Security Policy
This Policy will be revised from time to time. A customer's use of Eclecia services after changes to the Policy are posted on the Eclecia web site, www.Eclecia.com, will constitute the customer's acceptance of any new or additional terms of the Policy that result from those changes.
Introduction: This document provides a summary of the security policies of Eclecia
for its customers and users. Eclecia may update this information as needed and without notice. For
questions regarding information security, please contact support@theosys.com
Scope: Everyone at Eclecia must comply with the information security policies found
in this and related information security documents. This policy applies to all computer systems,
network systems, websites, and information products owned by or administered by Eclecia. This policy
applies to all operating systems, computer sizes and application systems.
Purpose: Eclecia is critically dependent on information and information systems. The
good reputation that Eclecia enjoys is directly linked with the way that it manages both information
and information systems. Public disclosure of private data would harm our reputation and impact our
ability to retain new customers and new business. For these and other important business reasons, the
executive team has initiated and continues to support an information security effort. To be effective,
information security must be a team effort involving the participation and support of everyone at
Eclecia who deals with information and information systems. This document describes ways to prevent
and respond to a variety of threats to information and information systems including unauthorized
access, disclosure, duplication, modification, appropriation, destruction, loss, misuse, and denial of
use.
Information Classification and Handling: Eclecia information, and information that
has been entrusted to Eclecia, must be protected in a manner commensurate with its sensitivity and
criticality. Eclecia has adopted an information classification system that categorizes information
into four groupings. All information under Eclecia control, whether generated internally, or
externally, falls into one of these categories: Secret, Confidential, Internal Use Only, or Public.
For purposes of this policy, "sensitive information" is information that falls into either the Secret
or Confidential categories.
Roles and Responsibilities: Guidance, direction, and authority for information
security activities are centralized for all of Eclecia in the Information Technology Team under the
direction of the Vice President of Development. The Information Technology Team, in conjunction with
and under the guidance of the executive team, is responsible for establishing and maintaining
organization-wide information security policies, standards, guidelines, and procedures. Compliance
checking to ensure that departments are operating in a manner consistent with these requirements is
the responsibility of the department head with the assistance of the IT Team.
Information Access Control: Access to information in the possession of, or under the
control of, Eclecia must be provided based on the need to know. Information must be disclosed only to
people who have a legitimate business need for the information. The privileges granted to all workers
must be periodically reviewed by information owners and Custodians to ensure that only those with a
current need to know presently have access.
User IDs and Passwords: To implement the need-to-know process, Eclecia requires that
each worker accessing multi-user information systems has a unique user ID and a private password.
Users are prohibited from logging into any Eclecia system or network anonymously. Users must choose
passwords that are difficult to guess. Users must not construct passwords that are identical or
substantially similar to passwords they have previously employed or currently use in systems not
belonging to Eclecia. Passwords must be changed every 90 days or at more frequent intervals. Whenever
a worker suspects that a password has become known to another person or non-Eclecia sanctioned entity,
that password must immediately be changed. Passwords must not be stored in readable form in batch
files, automatic logon scripts, software macros, terminal function keys, in computers without access
control systems, or in other locations where unauthorized persons might discover them. Passwords must
never be shared with or revealed to others. System administrators and other technical information
systems staff must never ask a worker to reveal his or her personal password.
Release of Information to Third Parties: Unless it has specifically been designated
as public, all Eclecia internal information must be protected from disclosure to third parties. Third
parties may be given access to Eclecia internal information only when a demonstrable need to know
exists, when an Eclecia non-disclosure agreement has been signed, and when such a disclosure has been
expressly authorized by the relevant Eclecia information Owner.
Third-Party Requests for Eclecia Information: Unless a worker has been authorized by
the information Owner to make public disclosures, all requests for information about Eclecia and its
business must be referred to the Department Head. Such requests include questionnaires, surveys, and
newspaper interviews. This policy does not apply to sales and marketing information about Eclecia
products and services, nor does it pertain to customer technical support calls. If a worker is to
receive sensitive information from third parties on behalf of Eclecia, this receipt must be preceded
by the third party's signature on a non-disclosure agreement, an Eclecia license agreement, or a purchase
agreement containing a relevant release.
Physical Security: Access to every office, computer machine room, and other Eclecia
work area containing sensitive information must be physically restricted to those people with a need
to know. All Eclecia local area network servers and other secured multi-user systems containing
sensitive information must be placed in locked cabinets, locked closets, or locked computer
rooms.
Network Security: All Eclecia computers, network equipment and multi-user information
systems that store sensitive information and that are permanently or intermittently connected to
internal computer networks must have a password-based access control system approved by the
Information Technology Team. Regardless of the network connections, all stand-alone computers handling
sensitive information must also employ an approved password-based access control system. Eclecia
workers must not use unsecured network connections to access sensitive information. With the exception
of emergency situations, all changes to Eclecia computer networks must be approved in advance by the
Information Technology department. This process prevents unexpected changes from inadvertently leading
to denial of service, unauthorized disclosure of information, and other problems.
Internet and Electronic Mail: Sensitive information, including passwords and credit
card numbers, must not be sent across the Internet unless this information is in encrypted form. All
personal computer users must keep the current versions of approved virus screening software enabled on
their computers. Eclecia computers and networks must not run software that comes from sources other
than Eclecia departments, knowledgeable and trusted user groups, well-known systems security
authorities, or established computer, network or commercial software vendors. All computer and
communications systems used for production processing must employ a documented change control process
that is used to ensure that only authorized changes are made. For multi-user computer and
communication systems, a system administrator is responsible for making periodic backups. All backups
containing critical or sensitive information must be stored at an approved off-site location with
either physical access controls or encryption. A contingency plan must be prepared for all
applications that handle critical production information. It is the responsibility of the information
Owner to ensure that this plan is adequately developed, regularly updated, and periodically
tested.
User Rights and Expectations: Eclecia management reserves the right to monitor,
inspect, or search at any time all Eclecia information systems. Because Eclecia computers and networks
are provided for business purposes, workers must have no expectation of privacy associated with the
information they store in or send through these information systems. Eclecia management retains the
right to remove from its information systems any material it views in its sole discretion as offensive
or potentially illegal. Incidents involving unapproved system hacking, password guessing, file
decryption, bootleg software copying, or similar unauthorized attempts to compromise security measures
may be unlawful and will be considered serious violations of Eclecia internal policy. All suspected
policy violations must immediately be reported to the department head. All system intrusions, virus
infestations, and other conditions that might jeopardize Eclecia information or Eclecia information
systems must immediately be reported to the Information Technology Team. Eclecia workers who willingly
and deliberately or negligently violate this policy will be subject to disciplinary action up to and
including termination.