Information Security Policy

Top Management at ACADACA LLC. understands the information security needs and expectations of its interested parties both within the organization and from external parties including, amongst others, clients, suppliers, regulatory and Governmental departments. The organization has recognised that the disciplines of confidentiality, integrity, and availability of information in Information Security Management are integral parts of its management function and view these as their primary responsibility and fundamental to best business practice. To this end ACADACA LLC. has produced this Information Security Policy aligned to the requirements of ISO/IEC 27001 to ensure that the organization:

• Complies to all applicable laws and regulations and contractual obligations.
• Implements Information Security Objectives that consider information security requirements following the results of applicable risk assessments.
• Communicates these Objectives and performance against them to all interested parties.
• Adopts an Information Security Management System comprising a Security Manual and Procedures which provide direction and guidance on information security matters relating to employees, customers, suppliers, and other interested parties who come into contact with its work.
• Works closely with customers, business partners and suppliers in seeking to establish appropriate information security standards.
• Adopts a forward-thinking approach on future business decisions, including the continual review of risk evaluation criteria, which may impact on information security.
• Instructs all members of staff in the needs and responsibilities of Information Security Management.
• Constantly strives to meet, and where possible exceed, its customer’s expectations.
• Implements continual improvement initiatives, including risk assessment and risk treatment strategies, while making best use of its management resources to better meet information security requirements.

Responsibility for upholding this policy is truly company-wide under the authority of the Founder & CEO Jason Feingold who encourages the personal commitment of all staff to address information security as part of their skills.

Information Security Policy 

Providing our clients with excellence in e-commerce includes protecting their information.

Executive Summary

The Information Security Handbook for Employees establishes the organizational information security policy for the employees of Acadaca. Acadaca is committed to creating and maintaining business risk at an appropriate level and an environment that protects Acadaca information and information resources from accidental or intentional unauthorized use, modification, disclosure, or destruction. Adherence to information security policies will help safeguard the confidentiality, integrity, and availability of Acadaca information, and will protect the interests of Acadaca, its customers, personnel, and business partners.

Purpose

The intent of the Information Security Handbook for Employees is to:

• Establish an information security policy management and governance structure applicable across Acadaca.
• Acquaint employees and external business employees with the requirements for protecting Acadaca information resources.
• Protect customer and employee information from unauthorized use, disclosure, modification, or destruction.
• Comply with applicable regulatory requirements.
• Clarify employee and external business associate responsibilities and duties with respect to the protection of information resources.
• Standardize security controls across the enterprise and coordinate security efforts throughout Acadaca.
• Enable employees to make information security conscious decisions in accordance with the approved information security policies.

Scope

The policies and guidelines contained in this handbook are the foundation of the Information Security Program and together with other policies define requirements for the user community and granted access privileges to Acadaca information systems, computer networks, facilities, and information.

Within the context of these policies, information refers to all information processed, stored, used, or transmitted in any medium or form within the Acadaca environment. Information resources include, but are not limited to: Acadaca's network, computers, workstations, software, hardware, Internet/Intranet, electronic messaging systems (email), fax machines, palm devices, voice mail, telephones, pagers, and cellular phones.

Applicability

Information security is the individual and collective responsibility of all Acadaca personnel, business partners, and other authorized employees. For this reason, the policies and guidelines in the Information Security Handbook for Employees apply to all executives, officers, employees, contractors, part-time workers, consultants, service providers, and those employed by others to work for Acadaca, or who have been granted access and are users of Acadaca information assets and supporting technology resources. Therefore, all employees are responsible for:

• Understanding and complying with the Information Security Handbook, as well as, procedures, standards, and guidelines relevant to their job function.
• Using information resources for authorized business purposes in accordance with the Acceptable Use policy and guidelines.
• Reporting situations that could cause a potential security incident to the System Support area.
• Paying attention to unexplained system behavior and unsolicited requests for information.
• Watching for inappropriate conduct from employees and visitors.
• Complying with the information security procedures specified by the business area.

Governance and Policy Management Framework

The Information Security Handbook for Employees is a condensed version of our policies regarding information security. It is based on standards applicable to our business, clients, service providers, and our industry. As an employee, you may be required to delve deeper into some of these policies depending on your job function or role at Acadaca.

Managing the Information Security Handbook for Employees to ensure that it addresses all security issues adequately and is up-to-date with business issues and new technologies is critical. This handbook is an evolving document that will be reviewed at least annually. If there is a major change during the year, a revision will be issued and posted.

Compliance

Compliance with the security provisions described in this booklet is the responsibility of all employees. Noncompliance with information security policies, procedures, standards, and guidelines poses a significant risk to the protection of Acadaca’s information and information resources.

Failure to comply with the policies and guidelines articulated in this handbook can result in disciplinary actions such as termination of employment, termination of contracts with consultants, vendors, and other entities. In addition, legal actions may be taken if applicable regulations and laws are violated.

Acceptable Use

Acadaca’s information resources are primarily for business-related purposes. It is a privilege that can be taken away at any time when used inappropriately. All Acadaca’s information resources must be explicitly approved by management for use and adhere to organizational policies. Employees’ use of Acadaca information resources must meet the following criteria:

• Employees must use Acadaca information resources primarily for business-related purposes.
• Employees must use Acadaca information resources in a professional, ethical, and lawful manner.
• Employees must not introduce offensive materials into the work environment.
• Acadaca business assets, including information resources, must not be used for personal gain.
• Software cannot be introduced into Acadaca’s environment unless it is both properly licensed and authorized for use.
• Employees must not connect non-Acadaca hardware to the Acadaca network.
• Acadaca employees must protect the intellectual property rights of others.

Acadaca reserves the right to monitor employee behavior for compliance and access, and review any aspects of its information and information resources.

The following are examples of unacceptable uses for Acadaca IT resources:

• Divulging or making unauthorized copies of Acadaca corporate data, or data owned by its clients, vendors, and business partners to unauthorized third parties.
• Using information resources to conduct the operations of a business other than Acadaca business (e.g., selling products or services, running a multi-level marketing business, etc.).
• Gambling in any form including Internet casino gambling.
• Accessing, storing, or transmitting offensive material including (but not limited to) sexually explicit, racially antagonistic, gender antagonistic, ethnically antagonistic, harassing, or violent material.
• Sending or forwarding chain mail, known hoax information, rumour, or information detrimental to the reputation of Acadaca, an individual, group, or any organization.
• Spending excessive amounts of time, as determined by the respective department or staff manager, on the Internet.
• Excessive use of the Internet for non-business purposes.

As a guideline, employees should consider whether they would be willing to conduct the activity in the presence of their manager. For example, writing a letter to a relative using your Acadaca computer during your lunch break is probably acceptable. However, composing a newsletter to your international sports car owner’s organization and printing 550 copies is not.

Privacy

Given that all Acadaca information technology (IT) resources are provided solely for the conduct of Acadaca business, all information produced by, stored on, and transmitted through Acadaca IT resources is the property of Acadaca. Users of Acadaca IT resources shall have no expectation of privacy while using Acadaca IT resources and as such Acadaca may, but is not required to, monitor, record, or trace any activity on these systems, with or without notification. Furthermore, Acadaca may use any tools, automated or manual, deemed appropriate to accomplish this monitoring.

When using Acadaca IT resources to send and receive correspondence, exchange, store and/or process information, or utilise resources available on the Internet, all users hereby waive their right to privacy.

Users should never consider any electronic communications secure unless encrypted.

In addition, Acadaca reserves the right to monitor their office space to ensure the safety of their employees and security of their IT resources. Employees at Acadaca shall have no expectation of privacy while in Acadaca’s office and as such Acadaca may, but is not required to, monitor or record any activity within the office, with or without notification. Furthermore, Acadaca may use any tools, automated or manual, deemed appropriate to accomplish this monitoring.

Likewise, when personal information is supplied to Acadaca, they have the legal obligation towards the employee and, or customers to ensure that this information is kept private and is secured. Acadaca is committed to protecting the privacy and accuracy of confidential information to the extent possible, subject to provisions of state and federal laws.

User Authentication and Password Management

All users are provisioned a unique user identification code (User ID or account) on their start date. User IDs will usually consist of a person's first name (and their last initial in the event that a second non-unique ID is produced). All users are required to authenticate themselves via an automated access control system, provided on all system components, when accessing Acadaca resources. User authentication is accomplished via the use of passwords. For every account provisioned, users are set with an initial password. Initial passwords shall only be valid until the first successful user authentication and must be changed by the user after first use.

Passwords are an important aspect of our information security program. They help authenticate a user and protect information resources against unauthorized access. Weak passwords may result in the compromise of critical Acadaca resources. As such, employees are responsible for taking the appropriate steps to select and secure their passwords. The guidelines are as follows:

• All passwords are to be at least seven (7) characters in length.
• All passwords should include both alphabetic and numeric characters.
• Passwords should not include any pronounceable words in any language.
• Consider using a mixture of upper and lowercase letters.
• Consider including special characters.
• Consider using a pronounceable word as the base and replace each vowel with a special character or number.
  
  • For example, base word = stupendous, password = 5tup3nd0u5.
  • Consider starting with a phrase you can easily remember (Oh, Say Can You See, By the Dawn’s Early Light), and replace each vowel with a special character and mix the case (0sCySbTd3l).
• Group and shared passwords are explicitly prohibited at Acadaca.
• Passwords will be set to expire at least once every ninety (90) days.
• Passwords should not be the same as the four (4) previously used passwords. V1.2 Information Security.

Electronic Mail Use

To help you do your job, Acadaca provides every employee with an Acadaca email. It is important that we protect the public image of Acadaca even in this regard - when email goes out from Acadaca, the general public will tend to view that message as an official policy statement from Acadaca.

Acadaca email is intended to be used exclusively for business purposes by employees and other authorized individuals. All email messages are the sole property of Acadaca, regardless of their form, and may be monitored at any time by a supervisor or other authorized individual, and should not be presumed to be private.

Misuse of Acadaca’s electronic message communication systems is prohibited and may result in corrective action up to and including job termination. Misuse includes but is not limited to:

• Accessing or distributing pornographic or otherwise distasteful information.
• Accessing or distributing materials containing offensive language, vulgarities, obscenities, sexually explicit language, derogatory and defamatory remarks, or discriminatory or harassing statements.
• Accessing or distributing confidential employee, customer, or business information for non-work-related purposes.
• Sending chain letters.
• Sending copies of documents in violation of copyright laws.
• Accessing or attempting to access another employee’s email without the written consent of authorized company personnel.
• Conducting excessive personal business.
• Use or misuse resulting in violation of a law.
• Unauthorized intentional destruction or modification of data records.

We work hard to maintain a workplace environment that is free from harassment and sensitive to the diversity of our employees. For this reason, we do not allow the use of email in ways that are disruptive or are offensive to others.

In addition, employees should watch out for phishing emails and links. Phishing is an attempt to acquire sensitive information for malicious reasons by a seemingly trustworthy person or entity. Thus be careful with emails whose sender you don’t automatically recognize, and links that may include weird spelling. Users should never open any files or macros attached to an email from an unknown, suspicious or untrustworthy source; they should delete these attachments immediately. Spam, chain, and other junk email should be deleted without forwarding.

Internet Use

Since the Internet is largely an unregulated and uncontrolled network of computer systems operated and maintained by people with varying personal values and ideals, Acadaca cannot be held responsible for any employees (including contractors and consultants) who view material, download, or distribute information through this medium. Employees accessing the Internet do so at their own risk. 

Users must exercise caution when searching for and retrieving information from the Internet.

Accessing the following types of Internet sites and internet usage are strictly prohibited using Acadaca IT resources:

• Gambling in any form including Internet casino gambling.
• Offensive material including (but not limited to) sexually explicit, racially antagonistic, gender antagonistic, ethnically antagonistic, harassing, or violent material.
• Publishing a personal website with the use of Acadaca computing resources is strictly prohibited.
• Users may not use the Internet to play games.
• The use of chat rooms and external logins are prohibited.
• Uploads are not allowed.
• Users may not use the Internet in ways that violate federal, state, or local laws or statutes.

Unauthorized Duplication

Materials in electronic format are easily duplicated and transmitted. The ease of such transactions does not in and of themselves make these actions legal or appropriate. Copyrights, trademarks, and contractual agreements prohibit the duplication of material without authorization. All licenses and copyrights associated with electronic material must be adhered to, and copyright notices, as required, included in any use of such material. For this reason, published material must not be included in email or file transfers without proper authorization. If an employee is unsure whether published material is covered by a copyright or not, he or she should assume that it is and act accordingly. 

Provision of Software 

In order to maintain the security of Acadaca’s IT resources and to assure that the proper use of software is properly enforced, appropriate software must be provided. 

Acadaca management must approve the deployment of software on Acadaca information technology assets including workstations, servers, laptops, and PDAs. Software may only be used in compliance with the terms of applicable licence agreements. Unless authorized by their manager, users may not:

• Copy software for use on their home computers.
• Provide copies of software to any independent contractors, clients, or third parties.
• Install any software, to include demonstration or evaluation copies, on Acadaca workstations or servers.
• Download any software from the Internet or other online service to any Acadaca workstation or server.
• Modify, revise, transform, or adapt any software.
• Reverse engineer, disassemble, or decompile any software.

Data Classification 

Information and information resources are strategic assets vital to Acadaca business. These strategic assets must be protected commensurate with their tangible value, legal and regulatory requirements, and their critical role in Acadaca's ability to conduct its mission. 

Acadaca has defined two levels of sensitivity that dictate the controls required to protect the information. They are as follows:

Confidential 

Acadaca Confidential information is information that, if disclosed, is likely to cause serious damage, legal liability, or embarrassment to the organization or its clients, subscribers and affiliates. This type of information requires protection. Acadaca confidential information includes, but is not limited to the following records and information relating to Acadaca:

• Operations (such as financial records, standards of operation, Acadaca infrastructure diagrams).
• Customers (such as customer account information and lists of prospective customers).
• Employees (such as personnel information and evaluation records).

Open 

Open information is any information deemed not Acadaca confidential information. Open information does not require any special protection and may be accessed by anyone. 

Employees and contractors are to consult with their supervisor if they are unsure of the information’s classification. If the supervisor is unsure of the classification, he or she should consult with the Information Technology Department. The final authority on data classification is the Vice President of Operations. 

Data Confidentiality 

In the execution of its business, Acadaca may become secondary owners or stewards of confidential information from other parties. In order to maintain Acadaca’s business integrity and limit any legal liability associated with the stewardship of third-party, confidential information, Acadaca will hold this information in a manner consistent with any agreements with the third-party and industry best practices. 

Confidential information provided to Acadaca shall be used solely for the purpose for which it was furnished. Acadaca employees and contractors may be asked to sign a Confidentiality and Proprietary Information Agreement as a condition of employment. Release of Acadaca confidential information to unauthorized parties bypasses all information security measures taken to protect sensitive data. Acadaca employees and contractors are prohibited from releasing confidential data to any unauthorized parties. 

The following guidelines are as follows: 

Storage 

Information determined to be Acadaca confidential should be stored securely to ensure that only authorized individuals have access. For more detailed information on proper storage for specific media, please see the all-inclusive Security Policy. 

Transmission 

Acadaca confidential information transmitted over any public network (such as the Internet) must be encrypted or password protected. For more detailed information on proper transmission processes for specific media, please see the all-inclusive Security Policy.

Disposal 

Any material containing privileged information must be disposed of in such a way in which its contents is no longer readable or meaningful. For more detailed information on proper disposal techniques, please see the all-inclusive Security Policy. 

Computer and Network Management 

All Acadaca workstations, desktop and laptop that access Acadaca’s network or access, store, or process data must be secured against unauthorized access. Users are responsible for the security of their Acadaca provided workstations and/or laptops. All users must adhere to the following:

• All workstations must use a screensaver with password enabled. This password enabled screensaver will be activated within five minutes of inactivity.
• Users may not utilize another user’s workstation or password to gain access to Acadaca’s network.
• Users who are provided with an Acadaca laptop shall secure it appropriately and not allow it to be used by non-Acadaca individuals.
• All networks, regardless of connectivity, must be protected from unauthorized access.
• Users may not purchase, download, or install hardware or software network data monitoring tools, including sniffers and data scopes.

Malicious Code 

In order to prevent information loss due to the infection by and spread of computer viruses and worms, and to ensure continued uninterrupted services for the computer and network, Acadaca has implemented a viable antivirus solution. 

Each user is responsible for taking reasonable precautions to avoid the introduction of viruses into Acadaca’s network. All material to be introduced into Acadaca’s network on floppy disk, or other magnetic media, and all material downloaded from the Internet or from computers or networks that are not a part of the Acadaca’s network MUST be scanned for viruses and other destructive programs before being placed on the Acadaca’s network or any system connected to the Acadaca’s network. Personally owned virus protection software may not be used on any Acadaca computer system. 

Software Download and Installation 

In order to ensure proper system configuration and application interoperability, compliance with licences and copyrights, and maintenance of the information systems security state, Acadaca establishes the right to limit the ability of its employees to download and/or install software. All Acadaca employees must receive management approval prior to downloading and/or installing software on or through any Acadaca IT resource.

Bring Your Own Devices 

Acadaca understands the advantages of being able to use personally owned devices, (smartphones, tablets, laptops, USB flash drives), for business activities such as email, calendar, contacts, and documents. Employee access to Acadaca resources and services through a personally owned device is granted on the condition that each employee reads, signs, and adheres to the Bring Your Own Device policy. This is currently a separate document and agreement. If you are interested in utilising this resource, please notify HR or the Chief Information Security Officer for enrollment. 

Visitors 

Acadaca employees sponsoring visitors should ensure that visitors do not access information that does not relate to the reason of their visit or the work being performed. Requests for Acadaca confidential information, company documents, customer or client information, financial projections, or comments unrelated to the guest’s visit should be reported to the Chief Information Security Officer.

‍