FlowTrack is committed to ensuring all workforce members actively address security and compliance in their roles at FlowTrack. We encourage self-management and reward the right behaviors. This policy specifies acceptable use of end-user computing devices and technology. Additionally, training is imperative to assuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.
In addition to the roles and responsibilities stated earlier, FlowTrack policy requires all workforce members to comply with the Acceptable Use Policy for End-user Computing and HR Security Policy.
FlowTrack policy requires that:
(a) Background verification checks on all candidates for employees and contractors should be carried out in accordance with relevant laws, regulations, and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risk.
(b) Employees, contractors and third-party users must agree and sign the terms and conditions of their employment contract, and comply with acceptable use.
(c) Employees will go through an onboarding process that familiarizes them with the environments, systems, security requirements, and procedures FlowTrack has in place. Employees will also have ongoing security awareness training that is audited.
(d) Employee offboarding will include reiterating any duties and responsibilities still valid after termination, verifying that access to any FlowTrack systems has been removed, as well as ensuring that all company-owned assets are returned.
(e) FlowTrack and its employees will take reasonable measures to ensure no sensitive data is transmitted via digital communications such as email or posted on social media outlets.
(f) FlowTrack will maintain a list of prohibited activities that will be part of onboarding procedures and have training available if/when the list of those activities changes.
(g) A fair disciplinary process will be utilized for employees who are suspected of committing breaches of security. Multiple factors will be considered when deciding the response, such as whether or not this was a first offense, training, business contracts, etc. FlowTrack reserves the right to terminate employees in serious cases of misconduct.
FlowTrack uses internal systems to manage its workforce personnel records.
A reporting structure has been established that aligns with the organization's business lines and/or individual's functional roles. The organizational chart is available to all employees via their manager and/or on the internal document store.
Position / job descriptions that define the skills, responsibilities, and knowledge levels required for certain jobs are documented and updated as needed.
Employees receive regular feedback and acknowledgement from their manager and peers. Performance reviews are conducted annually. Performance measures, incentives, and other rewards are established by management according to responsibilities at all levels, reflecting appropriate dimensions of performance and expected standards of conduct.
FlowTrack requires all workforce members to comply with the following acceptable use requirements and procedures, such that:
(a) Per FlowTrack security architecture, all workforce members are primarily considered as remote users and therefore must follow all system access controls and procedures for remote access.
(b) Use of FlowTrack computing systems is subject to monitoring by FlowTrack IT and/or Security team.
(c) Employees may not leave computing devices (including laptops and smart devices) used for business purposes, including company-provided and BYOD devices, unattended in public.
(d) Device encryption must be enabled for all mobile devices accessing company data, such as whole-disk encryption for all laptops.
(f) Encrypt all email messages containing sensitive data.
(g) Employees may not post any sensitive or confidential data in public forums or chat rooms. If a posting is needed to obtain technical support, data must be sanitized to remove any sensitive or confidential information prior to posting. This even includes internal IP addresses, API endpoints, account usernames, and other details.
(h) Anti-malware or equivalent protection and monitoring must be installed and enabled on all endpoint systems that may be affected by malware, including workstations, laptops and servers.
(i) All data storage devices and media must be managed according to the FlowTrack Data Classification specifications and Data Handling procedures.
(j) It is strictly forbidden to download or store any sensitive data on end-user computing devices, including laptops, workstations and mobile devices.
(k) Mobile devices are not allowed to connect directly to FlowTrack production environments without CEO approval.
FlowTrack publishes job descriptions for available positions and conducts interviews to assess a candidate's technical skills as well as culture fit prior to hiring.
Background checks of an employee or contractor are performed by HR/operations and/or the hiring team prior to the start date of employment.
A master checklist for employee onboarding is maintained by HR/Facilities.
It is published in the HR system or the HR folder on FlowTrack's internal document store.
The HR Representative / Facility Manager is responsible for creating an Issue in the Jira HR & Facilities project to initiate and track the onboarding process. The onboarding process should include the following IT/Security items:
A master checklist for employee exiting/termination is maintained by HR/Facilities. It is published in the HR system or the HR folder on FlowTrack's internal document stores.
The Human Resources Department (or other designated department), users, and their supervisors (HR) are required to notify Security upon completion and/or termination of access needs and to facilitate completion of the "Termination Checklist". This notice may be in the form of changes to an internal ticket status or notes.
HR are required to notify Security to terminate a user's access rights if there is evidence or reason to believe the following (these incidents are also reported on an incident report and are filed with the Privacy Officer):
Security will terminate users' access rights immediately upon notification, and will coordinate with the appropriate FlowTrack employees to terminate access to any non-production systems managed by those employees.
Security audits, and may terminate, the access of users who have not logged into the organization's information systems/applications for an extended period of time.
FlowTrack workforce members are to escalate issues using the procedures outlined in the Employee Quick Reference. Issues that are brought to the Escalation Team are assigned an owner. The membership of the Escalation Team is maintained by the Chief Executive Officer or his delegate.
Security incidents, particularly those involving sensitive data, are handled using the process described in Incident Response. If the incident involves a breach of sensitive data, the Security Officer will manage the incident using the process described in Breach Notification. Refer to Incident Response for a list of sample items that can trigger FlowTrack's incident response procedures; if you are unsure whether the issue is a security incident, contact the Security team immediately.
It is the duty of the incident owner to follow the process outlined below:
FlowTrack requires all workforce members to observe high standards of business and personal ethics in the conduct of their duties and responsibilities. All workforce members must practice honesty and integrity in fulfilling their responsibilities and comply with all applicable laws and regulations.
(a) Reporting Responsibility. Each workforce member is required and encouraged to report serious concerns so that FlowTrack can address and correct inappropriate internal conduct and actions. This includes
(b) Acting in Good Faith. Anyone filing a written complaint concerning a violation or suspected violation must be acting in good faith and have reasonable grounds for believing the information disclosed indicates a violation. Any allegations that prove not to be substantiated and which prove to have been made maliciously or knowingly to be false will be viewed as a serious disciplinary offense.
(c) Confidentiality. Insofar as possible, the confidentiality of the whistleblower will be maintained. However, identity may have to be disclosed to conduct a thorough investigation, to comply with the law, and to provide accused individuals their legal rights of defense.
(d) No Retaliation. Workforce members, in good faith, reporting a concern under the Whistleblower Policy shall NOT be subject to retaliation or adverse employment consequences. Moreover, any workforce member who retaliates against someone who has reported a concern in good faith is subject to disciplinary actions up to and including termination of employment.
(e) Reporting. Reports of concerns may be filed directly with the company CEO, COO, and/or the Compliance Officer. Additional reporting procedure details can be found in the employee handbook.
Performance reviews are conducted annually.
FlowTrack encourages employees to go above and beyond to contribute to the business objectives and help their peers and customers. Employees are recognized and rewarded for positive behavior on a regular basis via peer recognition, appreciation, and feedback.
FlowTrack provides employees the opportunity to attend conferences, trade shows, and/or ongoing training/studies relevant to their job function and business objectives.
Workforce members shall report non-compliance with FlowTrack's policies and procedures to the Security Officer or other individual as assigned by the Security Officer. Individuals who report violations in good faith may not be subjected to intimidation, threats, coercion, discrimination, or any other retaliatory action as a consequence.
The Security Officer promptly facilitates a thorough investigation of all reported violations of FlowTrack's security policies and procedures. The Security Officer may request assistance from others.
Violation of any security policy or procedure by workforce members may result in corrective disciplinary action, up to and including termination of employment. Violation of this policy and procedures by others, including business associates, customers, and partners may result in termination of the relationship and/or associated privileges. Violation may also result in civil and criminal penalties as determined by federal and state laws and regulations.
The Security Officer facilitates taking appropriate steps to prevent recurrence of the violation (when possible and feasible).
In the case of an insider threat, the Security Officer and Privacy Officer are to set up a team to investigate and mitigate the risk of insider malicious activity. FlowTrack workforce members are encouraged to come forward with information about insider threats, and can do so anonymously.
The Security Officer maintains all documentation of the investigation, sanctions provided, and actions taken to prevent reoccurrence for a minimum of seven years after the conclusion of the investigation.
When the Security Officer identifies a violation and begins a formal sanction process, they will notify the appropriate management or supervisors within 24 hours. That notification will include 1) identifying the individual sanctioned, 2) the reason for the sanction, and 3) specific procedures for service or account restriction / revocation or other disciplinary actions as required.
Fincosa LLC, 220 Calle Manuel Domenech #2012, San Juan, PR, 00918, USA