Information Security Policy

Version 3.1a

October, 2021

If we determine that there is an event that requires customer notification:

  1. Utilize separately maintained customer list to contact affected customers. List contains key contacts for each of our deployments.
  2. Communication will include:
      • cause of the crisis
      • brief description of what happened
      • timetable for future plans
      • expectation of when next communication will be sent or problem resolved.

Crisis management

The document names two crisis management roles:

      • Business Operations – manage and lead individuals, communicate important information to all departments and affected customers
      • Hosted Services / Software – analyze the problem and potential damages along with recovery plan execution


  5. Data Classification Labeling
  6. Relaying Information
  7. Third Party Disclosure
  8. Production and Delivery of Sensitive Documents
  9. Declassification And Downgrading
  10. Retention, Destruction and Disposal
  13. System Access Controls
  14. Access Granting Decisions
  28. Preventative Maintenance
  29. Backups
  30. Daily
  31. Weekly
  32. Monthly
  33. Restoration
  34. General Network
  35. VPN with St. Louis Office and San Francisco
  36. VPN Remote Client
  37. Termination Checklist



Information security means the protection of ITC Systems data, applications, networks, and computer systems from unauthorized access, alteration, or destruction.

The purpose of the information security policy is:

      • To establish a Company-wide approach for security.
      • To provide methods to secure, monitor and prevent security threats. This includes the misuse of company data, applications, networks and computer systems.
      • To provide methods to respond to such threats or reported threats.



The IT Manager is required to implement the information security policy that is reviewed by the Management Team.

The IT Manager must:

      • Ensure that the policy is up to date and current at all times.
      • Provide training to other team members who assist in implementing security.
      • Update the team with regard to any potential security risk.
      • Implement restrictions based on owners’ requirements.
      • Implement network security and reviews.
      • Ensure backup and restoration policies are followed.
      • Verify that antivirus protection and routine maintenance are up to date.
      • Ensure that workstation usage policy is enforced.

Office Manager:

      • It is the responsibility of the building manager to ensure that physical access to the building is enforced.
      • It is the responsibility of the office manager to ensure that employee termination and hires are addressed with the IT Manager.

Information Owners

      • It is the responsibility of information owners to verify that access to information they are responsible for is accurate and up to date.
      • Ensure that data is correctly labeled and classified.

ITC Staff

      • Report any security related or questionable occurrences following the reporting procedure.



      • Regular reviews of the VPN and firewall are required. This includes review of the access logs and VPN policies.
      • The IT Manager is responsible for regularly reviewing the reports and logs to ensure that the VPN and firewall remain secure.
      • A Record must be kept as to when the logs were last reviewed, and a description of what items required addressing and the outcome.
      • All changes to the VPN or Firewall must first be approved by the IT Manager to ensure they do not conflict with existing policies or security.
      • Vulnerability and risk assessment tests of external network connections should be conducted annually and recorded.
      • Staff should be trained on how to handle information/data and policies surrounding that data on an annual basis.
      • Those not adhering to policies will be disciplined accordingly.
      • All processes and duties must be listed within the master resource matrix. Each role or duty must have two or more capable individuals.
      • In the event that an individual leaves ITC their duties must be reviewed, and additional team member must be trained to perform their role.
      • Each process must be documented and stored within the procedure manual.
      • Upon termination the termination check list must be completed.


All stored data should be classified based on potential risk and sensitivity by the owner. Below are classifications on ITC Systems Data Storage.

Secret/High Risk – Any data that has legal requirements for confidentiality and could incur financial penalties for disclosure. These include financial information, Trade Secrets, payroll, personnel files or any information falling under privacy requirements. The data owners must ensure that High Risk information is not exposed.

Confidential – This is data that would not incur any penalties or reparations if exposed but is considered confidential in nature. This includes employee performance evaluations, computer passwords, internal audit reports and customer transaction data.

Internal Use Only – Information that is neither Secret nor Confidential, but disclosure is against company policy. This includes dialup access numbers, employee training material, and internal policy manuals.

Public – Information that is freely distributed such as newsletters, company announcements, job openings and brochures.


Data Classification Labeling

      • Information that is considered secret or confidential must be labeled as such from the time it is created until destroyed or reclassified. This includes hard copies, CDs, DVD or any external media.
      • Unclassified information is categorized as Internal use only and does not require labeling.
      • Information believed to be classified, or whose classification is believed to be incorrect, must be treated as confidential. The recipient must report the possible classification error to the owner of the information.
      • Information that fits under multiple classification levels assumes the highest of those classifications. Additionally, if a specific storage medium contains information at multiple classification levels, it assumes the highest classification level present. Therefore, if Secret files are placed on an existing CD without a label, the CD must be labeled Secret.
      • Information provided from an external source must be classified appropriately. Label must preserve copyright notices, author credits, guidelines for interpretation and restricted dissemination.
      • All hard copies of sensitive information must be labeled as such in the top right-hand corner of the front cover, title page and rear cover.

Relaying Information

      • Information that will be displayed during a presentation or demo and that is considered classified must be labeled as such.
      • All parties in attendance at a meeting must be made aware of the classification of the information provided. Anyone joining the meeting who was not invited by the presenter must be introduced, and their attendance must be approved by the presenter. Any presentation material such as PowerPoint files, slides or handouts must carry the proper classification. If a speaker phone is used during the meeting, the host must ensure that the information discussed cannot be overheard.
      • If dictation machines or tape recorders are used during a verbal exchange of information or a meeting, it must be stated at the beginning of the segment whether it contains sensitive information. The tape must also be marked with the highest classification level of the information recorded on it.


Third Party Disclosure

      • Any disclosure of items marked Secret or Confidential to third parties must be preceded by a non-disclosure agreement. Information disclosed must be logged, with a reference to why the disclosure took place. This log is instrumental in recovering or destroying the documentation provided.
      • Nondisclosure agreements must not be signed by any ITC Employee without the authorization of ITC Systems Legal counsel designated to handle intellectual material.
      • Unless authorized by the Information Owner, requests that include questionnaires, surveys and interviews must be approved by the President. This does not include support or sales and marketing.
      • Speeches, presentations, technical papers or other communication to the public must be reviewed and approved by an employee’s immediate manager prior to release.
      • New products research results, corporate strategies, customer information and marketing approaches must receive prior approval of the owners.
      • If information is suspected of being divulged to any third party not authorized to receive such information the Owner and the IT Manager must be notified immediately.


Production and Delivery of Sensitive Documents

      • Making copies to media or paper can only be done with the approval of the Owner. Photo copiers and fax machines keep logs of such copies.
      • When printing sensitive documents, the print job must be attended at all times. Where sensitive information is printed, access to the printer is restricted, as is done in the accounting department.
      • Outside services are not to be used for printing sensitive information.
      • All ITC Systems sensitive documents must show the current page number and the total page count on every page.
      • All backup media must be stored in the company safe.
      • Sensitive information that will be mailed by courier or by a government-run postal service must be contained within two envelopes. The external envelope must not show the classification of the documents. The internal envelope must be marked with the classification and be addressed to a particular party whose signature is required upon its arrival.
      • Sensitive ITC Systems computer output must be delivered directly to the intended recipient. It must never be left unattended unless deposited in the company safe. Fax transmissions of sensitive documents must be attended for the duration of the transmission.
      • Sensitive ITC Systems information must not be removed from ITC Systems premises unless approval has been received from the Owner. This includes hard copies and storage media. If such approval has been given, the items must never be left unattended. Additionally, such information should not be viewed in public places or taken to a foreign country.
      • All sensitive information must be secured in the company safe or a heavy locked container when not in use. Any ITC Systems sensitive information found unsecured when not in use will be confiscated and provided to the President.
      • When discussing sensitive information, the use of Skype, internet messaging, non-encrypted cellular or radio communications is prohibited.
      • All copies of sensitive documents must be numbered and logged with location and recipients so that they can all be accounted for. Logs must be kept for as long as the documents remain released and classified as Secret. These documents must also carry a statement that they must not be copied without permission from the Owner.


Declassification And Downgrading

      • Only the owner of information may change its classification. The change may occur at any time but they must notify custodians, IT Manager and any other potential recipients.
      • Information that will be reclassified at a later date should state the date on which it will be reclassified. If a user is unsure whether the information has been reclassified after the specified date has passed, they must confirm this with the document Owner. The Owner of a document that is scheduled for a classification change may extend the date at any time; they must notify custodians, the IT Manager and any other potential recipients.
      • Owners should review information classification that they are responsible for at least once per year.


Retention, Destruction and Disposal

      • All sensitive information that is scheduled for destruction must be placed in a secure locked metal box until it has been destroyed. This information should be destroyed as soon as it is no longer needed and should be disposed of by ITC personnel using confetti-style (cross-cut) shredders rather than strip-style shredders.
      • Reformatting or simple deletion of classified information stored on a specific medium is not sufficient. Stored information must be destroyed by software that overwrites the sensitive area with other data, such as Secure Shredder software, so that once destroyed it is unrecoverable by any means. Note that overwriting is only dependable on magnetic media; flash-based drives (SSDs, USB sticks) remap writes internally, so they must be sanitized with the drive's built-in secure-erase function or physically destroyed.
      • ITC Systems employees must not destroy information without specific approval from ITC Systems Management Team. This authorization may be given through verbal instructions from the Owner of the information, President or issued by ITC System’s legal counsel. Any unauthorized destruction of ITC Systems information is subject to disciplinary action including suspension, termination and prosecution.
      • Any materials used in the creation or destruction of sensitive information must also be destroyed. This includes carbon paper, negatives, typewriter ribbons, aborted computer hard copies and drafts, as well as hard copies rejected because of paper jams or toner issues.
      • Equipment to be serviced, donated or disposed of must not contain any sensitive information and must be wiped clean with Secure Shredder software (or secure-erased or physically destroyed in the case of flash-based storage).



      • Building must be locked, and alarm enabled during non-business hours.
      • Visitor check in/out location at ITC Systems Toronto is located at reception.
      • The visitor check in/out location at ITC Systems St. Louis is the main entrance reception.
      • All visitors are required to sign the visitors log and receive a visitor’s badge prior to gaining admittance into any building. The sponsoring individual must ensure this requirement is satisfied.
      • All visitors must wear their visitor’s badge, clearly visible, at all times while on site.
      • Visitors are to be escorted at all times, within reason, by the sponsoring employee or their designee. Common sense is the primary factor in deciding when an escort is required. Visitor hours at ITC Systems are from 8:30 a.m. to 5:00 p.m., Monday through Friday. The visitor check-in location will only attend to visitors during this time frame.
      • If the visitor leaves after regular hours, the escort is to see the visitor outside of the building, retrieve the visitor badge, and note the time the visitor left. The escort or sponsoring employee is then to return the badge to where it was issued the next business day and make sure the time out is written in the visitor log.
      • The specific employee that is hosting a meeting during regular business hours is responsible to inform reception of any visitors and inform attendees that they must sign-in and receive a visitor’s badge prior to attending the meeting.
      • Visitors to ITC Systems who arrive unannounced or without an escort will not be permitted beyond the check-in location until visitor protocol has been met.
      • Visitors to ITC Systems are not required to sign-in and obtain a visitor’s badge if business is not conducted beyond the visitor check in/out location.
      • It is the responsibility of every employee to notify management if they should see anyone on the premises who is not wearing a visitor’s badge that is not an employee of ITC Systems.
      • Access to rooms containing sensitive information must be physically restricted whenever the room is left unattended; therefore, rooms with such information need to be locked and secured.
      • Computers used to view sensitive information should be positioned so that their screens cannot be viewed by unauthorized persons.



Need to Know

      • Data access is limited to those who require the data on a daily basis to perform their role.


System Access Controls

      • All user logins must be unique; shared or group IDs are prohibited.
      • Passwords must include numeric, alphabetic with different cases and at least one special character.
      • Passwords must be at least 7 characters.
      • Passwords must be changed at least every 90 days.
      • New passwords cannot be the same as the last 4 passwords.
      • If an incorrect password is provided 3 times the account should be locked out.
      • Account lock out duration should be at least 30 min (or until an administrator resets it).
      • Sessions idle for more than 10 minutes should require re-entry of the username and password.
      • Passwords must not be placed in emails unless they have been encrypted.
      • Logins and passwords should not be coded into programs or queries unless they are encrypted or otherwise secure.
      • Terminated employee’s user accounts must be disabled upon termination.
      • Promotion or change in position must be recognized in access rights changes upon the date of change.
      • Logon events are reviewed for failures.
      • Those with access to high-risk data should understand their responsibility to protect that data.
      • Users must not share their usernames with anyone else.
      • Administrators should use accounts with standard access for day-to-day activities and only use full administrator privileges when required.
      • Default application passwords must never be left in place and must be changed upon installation.
      • Database passwords must follow the user login criteria above.
      • Connection capabilities of devices are controlled through the ITC Systems firewall.
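The lockout and log-review requirements above are easy to state and easy to get wrong in practice. The following Python script is an added example, not tooling from ITC Systems or part of this policy: it replays a constructed logon log against the policy's own thresholds (lock after 3 incorrect passwords, lockout of at least 30 minutes) and flags what a reviewer should act on, including a successful logon that occurred while the account should still have been locked. The log format (one event per line: ISO timestamp, user, FAIL or SUCCESS, source address), the user names and the events are assumptions made for illustration.

```python
"""Added example: reviewing logon failures against the lockout thresholds above.

Not part of ITC Systems' policy or tooling. The log format and the sample events
are constructed for illustration; the thresholds are the policy's own.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 3                 # policy: lock out after 3 incorrect passwords
LOCKOUT = timedelta(minutes=30)  # policy: lockout lasts at least 30 minutes

# Constructed sample log, not real data: "<ISO timestamp> <user> <FAIL|SUCCESS> <source>"
SAMPLE_LOG = """\
2021-10-04T08:01:10 jsmith FAIL 10.0.0.21
2021-10-04T08:01:25 jsmith FAIL 10.0.0.21
2021-10-04T08:01:40 jsmith FAIL 10.0.0.21
2021-10-04T08:02:00 jsmith SUCCESS 10.0.0.21
2021-10-04T08:40:00 jsmith SUCCESS 10.0.0.21
2021-10-04T09:00:00 mlee FAIL 203.0.113.9
2021-10-04T09:00:05 mlee FAIL 203.0.113.9
2021-10-04T09:30:00 mlee SUCCESS 10.0.0.33
2021-10-04T10:00:00 admin FAIL 203.0.113.9
2021-10-04T10:00:01 admin FAIL 203.0.113.9
2021-10-04T10:00:02 admin FAIL 203.0.113.9
2021-10-04T10:00:03 admin FAIL 203.0.113.9
"""


def parse_line(line):
    """Split one log line into (timestamp, user, result, source)."""
    ts, user, result, src = line.split()
    return datetime.fromisoformat(ts), user, result, src


def review_logons(log_text, reviewed_at=None):
    """Replay the log and flag what a reviewer should act on.

    Returns (findings, record). Each finding is (kind, user, timestamp, source):
      threshold_reached    - the account hit MAX_FAILURES and must be locked
      attempt_while_locked - a further failure inside the lockout window
      lockout_bypassed     - a successful logon inside the lockout window, i.e.
                             the lockout the policy requires was not enforced
    The record is the "when were the logs last reviewed" entry the policy asks for.
    """
    failures = defaultdict(int)
    locked_until = {}
    findings = []
    lines = log_text.strip().splitlines()
    for line in lines:
        ts, user, result, src = parse_line(line)
        # A lockout that has run its course resets the counter. An administrator
        # reset would do the same earlier but is not visible in this log.
        if user in locked_until and ts >= locked_until[user]:
            del locked_until[user]
            failures[user] = 0
        if result == "FAIL":
            if user in locked_until:
                findings.append(("attempt_while_locked", user, ts, src))
                continue
            failures[user] += 1
            if failures[user] >= MAX_FAILURES:
                locked_until[user] = ts + LOCKOUT
                findings.append(("threshold_reached", user, ts, src))
        elif result == "SUCCESS":
            if user in locked_until:
                findings.append(("lockout_bypassed", user, ts, src))
            failures[user] = 0
        else:
            raise ValueError(f"unknown result {result!r} in line: {line}")
    record = {
        "reviewed_at": (reviewed_at or datetime.now()).isoformat(timespec="seconds"),
        "lines_reviewed": len(lines),
        "findings": len(findings),
        "still_locked": sorted(locked_until),
    }
    return findings, record


if __name__ == "__main__":
    findings, record = review_logons(SAMPLE_LOG)
    for kind, user, ts, src in findings:
        print(f"{ts.isoformat()} {user:<8} {kind:<22} from {src}")
    print(record)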


Access Granting Decisions

      • Users who receive a user account must sign the team member's guide, stating that they will adhere to company access policies.
      • Access to ITC Systems sensitive information can only be provided with written authorization from the Owner.
      • Standard access templates are defined for each job title and must be reviewed and approved by the Owner of the information.
      • User access rights will be reviewed on a quarterly basis to ensure that they still match current responsibilities.
      • Access-rights changes due to position changes and terminations will be dealt with immediately, and the documentation will be updated.
      • User account creation and deletion must be requested in writing.


      • All computers connecting to ITC's network must have a recognized antivirus program with updated virus definitions installed. ITC Systems uses the Symantec AntiVirus client.
      • All incoming emails are scanned for viruses on the server prior to being downloaded to a client's Outlook.
      • Workstations containing viruses must be removed from the network immediately to prevent the virus from spreading.
      • Users should be informed when a virus is detected on a workstation to reduce the chance of it spreading.
      • Virus detection logs should be reviewed routinely to identify possible threats.
      • Laptop users should perform a full virus scan prior to attaching their laptop to the network.
      • Firewalls should be enabled on all workstations where possible. Only the specific ports required should remain open.
      • Symantec AntiVirus should be configured to check for updates every day.
      • Desktop user workstations should be configured to run a full system scan at least once per week.



      • Intrusion detection must be implemented on all servers and workstations containing data classified as High Risk.
      • Server firewall logs should be reviewed regularly for intrusion attempts. Appropriate action must be taken if any are discovered.



      • All connections to the Internet must go through a properly secured connection point to ensure the network is protected when the data is classified high risk.
      • All connections to the Internet should go through a properly secured connection point to ensure the network is protected when the data is classified confidential.
      • All connections between public networks (the Internet) and the ITC Systems internal network are controlled by the VPN/firewall.



The following is a list of prohibited activities. Taking part in any of the activities listed below is subject to disciplinary action including suspension, termination and prosecution.


      • Using computer resources for personal or financial gain, such as selling access to company computer resources, distributing advertisements, or performing work for personal profit is strictly prohibited.
      • Employees and contractors must not use ITC Systems computer resources to solicit others for commercial ventures, religious or political causes, or outside organizations.
      • ITC Systems employees must not engage in activity that might be harmful to system performance or access, such as flooding the system with e-mail traffic, intentionally introducing a virus to the system, audio/video streaming or engaging in unauthorized peer-to-peer file sharing (e.g. BitTorrent).
      • Employees and contractors must not use ITC Systems computer resources to harass another person or entity.
      • Attempting to circumvent resource limits or security measures is strictly prohibited.
      • Engaging in illegal activities, such as attempting to gain unauthorized access to computing resources at another site is strictly prohibited.
      • Violating license agreements or copyright laws, such as transferring copyrighted materials to/from a company computer is strictly prohibited.
      • Misusing shared resources, which can include but is not limited to actions such as clogging the server with too many files, and excessive printing from shared printers is strictly prohibited.
      • Attempting to enter another individual’s account or allowing unauthorized users to access any ITCS account, the Internet, or other computer resources is strictly prohibited.
      • Using another individual’s account without permission is strictly prohibited.
      • Attempting to delete, destroy or modify files on a computer or server that are not in the user’s personal drive or folder/directory is strictly prohibited.
      • A user must not use the network to gain access to any information to which the user is not entitled to access; or to copy, modify, or use any information which the user is not entitled to copy, modify or use.
      • Writing or deliberately sending a virus, worm, or trojan horse, or initiating a denial of service or any other attack within ITC Systems or from ITC Systems to any other network is strictly prohibited
      • Distributing information protected by privacy laws is strictly prohibited.
      • Anonymous access is not permitted on the network.



      • All Servers and workstations need to be patched with the latest security patches from Microsoft and other relevant software manufacturers.



      • All workstations are configured to connect to the domain where their security policy is applied.
      • Users should not be able to install programs or modify system values.
      • Workstation should be configured to lock after 5 minutes of inactivity and users should lock their desktop if they will leave it unattended for any period of time.
      • Users should only have applications installed that they will have access to.
      • If multiple users will use the same workstation, then each user's login must only provide access to the applications that user has permission to use.
      • All workstations must be assigned asset tags that track which programs are installed and licensing.



      • All Remote workstations must connect through the VPN.
      • Remote workstations use terminal services to access business applications.
      • Remote login accounts have limited access to specific applications and files.
      • When remote workstations are brought into the office a full virus scan must be run prior to connecting the computer to the network.



      • The database.config and encryption.config files must be saved in an encrypted form, so that the connection string and encryption key remain protected.
      • Access must be regulated through a login process.
      • Login account passwords must adhere to the password policy as listed in the access control policy.
      • Applications must be capable of implementing access control based on the Data Classification policy.
      • Applications must have a way to audit access.
      • Applications must not store credit card numbers.



      • All new software packages and updates to existing software must be implemented in accordance with the change management guidelines.
      • All new software packages must first be implemented in a controlled environment to determine the impact and requirements of the system on the network.
      • New systems must first be tested in a non-production environment to minimize failure and data loss.
      • Future requirements of system including disk space, processor and memory need to be planned for.
      • After passing acceptance testing the system or application should be rolled out and tested after hours.
      • Previous systems should remain online or have the capability of being rolled back, in case of system failure.



Prior to updating any hardware or software, an analysis must be completed stating the reason for the change. The following procedure must be followed prior to implementing new releases.


Stage            Procedure                                                                                    Owner of Task
Report           1. Identify the need for change.                                                             Technical Support, Sales
                 2. Report the need for the change (Issues and Minor Changes list on SharePoint).             Technical Support, Sales, Engineering
                    All parties will be notified via email.
                 3. The developer(s) responsible for the affected hardware and/or software MUST               Engineering
                    acknowledge the issue within 24 hours.
                 4. Review and validate the issue, set its priority and schedule a date.                      Engineering Manager
Development      5. Document the required changes.                                                            Engineering
                 6. Identify the level of change: Hot/Warm fix, Service Pack, Minor Release or Major Release.
                 7. Code and implement the change.                                                            Engineering
Testing          8. Update the validation documents.                                                          Engineering
                 9. Assign a new version number and copy the software to the network server under            Engineering
                    ITC Software\Product Number\Testing\Version Number.
                 10. Update the version control document with the changes.                                    Engineering
                 11. Update SharePoint with the status "Fixed Ready for Testing"; this sends an email to      Engineering
                     all parties (Technical Support, Sales) that need to be notified.
                 12. Test the changes according to their level. Major releases require regression testing    Validation
                     of all related functions.
                 13. Update the status of the issue.                                                          Validation
                 14. Update the documentation.                                                                Engineering
Implementation   15. Contact the customer if the issue is not local and schedule the update.                  Technical Support
                 16. Implement on a non-production test server environment, if available.                     Technical Support
                 17. Plan for rollback: back up the database and application files and prepare the            Technical Support
                     previous installation files.
                 18. Implement the update, test the application and verify the result through reports.        Technical Support
                 19. Update SharePoint with the changes.                                                      Technical Support





      • All engineers and developers must sign a non-disclosure agreement stating that all ITC intellectual property is confidential and owned by ITC.
      • All source code developed while employed by ITC is the property of ITC.
      • All source code must be stored within MS Source Safe libraries and require authentication for access.
      • Source code must be backed up weekly (onsite storage) and monthly (off-site storage).
      • Information stored within databases must remain secure during the support process.
      • Transfer of data and source code over the Internet must be encrypted and secured.
      • Code must be written in a way that eliminates the possibility of SQL injection attacks: user input reaches a query only through bound parameters, never through string concatenation.
      • Applications must provide different security access rights so as to limit access as required.
      • If a security threat has been identified, tests must be designed to verify the fix.
      • Transaction limits and reports must be available to prevent and detect system abuse.
      • Remove the use of Java/JavaScript within web sites so as to eliminate scripting attacks.
      • Hard-code maximum field lengths on input to limit scripting attacks.
      • Include an HTTP module that captures errors and JavaScript injection attempts and redirects to a static error page that does not display any error details.
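The SQL injection and fixed-field-length requirements above are shown below in working form. This Python snippet is an added example, not code from ITC Systems' products or this policy: a login lookup built by string concatenation sits beside its parameterized replacement, and both are run against a constructed in-memory SQLite table with the classic `' OR '1'='1` payload. The table, the user names, the character allowlist and the `MAX_USERNAME_LEN` limit are assumptions made for illustration.

```python
"""Added example: SQL injection (vulnerable vs. parameterized) plus input length limits.

Not part of ITC Systems' policy or software. Uses an in-memory SQLite table with
constructed sample rows; names and limits below are assumptions for illustration.
"""
import sqlite3

MAX_USERNAME_LEN = 32  # assumed fixed field length ("hard-code field lengths")
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789._-")


def make_db():
    """Create a throwaway in-memory users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def lookup_vulnerable(conn, username):
    """The pattern the policy forbids: untrusted input spliced into the SQL text.

    A username such as  x' OR '1'='1  rewrites the WHERE clause and returns
    every row, so an attacker enumerates (or authenticates as) any account.
    """
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the driver binds the value, so quotes in it are data, not SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def validate_username(username):
    """Defense in depth: enforce a fixed maximum length and a character allowlist
    before the value reaches any query. Returns the value unchanged if it passes."""
    if len(username) > MAX_USERNAME_LEN:
        raise ValueError("username too long")
    if not username or any(ch not in ALLOWED for ch in username.lower()):
        raise ValueError("username contains disallowed characters")
    return username


def lookup_hardened(conn, username):
    """Validation plus parameterization, as the development requirements call for."""
    return lookup_parameterized(conn, validate_username(username))


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable    :", lookup_vulnerable(conn, payload))     # every row leaks
    print("parameterized :", lookup_parameterized(conn, payload))  # no match
    try:
        lookup_hardened(conn, payload)
    except ValueError as exc:
        print("hardened      : rejected ->", exc)
```

Parameterization alone is what stops the injection; the length and character checks are the separate "field length" control and also keep the HTTP error module from ever seeing a database exception for malformed input.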



A security incident is an activity or event that compromises ITC Systems security and could lead to loss of confidential information, system failure or legal ramifications. All potential security threats or weaknesses must be reported immediately to the IT Manager or the Software Support Manager. The IT Manager requires that all reported incidents be identified and responded to urgently. Additionally, these events must be treated as a learning experience, and measures must be put in place going forward to prevent recurrence. Incident management must be handled in the following sequence.

Incident Reports

It is the responsibility of all ITC Systems employees and contractors to report any incident or possible weakness in network security or information security immediately to their manager or the IT Manager. A Security Incident Report must then be filled out. All team members must be clearly informed that they are not to attempt to rectify the issue on their own, as doing so may impair the management team's ability to research and properly respond to it. All security incidents must be reported on the SharePoint team site:

The following steps must be taken with each incident report.(Please See Form on Page)


Step   Action                                                                         Individual                                Report Field
1      Report the incident within SharePoint. This sends an email notification        Person reporting the incident             Incident Description, Title
       to the IT Manager and the Software Support Manager.
2      Verbally notify the IT Manager or the Software Support Manager.                Person reporting the incident             N/A
3      Investigate the incident.                                                      IT Manager / Software Support Manager     Incident Investigation Notes, Assigned To
4      Identify the validity and type of the incident.                                IT Manager / Software Support Manager     Incident Type, Breach Level, Priority
5      Notify affected parties.                                                       IT Manager / Software Support Manager     Incident Investigation Notes
6      Collect the audit trail and supporting information.                            IT Manager / Software Support Manager     Attached Files
7      Resolve the issue.                                                             IT Manager / Software Support Manager     Incident Investigation Notes
8      Prepare a report with recommendations to prevent the incident and a           IT Manager / Software Support Manager     Incident Prevention Report, Related Incidents
       business contingency plan.


It is the responsibility of the IT Manager to ensure that all reports are handled in a timely fashion and that all steps are taken to prevent similar occurrences.




Preventative Maintenance

      • All efforts must be taken to prevent a system failure. This includes regular review of server status and of the notifications that identify degraded equipment.
      • All drives that contain company data must be configured for RAID 5 or RAID 10.
      • All server operating systems must be configured with RAID 0 or RAID 10. (Note: RAID 0 stripes with no redundancy, so an OS volume on RAID 0 is lost when any single drive fails; only RAID 10 provides the fault tolerance the rest of this section assumes.)
      • Degraded drives must be replaced within 48 hours.
      • Spare drives must be kept in stock to eliminate delays due to availability.
      • Servers should be cleared of dust every 6 months.
      • UPS batteries should be reviewed and replaced when required.
      • Server room fans and air conditioning must be kept active, and the temperature should be reviewed weekly.
      • Company files must be stored on servers and not on workstations to ensure recovery.


Backups

Backup media must follow the Data Classification Policy.



Differential backup of all files changed since the previous full backup; media located within the server room.

Ghost images of the server OS need to be created whenever new applications or service packs are installed.


Full backup stored offsite in the safe in building 43 (a separate building).


Full backup stored offsite.


Server images need to be created quarterly to ensure up-to-date recovery of the OS.



Restoration

      • In the event of an OS drive failure, the drive must be replaced immediately.
      • In the event that an array is unrecoverable, the drive will be replaced with a spare and the most recent backup or ghost image will be restored.
      • A company notification will be sent out so that each department can determine whether any work or data was lost. It is the responsibility of each manager to ensure that any lost work is brought up to date.

General Network

      • 100/1000 Mbps Ethernet.
      • The network encryption key is changed regularly.

VPN with St. Louis Office and San Francisco

      • Site-to-site VPN tunnels connect the Toronto office with the San Francisco office and the St. Louis office (two VPNs).
      • The VPN firewall blocks all traffic from the untrusted network (the Internet).


VPN Remote Client

      • VPN clients have remote VPN client software installed.
      • VPN is utilized when running business applications through terminal services over the VPN.
      • Terminal Services and business applications require logon authentication.


Termination Checklist


Employee ____________________  Position ____________________  Department ____________________  Manager ____________________  Date terminated ____________  [ ] Voluntary  [ ] Involuntary

Pre-termination concerns
[ ] Issue appropriate warning notices
[ ] Apply progressive discipline
[ ] Allow employee the opportunity to correct performance
[ ] Consider mitigating factors
[ ] Consider overall record (length and quality)
[ ] Conduct an objective review
[ ] Obtain management approval
[ ] Send termination letter
[ ] Inform personnel department
[ ] Inform payroll
[ ] Include copies of all termination documents in employee's personnel file

Inform IT Manager
[ ] E-mail address (redirect)
[ ] Delete or move home directory files
[ ] Delete computer passwords
[ ] Delete web mail access password

Recover company property
[ ] Office keys
[ ] Credit card
[ ] Cell phone/phone card
[ ] Beeper
[ ] Company documents and all copies
[ ] Computer disks
[ ] Computer books
[ ] Laptop
[ ] Company vehicle/keys

Discussion with employee
Ensure that the employee understands each of these areas of concern and how it applies to him or her.
[ ] Severance package
[ ] Benefits package(s)
[ ] Trade secrets and patents
[ ] Confidentiality
[ ] Home directory documents
[ ] Removal of company documents
[ ] Employment with competitors
[ ] Reference policy
[ ] Conduct exit interview

Termination
[ ] Inform Accounting
[ ] Time sheets completed
[ ] Vacation sheets completed
[ ] Record of Employment form
[ ] Final paycheck


ITC Systems

2017 Visitor Sign in Log


Date    Visitor's Name (Print)    Company    Visiting    Reason for Visit    Badge #    Time In    Time Out