Scivantage Data Security Policy & Acceptable Use Policy

Purpose

The purpose of this document is to define the policy of data security for Scivantage and its clients. The Company strives to ensure that all Scivantage Corporate and Client data is properly protected from malicious activity, incident, or breaches, and as such this policy must be adhered to and followed strictly. Any violation of this policy may result in disciplinary action up to and including termination of employment, and the violating individual(s) may be subject to civil and/or criminal prosecution.

Audience

This policy applies to all employees, management, contractors, vendors, business partners and any other parties who may have access to company data.

Data Types

Scivantage processes two distinct types of data:

2. Company-owned data such as corporate financial information, employment records, payroll and other related items.

3. Private data that is the property of clients and/or employees, such as social security numbers, credit card information, contact information, and other forms of public and non-public data.

Company-owned data is retained as required or stipulated by company or regulatory requirements. Any changes to company-owned data is determined by the owner or curator of the data, and as such may be maintained in various states or versions.

Private data is retained indefinitely or as defined in the contractual agreement between Scivantage and its clients or as required by regulatory or legal requirements.

All data independent of its source or type is to be handled, stored and treated as required by any agreements, obligations or requirements and any other use, destruction or mishandling of this data will be treated as a violation of this policy.

Responsibilities

All Scivantage employees, contractors, vendors, business partners and any other parties who have access to company data are responsible for adhering to this policy and reporting any violations or activities that do not comply with this policy.

Management is responsible for ensuring that their direct reports and any other parties including contractors, vendors and business partners understand the scope and implications of this policy. Human Resources must also ensure that all employees including contractors, vendors and business partners have a signed copy of this policy in their file.

Security staff monitor data use/usage for any unauthorized activity and are responsible for updating access requirements as needed and notifying the proper personnel of violations. The Vice President of Information Security, whose title is also that of Chief Information Security Officer and Data Protection Officer and is responsible for all data protection laws and meeting regulatory requirements, will review any incidents and in coordination with Human Resources determine how violations will be penalized.

Any employee, contractor(s), vendor(s) and business partner(s) who authors or generates corporate or client data must classify that data according to the criteria outlined above.

Review

Management is responsible for keeping this policy current. This policy will be reviewed annually or as circumstances arise.

In addition, a full security audit will be performed annually by the Scivantage Security Team to ensure that the policy is properly aligned with company directives, third party security requirements and legislated security regulations, laws or other conditions as required or mandated.

Termination

Any employee, contractor, vendor and business partner whose services have been completed or terminated will immediately and upon request deliver back to Scivantage any company owned or private data. Any such request that is not honored will be in breach of this agreement and the party in question will be subject to legal action.

Intent

The goal of this policy is to inform all Scivantage employees, clients and contractors of the rules and procedures relating to data security compliance and acceptable use.

The data covered by this policy includes, but is not limited to, all electronic information such as e-mail, databases, applications and other media; paper information, such as hard copies of electronic data, files, internal memos, and correspondence.

Data Classifications

Scivantage data is comprised of four (4) classifications of information:

1. Public/Unclassified. This is defined as information that is generally available to anyone within or outside of the company. Access to this data is unrestricted, may already be available and can be distributed as needed. Public/unclassified data includes, but is not limited to, marketing materials, company policies relating to external individuals and organizations, news releases and other data as applicable.

Employees may send or communicate a public/unclassified piece of data with anyone inside or outside of the company.

2. Private. This is defined as corporate information that is to be kept within the confines of the company. Access to this data may be limited to specific departments and cannot be distributed outside of the workplace. Private data includes, but is not limited to, work phone directories, organizational charts, company financial information, company policies (except for those specifically identified as Public/Unclassified), sales data, and other data as applicable. All information not otherwise classified will be assumed to be Private.

Employees may not disclose private data to anyone who is not a current employee of the company or whose role within the company does not allow them access to said data.

3. Confidential. This is defined as personal or corporate information that may be considered potentially damaging if released and is only accessible to specific groups (e.g. payroll, human resources, member support, etc.) Confidential data includes, but is not limited to, social security numbers, contact information, accounting data, security procedures, policies related to and provided by clients, and other data as applicable. Scivantage considers it a priority to protect the privacy of its clients and employees.

Employees may only share confidential data within the department or named distribution list, and only to individuals whose role or job function allows them access to said data.

4. Secret/Restricted. This is defined as sensitive data which, if leaked, would be harmful to Scivantage, its employees, contractors and other parties as applicable. Access is limited to authorized personnel and third parties as required. Secret/restricted data includes, but is not limited to, audit reports, legal documentation, business strategy details, client specific data, and other data as applicable.

Secret/restricted data cannot be disclosed by anyone other than the original author, owner or distributor. 

It is the responsibility of everyone who is employed by Scivantage to protect the Company’s data independent of its source. This applies to all employees, contractors, vendors, business partners and any other parties who have access to this data. Unintentional misuse of any data will be considered punishable in accordance with the extent and frequency of the misuse with theft of any data or use of any data for fraudulent purposes punishable to the fullest extent permitted by the law.

Enforcement

Employees, contractors, vendors and business partners found to be in violation of this policy by either unintentionally or maliciously stealing, using or otherwise compromising corporate or personal data may be subject to disciplinary action up to and including termination and or legal action.