Global Precast Inc. Cyber Security Program
The objectives of this comprehensive written cyber security program (CSP) include defining, documenting, and supporting the implementation and maintenance of the administrative, technical, and physical safeguards Global Precast Inc. has selected to protect the personal information it collects, creates, uses, and maintains. This CSP has been developed in accordance with the requirements of the New York State SHIELD Act.
In the event of a conflict between this CSP and any legal obligation or other Global Precast Inc. policy or procedure, the provisions of this CSP shall govern, unless the Information Security Coordinator specifically reviews, approves, and documents an exception (see Section 3).
2. Scope.
This CSP applies to all employees, contractors, officers, and directors of Global Precast Inc. It applies to any records that contain personal or other sensitive information in any format and on any media, whether in electronic or paper form.
(a) For purposes of this CSP, “personal information” means either a US resident’s first and last name or first initial and last name in combination with any one or more of the following data elements, or any of the following data elements standing alone or in combination, if such data elements could be used to commit identity theft against the individual:
(i) Social Security number.
(ii) Driver’s license number, other government-issued identification number, including passport number, or tribal identification number.
(iii) Account number, or credit or debit card number, with or without any required security code, access code, personal identification number, or password that would permit access to the individual’s financial account.
(iv) Health insurance identification number, subscriber identification number, or other unique identifier used by a health insurer.
(v) Biometric data collected from the individual and used to authenticate the individual during a transaction, such as an image of a fingerprint, retina, or iris; or
(vi) Email address with any required security code, access code, or password that would permit access to an individual’s personal, medical, insurance, or financial account.
(b) Personal information does not include lawfully obtained information that is available to the general public, including publicly available information from federal, state, or local government records.
(c) For purposes of this CSP, “sensitive information” means data that:
(i) Global Precast Inc. considers to be highly confidential information; or
(ii) If accessed by or disclosed to unauthorized parties, could cause significant or material harm to Global Precast Inc., its customers, or its business partners.
(iii) Sensitive information includes, but is not limited to, personal information.
3. Information Security Coordinator.
Global Precast Inc. has designated Porsha Sinclair to implement, coordinate, and maintain this CSP (the “Information Security Coordinator”). The Information Security Coordinator shall be responsible for:
(a) Initial implementation of this CSP, including:
(i) Assessing internal and external risks to personal and other sensitive information and maintaining related documentation, including risk assessment reports and remediation plans (see Section 4).
(ii) Coordinating the development, distribution, and maintenance of information security policies and procedures (see Section 5).
(iii) Coordinating the design of reasonable and appropriate administrative, technical, and physical safeguards to protect personal and other sensitive information (see Section 6).
(iv) Ensuring that the safeguards are implemented and maintained to protect personal and other sensitive information throughout Global Precast Inc., where applicable (see Section 6).
(v) Overseeing service providers that access or maintain personal and other sensitive information on behalf of Global Precast Inc. (see Section 7).
(vi) Monitoring and testing the information security program’s implementation and effectiveness on an ongoing basis (see Section 8).
(vii) Defining and managing incident response procedures (see Section 9); and
(viii) Establishing and managing enforcement policies and procedures for this CSP, in collaboration with Global Precast Inc. human resources and management (see Section 10).
(b) Employee training, including:
(i) Providing periodic training regarding this CSP, Global Precast Inc.’s safeguards, and relevant information security policies and procedures for all employees and contractors who have or may have access to personal or other sensitive information.
(ii) Retaining training and acknowledgment records.
(c) Reviewing this CSP and the security measures defined here at least annually, or whenever there is a material change in Global Precast Inc.’s business practices that may reasonably implicate the security, confidentiality, integrity, or availability of records containing personal or other sensitive information (see Section 11).
(d) Periodically reporting to Global Precast Inc. management regarding the status of the information security program and Global Precast Inc.’s safeguards to protect personal and other sensitive information.
4. Risk Assessment.
As a part of developing and implementing this CSP, Global Precast Inc. will conduct a periodic, documented risk assessment, at least annually, or whenever there is a material change in Global Precast Inc.’s business practices that may implicate the security, confidentiality, integrity, or availability of records containing personal or other sensitive information.
(a) The risk assessment shall:
(i) Identify reasonably foreseeable internal and external risks to the security, confidentiality, integrity, or availability of any electronic, paper, or other records containing personal or other sensitive information.
(ii) Assess the likelihood and potential damage that could result from such risks, taking into consideration the sensitivity of the personal and other sensitive information; and
(iii) Evaluate the sufficiency of relevant policies, procedures, systems, and safeguards in place to control such risks, in areas that include, but may not be limited to:
(A) Employee and contractor training and management.
(B) Employee and contractor compliance with this CSP and related policies and procedures.
(C) Information systems, including network, computer, and software acquisition, design, implementation, operations, and maintenance, as well as data processing, storage, transmission, retention, and disposal; and
(D) Global Precast Inc.’s ability to prevent, detect, and respond to attacks, intrusions, and other security incidents or system failures.
(b) Following each risk assessment, Global Precast Inc. will:
(i) Design, implement, and maintain reasonable and appropriate safeguards to minimize identified risks.
(ii) Reasonably and appropriately address any identified gaps; and
(iii) Regularly monitor the effectiveness of Global Precast Inc.’s safeguards, as specified in this CSP (see Section 8).
5. Information Security Policies and Procedures.
As part of this CSP, Global Precast Inc. will develop, maintain, and distribute information security policies and procedures in accordance with applicable laws and standards to relevant employees, contractors, and others as applicable to:
(a) Establish policies regarding:
(i) Information classification.
(ii) Information handling practices for personal and other sensitive information, including the storage, access, disposal, and external transfer or transportation of personal and other sensitive information.
(iii) User access management, including identification and authentication using passwords or other appropriate means.
(iv) Encryption.
(v) Computer and network security.
(vi) Physical security.
(vii) Incident reporting and response.
(viii) Employee and contractor use of technology, including Acceptable Use and Bring Your Own Device to Work (BYOD); and
(ix) Information systems acquisition, development, operations, and maintenance.
(b) Detail the implementation and maintenance of Global Precast Inc.’s administrative, technical, and physical safeguards (see Section 6).
6. Safeguards.
Global Precast Inc. will develop, implement, and maintain reasonable administrative, technical, and physical safeguards in accordance with applicable laws and standards to protect the security, confidentiality, integrity, and availability of personal or other sensitive information that Global Precast Inc. owns or maintains on behalf of others.
(a) Safeguards shall be appropriate to Global Precast Inc.’s size, scope, and business, its available resources, and the amount of personal and other sensitive information that Global Precast Inc. owns or maintains on behalf of others, while recognizing the need to protect both customer and employee information.
(b) Global Precast Inc. shall document its administrative, technical, and physical safeguards in Global Precast Inc.’s information security policies and procedures (see Section 5).
(c) Global Precast Inc.’s administrative safeguards shall include, at a minimum:
(i) Designating one or more employees to coordinate the information security program (see Section 3).
(ii) Identifying reasonably foreseeable internal and external risks and assessing whether existing safeguards adequately control the identified risks (see Section 4).
(iii) Training employees in security program practices and procedures, with management oversight (see Section 3).
(iv) Selecting service providers that can maintain appropriate safeguards, and requiring service providers to maintain safeguards by contract (see Section 7); and
(v) Adjusting the information security program considering business changes or new circumstances (see Section 11).
(d) Global Precast Inc.’s technical safeguards shall include maintenance of a security system covering its network, including wireless capabilities, and computers that, at a minimum, and to the extent technically feasible, supports:
(i) Secure user authentication protocols, including:
(A) Requiring each employee to have a unique password. Controlling user identification and authentication with a reasonably secure method of assigning and selecting passwords and ensuring that passwords are kept in a location or format that does not compromise security, or by using other technologies, such as biometrics or token devices.
(B) Restricting access to active users and active user accounts only and preventing terminated employees or contractors from accessing systems or records; and
(C) Blocking a user identifier’s access after multiple unsuccessful attempts to gain access, or placing limitations on access for the system.
(ii) Secure access control measures, including:
(A) Restricting access to records and files containing personal or other sensitive information to those with a need to know to perform their duties; and
(B) Assigning to each individual with computer or network access unique identifiers and passwords or other authentication means that are reasonably designed to maintain security, rather than vendor-supplied default passwords.
(iii) Encryption of all personal or other sensitive information traveling wirelessly or across public networks.
(iv) Encryption of all personal or other sensitive information stored on laptops or other portable or mobile devices and, to the extent technically feasible, personal or other sensitive information stored on any other device or media.
(v) Reasonable system monitoring for preventing, detecting, and responding to unauthorized use of or access to personal or other sensitive information or other attacks or system failures.
(vi) Reasonably current firewall protection and software patches for systems that contain or may provide access to systems that contain personal or other sensitive information; and
(vii) Reasonably current system security software, or a version that can still be supported with reasonably current patches and malicious software (“malware”) definitions, that (1) includes malware protection with reasonably current patches and malware definitions, and (2) is configured to receive updates on a regular basis.
(e) Company’s physical safeguards shall, at a minimum, provide for:
(i) Defining and implementing reasonable physical security measures to protect areas where personal or other sensitive information may be accessed, including reasonably restricting physical access and storing records containing personal or other sensitive information in locked facilities, areas, or containers, including, where such information is saved to a removable hard drive or thumb drive, keeping such drives in a locked area with restricted access;
(ii) Preventing, detecting, and responding to intrusions or unauthorized access to personal or other sensitive information, including during or after data collection, transportation, or disposal; and
(iii) Secure disposal or destruction of personal or other sensitive information, whether in paper or electronic form, when it is no longer to be retained in accordance with applicable laws or accepted standards.
7. Service Provider Oversight.
Global Precast Inc. will oversee each of its service providers that may have access to or otherwise create, collect, use, or maintain personal or other sensitive information on its behalf by:
(a) Evaluating the service provider’s ability to implement and maintain appropriate security measures, consistent with this CSP and all applicable laws and Global Precast Inc.’s obligations.
(b) Requiring the service provider by contract to implement and maintain reasonable security measures, consistent with this CSP and all applicable laws and Global Precast Inc.’s obligations.
(c) Monitoring and auditing the service provider’s performance to verify compliance with this CSP and all applicable laws and Global Precast Inc.’s obligations.
8. Monitoring.
Global Precast Inc. will regularly test and monitor the implementation and effectiveness of its information security program to ensure that it is operating in a manner reasonably calculated to prevent unauthorized access to or use of personal or other sensitive information. Global Precast Inc. shall reasonably and appropriately address any identified gaps.
9. Incident Response.
The Information Security Coordinator will establish and maintain policies and procedures regarding information security incident response. An Information Security Incident means an actual or reasonably suspected (a) loss or theft of confidential or personal information; (b) unauthorized use, disclosure, acquisition of or access to, or other unauthorized processing of confidential or personal information that reasonably may compromise the privacy or confidentiality, integrity, or availability of confidential or personal information; or (c) unauthorized access to or use of, inability to access, loss or theft of, or malicious infection of Global Precast Inc.’s IT systems or third party systems that reasonably may compromise the privacy or confidentiality, integrity, or availability of confidential or personal information or Global Precast Inc.’s operating environment or services.
The Information Security Coordinator shall develop, implement, and maintain procedures to detect, discover, and assess potential information security incidents through automated means and individual reports.
- Automated Detection. Global Precast Inc. shall develop, implement, and maintain automated detection means and other technical safeguards as described above.
- Reports from Employees or Other Internal Sources. Employees, or others authorized to access Global Precast Inc. IT systems, network, or data, shall immediately report any actual or suspected information security incident to the Information Security Coordinator. Individuals should report any information security incident they discover or suspect immediately and must not engage in their own investigation or other activities unless authorized.
- Reports from External Sources. External sources who claim to have information regarding an actual or alleged information security incident should be directed to the Information Security Coordinator. Employees who receive emails or other communications from external sources regarding information security incidents that may affect Global Precast Inc. or others, security vulnerabilities, or related issues shall immediately report those communications to the Information Security Coordinator and shall not interact with the source unless authorized.
The Information Security Coordinator shall assign resources and adopt procedures to timely assess automated detection results, screen internal and external reports, and identify actual information security events. The Information Security Coordinator shall document each identified information security incident with details.
Following identification of an information security incident, the Information Security Coordinator, or a designate, shall perform an initial risk-based assessment and determine the level of response required based on the incident’s characteristics, including affected systems and data, and potential risks and impact to Global Precast Inc. and its customers/clients and employees.
Based on the initial assessment, the Information Security Coordinator, or a designate, shall:
- Initial Notifications. Notify Global Precast Inc. leadership and any applicable business partners or service providers.
- Investigation and Analysis. The Information Security Coordinator shall investigate each identified information security incident, analyze its effects, and formulate an appropriate response plan to contain, remediate, and recover from the incident. The Information Security Coordinator shall document its investigation and analysis for each identified information security incident.
- Containment, Remediation, and Recovery. The Information Security Coordinator shall develop and execute a response plan to contain, remediate, and recover from each identified information security incident, using appropriate internal and external resources.
- For each identified information security incident, the Information Security Coordinator shall determine and direct appropriate internal and external communications and any required notifications as follows:
- Communications. The Information Security Coordinator shall prepare and distribute any internal communications it deems appropriate to the characteristics and circumstances of each identified information security incident.
- Organizational Leadership. The Information Security Coordinator shall alert organizational leadership to the incident and explain its potential impact on Global Precast Inc., its customers/clients, employees, and others as details become available.
- General Awareness and Resources. As appropriate, the Information Security Coordinator shall explain the incident to Global Precast Inc.’s employees and other stakeholders and provide them with resources to appropriately direct questions from customers, clients, media, or others.
- Notification to Employees, Customers, and Clients. If a breach of personal information occurs, the Information Security Coordinator must prepare and distribute notifications, as described in (a) below, to affected individuals. The notification may be sent by mail; by electronic notice, if the individual has consented to electronic notification; by telephone, provided a telephone log is kept; by conspicuous notice on the Company’s website; or by email. However, if the security breach involves the email information of employees and clients, notice must be sent by a method other than email.
(a) The notifications must include the following information:
(i) Telephone numbers and websites of state and federal agencies that can help with data breaches and identity theft.
(ii) A list of the types of data that have been (or may have been) accessed or acquired.
(iii) The specific elements of personal or private information that have been (or may have been) accessed or acquired.
(iv) The Company’s name and contact information.
- If more than 500 customers/clients and/or employees have been affected, the Information Security Coordinator will notify the NYS Attorney General within 10 days of the determination that a breach occurred.
- The Information Security Coordinator shall report criminal activity or threats to applicable authorities, as Global Precast Inc. deems appropriate.
The Information Security Coordinator shall direct appropriate internal or external resources to capture and preserve evidence related to each identified information security incident during investigation, analysis, and response activities. The Information Security Coordinator shall seek counsel’s advice, as needed, to establish appropriate evidence handling and preservation procedures and reasonably identify and protect evidence for specific information security incidents.
At a time reasonably following each identified information security incident, the Information Security Coordinator and leadership shall review the incident and response for effectiveness in detecting and responding to the incident and identify any gaps or opportunities for improvement. The post-incident review shall also seek to identify one or more root causes for the incident and, according to risk, shall recommend appropriate actions to minimize the risks of recurrence.
Follow-Up Actions. The Information Security Coordinator shall monitor and coordinate completion of any follow-up actions identified by the post-incident review.
10. Enforcement.
Violations of this CSP will result in disciplinary action, in accordance with Global Precast Inc.’s information security policies and procedures and human resources policies. Please see Global Precast Inc. HR POLICIES OR HANDBOOK for details regarding Global Precast Inc.’s disciplinary process.
11. Program Review.
Global Precast Inc. will review this CSP and the security measures defined herein at least annually, or whenever there is a material change in Global Precast Inc.’s business practices that may reasonably implicate the security, confidentiality, integrity, or availability of records containing personal or other sensitive information.
(a) Global Precast Inc. shall retain documentation regarding any such program review, including any identified gaps and action plans.
12. Effective Date.
This CSP is effective as of March 31st, 2020.