Workamajig
Information Security Policy

1.   Policy

1. It is the policy of Workamajig that information, as defined hereinafter, in all its forms -- written, spoken, recorded electronically or printed -- will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its lifecycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information.
2. All policies and procedures must be documented and made available to individuals responsible for their implementation and compliance. All activities identified by the policies and procedures must also be documented. All documentation must be periodically reviewed for appropriateness and currency, a period of time to be determined by each entity within Workamajig.
3. At each entity and/or department level, additional policies, standards and procedures will be developed detailing the implementation of this policy and set of standards, and addressing any additional information systems functionality in such entity and/or department. All departmental policies must be consistent with this policy. All systems implemented after the effective date of these policies are expected to comply with the provisions of this policy where possible. Existing systems are expected to be brought into compliance where possible and as soon as practical.

2.   Scope

1. The scope of information security includes the protection of the confidentiality, integrity and availability of information.
2. The framework for managing information security in this policy applies to all Workamajig entities and workers, and other Involved Persons and all Involved Systems throughout Workamajig as defined below in Information Security Definitions.
3. This policy and all standards apply to all protected health information, payment cardholder information, and other classes of protected information in any form as defined below in Information Classification.

3.   Risk Management

1. A thorough analysis of all Workamajig information networks and systems will be conducted on a periodic basis to document the threats and vulnerabilities to stored and transmitted information. The analysis will examine the types of threats – internal or external, natural or manmade, electronic and non-electronic-- that affect the ability to manage the information resource.
2. The analysis will also document the existing vulnerabilities within each entity, which potentially expose the information resource to the threats (Vulnerability Assessment). Finally, the analysis will also include an evaluation of the information assets and the technology associated with its collection, storage, dissemination and protection.
3. From the combination of threats, vulnerabilities, and asset values, an estimate of the risks to the confidentiality, integrity and availability of the information will be determined. The frequency of the risk analysis will be determined at the entity level.
4. Based on the periodic assessment, measures will be implemented that reduce the impact of the threats by reducing the amount and scope of the vulnerabilities.

4.   Audit Assurance

1. Policy framework. Workamajig maintains this security policy as a framework for capturing the standards, regulations, and practices for which Workamajig adheres to for providing services.
2. Audit Controls. Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use Confidential Information must be implemented. Further, procedures must be implemented to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
3. Internal review. This policy and Workamajig’s practices are reviewed internally at least annually and on major changes.
4. Independent review. Independent reviews and assessments are performed periodically to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.

5.   Information Security Definitions

Affiliated Covered Entities: Legally separate, but affiliated, covered entities which choose to designate themselves as a single covered entity for purposes of HIPAA.

Availability: Data or information is accessible and usable upon demand by an authorized person.

Confidentiality: Data or information is not made available or disclosed to unauthorized persons or processes.

HIPAA: The Health Insurance Portability and Accountability Act, a federal law passed in 1996 that affects the healthcare and insurance industries. A key goal of the HIPAA regulations is to protect the privacy and confidentiality of protected health information by setting and enforcing standards.

Integrity: Data or information has not been altered or destroyed in an unauthorized manner.

Involved Persons: Every worker at Workamajig -- no matter what their status. This includes programmers, trainers, management, temporaries, volunteers, interns, etc.

Involved Systems: All computer equipment and network systems that are operated within the Workamajig environment. This includes all platforms (operating systems), all computer sizes (personal digital assistants, desktops, mainframes, etc.), and all applications and data (whether developed in-house or licensed from third parties) contained on those systems.

Risk: The probability of a loss of confidentiality, integrity, or availability of information resources.

 

6.   Information Security Responsibilities

1. Information Security Officer: The Information Security Officer (ISO) for each entity is responsible for working with user management, owners, custodians, and users to develop and implement prudent security policies, procedures, and controls, subject to the approval of Workamajig. Specific responsibilities include:
   1. Ensuring security policies, procedures, and standards are in place and adhered to by the entity.
   2. Providing basic security support for all systems and users.
   3. Advising owners in the identification and classification of computer resources. See Section VI Information Classification.
   4. Advising systems development and application owners in the implementation of security controls for information on systems, from the point of system design, through testing and production implementation.
   5. Educating custodian and user management with comprehensive information about security controls affecting system users and application systems.
   6. Providing ongoing employee security education.
   7. Performing security audits.
   8. Reporting regularly to the Workamajig Oversight Committee on the entity’s status with regard to information security.
2. Custodian: The custodian of information is generally responsible for the processing and storage of the information. The custodian is responsible for the administration of controls as specified by the owner. This role is performed by NTT America as our hosting provider. Responsibilities may include:
   1. Providing and/or recommending physical safeguards.
   2. Providing and/or recommending procedural safeguards.
   3. Administering access to information.
   4. Releasing information as authorized by the Information Owner and/or the Information Privacy/ Security Officer for use and disclosure using procedures that protect the privacy of the information.
   5. Evaluating the cost-effectiveness of controls.
   6. Maintaining information security policies, procedures, and standards as appropriate and in consultation with the ISO.
   7. Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate.
   8. Reporting promptly to the ISO the loss or misuse of Workamajig information.
   9. Identifying and responding to security incidents and initiating appropriate actions when problems are identified.
3. Support Staff Management: Workamajig management supervises the support staff as defined below. All Workamajig employees complete a background check prior to joining the team. User management is responsible for overseeing their employees' use of information, including:
   1. Reviewing and approving all requests for their employees’ access authorizations.
   2. Initiating security change requests to keep employees' security record current with their positions and job functions.
   3. Promptly informing appropriate parties of employee terminations and transfers, in accordance with local entity termination procedures.
   4. Revoking physical access to terminated employees, i.e., confiscating keys, changing combination locks, etc.
   5. Providing employees with the opportunity for training needed to properly use the computer systems.
   6. Reporting promptly to the ISO the loss or misuse of Workamajig information.
   7. Initiating corrective actions when problems are identified.
   8. Following existing approval processes within their respective organization for the selection, budgeting, purchase, and implementation of any computer system/software to manage information
4. Information Owner: The owner of a collection of information is usually the Workamajig client that is using the system. The owner of the information has the responsibility for:
   1. Ensuring appropriate procedures are in effect to protect the integrity and confidentiality of the information used or created within the unit.
   2. Specifying controls and communicating the control requirements to the users of the information.
   3. Reporting promptly to Workamajig the loss or misuse of Workamajig information.
   4. Initiating corrective actions when problems are identified.
   5. Promoting employee education and awareness.
   6. Setting password strength and authorization settings for end users of Workamajig.
   7. Following existing approval processes within the respective organizational unit for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.
5. End User: The user is any person who has been authorized to read, enter, or update information. A user of information is expected to:
   1. Access information only in support of their authorized job responsibilities.
   2. Comply with Information Security Policies and Standards and with all controls established by the owner and custodian.
   3. Keep personal authentication devices (e.g. passwords, SecureCards, PINs, etc.) confidential.
   4. Report promptly to the ISO the loss or misuse of Workamajig information.
   5. Initiate corrective actions when problems are identified.

7.   Application Security

1. Development. Applications shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.
2. Access control. Prior to granting customers access to data, assets, and information systems, identified security, contractual, and regulatory requirements for customer access shall be addressed.
3. Input validation. Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse.
4. Ongoing risk management. Upon the development and/or acquisition of new data, applications, infrastructure networks, systems components, or data center facilities, a risk review process is performed by Workamajig's business leadership to ensure the change does not introduce undue risk.

8.   Hosting Security

1. Each data center is compliant with SOC2 and SysTrust certifications. These certifications are governed by industry and government regulations and speak to critical aspects of the data centers — physical access, network and IP backbone access, system availability, customer provisioning, and problem management. This certification status is regularly audited and validated by Ernst & Young.
2. Physical Security. Each premier data center is staffed 24x7x365. Bulletproof glass, biometric hand scans, controlled man-traps, and digitally recorded closed-circuit video monitoring ensure the highest physical security levels. Fire suppression systems work in collaboration with heat and smoke detection systems.
3. Logical Security. All security best practices are utilized to ensure secure application operation, data storage, and communication with Border Gateway equipment, data center routers (Juniper, Cisco), and Firewalls. Servers are protected by Check Point Nokia Firewalls (managed by IBM Security Systems) limiting access to the servers as follows:
   1. Application servers allow only Authenticated Secure Web (HTTPS) traffic to pass and such traffic is stated fully inspected for harmful patterns and blocked if found.
   2. Database servers are not accessible from the Internet and communicate with Application servers out-of-band via a secondary back-link network.
   3. Remote monitoring and software/operating system maintenance is performed via encrypted Virtual Private Network (VPN) tunnels and with hard-coded point-to-point IP addressing.

9.   Data Security and Information Classification

1. Introduction. Classification is used to promote proper controls for safeguarding the confidentiality of information. Regardless of classification the integrity and accuracy of all classifications of information must be protected. The classification assigned and the related controls applied are dependent on the sensitivity of the information. The information must be classified according to the most sensitive detail it includes. The information recorded in several formats (e.g., source document, electronic record, report) must have the same classification regardless of format. The following levels are to be used when classifying information:
2. Confidential Information
   1. Confidential Information is very important and highly sensitive material. This information is private or otherwise sensitive in nature and must be restricted to those with a legitimate business need for access.
   2. Examples of Confidential Information may include: personnel information, key financial information, proprietary information of commercial research sponsors, system access passwords, and information file encryption keys and content from clients entered into Workamajig.
   3. Unauthorized disclosure of this information to people without a business need for access may violate laws and regulations or may cause significant problems for Workamajig, its customers, or its business partners. Decisions about the provision of access to this information must always be cleared through the information owner.
   4. Workamajig requires that periodic technical and non-technical evaluations be performed in response to environmental or operational changes affecting the security of electronic Confidential Information to ensure its continued protection. For more details, see the Audit Assurance section.
3. Internal Information
   1. Internal Information is intended for unrestricted use within Workamajig, and in some cases within affiliated organizations such as Workamajig business partners. This type of information is already widely distributed within Workamajig, or it could be so distributed within the organization without advance permission from the information owner.
      Examples of Internal Information may include personnel directories, internal policies, and procedures, and most internal electronic mail messages.
   2. Any information not explicitly classified as Confidential or Public will, by default, be classified as Internal Information.
   3. Unauthorized disclosure of this information to outsiders may not be appropriate due to legal or contractual provisions.
4. Public Information
   1. Public Information has been specifically approved for public release by a designated authority within each entity of Workamajig.
      Examples of Public Information may include marketing brochures and material posted to Workamajig entity internet web pages.
   2. This information may be disclosed outside of Workamajig.

10. Change Control and Configuration Management

1. Quality change control. Workamajig follows a defined quality change control and testing process with established testing and release standards that focus on system availability, confidentiality, and integrity of systems and services. This consists of the development, QA, UAT, and production procedures.
   1. Application code is developed and released on a monthly basis. The code is peer reviewed and reviewed by Workamajig business management prior to Quality Assurance (QA).
   2. Quality Assurance (QA) testing, following successful review, is performed following a set of test scripts, including verification of select functional and security requirements.
   3. User Acceptance Testing (UAT) is performed, following successful QA, as the new application changes are deployed to a select number of servers in a limited roll-out.
   4. Production deployment, following successful UAT, is performed on a rolling basis to all production servers.
2. Infrastructure network and systems components. Technical infrastructure changes are handled by NTT America, in a manner transparent to Workamajig and its customers, with controls covered under NTT America’s SOC 2, and in keeping with the Service Level Agreements (SLA) provided to Workamajig.
3. Ongoing change management. The change control and configuration management procedures are established to ensure the development and/or acquisition of new data, applications, infrastructure network, systems components, or data center facilities, have an approval and authorization process performed by Workamajig business leadership.

11. Threat and Vulnerability Management

1. Virus Protection. Virus-checking systems approved by the Information Security Officer and Information Services must be deployed using a multi-layered approach (desktops, servers, gateways, etc.) that ensures all electronic files are appropriately scanned for viruses. Users are not authorized to turn off or disable virus-checking systems.
2. Patching. Operating System security patches and software audits are performed automatically when released by the vendor.
3. Network Firewall. NTT America's Managed Firewall Services utilize best-in-class inspection technology, which intercepts packets at the network level for state and context information before passing or blocking. The service offers end-to-end management including installation, configuration, management, and monitoring.
4. Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). NTT America provides, maintains, manages, and monitors the IDS and IPS for Workamajig’s hosted environment.
   1. Intrusion Detection – passive monitoring; non-invasive, deep packet inspection with corresponding alerts and reports on identified threats.
   2. Intrusion Prevention – all of the features of IDS with the additional ability to mitigate & block/drop known malicious and other potentially harmful traffic or content.
5. Penetration Testing and Vulnerability Assessment. Independent reviews and technical assessments, including penetration testing and vulnerability assessments, are performed periodically to ensure that the organization is aware of and addressing the vulnerabilities within the Workamajig application, systems, and networks.

12. Access Controls

1. Access Controls. Physical and electronic access to Confidential and Internal information and computing resources is controlled. To ensure appropriate levels of access by internal workers, a variety of security measures will be instituted as recommended by the Information Security Officer and approved by Workamajig.
2. Authorization: Access will be granted on a “need to know” basis and must be authorized by the immediate supervisor and application owner with the assistance of the ISO. Any of the following methods are acceptable for providing access under this policy:
   1. Context-based access: Access control is based on the context of a transaction (as opposed to being based on attributes of the initiator or target). The “external” factors might include the time of day, location of the user, the strength of user authentication, etc.
   2. Role-based access: An alternative to traditional access control models (e.g., discretionary or non-discretionary access control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization’s structure and business activities. Each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role.

• User-based access: A security mechanism used to grant users of a system access based upon the identity of the user.

1. Identification/Authentication: Unique user identification (user id) and authentication is required for all systems that maintain or access Confidential and/or Internal Information. Users will be held accountable for all actions performed on the system with their user id.
   1. At least one of the following authentication methods must be implemented: strictly controlled passwords (Appendix 1: Password Control Standards).
   2. The user must secure his/her authentication control (e.g. password, token) such that it is known only to that user and possibly a designated security manager.
   3. The user must log off or secure the system when leaving it.

13. Physical and Remote Access

1. Physical Access: Access to areas in which information processing is carried out must be restricted to only appropriately authorized individuals. The following physical controls must be in place:
   1. File servers containing Confidential and/or Internal Information must be installed in a secure area to prevent theft, destruction, or access by unauthorized individuals.
   2. Workstations or personal computers (PC) must be secured against use by unauthorized individuals. The following local procedures and standards on secure and appropriate workstation use and physical safeguards must include:
      1. Position workstations to minimize unauthorized viewing of protected health information.
      2. Grant workstation access only to those who need it in order to perform their job function.
      3. Establish workstation location criteria to eliminate or minimize the possibility of unauthorized access to information.
      4. Employ physical safeguards as determined by risk analysis, such as locating workstations in controlled access areas or installing covers or enclosures to preclude passerby access to confidential information.
      5. Use automatic screen savers with passwords to protect unattended machines.
      6. Lock systems when users are not physically present.
   3. Facility access controls must be implemented to limit physical access to electronic information systems and the facilities they are housed in while ensuring that properly authorized access is allowed. Local policies and procedures must be developed to address the following facility access control requirements:
      1. Contingency Operations: Documented procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
      2. Facility Security Plan: Documented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
      3. Access Control and Validation: Documented procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
      4. Maintenance records: Documented policies and procedures to document repairs and modifications to the physical components of the facility, which are related to security (for example, hardware, walls, doors, and locks).
2. Remote Access: Access into the Workamajig network from outside will be granted using Workamajig-approved devices and pathways on an individual user and application basis. All other network access options are strictly prohibited. Further, Confidential and/or internal information stored or accessed remotely must maintain the same level of protection as information stored and accessed within the Workamajig network. Information from remote servers may not be transferred outside the network system protected by our firewalls other than for approved offsite backup systems.

14. Continuity and Recovery

1. Business Continuity Plan: Strategies and protection measures must be in place to react to natural and man-made threats based upon a geographically-specific risk, likelihood, and impact.
2. Contingency Plan: Controls must ensure that Workamajig can recover from any damage to computer equipment or files within a reasonable period of time. Each entity is required to develop and maintain a plan for responding to a system emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain Confidential, or Internal Information. This will include developing policies and procedures to address the following:
3. Data Backup Plan:
   1. A data backup plan must be documented and routinely updated to create and maintain, for a specific period of time, retrievable exact copies of information.
   2. Backup data must be stored in an off-site location and protected from physical damage.
   3. Backup data must be afforded the same level of protection as the original data.
   4. Standard Backups are performed (nightly differential, weekly full, 28-day rotation) to both hard drive arrays and tape (for secure off-site).
4. Disaster Recovery Plan: A disaster recovery plan must be developed and documented which contains a process enabling the entity to restore any loss of data in the event of a fire, vandalism, natural disaster, or system failure.
   1. Data from the East Coast and West Coast data centers are transferred encrypted to the other data center nightly as part of the disaster recovery plan.

15. Additional Computer and Information Controls

1. All involved systems and information are assets of Workamajig and are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software-based.
2. Ownership of Software: All computer software used by Workamajig in its business and licensed to third parties is either owned by Workamajig or licensed exclusively to Workamajig, and must not be copied by any third-party user for use at home or at any other location unless otherwise expressly authorized by the license agreement.
3. Installed Software: All software packages that reside on computers and networks within Workamajig must comply with applicable licensing agreements and restrictions and must comply with Workamajig's acquisition of software policies.
4. Information Access Controls: Physical and electronic access to Confidential and Internal information and computing resources is controlled. To ensure appropriate levels of access by internal workers, a variety of security measures will be instituted as recommended by the Information Security Officer and approved by Workamajig. Mechanisms to control access to Confidential and Internal information include (but are not limited to) the following methods:
   1. Transmission Security: Technical security mechanisms must be put in place to guard against unauthorized access to data that is transmitted over a communications network, including wireless networks. All communications must occur over an encrypted connection.
   2. Equipment and Media Controls: No confidential information is allowed to be removed from Workamajig premises for any reason. All backups will be maintained either on Workamajig servers or on specifically contracted backup equipment.
5. Confidential Information stored on external media (diskettes, cd-roms, portable storage, memory sticks, etc.) is prohibited.
6. Confidential Information must never be stored on mobile computing devices (laptops, personal digital assistants (PDA), smartphones, tablet PCs, etc.)
7. If Confidential Information is stored on external medium or mobile computing devices and there is a breach of confidentiality as a result, then the owner of the medium/device will be held personally accountable and is subject to the terms and conditions of Workamajig Information Security Policies and Confidentiality Statement signed as a condition of employment or affiliation with Workamajig.
8. Data Transfer/Printing:
   1. Electronic Mass Data Transfers: Downloading and uploading Confidential, and Internal Information between systems must be strictly controlled. Requests for mass downloads of, or individual requests for, information for research purposes that include Confidential Information must be approved through the ISO.
   2. Other Electronic Data Transfers and Printing: Confidential and Internal Information must be stored in a manner inaccessible to unauthorized individuals. Confidential information must not be downloaded, copied, or printed indiscriminately or left unattended and open to compromise. Confidential Information that is downloaded for educational purposes where possible should be de-identified before use. All printed information containing confidential information will be destroyed after use.
   3. Oral Communications: Workamajig staff should be aware of their surroundings when discussing Confidential Information. This includes the use of cellular telephones in public areas. Workamajig staff should not discuss Confidential Information in public areas if the information can be overheard. Caution should be used when conducting conversations in semi-private rooms, waiting rooms, corridors, elevators, stairwells, cafeterias, restaurants, or on public transportation.

16. SECURITY INCIDENT PROCEDURES

Cross-company viewing of information.
In the event that there is an error in the code and that information from one company is visible to another company in the software, the following procedure will be followed.

• The chief security officer will be notified of the breach and the extent of the information shared.
• The development will conduct an immediate review of the affected code to determine the cause
• Updated code will be deployed as soon as it is fully tested and confirms the breach is fixed.
• Notify all affected clients of the data that was shared and for what period of time.
• Review code fixes with staff who originally performed the change.

 

Access to unauthorized information in the application

In the event that security rights are applied incorrectly and an authorized user is able to access information that they should not have access to in the application, the following procedure will be followed.

• The chief security officer will be notified of the breach and the extent of the information shared.
• The development will conduct an immediate review of the affected code to determine the cause
• Updated code will be deployed as soon as it is fully tested and confirms the breach is fixed.
• Notify all affected clients of the data that was shared and for what period of time.
• Review code fixes with staff who originally performed the change.

 

Unauthorized access to servers, databases, or client files

In the event that our servers are breached or an outside party gains access to files or database records through some form of hacking, the following procedure will be followed.

• The chief security officer will be notified of the breach and the extent of the information shared.
• The development will conduct an immediate review of what information was accessed and how it was accessed in order to disable access to the information.
• Engage a certified outside party to assist with a review of the breach and to verify that it has been stopped.
• Updates to servers will be deployed as soon as possible to stop the breach and prevent further access.
• Notify all affected clients of the data that was shared and for what period of time.
• Review procedures and practices to prevent similar issues from occurring.

 

17.   DATA PROTECTION

All Personal Data and Sensitive Data in Workamajig are encrypted during their transmission (using TLS 1.2) to the Workamajig servers but are NOT encrypted while stored on these servers. The only items of information that are encrypted on the Workamajig servers are the following standard Workamajig fields: passwords, credit card numbers, and EIN numbers.

Appendix 1: Password Control Standards

The Workamajig Information Security Policy requires the use of strictly controlled passwords for accessing Confidential Information (CI) and Internal Information (II). (See Workamajig Information Security Policy for the definition of these protected classes of information.)

Listed below are the minimum standards that must be implemented in order to ensure the effectiveness of password controls.

Standards for accessing CI, II:

Users are responsible for complying with the following password standards:

1. Passwords must never be shared with another person unless the person is a designated security manager.
2. Every password must, where possible, be changed regularly – (between 45 and 90 days depending on the sensitivity of the information being accessed)
3. Passwords must, where possible, have a minimum length of six characters.
4. Passwords must never be saved when prompted by any application with the exception of central single sign-on (SSO) systems as approved by the ISO. This feature should be disabled in all applicable systems.
5. Passwords must not be programmed into a PC or recorded anywhere that someone may find and use them.
6. When creating a password, it is important not to use words that can be found in dictionaries or words that are easily guessed due to their association with the user (i.e. children’s names, pets’ names, birthdays, etc…). A combination of alpha and numeric characters is more difficult to guess.

Where possible, system software must enforce the following password standards:

1. Passwords routed over a network must be encrypted.
2. Passwords must be entered in a non-display field.
3. System software must enforce the changing of passwords and the minimum length.
4. System software must disable the user identification code when more than three consecutive invalid passwords are given within a 15-minute timeframe. Lockout time must be set at a minimum of 30 minutes.
5. System software must maintain a history of previous passwords and prevent their reuse.

The following password settings are available in Workamajig and may be enabled by Admin Users:

1. Passwords require numbers
2. Passwords require letters
3. Passwords require special characters
4. Passwords require capital letters
5. Passwords require lowercase letters
6. Passwords may not be similar to User ID
7. User must change the password on the first login
8. Password minimum length
9. Number of passwords to remember
10. Number of incorrect logins before the lockout
11. Number of days between password changes
12. Log out after the number of active minutes