices, badges, company IDs, business cards, and the like shall be surrendered at the time of termination. 
   
• Disciplinary action will be applicable to violations of the ISP, irrespective of whether personal data was actually accessed or used without authorization. 
   
• All security measures including the ISP shall be reviewed at least annually beginning January 1, 2018 to ensure that the policies contained in the ISP are adequate meet all applicable federal and state regulations.   
   
• Should our business practices change in a way that impacts the collection, storage, and/or transportation of records containing personal information the ISP will be reviewed to ensure that the policies contained in the ISP are adequate to meet all applicable federal and state regulations. 
   
• The Data Security Coordinator or his/her designee shall be responsible for all review and modifications of the ISP and shall fully consult and apprise management of all reviews including any recommendations for improves security arising from the review. 
   
• The Data Security Coordinator shall maintain a secured and confidential master list of all passwords, and keys.  The list will identify which employee possess password, keycards, or other access devices and that only approved employee have been provided access credentials 
   
• The Data Security Coordinator or his/her designee shall ensure that access to personal information in restricted to approved and active user accounts. 
   
• Current employees’ user ID’s and passwords shall conform to accepted security standards.  
   
• Employees are required to report suspicious or unauthorized use of personal information to a supervisor or the Data Security Coordinator 
   
• Whenever there is an incident that requires notification, the Data Security Coordinator shall host a mandatory post-incident review of events and actions taken, if any, in order to determine how to alter security practices to better safeguard personal information 

 VI. External Risk Mitigation Policies 

• Firewall protection, operating system security patches, and all software products shall be reasonably up-to-date and installed on any computer that stores or processes personal information 
   
• Personal information shall not be removed from the business premises in electronic or written form absent legitimate business need and use of reasonable security measures, as described in this policy  
   
• All system security software including, anti-virus, anti-malware, and internet security shall be reasonably up-to-date and installed on any computer that stores or processes personal information.
   
• There shall be secure user authentication protocols in place that: 
  • Control user ID and other identifiers; 
  • Assigns passwords in a manner that conforms to accepted security standards, or applies use of unique identifier technologies; 
  • Control passwords to ensure that password information is secure. 

Daily Operational Protocol

This section of our ISP outlines our daily efforts to minimize security risks to any computer system that processes or stores personal information, ensures that physical files containing personal information are reasonable secured and develops daily employee practices designed to minimize access and security risks to personal information of our clients and/or customers and employees. 

The Daily Operational Protocol is effective January 1, 2018 and shall be reviewed and modified as deemed necessary at a meeting of the Data Security Coordinator and personnel responsible and/or authorized for the security of personal information. The review meeting shall take place on or before January 20, 2018.  Any modifications to the Daily Operational Protocol shall be published in an updated version of the ISP.  At the time of publication, a copy of the ISP shall be distributed to all current employees and to new hires on their date of employment. 

Breach of Data Security Protocol

Should any employee know of a security breach at any of our facilities, or that any unencrypted personal information has been lost or stolen or accessed without authorization, or that encrypted personal information along with the access code or security key has been acquired by an unauthorized person or for an unauthorized purpose, the following protocol is to be followed: 

• Employees are to notify the Data Security Coordinator or department head in the event of a known or suspected security breach or unauthorized use of personal information. 
   
• The Data Security Coordinator shall be responsible for drafting a security breach notification to be provided to the affected party and all required local and federal law enforcement agencies.  The security breach notification shall include the following: 
   
  • A detailed description of the nature and circumstances of the security breach or unauthorized acquisition or use of personal information; 
  • The number of persons affected at the time the notification is submitted; 
  • The steps already taken relative to the incident; 
  • Any steps intended to be taken relative to the incident subsequent to the filing of the notification; and 
  • Information regarding whether law enforcement officials are engaged in investing the incident 

Appendix A: Electronic Record Retention Policy By Table

To be distributed only to personnel who have direct access to SQL Server 

All stated retention periods are maximums and should be adjusted accordingly to local laws.