EndPoint Technology will not divulge or make public any of your bank information gained or received during network testing or auditing procedures. Additionally, EndPoint’s organizational policies forbid the disclosure of any bank or audit information.
EndPoint members handle a variety of proprietary and private information concerning your bank systems, internal bank issues, and your bank employee and customer financial information. This material may include (but is not limited to) payroll figures, personal data such as employee home addresses, and account or loan records or other financial information. It is the responsibility of all EndPoint employees to respect the highest level of privacy for their colleagues and other members of the banking community. Disclosure or discussion of confidential information obtained from EndPoint or your bank records, either during or after employment with the corporation, is impermissible.
Guidelines for Privacy, Security, and Confidentiality of Data Files:
EndPoint employees shall not:
- Make unauthorized use of any information in files maintained, stored, or processed by EndPoint or your management systems, or permit anyone else to make unauthorized use of such information.
- Seek personal benefit, or permit others to benefit personally, from any confidential information that has come to them by virtue of their work assignment.
- Exhibit or divulge the contents of any record or report to any person except in the conduct of their work assignment and in accordance with EndPoint and your bank policies.
- Knowingly include, or cause to be included, in any record or report a false, inaccurate, or misleading entry.
- Divulge personal IDs or passwords to anyone.
Any violations of these guidelines are cause for immediate dismissal or other appropriate personnel action.
The purpose of the Data Security Policy is to provide governance for protecting “company”-owned information to ensure that data is protected in all of its forms on all media during all phases of its lifecycle. Protection includes control over unauthorized or inappropriate access, use, modification, disclosure, or destruction.
“company” data assets are at risk from potential threats such as system configuration errors, programming flaws, malicious or criminal activity, system failure, user behavior and natural disasters. Such events could result in compromise to data confidentiality, corruption or loss of data integrity, loss of data availability, or interruptions to business operations. The Data Security Policy also defines the framework to classify data assets into three distinct types to allow appropriate handling.
The Data Security Policy applies to all employees, contractors, consultants and users of all components of the “company” computing infrastructure or computing services and all organizations that have physical or logical access to EndPoint Technology’s facilities or IT resources.
Definitions of terms and concepts not otherwise contained within the text of this document can be found in the Appendix within this document.
Roles and Responsibilities:
Each manager and supervisor is responsible for implementing the Data Security Policy within his or her area of responsibility. It is the responsibility of all “company” users to follow the provisions of this policy.
By articulating data stewardship roles and responsibilities, the Data Security Policy helps “company” users and personnel identify their role(s) and responsibilities in relation to the data in their custody and determine what actions are required to fulfill their duties for managing and protecting EndPoint Technology’s data assets. Although some parts of the data management process require specialized training, tools, and processes, all data users and data owners shall otherwise perform any or all of the following, depending on each person’s relationship to a specific data set.
The Security groups within “company” include the Information Security and Physical Security departments. These organizations are responsible for data security policy creation, advocacy, and leadership. The roles and responsibilities of the security groups include:
- Implement and maintain the “company” Data Security Policy.
- Promote best practices for the management, use, and protection of EndPoint Technology data assets based upon pertinent regulation and policies.
- Implement and maintain a user awareness and education program detailing the EndPoint Technology Data Security Policy and related policies, standards, procedures, and guidelines.
- Ensure all administrative and technical controls provided and supported by “company” are commensurate with the level of protection needed to adequately protect EndPoint Technology data assets.
- Conduct data security assessments to ensure EndPoint Technology data assets are being secured and managed in compliance with the EndPoint Technology Data Security Policy.
- Establish and implement standards and procedures to ensure that all data resources are managed consistent with the needs and requirements set forth by the Data Owner, recommending technical solutions to the Data Owner as needed.
The data security standards and procedures may include, but are not limited to, implementing business rules, following a security plan, managing the flow of data, implementing changes to data, executing appropriate back-up procedures, authentication of users and meeting data retention requirements.
The Data Owners within “company” are the principal accountable people responsible for Data Security Policy execution. Data Owners will generally be an integral part of the business unit creating and using the data. Data Owners have a close partnership role shared with the Security Groups and are directly accountable for the security of data within their organizations. The roles and responsibilities of the Data Owners include:
- Determine whether the data in question is “company” Confidential, Customer Restricted, or Customer Sensitive per the definitions herein.
- Determine the initial data classification for all data assets for which they are the designated owner and assure the proper classification is maintained.
- Downgrade a data asset classified as Restricted to Confidential; only Corporate Communications can classify data assets as Public.
- Establish the base level of administrative and technical access controls and authorization for access to data. Where data, by nature of its content, has special handling or access controls stipulated by statute, regulation, or business case, assure such access is compliant. (This specifically applies to certain technology regulated for export by the US Department of Commerce; see the Export Compliance Management Policy, FIN-0014. It also applies to customer information in “company” custody; see Customer Confidential Information Protection, BOP-1000.)
- Ensure Data Users are adequately and consistently trained in proper data management, use, tools, and protection mechanisms in accordance with data security policies, standards, procedures, and guidelines.
- Develop and maintain an accurate inventory of the data assets that they own, use, create, or manage within their organization.
- Practice and promote proper data management, use, and protection in accordance with data security policies, standards, procedures, and guidelines.
- Oversee the implementation of processes which assure the confidentiality, integrity, and availability of data generated under their control.
- Perform regular risk assessments for their designated critical data assets to ensure compliance with data security policies, standards, procedures, and guidelines. Immediately report any significant findings to the appropriate Security group for remediation guidance and assistance.
- Determine the data asset’s criticality to business operations and assure appropriate retention, backup, and disaster recovery requirements are provided. Determine the value of data assets and the level of controls needed to provide adequate safeguards and access controls.
- Classify particularly important data as a critical data asset, or as associated with a critical asset, per the requirements detailed in Security Program Policy, GSD-1010, section 4.0. Such assets shall be included in the Critical Assets Registry using the procedure defined in Critical Asset Registry Procedure, GSD-1505.
- Classify “company” customer data in the possession of “company” as defined in Customer Confidential Information Protection, BOP-1000, and assure appropriate labeling and protection is used.
All data users are required to understand and follow this policy and to familiarize themselves with the aspects relevant to their job function. Users are the first line of defense in protecting “company” data assets. Users’ responsibilities include:
- Follow the Data Security Policy within his/her area of responsibility.
- Ensure data security roles and responsibilities are included in performance evaluations by supervising management.
Department managers are responsible for communicating to users the value of data assets, the sensitivity of such information and enforcing controls needed to provide adequate safeguards, backup and access controls.
Inventory of Assets
All Data Owners are responsible for developing and maintaining a current and accurate inventory of all data assets for which they are the owner. This inventory shall include where the data is physically stored, how the data is accessed (if an application is in use), the logical structure of the data and any special access controls in place.
Ownership of Data Assets
All information possessed by or used by a particular organizational unit must have a designated Data Owner who is responsible for determining appropriate sensitivity classifications, making decisions about who can access the information, listing the asset on the Critical Assets Registry (where required) and ensuring that appropriate controls are utilized in the storage, handling, distribution, and regular usage of information.
Data Asset Classification
All EndPoint Technology data assets must be classified using one of the following classifications.
“company” Public Data
This classification applies to information which has been explicitly approved by EndPoint Technology corporate communications department for release to the public. By definition, there is no such thing as unauthorized disclosure of this information and it may be freely disseminated without potential harm. Examples for this classification include:
- Product and service
- Job opening announcements
- Press releases
“company” Confidential Data
This classification applies to less sensitive business information which is intended for general business use internally by “company” or its authorized agents. By default, all data collected, created, managed, and in custody of “company” is Confidential until classified otherwise. Examples for this classification include:
- Unpublished market
- Works in progress
- Internal corporate documents not classified as “Restricted”
- Internal audit reports
- General employee information
- Organizational structure and/or changes
- Policies and procedures
- Customer information (labeled “Customer Confidential” or “Customer Sensitive”)
- Activity occurring under non-disclosure agreements (NDA) permitting access to all internal “company” users
“company” Restricted Data
The Restricted classification applies to the most sensitive business information, which is intended strictly for use by “company” or its authorized agents and where there is a business need to restrict general internal or external access. Unauthorized disclosure of restricted data is proscribed by regulation or could seriously damage “company”, its banking relationships, reputation, competitive position, business partners, and/or its customers. Examples for this classification include:
- Operations Leadership Team (OLT), Chief Executive Officer (CEO), and Board of Directors (BOD) information and development data
- Strategic alliance agreements
- Product development
- Licensable data
- “company” customer data in EndPoint Technology custody, generally under NDA and labeled as
- Export restricted technology
- Executive strategy data
- System audit logs
- Personally identifiable information (PII)
- Mergers and acquisition data
- Litigation strategy memos
- Internal investigations
- Trade secrets
- Intellectual property and pre-patent information
- Revenue forecasts and pre-public financial information
- Information relating to networking resources including, but not limited to, infrastructure design
- Security countermeasure designs
Customer Restricted Information
Customer Confidential Information that is disclosed to “company” for a particular purpose, or that has restrictions on its use as stated in NDA requirements or other written or verbal communication. Typically, these restrictions limit which employees are allowed to access the information, based on the employees’ functions/responsibilities within “company” (for example, members of an account team). The employees that are allowed access to Customer Restricted Information are often determined on a case-by-case basis depending on the use restriction and the purpose of the disclosure. Access restrictions may or may not use the same control methods used for “company” Restricted Information.
Whether Customer Confidential Information is Restricted is not defined by a “company” employee or contractor’s personal opinion. Customer Restricted Information is determined by the customer in written documents and unwritten communication (verbal or behavioral).
Customer Sensitive Information
Information that may originate from “company”, the customer, or even a third party, but is treated with care because we believe the customer expects it to be treated confidentially. Although the circumstances may be difficult to define, you should consider whether the customer would be concerned about how the information is used, or about its disclosure to a third party.
Data Asset Labeling and Handling
Classifying data as required by the Data Security Policy entails specific measures for managing and protecting EndPoint Technology data assets according to their classification. Specific protection standards for each type of data are defined in the Data Security Standards, GSD-1502. For example, Restricted data shall be evaluated for sensitivity and risk and, where appropriate, protected using encryption technology per the Data Encryption Standard, GSD-1508. Restricted data is required to be labeled; all other data is assumed to be Confidential, and documents and document templates shall generally be labeled accordingly. Such labeling is fundamental to enabling users to exercise proper care for the most sensitive data, to comply with critical regulations (TRE trade restrictions), and, in the case of IP, to preserve EndPoint Technology’s rights over this property.
Specific procedures for implementing this standard shall be created, covering how to classify data, how data is to be labeled to reflect its classification, and how each class of data is to be handled (GSD-1502). This documented procedure shall define how to implement the data classification process. Specifically, data shall, at a minimum, be classified and labeled when it is newly created, or when previously existing data is accessed or redistributed. The procedure shall specify roles and responsibilities for types of system users based on their working relationships to the data and the user roles and responsibilities defined in the Data Security Policy. Each system user may perform any or all of the handling procedures, depending on that person’s relationship to a specific data set.
Detailed procedures for classification and handling of “company” customer data are defined in Customer Confidential Information Protection, BOP-1000, and may or may not use the same access controls as used for “company” Restricted data.
Non-compliance with EndPoint Technology data security policies will be enforced per the “company” Security Program Policy, GSD-1010, Section 6.0.