Information Security Policy
Last Updated: November 21, 2023
Introduction
- Purpose. The purpose of the Information Security Policy at NMSDC is to establish guidelines, procedures, and responsibilities to ensure the confidentiality, integrity, and availability of information and information systems.
- Scope and Responsibility. This policy applies to all information and systems owned or operated by NMSDC, regardless of where they are located. This includes, but is not limited to:
- Electronic data and systems
- Hard copy records
- Physical facilities
- Personnel
- All NMSDC employees, Affiliate employees, contractors, and business partners are responsible for complying with this policy. NMSDC management is responsible for implementing and maintaining the security controls outlined in this policy.
Security Controls
- NMSDC has implemented a variety of security controls to protect its information and systems. These controls include:
- Access Control. Access to information and systems is restricted to authorized users only.
- Data Encryption. Sensitive data is encrypted at rest and in transit.
- Network Security. NMSDC uses firewalls and other network security devices to protect its systems from unauthorized access.
- Physical Security. NMSDC’s physical facilities are protected by security cameras, access control systems, and other physical security measures.
- Information Security Awareness. NMSDC employees and Affiliate employees are required to complete information security awareness training on a regular basis when offered.
Access Control
- Access Control Principles. The NMSDC Access Control Policy is based on the following principles:
- Least Privilege. Users are granted the least amount of access necessary to perform their job duties.
- Need to Know. Users are granted access to information and systems only on a need-to-know basis.
- Separation of Duties. Access to critical information and systems is separated among multiple users.
- Users are accountable for their use of NMSDC information and systems.
- Access Control Procedures. NMSDC uses a variety of access control procedures to implement the principles outlined above. These procedures include:
- User Accounts. All users are assigned a unique user account and password.
- Access Roles. Users are assigned access roles that define the information and systems that they are authorized to access.
- Access Reviews. Access to information and systems is reviewed on a regular basis to ensure that users are still authorized to access the information and systems that they need.
- User Authentication. Access to NMSDC systems and data shall be controlled through strong authentication methods, including but not limited to:
- Username and password
- Two-factor authentication (2FA)
- Authorization. Access to information and systems shall be based on the principle of least privilege. Users and systems shall be granted only the permissions necessary to perform their duties.
- User Account Management. User accounts shall be created, modified, and terminated in accordance with NMSDC’s user account management procedures. Inactive accounts shall be regularly reviewed and disabled or removed as appropriate.
- Password Policy.
- Password requirements.
- Users must choose strong passwords that meet the following criteria:
- A minimum length of 8 characters.
- A combination of uppercase and lowercase letters, numbers, and special characters.
- Passwords should not be based on easily guessable information, such as names or birthdays.
- Passwords should not be reused within a specified number of generations.
- Password Changes. Users are required to change their passwords regularly. The frequency of password changes should be defined in accordance with the organization’s risk assessment and regulatory requirements.
- Password Sharing. Users are prohibited from sharing their passwords with anyone, including IT personnel or supervisors. Passwords are for individual use only.
- Password Recovery. A secure and authorized process for password recovery shall be implemented. This process will confirm the identity of the user before resetting or recovering a password.
Information Classification and Handling
- Purpose. NMSDC recognizes the utmost importance of safeguarding the confidentiality of information and data held within our organization. NMSDC shall implement appropriate security controls to protect data based on its classification. This includes encryption, access controls, and regular assessments.
- Information Classification. All information assets shall be classified based on their sensitivity and importance into the following categories:
- Public Information. Information intended for unrestricted disclosure. Example: Marketing materials, public websites, and non-sensitive data.
- Internal Information. Information intended for internal use within the organization. Example: Company policies, internal reports, data for employees.
- Confidential Information. Sensitive data that, if mishandled, could harm the organization or individuals. Example: Employee and customer personal information, financial records, intellectual property.
- Obligation to Protect Confidential Information. All NMSDC and Affiliate employees, contractors, third-party service providers, and any entities accessing NMSDC information systems are required to protect and maintain the confidentiality of information classified as Confidential.
- Access Control and Least Privilege. Access to Confidential information shall be limited to only those personnel who require access for legitimate business purposes. Access permissions shall be managed according to the principle of least privilege.
- Non-Disclosure Agreements. Third-party contractors, vendors, or service providers who have access to NMSDC’s Confidential information shall be required to enter into non-disclosure agreements (NDAs).
- Training and Awareness. NMSDC will provide training and awareness programs to educate Affiliate employees and personnel about the significance of safeguarding confidential information and the security measures in place to protect it.
Failure to uphold this confidentiality statement and NMSDC’s Information Security Policy may result in disciplinary actions, up to and including termination of the Agreement, and could lead to legal consequences.
By adhering to these confidentiality principles, NMSDC demonstrates its commitment to maintaining the trust and confidence of its stakeholders, partners, and the individuals whose information it handles.
Database Use Terms and Conditions
- Purpose. The following Terms and Conditions (“Terms”) apply to the Affiliate’s access and use of the NMSDC Hub (“Database”), which is made available by NMSDC. The Affiliate’s use of the Database constitutes acceptance of these Terms. Should the Affiliate disagree with any of the stipulated Terms, they must refrain from using the Database.
License and Use
- License Grant. Subject to compliance with these Terms, NMSDC grants Affiliate a restricted, non-exclusive, non-transferable, and rescindable license to access and utilize the Database for the following purposes:
- MBE search and lead management.
- Registration of local members.
- Local and national member communications.
- Contract opportunity leads.
- MBE pre-qualification and certification referral.
- Reporting on KPIs and other reporting as detailed in the Statement of Work (SOW).
Restrictions
Access to and utilization of the Database is confined to the activities outlined in Section 1. The following actions are strictly forbidden:
- Unauthorized copying, reproduction, or distribution of the Database or its content.
- Engaging in reverse engineering, decompiling, or any similar attempt to discern the Database’s source code.
- Using the Database for any unlawful, unethical, or malicious purposes.
Database Credentials
- Individual User Credentials. User credentials are assigned to individual users and should not be shared. Sharing user credentials is strictly prohibited.
- Identity. User shall not impersonate any person or entity, falsely state or otherwise misrepresent affiliation with any person or entity, or use any fraudulent, misleading, or inaccurate email address or other contact information.
- Responsibility. User credential owners are responsible for all activities conducted with their assigned user credentials.
- User Credential Assignment. User credential administrators may only assign user credentials to individuals authorized to receive access based on their relationship with NMSDC or their company’s relationship with NMSDC.
- Protection of User Credentials. User credentials must be kept confidential to prevent unauthorized access to the system.
Data Management and Privacy
- Data Copy/Download. Users are strictly prohibited from copying or downloading MBE details and certification data and making it available to users outside their own organization. This includes the prohibition to add certification details to supplier profile data that is shared across corporations or any other third-party platforms.
- Marketing. Users must not use the information for marketing products or services.
- Data Handling. Users are required to handle data with care, ensuring that confidential information is not inappropriately disclosed, lost, or compromised.
- Data Confidentiality. Users must treat all information accessed within the Database as confidential and must not disclose it to anyone NMSDC has not authorized to receive it.
Database Monitoring
Affiliate acknowledges and agrees that NMSDC has the right to monitor the use of the Database electronically from time to time and to disclose any information as necessary or appropriate to satisfy any law, to operate the Database, or to protect itself or its clients.
Penalties for Misuse of MBE Details and Certification Data
- Access Limitation/Revocation. In the event of misuse, NMSDC reserves the right to limit or revoke a user’s access to the Database.
- Termination of Relationship. Misuse of the Database may result in penalties, leading up to the termination of the Agreement.
Data Accuracy Disclaimer
NMSDC makes every effort to provide accurate and up-to-date data within the Database. However, NMSDC does not warrant or guarantee the accuracy, completeness, or reliability of the information provided in the system.
Limitation of Liability
NMSDC is not liable for any direct, indirect, incidental, special, or consequential damages arising from Affiliate use of the Database.
- Third-Party Links. The Database may contain links to third-party websites or resources. NMSDC is not responsible for the availability or content of these external sites and shall not be held liable for any loss or damage arising from the use of such external resources.
Remote Access Policy
- Purpose. The Remote Access Policy governs the use of remote access to NMSDC’s information systems and data. Remote access to NMSDC systems and data shall be granted only to authorized personnel through secure, encrypted connections and using strong authentication methods.
- Remote Access Requirements. Remote access to NMSDC systems and data shall meet the following requirements:
- Remote access to NMSDC systems and data will be authorized and granted based on job roles and responsibilities.
- Remote users must use secure, encrypted connections such as Virtual Private Networks (VPNs) or other approved methods.
- Strong authentication methods, such as two-factor authentication (2FA), must be used for remote access.
- Monitoring. Remote access sessions shall be monitored for security and compliance. Unauthorized access attempts shall be reported and investigated.
- Termination. Remote access privileges will be terminated upon the end of an employee’s contract or when access is no longer required for the job role.
Cloud Hosted Applications
- All cloud hosted applications must be approved by NMSDC IT before they are used.
- Access to cloud hosted applications must be managed through NMSDC’s identity and access management (IAM) system.
- Cloud hosted applications must be configured to use strong encryption for all data at rest and in transit.
- Cloud hosted applications must be regularly monitored for security vulnerabilities.
Exception Request Policy
- Purpose. The Exception Request Policy defines the process for requesting exceptions to established information security policies.
- Exception Request Procedure. Employees or authorized personnel may request an exception to a security policy by submitting a formal exception request. The request must include details of the policy to be exempted, a justification, and a proposed alternative security measure.
- Review and Approval. Exception requests will be reviewed by the Information Security Officer (ISO) and relevant stakeholders. Exceptions may be granted, denied, or subject to conditions as determined by the ISO and senior management.
- All exception requests, decisions, and related documentation will be maintained for auditing and compliance purposes.
Inactivity Timeout Policy
- Purpose. The Inactivity Timeout Policy outlines the requirements for automatically logging out users from their sessions after a period of inactivity.
- Timeout Settings. User sessions on NMSDC systems shall be set to automatically log out after a defined period of inactivity. The timeout period will be appropriate for the sensitivity of the data and systems being accessed.
Email Security Policy
- Purpose. The Email Security Policy outlines guidelines and best practices for the secure use of email within NMSDC.
- Email Encryption. Emails containing sensitive or confidential information must be encrypted during transmission. Users are responsible for using email encryption tools provided by NMSDC when required.
- Phishing Awareness. Employees shall receive training and awareness programs to recognize and report phishing attempts. Suspicious emails should be reported to the IT department for investigation.
- Attachments. Caution must be exercised when opening email attachments. Untrusted attachments should not be opened, and attachments from unknown sources should be treated with caution.
- Email Retention. NMSDC shall establish email retention policies to comply with legal and regulatory requirements. Emails should be archived and retained for the specified time period.
Compliance
- NMSDC shall regularly review and update these policies to ensure they align with applicable laws, regulations, and industry standards.
Enforcement
- Failure to comply with this Information Security Policy may result in disciplinary actions, up to and including termination of employment or Agreement.
Changes to the Policy
NMSDC reserves the right to update or modify this policy at any time and for any reason. Any changes will be effective immediately. NMSDC will notify the Affiliate, and the Affiliate is responsible for reviewing the changes to the policy and complying with them.
Contact Information
For questions or concerns related to these Terms, please contact NMSDC at itsupport@nmsdc.org.