Security Policy
Effective: 2023-08-09
Introduction
The Cybersecurity and Data Protection Program (CDPP) provides definitive information on the prescribed measures used to establish and enforce the cybersecurity program at TalentSavvy.com LLC (TalentSavvy).
TalentSavvy is committed to protecting its employees, partners, clients and TalentSavvy from damaging acts that are intentional or unintentional. Effective security is a team effort involving the participation and support of every entity that interacts with TalentSavvy data and systems, applications and services. Therefore, it is the responsibility of both TalentSavvy personnel and third-parties to be aware of and adhere to TalentSavvy’s cybersecurity and data protection requirements.
Protecting TalentSavvy data and the systems that collect, process and maintain this data is of critical importance. Commensurate with risk, cybersecurity and privacy measures must be implemented to guard against unauthorized access to, alteration, disclosure or destruction of data and systems, applications and services. This also includes protection against accidental loss or destruction. The security of systems, applications and services must include controls and safeguards to offset possible threats, as well as controls to ensure confidentiality, integrity, availability and safety:
Confidentiality – This addresses preserving authorized restrictions on access and disclosure to authorized users and services, including means for protecting personal privacy and proprietary information.
Integrity – This addresses protecting against improper modification or destruction, including ensuring non-repudiation and authenticity.
Availability – This addresses timely, reliable access to data, systems and services for authorized users, services and processes.
Safety – This addresses reducing risk associated with technologies that could fail or be manipulated by nefarious actors to cause death, injury, illness, damage to or loss of equipment.
Secure Controls Framework (SCF) Structure
The CDPP takes its structure and nomenclature from the Secure Controls Framework (SCF). The CDPP contains the applicable policies that provide coverage for the NIST Cybersecurity Framework (NIST CSF) version 1.1.
Purpose
The purpose of the Cybersecurity and Data Protection Program (CDPP) is to prescribe a comprehensive framework for:
Creating an Information Security Management System (ISMS) in accordance with ISO 27001.
Protecting the confidentiality, integrity and availability of TalentSavvy data and information systems.
Protecting TalentSavvy, its employees and its clients from illicit use of TalentSavvy information systems and data.
Ensuring the effectiveness of security controls over data and information systems that support TalentSavvy’s operations.
Recognizing the highly networked nature of the current computing environment and providing effective company-wide management and oversight of the related information security risks.
Providing for development, review and maintenance of minimum security controls required to protect TalentSavvy’s data and information systems.
The formation of these cybersecurity policies is driven by many factors, the key factor being risk. These policies set the ground rules under which TalentSavvy operates and safeguards its data and systems, both to reduce risk and to minimize the effect of potential incidents.
These policies, including their related control objectives, standards, procedures and guidelines, are necessary to support the management of information risks in daily operations. The development of policies provides due care to ensure TalentSavvy users understand their day-to-day security responsibilities and the threats that could impact the company.
Scope & Applicability
These policies, standards and guidelines apply to all TalentSavvy data, systems, activities and assets owned, leased, controlled or used by TalentSavvy, its agents, contractors or other business partners on behalf of TalentSavvy. These policies, standards and guidelines apply to all TalentSavvy employees, contractors, sub-contractors and their respective facilities supporting TalentSavvy business operations, wherever TalentSavvy data is stored or processed, including any third-party contracted by TalentSavvy to handle, process, transmit, store or dispose of TalentSavvy data.
Some standards apply specifically to persons with a specific job function (e.g., a System Administrator); otherwise, all personnel supporting TalentSavvy business functions shall comply with the standards. TalentSavvy departments shall use these standards or may create a more restrictive standard, but none that are less restrictive, less comprehensive or less compliant than these standards.
These policies do not supersede any other applicable law or higher-level company directive or existing labor management agreement in effect as of the effective date of this policy.
TalentSavvy's documented roles and responsibilities provide a detailed description of TalentSavvy user roles and responsibilities with regard to cybersecurity-related use obligations.
TalentSavvy reserves the right to revoke, change or supplement these policies, standards and guidelines at any time without prior notice. Such changes shall be effective immediately upon approval by management unless otherwise stated.
Policy Overview
To ensure an acceptable level of cybersecurity risk, TalentSavvy is required to design, implement and maintain a coherent set of policies, standards, procedures and guidelines to manage risks to its data and systems.
The CDPP addresses the policies, standards and guidelines. Data / process owners, in conjunction with asset custodians, are responsible for creating, implementing and updating operational procedures to comply with CDPP requirements.
TalentSavvy users must protect and ensure the Confidentiality, Integrity, Availability and Safety (CIAS) of data and systems, regardless of how that data is created, distributed or stored;
Security controls will be tailored so that cost-effective controls can be applied commensurate with the risk and sensitivity of the data and system; and
Security controls must be designed and maintained to ensure compliance with all legal requirements.
Violations of Policies, Standards and/or Procedures
Any TalentSavvy user found to have violated any policy, standard or procedure may be subject to disciplinary action, up to and including termination of employment. Violators of local, state, Federal and / or international law may be reported to the appropriate law enforcement agency for civil and / or criminal prosecution.
Exception To Standards
While every exception to a standard potentially weakens protection mechanisms for TalentSavvy systems and underlying data, occasionally exceptions will exist. When requesting an exception, users must submit a business justification for deviation from the standard in question.
Updates To Policies & Standards
Updates to the Cybersecurity and Data Protection Program (CDPP) will be announced to employees via management updates or email announcements. Changes will be noted in the Record of Changes section to highlight the pertinent changes from the previous policies, procedures, standards and guidelines.
Key Terminology
In the realm of cybersecurity terminology, the National Institute of Standards and Technology (NIST) IR 7298, Glossary of Key Information Security Terms, is the primary reference document that TalentSavvy uses to define common cybersecurity terms. Key terminology to be aware of includes:
Adequate Security: A term describing protective measures that are commensurate with the consequences and probability of loss, misuse or unauthorized access to or modification of information.
Asset: A term describing any data, device, application, service or other component of the environment that supports information-related activities. An asset is a resource with economic value that TalentSavvy owns or controls.
Asset Custodian: A term describing a person or entity with the responsibility to assure that the assets are properly maintained, are used for the purposes intended and that information regarding the equipment is properly documented.
Cloud Computing: A term describing a technology infrastructure model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. It also includes commercial offerings for Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS).
Control: A term describing any management, operational or technical method that is used to manage risk. Controls are designed to monitor and measure specific aspects of standards to help TalentSavvy accomplish stated goals or objectives. All controls map to standards, but not all standards map to Controls.
Control Objective: A term describing targets or desired conditions to be met that are designed to ensure that policy intent is met. Where applicable, Control Objectives are directly linked to an industry-recognized leading practice to align TalentSavvy with accepted due diligence and due care requirements.
Cybersecurity / Information Security: A term that covers the protection of information against unauthorized disclosure, transfer, modification or destruction, whether accidental or intentional. The focus is on the Confidentiality, Integrity, Availability and Safety (CIAS) of data.
Data: A term describing an information resource that is maintained in electronic or digital format. Data may be accessed, searched or retrieved via electronic networks or other electronic data processing technologies. Annex 1: Data Classification & Handling Guidelines provides guidance on data classification and handling restrictions.
Data Controller: A term describing the privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing Personal Data (PD), other than natural persons who use data for personal purposes.
Data Principal: A term describing the natural person to whom the Personal Data (PD) relates.
Data Processor: A term describing the privacy stakeholder that processes Personal Data (PD) on behalf of, and in accordance with the instructions of, a Data Controller.
Encryption: A term describing the conversion of data from its original form to a form that can only be read by someone who holds the key needed to reverse the encryption process. The purpose of encryption is to prevent unauthorized disclosure of data; on its own it does not guarantee the integrity or authenticity of that data, which must be provided by separate controls.
Guidelines: A term describing recommended practices that are based on industry-recognized leading practices. Unlike Standards, Guidelines allow users to apply discretion or leeway in their interpretation, implementation or use.
Information Assurance: A term that covers the protection of information against unauthorized disclosure, transfer, modification or destruction, whether accidental or intentional. The focus is on the Confidentiality, Integrity, Availability and Safety (CIAS) of data.
Information Technology (IT): A term that includes computers, ancillary equipment (including imaging peripherals, input, output and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services) and related resources.
Least Privilege: A term describing the principle of restricting access by granting users or processes only the minimum set of privileges necessary to complete a specific job or function, for no longer than that function requires.
Personal Data / Personal Information (PD): A term describing any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Policy: A term describing a formally established requirement to guide decisions and achieve rational outcomes. Essentially, a policy is a statement of expectation that is enforced by standards and further implemented by procedures.
Procedure: A term describing an established or official way of doing something, based on a series of actions conducted in a certain order or manner. Procedures are the responsibility of the asset custodian to build and maintain, in support of standards and policies.
Process Owner / Data Owner: A term describing a person or entity that has been given formal responsibility for the security of an asset, asset category, process or the data hosted on the asset or process. It does not mean that the asset belongs to the owner in a legal sense. Data / process owners are formally responsible for making sure that assets are secure while they are being developed, produced, maintained and used.
Sensitive Data: A term that covers categories of data that must be kept secure. Examples of sensitive/regulated data include sensitive Personal Data (sPD), Electronic Protected Health Information (ePHI) and all other forms of data classified as Restricted or Confidential in Annex 1: Data Classification & Handling Guidelines.
Sensitive Personal Data (sPD) / Sensitive Personal Information (sPI): A term describing personal data revealing:
The first name or first initial and last name, in combination with any one or more of the following data elements:
    Social Security Number (SSN) / Taxpayer Identification Number (TIN) / National Identification Number (NIN);
    Driver License (DL) or another government-issued identification number (e.g., passport, permanent resident card, etc.);
    Financial account number; or
    Payment card number (e.g., credit or debit card);
Racial or ethnic origin;
Political opinions;
Religious or philosophical beliefs;
Trade-union membership;
Physical or mental health;
Sex life and sexual orientation;
Genetic data; and / or
Biometric data.
Standard: A term describing formally established requirements in regard to processes, actions and configurations.
System: A term describing an asset; a system or network that can be defined, scoped and managed. Includes, but is not limited to, computers, workstations, laptops, servers, routers, switches, firewalls and mobile devices.
Target Audience: A term describing the intended group for which a control or standard is directed.
Cybersecurity & Data Protection Program Structure
Management Direction for Cybersecurity & Data Protection
The objective is to provide management direction and support for cybersecurity and data protection in accordance with business requirements and relevant laws and regulations.
An Information Security Management System (ISMS) focuses on cybersecurity management and technology-related risks. The governing principle behind TalentSavvy’s ISMS is that, as with all management processes, the ISMS must remain effective and efficient in the long-term, adapting to changes in the internal organization and external environment.
In accordance with leading practices, TalentSavvy's ISMS incorporates the typical "Plan-Do-Check-Act" (PDCA), or Deming Cycle, approach:
Plan: This phase involves designing the ISMS, assessing IT-related risks and selecting appropriate controls.
Do: This phase involves implementing and operating the appropriate security controls.
Check: This phase involves reviewing and evaluating the performance (efficiency and effectiveness) of the ISMS.
Act: This involves making changes, where necessary, to bring the ISMS back to optimal performance.
Policies, Controls, Standards, Procedures & Guidelines Structure
TalentSavvy's cybersecurity and data protection documentation consists of five (5) core components:
Policies are established by the organization's corporate leadership and state "management's intent" for the cybersecurity and data protection requirements that are necessary to support the organization's overall strategy and mission;
Control Objectives identify the technical, administrative and physical protections that are generally tied to a law, regulation, industry framework or contractual obligation;
Standards provide organization-specific, quantifiable requirements for cybersecurity and data protection;
Procedures (also known as Control Activities) establish the defined practices or steps that are performed to implement standards and satisfy controls / control objectives; and
Guidelines are additional guidance that is recommended, but not mandatory.