Skyline Capital Builders LLC and its affiliates (“Skyline”) require that their service providers, suppliers and vendors (collectively, “You”) comply with the requirements set forth in this Vendor Information Security Policy (“Policy”) with respect to any information (“Skyline Data”) that You create, access or collect from or on behalf of Skyline, including Skyline’s employees, representatives, customers, distributors, or other business partners.
This Policy does not limit other obligations of Yours, including under any agreements between You and Skyline or laws that apply to You. To the extent this Policy directly conflicts with any agreement between You and Skyline, You will promptly notify Skyline of the conflict and will comply with the requirement that is more restrictive and more protective of Skyline Data, which may be designated by Skyline. You will maintain a named individual or group who is responsible for ensuring compliance with this Policy.
You shall implement suitable measures, including an acceptable use policy, to ensure that Your employees, contractors, temporary staff, system administrators, vendors, suppliers, service providers and any other persons to whom You disclose Skyline Data (collectively, “users”) act in accordance with this Policy and Your instructions.
You must maintain acknowledgement by all users that they will adhere to Your security measures, including Your acceptable use policy.
You must enter into confidentiality agreements that reflect the protections herein with all users before permitting them to access Skyline Data.
You shall implement suitable measures to prevent unauthorized persons from gaining physical access to the data processing equipment where Skyline Data is processed, including but not limited to the following:
Access to premises shall be protected by physical safeguards to protect secure areas, including locks and floor-to-ceiling barriers;
A card-key shall be required to access the facilities wherein Skyline Data is processed;
Card-key issuance shall be subject to appropriate restrictions and the principle of least privilege (i.e., strictly on a need-to-know basis);
A 24/7 security alarm system shall be maintained and reliable security guards or services shall be used;
Continuous monitoring of access and exit points of your physical facilities;
Continuous logs of access to secure processing areas shall be maintained.
You shall implement suitable measures to prevent Your data processing systems from being used/accessed by unauthorized persons, including but not limited to the following:
You shall maintain an inventory of assets which may hold or process Skyline Data, including but not limited to computers, firewalls, routers, security devices, servers and external systems and services;
Users shall be issued their own unique login credentials which they must be required not to share with other users and which, once assigned, cannot be re-assigned to another person;
Users shall be assigned access rights dependent on their job requirements and in accordance with the principle of least privilege;
Users’ access rights shall be reviewed quarterly or more frequently;
User passwords must adhere to industry standard constraints in length, complexity, aging and history;
Your data processing systems and equipment shall hash user passwords and not store or save passwords to disk, and mask users’ authentication details, such as passwords, to prevent their display in plain text;
You shall disable a user’s access privileges to Your data processing systems as soon as possible after the user’s access privileges are no longer required, such as if the user was an employee of Yours who was terminated;
You shall prohibit personnel from installing hardware and software within processing systems without authorization from Your IT Security Department issued after ensuring the hardware and software is not subject to known vulnerabilities;
If a user has been given access to any Skyline-controlled data processing systems as part of their functions under Your control and the user no longer requires such access, You shall notify Skyline as soon as possible so that Skyline may disable the user’s access privileges;
You shall administer and enforce policies and procedures in respect of each user’s rights and obligations in respect of Skyline Data and which detail appropriate consequences of any violations of such obligations;
Two-factor authentication shall be used before a user may log in;
The user session of a user of Your data processing systems shall be automatically terminated after 30 minutes of inactivity or less;
A user account shall be automatically locked out after several erroneous passwords are entered on login;
You shall implement appropriate automated monitoring systems to detect unusual or unauthorized activities and conditions at ingress and egress communication points, including tools that monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts; and
All access and changes to Skyline Data via Your data processing systems shall be logged, monitored, and tracked.
You shall use all appropriate encryption, firewall, anti-virus and other information security technologies to prevent the unauthorized access, use, disclosure, modification and deletion of Skyline Data, including but not limited to the following:
encrypt all Skyline Data at rest and when in transit over public networks;
encrypt passwords separately from (or in addition to) other data―for example, if the entire database is encrypted at rest, passwords within the database must be encrypted again at the column level;
ensure that all devices containing Skyline Data are encrypted either at the disk level or partition level (or equivalent);
Users’ computers must maintain a firewall, antivirus, whole disk or partition encryption, and must be set to automatically update their antivirus measures daily at a minimum; and
You shall maintain the integrity of Skyline Data via ongoing problem diagnostics, escalation procedures, and configuration and patch management.
You shall implement suitable measures to make sure that data collected for different purposes can be processed separately, including but not limited to the following:
You shall ensure strict logical and physical separation, as appropriate, between Skyline Data and data received from different clients;
Access to data shall be separated through application security for the appropriate users;
Modules within Your database shall separate data based on the purpose for which it is used;
At the database level, data shall be stored in different areas, separated per module or function they support; and
Interfaces, batch processes and reports shall be designed for only specific purposes and functions, so that data collected for specific purposes is processed separately.
You shall implement suitable measures to prevent Skyline Data from being accessed, used, disclosed altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media, including but not limited to the following:
You shall use appropriate firewall and encryption technologies;
You shall implement all reasonable and appropriate perimeter defense safeguards, including but not limited to firewalls, router configuration, intrusion detection or prevention systems, the use of Secure Socket Layers, and anti-virus/anti-spyware software to mediate all traffic and to systems that are accessible from the Internet;
You shall implement all reasonable and appropriate measures to “harden” systems that are exposed to the Internet, including but not limited to removing or disabling unnecessary services and applications and properly configuring user authentication; and
As far as possible, You shall log and monitor all data transmissions, and monitor the completeness and correctness of transferred data
You shall implement suitable measures to make sure that Skyline Data is protected from accidental destruction or loss, including but not limited to the following:
You shall implement infrastructure redundancy to ensure that data is backed up at an industry-standard frequency and data access can be restored as soon as practicable where necessary;
Backups shall be stored off-site and available for restore in case of failure of Your main data processing systems;
You shall ensure that only You may authorize the recovery of backups or the movement of data outside of Your main data processing systems, and security measures will be adopted to avoid loss or unauthorized access to data, when moved; and
You shall implement and administer appropriate disaster recovery and business continuity plans which are tested annually or more frequently.
You shall undergo at least annual external penetration testing on network appliances and applications, through trusted security partners, to ensure the systems remain secure and contained.
You shall undergo at least annual internal audits with respect to Your security policies and procedures to ensure that they are at least protective of data as this Policy.
You shall maintain and comply with a risk assessment program that includes identification, tracking, and remediation of all identified risk and vulnerabilities to Your infrastructure, data, and other relevant systems.
You shall conduct personnel privacy and security training regularly to ensure that they understand and adhere to Your information security policies and protocols.
You shall administer and enforce appropriate policies and procedures to ensure that Skyline Data is securely deleted, destroyed or erased once it is no longer required, irrespective of the media on which such information is stored, including after the termination of all of Your services for Skyline.
You shall conduct appropriate background checks of employee and contractor candidates as permitted by applicable law.
You shall administer and enforce policies and procedures to identify and respond to incidents involving Skyline Data, mitigate the effects of any such incidents, document their outcomes, and notify appropriate stakeholders, including Skyline.
You shall conduct due diligence of vendors, suppliers and service providers that process Skyline Data to ensure that they implement appropriate security standards, including to ensure that they are able to implement measures no less protective than those set forth in this Policy.
You shall implement policies providing for disciplinary action with respect to users who do not comply with Your information security policies.