Handling of Customer Information
Customer database information should be stored in the Leading2Lean data center environment and should not be stored on Leading2Lean Employee laptops except for the following limited circumstances:
- The employee is onsite at a customer facility for installation, consulting, or other business,
- the customer has given Leading2Lean extended permission to use their data for development, testing, or marketing purposes,
- or the employee is working on an open bug/issue that requires a local copy of the customer database. Customer data must be removed immediately following the resolution of the issue.
Risk Assessment and Management
Data Classification, Integrity, & Confidentiality
All Leading2Lean employees must review the company security procedures upon hire and annually. Employee training will be tracked and documented.
Access & Authentication
- All Leading2Lean employees must be both qualified and vetted before being granted access to computer systems and data.
- Employees should be given the least applicable privileges needed to accomplish their assigned tasks.
- Passwords should be forced to change on a periodic basis with reuse prohibited.
Leading2Lean Production Service Security
- All production databases must be backed up on a daily basis in a secure manner.
- Backups must be test restored on a periodic basis.
- All production servers must be secure with individual user names and passwords with IP address banning on multiple failed login attempts.
- Only production qualified employees with applicable job assignments will be given access to the production environment.
- Security patches will be tested, implemented, and monitored to ensure production stability and security.
- Change management and testing procedures will be followed.
- Customer data will be segregated to ensure confidentiality.
- Firewalls will be used at the network and server levels.
- Security alerts will be monitored and responded to 7x24x365, following formal incident response procedures in the event of an incident.
- Employees will use 2 factor or encryption keys to secure access to back-end systems.