Outbooks Data Security Policy
The Data Security Policy provides definitive information on the prescribed measures used to establish and enforce the Information Security Program at Outbooks. Outbooks is committed to protecting its Clients' confidential data from damaging acts, whether intentional or unintentional.
Outbooks is entrusted with the responsibility to provide professional Accounting services to clients who provide us with confidential data. Inherent in this responsibility is an obligation to provide appropriate data security protection. The purpose of this policy is to establish standards for the base configuration of equipment that is owned or operated by Outbooks, or that accesses Outbooks internal systems. Effective implementation of this policy will minimize unauthorized access to Outbooks information and technology and protect confidential client information.
These policy standards and procedures apply to all Outbooks & Outbooks Clients' data, information systems, activities, and assets owned, controlled, or used by Outbooks.
Personnel supporting or processing Outbooks data who are found to have violated the Data Security Policy will be subject to disciplinary action, up to and including termination of employment and/or engagement with Outbooks. Violators will be reported to the appropriate law enforcement agency for civil and/or criminal prosecution.
Outbooks shall protect the confidentiality, integrity, and availability of its data and information systems. Security controls will be tailored so that cost-effective controls are applied in proportion to the risk and sensitivity of the data and information.
Access controls are designed to reduce the risk of unauthorized access to Outbooks data and to preserve and protect the confidentiality, integrity, and availability of Outbooks systems. All assigned access shall be reviewed and audited for accuracy to ensure employees only have access to the data required for them to perform their assigned operational duties. Audits shall occur, at a minimum, annually; access to Restricted or Highly Restricted data shall be audited at a minimum quarterly.
User Access Management
The IT team is responsible for ensuring proper user identification and authentication management by enforcing the following procedures:
- Only the Authorized team controls the addition, deletion, and modification of user accounts and credentials.
- Outbooks devices are controlled centrally and monitored.
- The network is firewalled.
- User accounts are password protected, and sharing of individual passwords is prohibited.
- USB ports should be blocked.
- Verify user identity and receive appropriate management approval before creating or modifying accounts.
- Immediately revoke access for any terminated user.
- Limit repeated access attempts by locking out an account after no more than six failed attempts.
- Only Authorized users have printer access.
- Require an administrator to unlock any disabled account.
- Mobile devices are permitted only for authorized users.
- External email websites and data storage websites are blocked. If a user needs access, the website is allowed for a limited time after appropriate approvals.
Emails sent from an Outbooks email account must be addressed and sent carefully. Users should keep in mind that Outbooks loses all control of an email once it is sent outside the Outbooks network. Users must take extreme care when typing in addresses, particularly when email address auto-complete features are enabled, when using the reply-all function, or when using distribution lists, to avoid inadvertent information disclosure to an unintended recipient.
Email systems were not designed to transfer large files and, as such, emails should not contain attachments of excessive file size. Users should limit email attachments to 10 MB or less. For external email systems, the company reserves the right to further restrict this attachment size limit. Users must use care when opening email attachments: viruses, Trojans, and other malware can easily be delivered as an email attachment. Sensitive data should be sent as an encrypted attachment and not in plain text within an email.
Identification and Authorization
Each employee is provided with a unique user identifier for identification, authorization, and authentication to systems processing Outbooks data. This unique identity, its associated credentials, and its password are considered Highly Restricted information and will only be used by the individual to whom they are assigned. Sharing unique user identities, associated credentials, or passwords is not permitted.
Passwords are considered Highly Restricted information and therefore will not be written down or stored in an unencrypted format. Passwords, password complexity, and password lifecycle will, at a minimum, adhere to current industry best practices. Forbidden actions related to passwords include, but are not limited to, the following:
- Do not use default passwords
- Do not reveal a password over the phone to anyone
- Do not share or tell your password to others
- Do not write your password down
Antivirus & Patch Management
Routine installation of antivirus software, updates, and patches is necessary to protect systems and data from compromise and erroneous function. All systems (workstations, servers, network devices, firewalls, routers, mobile devices, etc.) will routinely and regularly have antivirus updates and patches installed. At a minimum, general patches are installed regularly, while critical security patches are applied as soon as possible.
Outbooks personnel shall protect assets associated with Outbooks operations by ensuring appropriate handling requirements are followed to prevent unauthorized disclosures, regardless of whether assets or data are being stored or transmitted. All assets associated with data or with data processing shall be inventoried and tracked. The inventory shall include, but is not limited to:
- A list of all devices
- Method to accurately and quickly determine the owner.
- Contact information for the asset owner.
- Be updated promptly as necessary.
Disaster Recovery refers to responding to an operational interruption through the implementation of a recovery plan. The recovery plan accounts for applications deemed critical for business operations and service delivery, and ensures the timely restoration of Outbooks' capability to deliver services. The Disaster Recovery plan will be tested, at a minimum annually, to ensure the plan is up to date and capable of sustaining business operations during a period of disruption.
Physical security is the protection of people, property, and physical assets from actions and events that could cause damage or loss. CCTV monitoring, security guard operations, and fire and safety systems are in place at the office premises.
Incident response refers to the actions taken to address an event that creates a service disruption; incidents can range from minor to business-crippling in scale. Incident response procedures are reviewed at least annually to ensure the defined steps are current and applicable to the existing environment. To respond effectively to an incident, there must be a defined, repeatable process that is followed. Outbooks addresses incident response by applying these main steps to all encountered incidents:
- Ensure staff are properly trained and know what steps to take.
- Identification and Prioritization
- Determine that an incident has occurred and assign its priority/urgency.
- Isolate the impacted items to prevent additional damage.
- Remove the disruption from the environment and perform root cause analysis.
- Return impacted items to normal operations.
- Lessons Learned
Equipment and System Usage
Users shall:
- Immediately report all lost or stolen equipment, known or suspected privacy or security incidents.
- Log off or lock systems when leaving them unattended.
- Complete all required security and privacy training.
- Follow appropriate data handling procedures.
- Be vigilant when accessing the internet and verify all material is safe before viewing.
- Follow all defined record retention policies.
- Only connect to known and trusted networks.
- Only use Outbooks systems and equipment for their intended business purpose.
- Follow the “Clean Screen, Clean Desk” mentality to protect sensitive data, including customer data.
Users shall not:
- Copy or store sensitive/proprietary information or customer information on removable media devices.
- View material that is: sexually explicit, profane, obscene, harassing, fraudulent, racially offensive, defamatory, or otherwise unlawful in nature.
- Download material or software from the internet or unknown sources.
- Install software on Outbooks systems or equipment.
- Modify, revise, transform, or adapt any Outbooks software installed on equipment and systems.
- Transfer Outbooks or Outbooks customer data through an unsecured network.
- Use any utility program which allows the circumventing of Outbooks applied controls.
- Send unsolicited emails or send spam emails.
- Use Outbooks systems or equipment for any activity that violates local, state, federal, or international law.
- Introduce any malicious software (virus, trojan, malware, etc.) into or onto Outbooks systems or equipment.
- Remove Outbooks systems or equipment from the organization without prior management approval.
- Post information on social media sites or other public forums which is derogatory to Outbooks or its management.