Personnel Security Policy
Effective starting: April 20, 2024
Busch Technology Solutions, LLC (referred to as “BTS”) is the owner and operator of BuschTechSolutions.com (referred to as “BuschTechSolutions”) and BTSValidation.com (referred to as “BTSValidation”), including any related websites, sub-domains of BTSValidation, and pages. BTS takes security seriously. The purpose of this document is to provide all employees with a single policy to secure our intellectual property and our clients’ data. This policy is not all-encompassing but is the minimum requirement for this company.
Topics:
- Organizational structure
- Scope
- Roles and responsibilities (RACI)
- Policy
- Employee and contractor access
- Need-to-know principle
- Responsibility for company data
- Unauthorized software
- Social media policy
- Protecting computer resources
Organizational structure
BTS is a small, privately held woman owned company. IT security is the responsibility of everyone, including the president, BTS members, clients, employees, and contractors.
Scope
The scope of this IT security policy is the BTS members, clients, employees, and contractors and its website BTSValidation.
Roles and responsibilities (RACI)
This section will review the BTS personnel and each member, employee, or contract’s roles and responsibilities regarding security.
Policy
It is the policy of BTS to secure its data. Since BTS is a very small organization, not all scenarios apply to BTS at the current time. As an example, transfers are not within scope. BTS has one location and if BTS would open up a second location, then the policy would have to adapt as BTS grows.
Types of employee / contractors
To protect BTS data, we segregate employees and contractors into two groups:
- Legacy (aka Grandfathered) – Any employee or contractor that has established a relationship with BTS for at least one full year from April 26, 2024.
- New – Any employee or contractor that is in a new relationship with BTS for less than one full year from April 26, 2024.
Hiring/contracting
- New employees are subject to a background check prior to beginning work or access to BTS or any of its systems.
- Any legacy employees are exempt from the background check due to their established relationship.
- No employee or contractor is allowed access to the financial system. Only members have access to this system.
Termination
Termination is defined as either short or long-term separation of an employee, contractor, or client.
- For all employee or contractor types,
- Upon voluntary termination, all system access will be removed.
- Upon involuntary termination, all system access will be removed immediately.
- A client who chooses not to extend their contract has 30 days of access to their data before the data access will be removed.
- It is the client’s responsibility to remove access to any end-user.
- BTS will retain ownership of all employees or contract’s computers, data, and computer accessories.
Termination process
Termination process is all of the step necessary to perform to ensure access to BTS’s system are removed:
- All access to the following will be removed
- production BTSValidation
- client database is removed
- MS Office
- GetHub
- DevExpress
Employee and contractor access
Physical Access:
All employees of BTS employees and contracts work remotely. There are no physical access locks or electronic security enabled IDs to return.
Need-to-know principle
BTS employees a “Need to know” principle of data access. Each internal data access request is reviewed and determined the minimal amount of access to meet the data requirement access.
Responsibility for company data
All clients, customers, employees, and contractors are responsible:
- For keeping data free from data breaches.
- Do not open any emails from someone that you do not expect.
- Do not open links from unknown email senders.
- Always question any email first before opening or acting on it.
- If something seems questionable, contact the BTS members for review.
- Keep antivirus updates on your PC.
- Do not write down passwords.
- Ensure that your PC or server has the latest software patches.
- Passwords should never be shared by anyone.
Unauthorized software
Unauthorized software is defined as software that is not expressly approved from BTS. Do not install unauthorized software on any BTS machine or server.
Social Media Policy
BTS doesn’t care if employees and contractors use social media. BTS has some very basic rules as it pertains to work related social media.
- Do not post anything related to BTS or acting on behalf of BTS unless you are expressly allowed.
- Do not post anything about our clients.
- Do not post anything that would be perceived at putting BTS in a bad light.
Protecting Computer Resources
Do your best to protect BTS computer and accessories. Please keep the BTS always access secure.
Client’s data at the end of the contract
For security purposes, clients have 30 days after the end of the contract to remove data or reports from BTSValidation. If this is not done within this time period, BTSValidation can start deleting and purging all data.
Steps:
- Retain the last backup.
- Remove client database.
- Remove client-associated data.