We take information security very seriously and we see ourselves as being under a duty to be constantly informed on state-of-the-art IT security technologies. Information security is for us the natural extension of our duty of confidentiality.
Access to offices and work areas is restricted to staff through reasonable physical security measures. Keys or access cards issued to former staff or contractors are retrieved or deactivated. Network file servers and consoles are reasonably secured, with access limited to authorized staff. Network and mainframe backup storage media are catalogued and stored in a locked fireproof safe.
Boot-up and hard drive password protection software is installed and enabled on all personal computers. Users may not share passwords. All desktop computers have screensaver password protection software installed and enabled. Such protection is triggered automatically after no more than ten minutes of inactivity, and users are not permitted to disable the function. User IDs and passwords are not hard-coded into laptop computers used for remote dial-in, nor are they documented in any manner. Personal computer hard drives and disks are erased, not merely reformatted, prior to disposal.
A formal process is required to assign and approve user IDs and separate passwords for network access, electronic mail (e-mail) and dial-in access. Passwords expire periodically and contain a minimum of six characters that are not easily guessed. Users are locked out of networks after three unsuccessful logon attempts, and such lock-outs are monitored and investigated. Guest and temporary IDs are not used, and users may not share IDs or passwords. Inactive user IDs are disabled. IDs of terminated users are deleted within twelve hours. Network system parameters are set to enforce the standards for password length and expiration, and allow only one concurrent logon connection. Access to local area networks from value-added networks and the Internet is prevented through the use of properly configured firewalls. Anti-virus software is installed on network servers and configured to identify and destroy viruses automatically.
Documents involving confidential, proprietary or non-public client matters are stored in locked cabinets or rooms accessible only to authorized users. They are never left unattended in open view. Such documents are photocopied only in-house, by authorized individuals under appropriate supervision. Staff are prohibited from transporting such documents or working with them in public places.
Electronic mail (e-mail)
E-mail communications bear a conspicuous legend indicating any applicable privileges. E-mail messages received from a client are not forwarded or edited without prior permission from the sender.
Use of facsimiles is strongly discouraged; documents are scanned and e-mailed instead. In the event the use of a facsimile becomes necessary, the sender of a facsimile containing confidential information notifies the intended recipient by telephone prior to transmission and verbally confirms receipt. Appropriate measures are taken to retrieve misdelivered facsimiles. Facsimile cover sheets always contain language advising unintended recipients that the message is private; that use, copying or dissemination of the information is prohibited by law; and that the sender must be notified if the message is received in error. Facsimile transmissions are always “person-to-person”; confidential information is never transmitted to a shared facility where it may be viewed by an unauthorized person.
Because cellular telephone transmissions are susceptible to interception, cellular telephones are not used for highly confidential communications unless the security of the network has been verified.