Loom Systems is committed to provide physical integrity and security assurance of all confidential information relating to its clients. It will do this through the development and management of a coherent security culture, strong security awareness and approved physical and technical security programs.
It is the responsibility of the Loom Systems management team to assure the adequate protection and confidentiality of all company information, data and proprietary software systems, whether held centrally, on local storage media, or remotely, to ensure the continued availability of data and programs to all authorized members of staff, and to ensure the integrity of all data and configuration controls.
1.2 Summary of Main Security Policies.
- Building integrity is to be maintained through physical security measures, integrated intruder alarm systems, laid down procedures and effective key management protocols.
- Confidentiality of all data is to be maintained through discretionary and mandatory access controls.
- Internet and other external service access is restricted to authorized personnel only.
- Access to data on all laptop computers is to be secured through username and password, to provide confidentiality of data in the event of loss or theft of equipment.
- Only authorized software may be installed, and installation may only be performed by the System Administrator.
- The use of unauthorized software is prohibited. In the event of unauthorized software being discovered it will be removed from the workstation immediately.
- Workstation configurations may only be changed by the System Administrator.
- Access control to Loom Systems software will include a mixture or usernames and passwords.
2. INFORMATION SECURITY
2.1 Virus Protection
- The System Administrator will have available up-to-date (no longer than 72 hours) virus scanning software for the scanning and removal of suspected viruses.
- Company file-servers will be protected with virus scanning software.
- Workstations will be protected by virus scanning software.
- All workstation and server anti-virus software will be regularly updated with the latest anti-virus patches by the System Administrator.
- All demonstrations by vendors will be run on their machines and not on own systems unless cleared through System Administrator.
- New commercial software will be scanned before it is installed.
- All removable media brought in to the Loom Systems will be scanned by the System Administrator before they are used on site.
- The QM will verify that users will be kept informed of current procedures and policies and will sign to confirm they have read and understood new changes.
- Users will be notified of virus incidents.
- Employees will be accountable for any breaches of the Loom Systems’ anti-virus policies.
- Anti-virus policies and procedures will be reviewed regularly by the QM.
- In the event of a possible virus infection the user must inform the System Administrator immediately. The System Administrator will then scan the infected machine and any removable media or other workstations to which the virus may have spread and eradicate it.
- Users will only be given sufficient rights to all systems to enable them to perform their job function. User rights will be kept to a minimum at all times.
- Users requiring access to systems must make an application to the System Administrator.
- Head of Operations department will be responsible for determining end-user access rights to the data. The system administrator will approve applications requests by consulting with head of Operations department (and when the latter is absence, from the CTO).
- In some cases, customers will list specific users who can access their system. Head of Operations will approve access rights to these users only.
- Where possible no one person will have full rights to any system. The System Administrator will control network/server passwords and system passwords will be assigned by the System Administrator.
- Access to the network and systems will be by individual username and password. Each user will be assigned a separate email username and password.
- All users will have an alphanumeric password of at least 8 characters, containing the following types of characters: Upper case, Number and a Special Character.
- Intruder detection will be implemented where possible. The user account will be locked after 3 incorrect attempts.
- Usernames and passwords must not be shared by users.
- All users will have to change their password after initial login.
- All users will be prohibited to reuse their last 10 passwords
- Access to all cloud solutions will be through 2-factor authentication method, such as Google Mail, Github, AWS and Azure.
- Access to Loom Ops web-application will be only from pre-authorized devices, from an eligible IP address.
- Access to servers will be through Keys, not passwords.
- BYOD must join Google’s Mobile Device Management as part of GSuite.
- The System Administrator will be notified of all employees leaving the Organization’s employment. The System Administrator will then remove the employees’ rights to all systems.
- Network/server supervisor passwords and system supervisor passwords will be stored in a secure location in case of an emergency or disaster, for example within secure storage off site.
- The Quality Manager will perform annul reviews of access rights to data, applications and servers.
- Server Specific Security
This section applies to Windows, UNIX and Linux servers.
- The operating system will be kept up to date and patched on a regular basis.
- Servers will be checked daily for viruses.
- Physical servers will be locked in a secure room.
- Where appropriate the server console feature will be deactivated.
- Users possessing Admin/Administrator/root rights will be limited to trained members of the technical Department staff only.
- Use of the Admin/Administrator/root accounts will be kept to a minimum.
- Assigning security equivalences that give one user the same access rights as another user will be avoided where possible.
- User’s access to data and applications will be limited by the access control features.
- Users must logout or lock their workstations when they leave their workstation for any length of time.
- All unused workstations must be switched off outside working hours.
- All accounts will be assigned a password of a minimum of 8 characters.
- Unique passwords will be used.
If you have additional questions or need further clarification, please contact us by phone at +1(646)6933386 or by emailing us at firstname.lastname@example.org.