Mersomo LLC Cyber Security Policy
Updated 30th March 2020
This cyber security policy is for our employees, vendors and partners to refer to when they need advice and guidelines related to cyber law and cyber crime. Having this cyber security policy we are trying to protect Mersomo's data and technology infrastructure.
This policy applies to all of Mersomo's employees, contractors, volunteers, vendors and anyone else who may have any type of access to Mersomo's systems, software and hardware.
Examples of Confidential Data
Some of the common examples of confidential data include:
- Classified financial information
- Customer data
- Data about partners
- Data about vendors
- Patents, formulas or new technologies
Device Security- Using personal devices
Logging in to any of company's accounts for personal devices such as mobile phones, tablets or laptops, can put our company's data at risk. Mersomo does not recommend accessing any client's data from personal devices. If so is inevitable, employees are obligated to keep their devices in a safe place, not exposed to anyone else.
We recommend employees to follow these best practices:
- Keep all electronic devices' password secured and protected
- Logging into company's accounts should be done only through safe networks
- Install security updates on a regular basis
- Upgrade antivirus software on a regular basis
- Don't ever leave your devices unprotected and exposed
- Lock your computers when leaving the desk
Emails can carry scams or malevolent software (for example worms, bugs etc.). In order to avoid virus infection or data theft, our policy is always to inform employees to:
- Abstain from opening attachments or clicking any links in the situations when its content is not well explained
- Make sure to always check email addresses and names of senders.
- Search for inconsistencies
- Be careful with clickbait titles (for example offering prizes, advice, etc.)
- All online class information sent via e-mail to a non-mersomo e-mail address (@mersomo.com) must be encrypted by typing the word “Encrypt” in the subject line. Never include confidential or individually identifiable information in the subject line of an e-mail. The subject line is not encrypted.
- Do not open suspicious attachments to e-mails, they may contain viruses or malware intended to steal confidential information or password credentials. Do not download or install software permission from Mersomo Security Officer
In case that an employee is not sure if the email received, or any type of data is safe, they can always contact our IT specialist.
To ensure avoiding that your company account password gets hacked, use these best practices for setting up passwords:
- At least 8 characters (must contain capital and lower-case letters, numbers and symbols)
- Do not write down password and leave it unprotected
- Do not exchange credentials when not requested or approved by supervisor
- Change passwords every [x] month
Data transfer is one of the most common ways cybercrimes happen. Follow these best practices when transferring data:
- Avoid transferring personal data such as customer and employee confidential data
- Adhere to personal data protection law
- Data can only be shared over company's network
Even when working remotely, all the cyber security policies and procedures must be followed.
When best practices and company's policy are not followed, disciplinary actions take place.
Some of the examples of disciplinary actions include:
- In case of breaches that are intentional or repeated, and are harmful to our company, [company name] will take serious actions including termination
- Depending on how serious the breach is, there will be [x number] of warnings
- Each incident will be evaluated
- Each case and incidence will be assessed on a case-by-case basis
- Everyone who disregards company's policies will face progressive discipline.
Never discuss a client (even the existence of a client) with anyone outside of any assigned online class taking or customer support team.
Ensure your computer automatically locks after a period of time that the computer has not been in use. Follow the Security Policy regarding this.
Safeguard the placement of laptops, computers and printers to limit potential access by unauthorized users. Retrieve documents from printers and faxes right away.
Verify the identity of anyone requesting confidential information. If discussing Online Class over the phone ensure you recognize the client’s voice or you ask identifying questions that the client would know
You must be completely familiar with all policies pertaining to storage of confidential information prior to accessing any online class. Do not store any confidential information on personal devices.
Ensure all confidential information in paper form is in your control or is locked in a secure location where it can be accessed only by authorized users. Dispose of confidential paperwork by shredding or placing them in locked confidential recycle bins.
All electronic communication should include a confidentiality statement.
You must ensure that any online class info transmitted electronically (e-mail, Fax, voicemail) is appropriately protected, (only leave a call back message on voicemail), and you should double-check the addressee before sending a fax or e-mail. This is one of the most common reasons for a breach.
Be aware of your surroundings when having conversations involving confidential information. Do not have confidential conversations in hallways or break-rooms. If possible, take your conversation to a confidential area/space. Remember an overheard conversation can still be a breach.
Always report suspected or actual violations of policy or law that involve compliance, privacy or security. Reporting is not only required, if known, but is simply the right thing to do for all of us.