...
This policy applies to all Tekai assets utilized by personnel acting on behalf of Tekai or accessing its applications, infrastructure, systems, or data. All personnel are required to read, accept, and follow all Tekai policies and plans upon starting and at least annually.
Information Security Communication
Please contact Employee name Tekai Management team if you have any questions about the Tekai information security program.
People Security
Background Check
...
Tekai promotes the understanding of secure coding to its engineers in order to improve the security and robustness of Tekai products.
Physical Security
Clear Desk
...
All devices containing sensitive information, including mobile devices, shall be configured to automatically lock after a period of inactivity (e.g. screen saver).
Remote Work
Any Tekai issued devices used to access company applications, systems, infrastructure, or data must be used only by the authorized employee or contractor of such device.
...
While working at home, employees and applicable contractors should be mindful when visitors (e.g. maintenance personnel) are at their residences, as visitors could become privy to sensitive information left up on computer screens.
System Access Security
Tekai adheres to the principle of least privilege, specifying that team members will be given access to only the information and resources necessary to perform their job functions as determined by management or a designee. Requests for escalation of privileges or changes to privileges and access permissions are documented and require approval by an authorized manager. System access is revoked immediately upon termination or resignation.
...
Audits of access and privileges to sensitive Tekai applications, infrastructure, systems, and data are performed regularly and reviewed by authorized personnel.
Password Security
Unique accounts and passwords are required for all users. Passwords must be kept confidential and not shared with anyone. Where possible, all user and system accounts must invoke password complexity requirements specified in the Access Control Policy. All accounts must use unique passwords not shared with any other accounts.
...
Passwords must only be stored using a Tekai approved password manager. Tekai does not hard code passwords or embed credentials in static code.
Asset Security
Tekai maintains a Code of conduct designed to track and set configuration standards to protect Tekai devices, networks, systems, and data. In compliance with such policy, Tekai may provide team members laptops or other devices to perform their job duties effectively.
Data Management
Tekai stores and disposes of sensitive data in a manner that reasonably safeguards the confidentiality of the data; protects against the unauthorized use or disclosure of the data; and renders the data secure or appropriately destroyed. Data entered into Tekai applications must be validated where possible to ensure quality of information processed and to mitigate the impacts of web-based attacks on the systems.
...
Tekai maintains a sanitization process that is designed to prevent sensitive data from being exposed to unauthorized individuals. Tekai hosting and service providers are responsible for ensuring the removal of data from disks allocated to Tekai use before they are repurposed or destroyed.
Change and Development Management
...
Tekai controlled directories or repositories containing source code are secured from unauthorized access.
Logging and Monitoring
Tekai collects and monitors audit logs and alerts on key events stemming from production systems, applications, databases, servers, message queues, load balancers, and critical services, as well as IAM user and admin activities.
...
Additionally, Tekai utilizes threat detection solution(s) to actively monitor and alert on network and application-based threats.
Business Continuity and Disaster Recovery
...
Backups are performed according to appropriate backup schedules to ensure critical systems, records, and configurations can be recovered in the event of a disaster or media failure.
Security Incident Response
...
A message should be sent to Tekai if you believe there may be a security incident or threat.
Risk Management
Tekai requires a risk assessment to be performed at least annually. For risks identified during the process, Tekai must classify the risks and develop action plans to mitigate discovered risks.
Vendor Management
Tekai requires a vendor security assessment before third-party products or services are used, confirming the provider can maintain appropriate security and privacy controls. The review may include gathering applicable compliance audits (SOC 1, SOC 2, PCI DSS, HITRUST, ISO 27001, etc.) or other security compliance evidence. Agreements will be updated and amended as necessary when business, laws, and regulatory requirements change.
Exceptions
Tekai business needs, local situations, laws, and regulations may occasionally call for an exception to this policy or any other Tekai policy. If an exception is needed, Tekai management will determine an acceptable alternative approach.
Enforcement
Any violation of this policy or any other Tekai policy or procedure may result in disciplinary action, up to and including termination of employment.
...
The disciplinary process should also be used as a deterrent to prevent employees and contractors from violating organizational security policies and procedures, and any other security breaches.
Responsibility, Review, and Audit
...
This document was last updated on MM/DD/YYYY.