DATA SECURITY POLICY

Purpose and Scope:

Circuit Stream provides online tools and services that our customers use to operate aspects of their organization. These include tools for software deployment, management and development, training, employee performance management, operations management, hardware management, cloud infrastructure, data analytics, and reporting. 

In providing these tools, Circuit Stream processes data that our customers submit to our services or instruct us to process on their behalf. To fulfill these purposes, Circuit Stream may access the data to provide the services, to correct and address technical or service problems, to follow the instructions of the Circuit Stream customer who submitted the data, or to meet contractual requirements. 

The security of customer information is important to us. We follow generally accepted industry standards to protect the information submitted to us, both during transmission and once we receive it. 

Circuit Stream uses Amazon Web Services (AWS) as its cloud infrastructure provider to meet Circuit Stream’s customers’ growing needs. 

AWS is Privacy Shield certified (see AWS Certifications). For data residency, all application data is stored and backed up in the AWS US West (Oregon) region, us-west-2. 

During the period of transmission between the customer, Circuit Stream’s devices and AWS servers, Circuit Stream follows the best practices and standards described in this document. 

If you have any questions about security on Circuit Stream’s platforms, you can contact us at support@circuitstream.com with subject line [Security]. 

Our Responsibilities:

1. Accountability

Circuit Stream is entrusted with the responsibility to protect customer’s confidential data and information. Inherent in this responsibility is an obligation to provide appropriate protection against theft of data and malware threats, such as viruses and spyware applications. The purpose of this policy is to establish standards for the base configuration of equipment that is owned and/or operated by Circuit Stream or equipment that accesses Circuit Stream’s internal systems. Effective implementation of this policy will minimize unauthorized access to Circuit Stream’s proprietary information and technology and protect confidential customer information.

2. Scope 

This policy applies to equipment owned and/or operated by Circuit Stream, and to employees and contractors connecting to any Circuit Stream-owned network.

3. Security-Related Events 

Security-related events will be reported to the Security Officer. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to: attacks and evidence of unauthorized access to privileged accounts.

4. WiFi 

The password on the WiFi must be kept secure. Employees must have explicit permission to access or configure Circuit Stream WiFi.

5. Safeguards 

Circuit Stream uses security safeguards to protect customer information. These safeguards are appropriate to the sensitivity of the information. Circuit Stream will make all reasonable efforts to protect customer information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. The security safeguards include: 

  • AWS datacenter security, including but not limited to: 
    • AWS safeguards (including monitoring and alerting) to prevent unauthorized access to the system
    • Assignment of AWS IAM roles so that employees hold only the permissions their duties require
    • Data automation employed for all data-related tasks; employees do not interact with the database manually
    • Backups stored on AWS using a storage tier that provides geographically separate backups
    • All customer data stored in the AWS us-west-2 region
    • All customer data stored in separate AWS databases
    • AWS disaster recovery services
  • Data in transit encrypted with TLS (HTTPS)

6. Backup Procedures

Circuit Stream shall conduct manual backups to AWS weekly to capture all data from the previous week.

One responsible party should be available to supervise backups each week. If the designated backup specialist is not available, an alternative should be named to oversee the process.

7. Workstation Security

A) Physical security measures (e.g., keycard locked office, password protected computers and devices).

B) Administrative measures (e.g., timely transfer of data to AWS cloud; timely deletion/destruction of files; and protection of files in use from access by unauthorized persons).

C) Authorized Users - Appropriate measures must be taken when using workstations to ensure that access to sensitive information is restricted to authorized users and that its confidentiality, integrity and availability are preserved.

D) All confidential information should be moved from local workstations to AWS cloud servers as soon as permitted.

E) Safeguards - Circuit Stream will implement physical and technical safeguards for all workstations that access electronic confidential information to restrict access to authorized users. Appropriate measures include:

  • Restricting physical access to workstations to only authorized personnel.
  • Securing workstations (screen lock or logout) prior to leaving area to prevent unauthorized access.
  • Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were left unsecured will be protected.
  • Complying with all applicable password policies and procedures.
  • Ensuring workstations are used for authorized business purposes only.
  • Never installing unauthorized software on workstations.
  • Securing laptops that contain sensitive information by locking laptops up in drawers or cabinets.

8. Data Retention Policy

Data will be retained for the duration of the period in which Circuit Stream is providing services to the customer.

In the event of service termination, data will be retained for a period of ninety (90) days beginning on the final day Circuit Stream stops providing services to the customer.

9. Incident Response

In the event of an incident, immediate action will be taken by Circuit Stream to:

A. Change all passwords relevant to the incident.
B. Contact the affected customer within 90 minutes, by phone first and then by email.
C. Contact all other relevant stakeholders by email within 24 hours.
D. Take immediate and appropriate next steps to contain and resolve the incident.

10. Business Continuity and Disaster Recovery Plan

In the event of a disaster, AWS credentials will be shared with the appropriate successive board officers and/or senior management so that service to the customer is not interrupted.

11. Data Deletion/Destruction Policy

If operations between Circuit Stream and the customer are terminated, the Security Officer will manually log into AWS and either return all data associated with the customer or delete/destroy it from all storage locations.

12. Software Installation and Anti-Virus

A. This policy covers all computers, servers, and other computing devices operating within Circuit Stream’s network.
B. Software requests must first be approved by management or the IT Department.
C. Anti-Virus - All Circuit Stream computers must have Circuit Stream’s standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus pattern files must be kept up-to-date. Virus-infected computers must be removed from the network until they are verified as virus-free. Any activities with the intention to create and/or distribute malicious programs into Circuit Stream’s networks are prohibited.

13. Password Security Requirements

A. All system-level passwords (Administrator, etc.) must be changed on an annual basis, at a minimum.
B. All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed on an annual basis.
C. All user-level and system-level passwords must conform to the standards described below.
D. All users at Circuit Stream should be aware of how to select strong passwords. Strong passwords have the following characteristics:

  • Contain at least three of the following five character classes:
    • Lower case characters
    • Upper case characters
    • Numbers
    • Punctuation
    • "Special" characters (e.g. @#$%^&*()_+|~-=\`{}[]:";'<>/ etc.)
  • Contain at least eight characters.
  • Are NOT a common-usage word or an easily guessed value, including:
    • Computer terms and names, commands, site names, company names, and hardware or software names
    • "Password1" or any derivation of it
    • The words "Circuit Stream"
    • Names of family members, pets, friends or co-workers; birthdays; and other personal information such as addresses or phone numbers
    • Word or number patterns such as aaabbb, qwerty, zyxwvuts or 123321
    • Any of the above spelled backwards, or preceded or followed by a digit (e.g., secret1, 1secret)

E. Do not share Circuit Stream passwords with anyone, including administrative assistants or secretaries.
F. All passwords are to be treated as sensitive, confidential Circuit Stream information.
G. Passwords should never be written down or stored on-line without encryption.
H. Do not reveal a password in email, chat, or other electronic communication.

14. Security and Proprietary Information

A. The information contained on Circuit Stream’s systems should be classified as either confidential or not confidential, as defined by the customer’s confidentiality requirements.
B. Employees should take all necessary steps to prevent unauthorized access to this information.
C. Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts.
D. All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off when unattended.

15. Unacceptable Use 

The following activities are, in general, prohibited. The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use:

A. Under no circumstances is an employee of Circuit Stream authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Circuit Stream-owned resources.
B. Violations of the rights of any person or firm protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Circuit Stream.
C. Unauthorized copying of copyrighted material, including the installation of any copyrighted software for which Circuit Stream or the end user does not have an active license, is strictly prohibited.
D. Introduction of malicious programs into the network.
E. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
F. Using a Circuit Stream computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
G. Making fraudulent offers of products, items, or services originating from any Circuit Stream account.
H. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient, or logging into a server or account that the employee is not expressly authorized to access, unless doing so is within the scope of the employee's regular duties.
I. Executing any form of network monitoring that will intercept data not intended for the employee's host, unless this activity is part of the employee's normal job/duty.
J. Circumventing user authentication or security of any host, network or account.
K. Providing information about, or lists of, Circuit Stream employees or customers to parties outside Circuit Stream.

16. Remote Access 

Persons Affected - Circuit Stream employees, consultants, vendors, contractors, and others who use mobile computing and storage devices on the Circuit Stream network. 

General Standards - It is the responsibility of Circuit Stream employees, contractors, vendors and agents with remote access privileges to Circuit Stream’s network to ensure that their remote access connection is given the same consideration as the user’s on-site connection to Circuit Stream. 

Requirements: 

A. Secure remote access must be strictly controlled. Control will be enforced via password authentication with strong passphrases. For information on creating a strong passphrase, see the Password Security Requirements section.
B. At no time should any Circuit Stream employee provide their login or e-mail password to anyone, not even family members.
C. Circuit Stream employees and contractors with remote access privileges must ensure that their Circuit Stream-owned or personal computer or workstation, while remotely connected to Circuit Stream's network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.
D. All PCs, laptops and workstations that are connected to Circuit Stream internal networks via remote access technologies must use the most up-to-date anti-virus software; this includes personal computers.
E. Circuit Stream employees and contractors with remote access privileges to Circuit Stream's network must not use non-Circuit Stream e-mail accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Circuit Stream business, thereby ensuring that official business is never confused with personal business.
F. Personal equipment that is used to connect to Circuit Stream’s networks must meet the requirements of Circuit Stream-owned equipment for remote access.

17. Mobile Computing and Storage Devices

Items covered - Mobile computing and storage devices include, but are not limited to: laptop computers, USB drives, external hard drives, smartphones, tablets, and any other existing or future mobile computing or storage device, either personally owned or Circuit Stream owned, that may connect to or access the information systems at Circuit Stream.

Risks - Mobile computing and storage devices are easily lost or stolen, presenting a high risk of unauthorized access and of introducing malicious software to the Circuit Stream network. These risks must be mitigated to acceptable levels.

Encryption - Portable computing devices and portable electronic storage media that contain confidential, personal, or sensitive Circuit Stream information must use encryption or equally strong measures to protect the data while it is being stored.

Database - Databases, or portions thereof, that reside on the Circuit Stream network shall not be downloaded to mobile computing or storage devices.

Minimum Requirements: 

A. Report lost or stolen mobile computing and storage devices to management.
B. Any device not owned by Circuit Stream that may connect to the Circuit Stream network must first be approved by management or the IT department.
C. Compliance with the Remote Access policy is mandatory.

Persons affected - This policy applies to all Circuit Stream employees, contractors, consultants, temporaries, and other workers including all personnel affiliated with third parties.

18. Employee and Contractor Termination

Removing access - An employee's or contractor's credentials shall be deactivated immediately upon termination of employment or of the contractual agreement. This includes, but is not limited to, the following: 

A. Circuit Stream’s database
B. Workstation access
C. E-mail access
D. Remote access to Circuit Stream’s network
E. Any other access to Circuit Stream’s network or programs

Returning mobile devices - Any employee in possession of Circuit Stream portable devices shall return such devices before exiting the premises on their final day of employment. Mobile devices include, but are not limited to, the following: Circuit Stream-owned smartphone, tablet, laptop, hard drive and USB drive.

19. Visitor and Contractor Access

Permission - Visitors who require network access will need permission from management or the IT department. After credentials are arranged, activities on the network will be subject to the Unacceptable Use section of this policy.

20. Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

21. Concerns or Questions Regarding Compliance 

You may address a concern or question about compliance with this policy to Circuit Stream’s Security Officer, at support@circuitstream.com with the subject line [Security]. 

Circuit Stream will investigate any concerns or questions received by email. If a concern is found to be justified, Circuit Stream will take appropriate measures to resolve the concern including, if necessary, amending its policies and procedures. A customer will be informed, by email, of the outcomes regarding their concern or question.