Data Safeguards
The following terms describe the technical and organizational measures, internal controls and information security requirements that Cope Plastics, Inc. maintains to safeguard company data as well as data provided by or on behalf of our partners (customers/vendors) in conducting business with Cope Plastics, Inc.
These security measures are intended to protect Cope Plastics, Inc’s data and Partner data when in Cope Plastics, Inc’s environments (e.g., systems, networks, facilities) against accidental, unauthorized or unlawful access, alteration, loss, or destruction.
When Cope Plastics, Inc and/or Partner data includes personal data, our implementation of and compliance with these measures is designed to provide an appropriate level of security in respect of the processing of the personal data. Cope Plastics, Inc may change these measures from time to time, without notice, so long as any such revisions do not materially reduce or degrade the protection provided for the Partner Data.
Likewise, Cope Plastics, Inc expects any partners accessing our systems or accessing Cope Plastics, Inc. company data as part of any implementation project or in providing support/maintenance services will also comply with these security measures that are put in place to protect Cope Plastics, Inc employees and company assets.
STANDARD DATA SAFEGUARDS:
- Organization of Information Security
- Security Ownership. Cope Plastics, Inc has a Systems Security Officer (SSO) responsible for coordinating and monitoring security policies and procedures.
- Security Roles and Responsibilities. Cope Plastics, Inc’s personnel with access to Partner Data will be subject to confidentiality obligations.
- Risk Management Program. Cope Plastics, Inc will have a risk management program in place to identify, assess and take appropriate actions with respect to risks related to the processing of the Partner Data in connection with the applicable agreement between the Parties.
- Asset Management
- Asset Inventory. Cope Plastics, Inc will maintain an asset inventory of its infrastructure, network, applications and cloud environments. Cope Plastics, Inc will also maintain an inventory of its media on which Partner Data is stored. Access to the inventories of such media will be restricted to personnel authorized by the SSO to have such access.
- Data Handling. Cope Plastics, Inc will
- Classify Partner Data to help identify such data and to allow for access to it to be appropriately restricted.
- Limit printing of Partner Data from its systems to what is minimally necessary to perform services and have procedures for disposing of printed materials that contain Partner Data.
- Require its personnel to obtain appropriate authorization prior to storing Partner Data outside of contractually approved locations and systems, remotely accessing Partner Data, or processing Partner Data outside the Parties’ facilities.
- Personnel Security Training
- Cope Plastics, Inc will
- Inform its personnel about relevant security procedures and their respective roles.
- Inform its personnel of possible consequences of breaching the security rules and procedures.
- Physical and Environmental Security
- Physical Access to Facilities. Cope Plastics, Inc will implement and maintain procedures to limit authorized access to its facilities where information systems that process Partner Data are located.
- Physical Access to Components. Cope Plastics, Inc will maintain records of the incoming and outgoing media containing Partner Data, including the kind of media, the authorized sender/recipients, date and time, the number of media, and the types of Partner Data they contain.
- Component Disposal. Cope Plastics, Inc will use industry standard (e.g., ISO 27001, CIS Sans 20, and/or NIST Cyber-Security Framework, as applicable) processes to delete Partner Data when it is no longer needed.
- Communications and Operations Management
- Cope Plastics, Inc will maintain security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Partner Data.
- Mobile Device Management (MDM)/Mobile Application Management (MAM). Cope Plastics, Inc will maintain a policy for its mobile devices that:
- Enforces device encryption.
- Prohibits use of blacklisted apps.
- Prohibits enrollment of mobile devices that have been “jail broken.”
- Data Recovery Procedures. Cope Plastics, Inc will
- Have specific data recovery procedures with respect to its systems in place designed to enable the recovery of Partner Data being maintained in its systems.
- Review its data recovery procedures at least annually.
- Log data restoration efforts with respect to its systems, including the person responsible, the description of the restored data and, where applicable, the person responsible and which data (if any) had to be input manually in the data recovery process.
- Malicious Software. Cope Plastics, Inc will
- Have anti-malware controls to help avoid malicious software gaining unauthorized access to Partner Data, including malicious software originating from public networks.
- Data Beyond Boundaries. Cope Plastics, Inc will
- Encrypt Partner Data that it transmits over public networks.
- Protect Partner Data in media leaving its facilities (e.g., through encryption).
- Implement automated tools where practicable to reduce the risks of misdirected email, letters, and / or faxes from its systems.
- Event Logging
- For its systems containing Partner Data, Cope Plastics, Inc will log events consistent with its stated policies or standards.
- Access Control
- Access Policy. Cope Plastics, Inc will
- Maintain a record of security privileges of individuals having access to Partner Data via its systems.
- Access Authorization. Cope Plastics, Inc will
- Maintain and update a record of personnel authorized to access Partner Data via its systems.
- When responsible for access provisioning, promptly provision authentication credentials.
- Deactivate authentication credentials where such credentials have not been used for a period of 90 days.
- Deactivate authentication credentials upon notification that access is no longer needed (e.g. employee termination, project reassignment, etc.) within 24 hours.
- Identify those personnel who may grant, alter or cancel authorized access to data and resources.
- Ensure that where more than one individual has access to its systems containing Partner Data, the individuals have unique identifiers/logins (i.e., no shared ids).
- Least Privilege. Cope Plastics, Inc will
- Only permit its approved personnel to have access to Partner Data when needed.
- Maintain controls that enable emergency access to production systems via privileged ids, temporary ids or ids managed by a Privileged Access Management (PAM) solution.
- Restrict access to Partner Data in its systems to only those individuals who require such access to perform their job function.
- Limit access to Partner Data in its systems to only that data minimally necessary to perform the services.
- Support segregation of duties between its environments so that no individual person has access to perform tasks that create a security conflict of interest (e.g., developer/reviewer, developer/tester).
- Integrity and Confidentiality. Cope Plastics, Inc will
- Instruct its personnel to disable all sessions and lock workstations when leaving premises or when computers are otherwise left unattended.
- Cope Plastics, Inc will
- Use industry standard (e.g., ISO 27001, CIS Sans 20, and/or NIST Cyber-Security Framework, as applicable) practices to identify and authenticate users who attempt to access its information systems.
- Where authentication mechanisms are based on passwords, require that the passwords are renewed regularly.
- Where authentication mechanisms are based on passwords, require the password to contain at least eight characters and three of the following four types of characters: numeric (0-9), lowercase (a-z), uppercase (A-Z), special (e.g., !, *, &, etc.).
- Ensure that de-activated or expired identifiers are not granted to other individuals.
- Monitor repeated attempts to gain access to its information systems using an invalid password.
- Maintain industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed.
- Use industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, as well as during storage.
- Multi Factor Authentication. Cope Plastics, Inc will
- Implement Multi-Factor Authentication for internal access and remote access over virtual private network (VPN) to its systems.
- Penetration Testing and Vulnerability Scanning of Cope Plastics, Inc Systems.
- At least annually, Cope Plastics, Inc will perform penetration and vulnerability assessments on Cope Plastics, Inc’s IT environments in accordance with Cope Plastics, Inc’s internal security policies and standard practices.
- Cope Plastics, Inc agrees to share summary level information related to such tests as conducted by Cope Plastics, Inc to the extent applicable to the Services.
- Network and Application Design and Management. Cope Plastics, Inc will
- Have controls to avoid individuals gaining unauthorized access to Partner Data in its systems.
- Use network-based web filtering to prevent access to unauthorized sites.
- Use network intrusion detection and / or prevention in its systems.
- To the extent technically possible, expect that the Parties will work together to limit the ability of Cope Plastics, Inc personnel to access non-Partner and non-Cope Plastics, Inc environments from the Partner systems.
- Maintain up to date server, network, infrastructure, application and cloud security configuration standards.
- Scan its environments to ensure identified configuration vulnerabilities have been remediated.
- Patch Management
- Cope Plastics, Inc will have a patch management procedure that deploys security patches for its systems used to process Partner Data that includes:
- Defined time allowed to implement patches (not to exceed 90 days for high or medium patches as defined by Cope Plastics, Inc’s standard); and
- Established process to handle emergency or critical patches as soon as practicable.
- Workstations
- Cope Plastics, Inc will implement controls for workstations it provides that are used in connection with service delivery/receipt incorporating the following:
- Software agent that manages overall compliance of workstation and reports at a minimum on a weekly basis to a central server
- Encrypted hard drive
- Patching process so that workstations are patched within the documented patching schedule
- Ability to prevent blacklisted software from being installed
- Antivirus with a minimum weekly scan
- Firewalls installed
- Information Security Breach Management
- Security Breach Response Process. Cope Plastics, Inc will maintain a record of its own security breaches in its systems with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the process for recovering data.
- Service Monitoring. Cope Plastics, Inc’s security personnel will review their own logs as part of their security breach response process to propose remediation efforts if necessary.
- Business Continuity Management
- Cope Plastics, Inc will have processes and programs that are aligned to ISO 22301 to enable recovery from events that impact its ability to perform in accordance with the Agreement.
- Technical Supplementary Measures:
- The Partner Data in transit between Cope Plastics, Inc entities will be strongly encrypted with encryption that:
- is state of the art,
- secures the confidentiality for the required time period,
- is implemented by properly maintained software,
- is robust and provides protection against active and passive attacks by public authorities, including crypto analysis, and
- does not contain back doors in hardware or software, unless otherwise agreed with the applicable Partner.
- The Partner Data at rest and stored by any Cope Plastics, Inc entities will be strongly encrypted with encryption that:
- is state of the art,
- secures the confidentiality for the required time period,
- is implemented by properly maintained software,
- is robust and provides protection against active and passive attacks by public authorities, including crypto analysis, and
- does not contain back doors in hardware or software, unless otherwise agreed with the applicable Partner.
- Organizational Supplementary Measures:
- The Partner Data transfer between Cope Plastics, Inc entities and the processing by any Cope Plastics, Inc entities will be in accordance with:
- Cope Plastics, Inc’s internal policies and procedures to manage requests from public authorities to access personal data,
- Cope Plastics, Inc’s internal data access and confidentiality policies and procedures,
- Cope Plastics, Inc’s internal data minimization policies and procedures, and
- Cope Plastics, Inc’s internal data security and data privacy policies and procedures.