ESPY Information Security Policy
1. Purpose
The purpose of this policy is to establish ESPY’s approach to safeguarding information assets and protecting sensitive data from unauthorized access, misuse, and disclosure. This policy supports ESPY’s mission to ensure high standards of data privacy, security, and integrity in all operations.
2. Scope
This policy applies to:
All ESPY employees, contractors, and third-party vendors.
All devices, systems, and applications that process or store ESPY data.
Data in all forms, including digital, paper, and verbal.
3. Information Security Objectives
ESPY’s security objectives include:
Data Confidentiality: Ensuring that sensitive information is only accessible to authorized individuals.
Data Integrity: Maintaining accurate and complete data throughout its lifecycle.
Data Availability: Ensuring reliable access to data and systems whenever authorized users need them.
Compliance: Adhering to relevant legal, regulatory, and contractual security requirements.
4. Roles and Responsibilities
Information Security Officer (ISO): Responsible for implementing, reviewing, and updating security practices. Coordinates responses to security incidents and audits.
Department Heads: Ensure employees within their departments follow security protocols and participate in security training.
Employees and Contractors: Responsible for complying with security policies, reporting incidents, and participating in security training.
5. Access Control
User Authentication: All systems must authenticate users before granting access. Multi-factor authentication is required for access to confidential or restricted data, for administrative and privileged accounts, and for remote access.
Password Management: Passwords must meet minimum length and complexity requirements, must not be reused across systems, must never be shared, and must be changed immediately when compromise is suspected. Where periodic expiry is enforced, it does not replace screening of new passwords against known-breached password lists and multi-factor authentication; current NIST SP 800-63B guidance favors these controls over routine expiry.
Access Reviews: Conduct periodic reviews to confirm that access permissions match current job roles and responsibilities, and remove access promptly when a person leaves ESPY or changes role.
6. Data Classification and Handling
Classification Levels:
Public: Data that can be freely shared.
Internal: Data intended for ESPY use only.
Confidential: Sensitive data restricted to specific employees.
Restricted: Highly sensitive data with strict access controls.
Data Handling: Confidential and restricted data must be encrypted at rest and in transit and shared only on a need-to-know basis. Physical and digital protections are required for data classified as confidential or restricted.
7. Data Encryption
Encryption Standards: Encrypt data at rest with AES-256 or stronger, using an authenticated mode (for example AES-256-GCM) so that tampering with stored data is detected; protect data in transit with TLS 1.2 or later.
Encryption Keys: Keys must be stored securely, separately from the data they protect (for example in a managed key store or hardware security module), and rotated periodically. Each ciphertext must record which key version it was encrypted with so that rotation does not make existing data unreadable.
File-Level Encryption: Required for sensitive documents, especially when shared externally, so that the document remains protected independently of the channel used to send it.
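As an added worked example (not part of the ESPY policy itself), the following Go program shows one way to satisfy the encryption standard, key rotation and file-level requirements together. It seals a document with AES-256-GCM, writes the key version into a header that is authenticated along with the ciphertext (so a forged key version or nonce fails the tag check rather than decrypting under the wrong key), and keeps retired keys in a key ring so that rotation never strands old files; a rekey step moves old ciphertexts onto the current key so retired keys can eventually be destroyed. The key ring, header layout and function names are illustrative assumptions; in a real deployment the keys would live in an HSM or managed key store rather than in process memory, and the sample document is constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// KeyRing holds AES-256 keys indexed by version. Current is used for new
// encryptions; older versions are kept only so existing ciphertexts can be
// decrypted (and re-encrypted) after a rotation. (Illustrative in-memory ring;
// production keys belong in a key store or HSM.)
type KeyRing struct {
	Keys    map[uint32][]byte
	Current uint32
}

// Header prepended to every ciphertext, all big-endian:
//   1 byte   format version (0x01)
//   4 bytes  key version
//   12 bytes GCM nonce
const (
	formatVersion = 0x01
	nonceSize     = 12
	headerSize    = 1 + 4 + nonceSize
)

// NewKeyRing creates a ring whose first key (version 1) is freshly generated.
func NewKeyRing() (*KeyRing, error) {
	kr := &KeyRing{Keys: map[uint32][]byte{}}
	if _, err := kr.Rotate(); err != nil {
		return nil, err
	}
	return kr, nil
}

// Rotate generates a new 256-bit key, registers it under the next version
// number and makes it current. Old keys stay readable until retired.
func (kr *KeyRing) Rotate() (uint32, error) {
	key := make([]byte, 32) // 32 bytes selects AES-256 in aes.NewCipher
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return 0, err
	}
	kr.Current++
	kr.Keys[kr.Current] = key
	return kr.Current, nil
}

func (kr *KeyRing) aead(version uint32) (cipher.AEAD, error) {
	key, ok := kr.Keys[version]
	if !ok {
		return nil, fmt.Errorf("unknown key version %d", version)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the current key. The header is passed as
// additional authenticated data, so a modified key version or nonce fails
// authentication instead of silently decrypting with the wrong key.
func (kr *KeyRing) Encrypt(plaintext []byte) ([]byte, error) {
	gcm, err := kr.aead(kr.Current)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, headerSize)
	hdr[0] = formatVersion
	binary.BigEndian.PutUint32(hdr[1:5], kr.Current)
	if _, err := io.ReadFull(rand.Reader, hdr[5:]); err != nil { // fresh nonce per file
		return nil, err
	}
	ct := gcm.Seal(nil, hdr[5:], plaintext, hdr)
	return append(hdr, ct...), nil
}

// Decrypt reads the key version from the header, selects that key and
// verifies the GCM tag before returning any plaintext.
func (kr *KeyRing) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < headerSize || blob[0] != formatVersion {
		return nil, errors.New("malformed ciphertext header")
	}
	hdr := blob[:headerSize]
	gcm, err := kr.aead(binary.BigEndian.Uint32(hdr[1:5]))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, hdr[5:], blob[headerSize:], hdr)
}

// KeyVersion reports which key version a blob was sealed with.
func KeyVersion(blob []byte) (uint32, error) {
	if len(blob) < headerSize {
		return 0, errors.New("malformed ciphertext header")
	}
	return binary.BigEndian.Uint32(blob[1:5]), nil
}

// Rekey re-encrypts a blob under the current key if it was sealed with an
// older version; running this over stored files is what lets old keys retire.
func (kr *KeyRing) Rekey(blob []byte) ([]byte, error) {
	if v, err := KeyVersion(blob); err == nil && v == kr.Current {
		return blob, nil
	}
	pt, err := kr.Decrypt(blob)
	if err != nil {
		return nil, err
	}
	return kr.Encrypt(pt)
}

func main() {
	kr, _ := NewKeyRing()
	blob, _ := kr.Encrypt([]byte("Confidential: Q3 vendor assessment (constructed sample)"))
	kr.Rotate() // policy-driven rotation; version 1 stays in the ring
	pt, _ := kr.Decrypt(blob)
	fmt.Printf("sealed under v1, still readable after rotation: %s\n", pt)
	re, _ := kr.Rekey(blob)
	v, _ := KeyVersion(re)
	fmt.Printf("re-encrypted under key version %d\n", v)
}
```

Two design points carry over to any real implementation: the key version travels inside the authenticated header, never in a side channel that could be edited independently, and a rotation is not complete until stored ciphertexts have been rekeyed and the old key version removed from the ring.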
8. Incident Response Plan
Incident Detection and Reporting: Employees must report suspicious activities, data breaches, or vulnerabilities immediately to the Information Security Officer.
Response Stages:
Identification: Assess and verify the incident.
Containment: Isolate affected systems to prevent further impact.
Eradication: Remove threats and vulnerabilities.
Recovery: Restore normal operations, ensuring no compromise remains.
Review: Document the incident and conduct a post-incident review.
Communication: Inform affected parties and stakeholders, and document findings for regulatory compliance.
9. Security Awareness and Training
Mandatory Training: New employees must complete security awareness training within the first month of employment.
Ongoing Training: All staff must participate in annual security refreshers on data handling, phishing, malware prevention, and privacy standards.
Simulated Attacks: Regular phishing simulations and social engineering drills to enhance awareness.
10. Physical Security
Facility Access Control: Implement badge-based or biometric access for ESPY offices and critical facilities.
Workstation Security: Employees must lock their screens when away from workstations and report any suspicious activity.
Visitor Management: Maintain a log of visitors, who must be escorted in secure areas.
11. Network and System Security
Firewalls and Intrusion Detection: Use firewalls and IDS/IPS on all network entry points.
Patch Management: Apply security patches and updates to all software and operating systems within a defined timeframe based on severity, prioritizing vulnerabilities known to be actively exploited.
Logging and Monitoring: Continuously monitor network and system activities to detect and respond to threats.
12. Vendor and Third-Party Management
Vendor Assessments: Perform due diligence on third-party vendors to ensure they meet ESPY’s security standards.
Data Sharing: Limit the data shared with vendors and ensure it’s transferred securely.
Regular Audits: Conduct periodic audits of vendors to verify compliance with ESPY’s data protection requirements.
13. Data Backup and Recovery
Backup Frequency: Perform daily backups for critical systems and weekly backups for other data.
Backup Storage: Store encrypted backups in secure, geographically separated locations, with at least one copy that cannot be altered or deleted using production credentials, so that a compromise of the production environment cannot also destroy the backups.
Disaster Recovery Testing: Conduct recovery tests twice a year to verify that data can be restored completely and within the required time.
14. Compliance and Monitoring
Audit Log Maintenance: Ensure audit logs for all critical systems are maintained, retained for a defined period, and protected from unauthorized access and modification.
Internal and External Audits: Perform regular internal reviews and annual external audits to ensure policy compliance.
Policy Review: The Information Security Officer should review this policy annually to adapt to new threats or business changes.
15. Policy Review and Updates
This policy will be reviewed and updated annually or whenever significant changes occur in ESPY’s technology, legal, or regulatory landscape. All employees are responsible for adhering to the most current version of the policy.
16. Non-Compliance
Disciplinary Action: Non-compliance with this policy may result in disciplinary actions, up to and including termination of employment or contract.
Reporting Channels: Employees may report security concerns anonymously, if preferred, through ESPY’s compliance hotline or directly to the Information Security Officer.
17. Appendix: Security Policy Definitions
Confidentiality: The requirement to keep sensitive information from being disclosed to unauthorized parties.
Integrity: Ensuring that data remains accurate and unaltered.
Availability: Ensuring that data and systems are accessible to authorized users when needed.
Encryption: A method of protecting data by transforming it into ciphertext that can be read only by someone holding the corresponding key.