Cyber Security Policy

Cyber Attacks Are Economically, Socially Or Politically Motivated

The increasing volume and sophistication of cyber security threats, including targeted phishing scams, distributed denial-of-service attacks (DDoS attacks), data theft, ransomware and other online vulnerabilities, demand that we remain vigilant about securing our systems and information.

Cyber Security Policy

Cyber Security Policy Brief & Purpose

The Issues4Life Foundation's Cyber Security Policy outlines our guidelines and provisions for preserving the security of our data and technology infrastructure. The more we rely on technology to collect, store, transmit and manage information, the more vulnerable we become to severe security breaches. Human errors, hacker attacks and system malfunctions could cause great financial damage and may jeopardize our reputation. For this reason, we have implemented a number of security measures. We have also prepared instructions that may help mitigate security risks. We have outlined both provisions in this policy.

Scope

This policy applies to all our employees, contractors, volunteers and anyone who has permanent or temporary access to our systems and hardware.

Policy Elements

Confidential Data

Confidential data is secret and valuable. Common examples are:

· Unpublished Financial Information
· Data Of Donors|Customers|Partners|Vendors
· Patents, Formulas Or New Technologies
· Donor Lists (Existing And Prospective)

All employees|volunteers are required to protect this data. In this policy, we will give our employees|volunteers instructions on how to avoid security breaches.

Protect Personal And Company Devices

When employees|volunteers use their digital devices to access company emails or accounts, they introduce security risk to our data. We advise our employees|volunteers to keep both their personal and company-issued computer, tablet and cell phone secure. They can do this if they:

· Keep All Devices Password Protected.
· Choose And Upgrade A Complete Antivirus Software.
· Ensure They Do Not Leave Their Devices Exposed Or Unattended.
· Install Security Updates Of Browsers And Systems Monthly Or As Soon As Updates Are Available.
· Log Into Company Accounts And Systems Through Secure And Private Networks Only.

We also advise our employees|volunteers to avoid accessing internal systems and accounts from other people’s devices or lending their own devices to others. When new hires receive company-issued equipment they will receive instructions for:

· Disk Encryption Setup
· Password Management Tool Setup
· Installation Of Antivirus|Anti-Malware Software

They should follow instructions to protect their devices and refer to our Security Specialists|Network Engineers if they have any questions.

Keep Emails Safe

Emails often host scams and malicious software (e.g. worms.) To avoid virus infection or data theft, we instruct employees|volunteers to:

· Avoid opening attachments and clicking on links when the content is not adequately explained (e.g. "watch this video, it’s amazing.")
· Choose And Upgrade A Complete Antivirus Software.
· Be suspicious of clickbait titles (e.g. offering prizes, advice.)
· Check email and names of people they received a message from to ensure they are legitimate.
· Look for inconsistencies or give-aways (e.g. grammar mistakes, capital letters, excessive number of exclamation marks, etc.)

If an employee and|or volunteer isn’t sure that an email they received is safe, they are required to refer the email to our IT Specialists|Network Engineers.

Manage Passwords Properly

Password leaks are dangerous since they can compromise our entire infrastructure. Not only should passwords be secure so they won't be easily hacked, but they should also remain secret. For this reason, we advise our employees|volunteers to:

· Choose passwords with at least eight characters (including capital and lower-case letters, numbers and symbols) and avoid information that can be easily guessed (e.g. birthdays.)
· Remember passwords instead of writing them down. If employees|volunteers need to write their passwords, they are required to keep the paper or digital document confidential and destroy it when their work is done.
· Exchange credentials only when absolutely necessary. When exchanging them in-person isn’t possible, employees|volunteers should prefer the phone instead of email, and only if they personally recognize the person they are talking to.
· Change their passwords every two months.

Leaving post-it notes attached to your monitor to remember passwords is a major security risk! In a world plagued by privacy concerns, remembering a large number of passwords can be daunting. Thus we require the services of a password management tool which generates, encrypts and stores passwords and employs "Two-Factor Authentication". Employees|volunteers are required to create a secure password for the tool itself, following the above-mentioned advice.

Transfer Data Securely

Transferring data introduces security risk. Employees|volunteers must:

· Avoid transferring sensitive data (e.g. customer information, employee records) to other devices or accounts unless absolutely necessary. When mass transfer of such data is needed, we request employees|volunteers to ask our IT Specialists|Network Engineers for help.
· Share confidential data over the company network|system and not over public Wi-Fi or a private connection.
· Ensure that the recipients of the data are properly authorized people or organizations and have adequate security policies.
· Report scams, privacy breaches and hacking attempts.

Our IT Specialists|Network Engineers need to know about scams, breaches and malware so they can better protect our infrastructure. For this reason, we advise our employees|volunteers to report perceived attacks, suspicious emails or phishing attempts as soon as possible to our specialists. Our IT Specialists|Network Engineers must investigate promptly, resolve the issue and send a companywide alert when necessary.

Our Security Specialists are responsible for advising employees|volunteers on how to detect scam emails. We encourage our employees|volunteers to reach out to them with any questions or concerns.

Additional Measures

To reduce the likelihood of security breaches, we also instruct our employees|volunteers to:

· Turn off their screens and lock their devices when leaving their desks.
· Report stolen or damaged equipment as soon as possible to our IT Specialists|Network Engineers.
· Change all account passwords at once when a device is stolen.
· Report a perceived threat or possible security weakness in company systems.
· Refrain from downloading suspicious, unauthorized or illegal software on their company equipment.
· Avoid accessing suspicious websites.

We also expect our employees|volunteers to comply with our social media and internet usage policy. Our IT Specialists|Network Engineers should:

· Install firewalls, anti-malware software and access authentication systems.
· Arrange for security training for all employees|volunteers.
· Inform employees|volunteers regularly about new scam emails or viruses and ways to combat them.
· Investigate security breaches thoroughly.
· Follow this policy’s provisions as other employees|volunteers do.

The Issues4Life Foundation will have all physical and digital shields to protect information.

Remote Employees|Volunteers

Remote employees|volunteers must follow this policy’s instructions too. Since they will be accessing our company’s accounts and systems from a distance, they are required to follow all data encryption, protection standards and settings, and ensure their private network is secure.

Disciplinary Action

We expect all our employees|volunteers to always follow this policy and those who cause security breaches may face disciplinary action:

· First-time, unintentional, small-scale security breach: We may issue a verbal warning and train the employee on security.
· Intentional, repeated or large scale breaches (which cause severe financial or other damage): We will invoke more severe disciplinary action up to and including termination.
· We will examine each incident on a case-by-case basis.

Additionally, employees|volunteers who are observed to disregard our security instructions will face progressive discipline, even if their behavior hasn’t resulted in a security breach.

Take Security Seriously

Everyone, from our donors, customers and partners, to our employees, contractors and volunteers, should feel that their data is safe. We feel the only way to gain and maintain your trust in this arena is to proactively protect our systems and databases. We can all contribute to this by being vigilant and keeping cyber security a high priority. As such, the Issues4Life Foundation employs the services of F-Secure, a security and privacy company based in Helsinki, Finland that offers the best protection in the world for all devices, ensuring your and our online privacy and a holistic portfolio with best-in-class cyber security solutions for businesses. To learn more about our recommendations regarding cyber security and online privacy protection, please visit the third (3rd) floor of our library and click on: Question: Are You Secure Online?

ProtonMail EMail Security

ProtonMail has created an easy-to-use secure email service with "Built-In" "End-To-End" Encryption and state-of-the-art security features. ProtonMail messages are encrypted at all times. ProtonMail messages are transmitted in encrypted format between ProtonMail servers and your devices. ProtonMail messages are stored on ProtonMail servers in encrypted format. ProtonMail messages between ProtonMail users are also transmitted in encrypted format. ProtonMail has zero (0) access to your data because your ProtonMail data is encrypted at all times. This means the risk of your ProtonMail message being intercepted in "Plain Text" format is eliminated. The Issues4Life Foundation has secured ProtonMail to protect the privacy of all emails coming from our founders.

Tuta EMail Security

Tuta (i.e., formerly "TutaNota") is the world's most secure email service, easy to use and private by design. You will get fully encrypted calendars and contacts with all our personal and business email accounts. Tuta never chooses the easy way out or the most profitable way if that means compromising your privacy or security. And Tuta is not pressured to do so, because Tuta is not beholden to any venture capital companies or to shareholders outside the team. Tuta's goal is to make security and privacy easily accessible to everyone. Yes, Tuta is strongly and boldly focused on usability and convenience. So, Tuta's entire encryption process runs in the background, so you can use Tuta as easily as any email service. The Issues4Life Foundation highly recommends Tuta's email service.