Information Security Policy

Purpose
The purpose of this Policy is to provide a security framework that will ensure the protection of DraftWise, Inc. (“DraftWise” or “we”) Company Information from unauthorized access, loss or damage. Information may be verbal, digital, and/or hardcopy, individually-controlled or shared, stand-alone or networked.

Scope
This Policy affects all employees, contractors, consultants, vendors and other service providers who currently work at DraftWise and who handle, manage, store or transmit DraftWise data. The company’s executive team is responsible for ensuring compliance with the Policy and for completing actions prescribed by the Policy. All employees of DraftWise are required to be aware of this Policy, their individual responsibilities when present and how to access the resources necessary to carry out their responsibilities.

Definitions
Authorization - the function of establishing an individual’s privilege levels to access and/or handle information;
Availability - ensuring that information is ready and suitable for use;
Confidentiality - ensuring that information is kept in strict privacy where necessary;
Integrity - ensuring the accuracy, completeness and consistency of information;
Unauthorized Access - looking up, reviewing, copying, modifying, deleting, analyzing, or handling information without proper authorization and legitimate business need; and
Company Information - information that DraftWise collects, possesses, or has access to, regardless of its source. This includes information contained in hard copy documents or other media, communicated over voice or data networks, or exchanged in conversation.

Policy

Classification Levels
All Company Information is classified into one of four levels based on its sensitivity and the risks associated with disclosure. The classification level determines the security protections that must be used for the information.
These classification levels are defined in the Data Classification Policy.

Protection, Handling and Classification of Information
Based on its classification, Company Information must be appropriately protected from unauthorized access, loss and damage.

Handling of Company Information from any source other than DraftWise may require compliance with both this policy and the requirements of the individual or entity that created, provided or controls the information. If concerns exist about the ability to comply with both applicable policies, notify and consult the executive team of DraftWise.

When deemed appropriate, the level of classification may be increased or additional security requirements imposed beyond what is required by the Information Security, Data Classification and Access Control Policies.

If you receive RED level information through any means other than official, approved channels, you must notify the executive team and assist them in any necessary investigation and response.

Individual Responsibilities
All DraftWise employees, contractors, representatives (when acting on behalf of the company) and any others granted access and use of Company Information are expected to:

Understand the data classification levels defined in the Data Classification Policy.

Understand the data retention durations defined in the Data Retention Policy.

As appropriate, classify the information for which one is responsible accordingly.

Access information only as needed to meet legitimate business needs.

Not divulge, copy, release, sell, loan, alter or destroy any Company Information without a valid business purpose and/or authorization.

Protect the confidentiality, integrity and availability of Company Information in a manner consistent with the information’s classification level and type.

Safeguard any accounts or tokens that permit access to Company Information.

Discard items containing Company Information in a manner consistent with the classification level, type and retention requirements. This includes any information in physical form, for storage or transfer purposes.

Policy Review
At a minimum, the Information Security Policy is reviewed every 12 months.