Handling of Customer Information
Customer database information should be stored in the Leading2Lean data center environment and should not be stored on Leading2Lean Employee laptops except for the following limited circumstances:
- The employee is onsite at a customer facility for installation, consulting, or other business;
- The customer has given Leading2Lean extended permission to use their data for development, testing, or marketing purposes; or
- The employee is working on an open bug/issue that requires a local copy of the customer database. Customer data must be removed immediately following the resolution of the issue.
Risk Assessment and Management
Vulnerability scanning and risk assessments should be performed at least quarterly. Results are to be presented to Leading2Lean management for review and for further action. Based on the results, independent testing and audits may be initiated.
Data Classification, Integrity, & Confidentiality
Access to data stored in Leading2Lean systems shall be protected by individual usernames and passwords. By default, all customer data is deemed confidential and will be treated as such. Data integrity shall be maintained through application controls at the application and database layers. Customer backups will undergo periodic restores to ensure the integrity and usability of the data. Customer data used outside of the Leading2Lean data center environment should be encrypted if requested by the customer.
Employee Security
Training
All Leading2Lean employees must review the company security procedures upon hire and annually. Employee training will be tracked and documented.
Access & Authentication
- All Leading2Lean employees must be both qualified and vetted before being granted access to computer systems and data.
- Employees should be given the least applicable privileges needed to accomplish their assigned tasks.
- Passwords should be forced to change on a periodic basis with reuse prohibited.
Leading2Lean Production Service Security
Security in the Leading2Lean production data center environment is critical to our success. The following production security policies must be observed.
- All production databases must be backed up on a daily basis in a secure manner.
- Backups must be test restored on a periodic basis.
- All production servers must be secure with individual user names and passwords with IP address banning on multiple failed login attempts.
- Only production qualified employees with applicable job assignments will be given access to the production environment.
- Security patches will be tested, implemented, and monitored to ensure production stability and security.
- Change management and testing procedures will be followed.
- Customer data will be segregated to ensure confidentiality.
- Firewalls will be used at the network and server levels.
- Security alerts will be monitored and responded to 24x7x365, following formal incident response procedures in the event of an incident.
- Employees will use two-factor authentication or encryption keys to secure access to back-end systems.
Disciplinary Policy
All employees must understand that violating Leading2Lean security policies may result in sanctions, removal of security access credentials, suspension of duties, and/or termination. Employees may also be subject to criminal and/or civil legal action.