The topic of data privacy is often controversial and can have significant legal ramifications for software development companies. Consult a legal adviser before implementing this type of policy. The legal definition of data ownership can be complex, depending on how an organization’s computer systems are used and what expectations have been communicated to employees.
Copyright Notice: All information owned by the organization and considered intellectual property, whether written, printed, or stored as data, must be labeled with a copyright notice.

E-Mail Monitoring: All e-mail must be monitored for the following activity:
• Non-business use
• Inflammatory, unethical, or illegal content
• Disclosure of the organization’s confidential information
• Large file attachments or message sizes

Information Classification: Information must be classified according to its intended audience and be handled accordingly. Every piece of information must be classified into one of the following categories:
• Personal: Information not owned by the organization, belonging to private individuals
• Public: Information intended for distribution to and viewing by the general public
• Confidential: Information for use by employees, contractors, and business partners only
• Proprietary: Intellectual property of the organization to be handled only by authorized parties
• Secret: Information for use only by designated individuals with a need to know
Intellectual Property: All information owned by the organization is considered intellectual property. As such, it must not be disclosed to unauthorized individuals. The organization’s intellectual property must be protected and kept confidential. Forwarding intellectual property to unauthorized users, providing unauthorized users with access to intellectual property, distributing intellectual property to unauthorized users, storing intellectual property in unauthorized locations, and processing intellectual property without authorization are prohibited. Any unauthorized or inappropriate use must be reported immediately.
Clear Text Passwords: Passwords may not be sent in clear text over the Internet or any public or private network, either by individuals or by software, nor may they be spoken over public voice networks without the use of encryption.

Clear Text E-mail: E-mail may be sent in clear text over the Internet, as long as it does not contain secret, proprietary, or confidential corporate information. E-mail containing sensitive or non-public information must be encrypted.

Customer Information Sharing: Corporate customer information may not be shared with outside organizations or individuals.

Employee Information Sharing: No employee information may be disclosed to outside agencies or individuals, with the following exceptions:
• Date of hire
• Length of tenure

Employee Communication Monitoring: The organization reserves the right to monitor employee communications.

Examination of Data on the Organization’s Systems: The organization reserves the right to examine all data on its computer systems.

Search of Personal Property: The organization reserves the right to examine the personal property of its employees and visitors brought onto the organization’s premises.

Confidentiality of Non-Corporate Information: All customer and business partner information is to be treated as confidential.

Encryption of Data Backups: All data backups must be encrypted.

Encryption of Extranet Connections: All extranet connections must use encryption to protect the privacy of the information traversing the network.

Shredding of Private Documents: Sensitive, confidential, proprietary, and secret paper documents must be shredded when discarded.

Destruction of Computer Data: Sensitive, confidential, proprietary, and secret computer data must be strongly overwritten when deleted.
Cell Phone Privacy: Private business information may not be discussed via cell phone, due to the risk and ease of eavesdropping on such calls in software development companies.
Confidential Information Monitoring: All electronic data entering or leaving the internal network must be monitored for the following:
• Confidential information sent via e-mail or file transfer
• Confidential information posted to web sites or chat rooms
• Disclosure of source code or other intellectual property

Unauthorized Data-Access Blocking: Each individual user must be blocked by the system architecture from accessing unauthorized corporate data. This separation must be enforced by all systems that store or access electronic information. Corporate information that has been classified as being accessible to a subset of users, but not to all users, must be stored and accessed in such a way that accidental or intentional access by unauthorized parties is not possible.

Data Access: Access to corporate information, hard copy, and electronic data is restricted to individuals with a need to know for a legitimate business reason. Each individual is granted access only to those corporate information resources required for them to perform their job functions.

Server Access: Access to operating system components and system administration commands on corporate server systems is restricted to system support staff only. End users will be granted access only to commands required for them to perform their job functions.
Highly Protected Networks: Some networks have unique security requirements that are more stringent than those for the rest of the corporate network and contain information that is not intended for general consumption by employees but only for a small number of authorized individuals in the software development company (such as salary and stock information or credit card information). The data on these networks must be secured from the rest of the network. Encryption must be used to ensure the privacy of communications between the protected network and other networks, and access control must be employed to block unauthorized or accidental attempts to access the protected network from the corporate network.