Breach Policy

Breach Response and Notification Policy

  1. Overview

This policy mandates that any individual who suspects that a theft, breach or exposure of Ninja, LLC Protected or Sensitive information has occurred must immediately provide a description of what occurred via mail to Lennon Boggs. This mail address is monitored by Ninja, LLC’s PPO (Principal Privacy Officer), who will investigate all reported thefts, data breaches and exposures to confirm whether a theft, breach or exposure has occurred. If one has occurred, the PPO will follow the appropriate procedure in place.

  • Purpose

Ninja, LLC’s intentions for publishing a Breach Response and Notification Policy are to focus significant attention on information security and information security breaches, and how Ninja, LLC’s established culture of openness, trust and integrity should respond to such activity. Ninja, LLC Information Security is committed to protecting Ninja, LLC’s customers, employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

  • Scope

This policy applies to all who collect, access (or have access to), maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle non-public information (NPI) or personally identifiable information (PII) of Ninja, LLC and/or its clients. Any agreements with vendors will contain similar language and/or reference this policy, with attestations that the vendor has read, understands and agrees to comply with the same.

  • Policy

Confirmed theft, data breach or exposure of Ninja, LLC Protected or Sensitive information: As soon as a theft, data breach or exposure involving Ninja, LLC Protected or Sensitive information is identified, the process of removing all access to that resource will begin. The PPO will chair an incident response team to handle the breach or exposure. The team will include, where applicable, members from:

  • IT Infrastructure
  • IT Applications
  • Finance
  • Legal
  • Communications
  • Client/Customer Services (if customer data is affected)
  • Human Resources
  • The affected unit and/or department that uses the involved system or output, or whose information may have been breached or exposed
  • Additional units/departments based on the information type involved
  • Additional individuals as deemed necessary by the PPO

Confirmed theft, breach, or exposure of Ninja, LLC:

The PPO will be notified of the theft, breach or exposure. IT, along with the designated forensic team, will analyze the breach or exposure to determine the root cause. Any third party provider engaged by Ninja, LLC who collects, accesses (or has access to), maintains, distributes, processes, protects, stores, uses, transmits, disposes of, or otherwise handles non-public information (NPI) or personally identifiable information (PII) is required, as a condition of doing business with Ninja, LLC, to notify the PPO of any theft, breach or exposure. The PPO will treat such a notification the same as if it were a breach of Ninja, LLC; effectively this is out-sourcing the work while insourcing the liability. All policies and procedures relating thereto will be followed.

Work with Forensic Investigators:

As provided by Ninja, LLC’s cyber insurance, the insurer will need to provide access to forensic investigators and experts who will determine how the breach or exposure occurred; the types of information involved; the number of internal/external individuals and/or organizations impacted; and analyze the breach or exposure to determine the root cause. Where Ninja, LLC’s insurance policies do not direct or otherwise cover forensics, no additional forensics will be performed beyond the work done by the Breach Response team, unless such forensics are deemed necessary by Ninja, LLC’s PPO (or, if the PPO does not have the authority, by the person responsible for such a decision) or are required by law.

Develop a communication plan:

Work with the Ninja, LLC communications, legal and human resource departments to decide how to communicate the breach to: a) internal employees, b) the public, and c) those directly affected. As required by relevant laws and regulations, clients/customers must be notified of a breach and of the potential or realized exposure of NPI/PII. Any breach at a third party provider who, as required, has notified the PPO will, like any breach of Ninja, LLC, require a Communication Plan per this section. The responsibility of the third party provider is to notify Ninja, LLC if they have suffered, or believe they have suffered, a data breach; Ninja, LLC remains liable for disclosing the breach to its customers/clients.

Ownership and Responsibilities:

Custodians are those members of the Ninja, LLC team that have primary responsibility for maintaining any particular information resource. Custodians may be designated by any Ninja, LLC Executive in connection with their administrative responsibilities, or by the actual custody, collection, development, or storage of information. The Principal Privacy Officer is the member of the Ninja, LLC team, designated by Senior Management, who provides administrative support for the implementation, oversight and coordination of security procedures and systems with respect to specific information resources, in consultation with the relevant Custodians. Users include virtually all Ninja, LLC stakeholders to the extent they have authorized access to information resources, and may include Ninja, LLC employees, contractors, consultants, interns, temporary employees and volunteers. The Incident Response Team shall be Senior Management and may include, but will not be limited to, the following departments or their representatives: IT-Infrastructure, IT-Application Security, Communications, Legal, Management, Financial Services, Client/Customer Services and Human Resources.

Delay of Notification:

Authorized for Law Enforcement Purposes. If a law enforcement official states to the Covered Entity or a business associate that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, the Covered Entity or business associate shall:

    a) If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or
    b) If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time.

Definitions:

Breach – Breach means the acquisition, access, use, or disclosure of Non-Public Information or Personally Identifiable Information in a manner not permitted under relevant laws or regulations, which compromises the security or privacy of the protected information.

Breach excludes:

  1. Any unintentional acquisition, access, or use of protected information by a workforce member or person acting under the authority of a covered entity or business associate if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under governing law and/or regulation.
  2. Any inadvertent disclosure by a person who is authorized to access protected information at a covered entity or business associate to another person authorized to access NPI or PII at the same covered entity or business associate, or organized arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under governing law and/or regulation.
  3. A disclosure of protected information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

    a) Business Associate – A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected information (NPI or PII) on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate.
    b) Covered Entity – For NPI, covered entities are any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law. For PII, any organization, individual and/or individuals who use, store, destroy, transmit, copy, etc., Personally Identifiable Information.
    c) Encryption or encrypted data – The most effective way to achieve electronic information security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text.
    d) Plain text – Unencrypted data.
    e) Hacker – A slang term for a computer expert/enthusiast with demonstrated skills in programming languages, computer systems and social engineering, who can often be considered an expert on the subject(s).
    f) Non-Public Information (NPI) – Defined as all electronic information that is not publicly available information and is: business-related information, or information concerning an individual which, because of name, number, personal mark or other identifier, can be used to identify such an individual when combined with an SSN, driver’s license, account number, security code or biometric records.
    g) Personally Identifiable Information (PII) – Any information that can be used to contact, locate or identify a specific individual, either by itself or combined with other sources that are easily accessed. It can include information that is linked to an individual through financial, medical, educational or employment records. Some of the data elements that might be used to identify a certain person could consist of fingerprints, biometric data, a name, telephone number, email address or social security number. Ninja, LLC at LennonBoggs.com only requires that you provide an email address and password. Credit card information is stored with Paypal. Safeguarding PII and other sensitive information is the responsibility of federal agencies.
    h) Protected information – See NPI or PII.
    i) Information Resource – The data and information assets, both physical and electronic, of an organization, department or unit.
    j) Safeguards – Countermeasures and controls put in place to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. Safeguards help to reduce the risk of damage or loss by stopping, deterring, or slowing down an attack against an asset.
    k) Sensitive information – Information, whether encrypted or in plain text, that contains NPI or PII. See NPI or PII above.

Enforcement:

Any Ninja, LLC personnel found in violation of this policy may be subject to disciplinary action, up to and including termination of employment. Any third party partner company found in violation may have their network connection terminated and/or our relationship severed; the terms of the same to be defined in the Agreement memorializing such relationship.

Cyber Security Defense Policy

  1. Purpose

To establish requirements which must be met by all computers connected to Ninja, LLC’s networks, as well as the network, to ensure effective malware (virus, spyware, ransomware, etc.) detection and prevention.

  • Scope

This policy applies to all Ninja, LLC endpoints (workstations and servers), and the network to which they connect, that have access to NPI or PII or confidential company information. This includes, but is not limited to, websites, servers, cloud, desktop computers, laptop computers, file/ftp/tftp/proxy servers, and any equipment such as packet analyzers or other networking equipment capable of running application-based protective measures, and the network itself.

  • Policy

All Ninja, LLC endpoints must have Advanced Endpoint Protection installed, and the network must have an Advanced Cyber Event (ACE) appliance installed; these actively scan for malware, viruses, ransomware, unusual behavior, abnormal activity, etc., report on and alert on cyber events, and are scheduled to run full scans at regular intervals. In addition, they must be kept up-to-date. Any endpoint found to have been infected or attacked must be removed from the network until it is verified as malware-free. Admins/Managers are responsible for creating procedures that verify the protections are current and run at regular intervals, and that endpoints are verified as malware-free.

Any activities with the intention to create and/or distribute malicious programs into Ninja, LLC networks (e.g., malware, ransomware, viruses, worms, Trojan horses, e-mail bombs, etc.) are prohibited. Ninja, LLC maintains a managed Cyber Security Defense program and will therefore enforce policy-based protocols on active and proactive anti-malware procedures to help prevent cyber attacks. In addition, all employees and Interested Parties should avail themselves of the Cyber Defense Recommended Processes attached here to ensure reasonable care is taken to mitigate cyber attacks. At regular intervals, typically weekly, Ninja, LLC employees, contractors, et al. will be reminded of what to look for and how to react to cyber events. The above prescribed actions will be considered a required task and part of the recipients’ job duties.

  • Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

  • Cyber Defense Recommended Processes

Recommended processes to mitigate the likelihood of a cyber-attack:

  • Always make sure that an endpoint security suite is running. The suite is designed to download and install software and signature updates as they become available. Definition and program updates are performed at least daily.
  • NEVER open any attachments to an email from an unknown, suspicious or untrustworthy source. “Double delete” them by first deleting them and then deleting them from the deleted folder.
  • NEVER open any attachments to an email from a known source if you were NOT expecting them to send you an attachment. It is Ninja, LLC policy that no attachment be opened unless you expected it. If a known source sends one you weren’t expecting, contact them and confirm they sent it.
  • Delete spam, chain, and other junk email without forwarding.
  • Never download files from unknown or suspicious sources, including emails and websites.
  • Prohibit or restrict access to USB and other accessible devices. When Ninja, LLC allows access, avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
  • When Ninja, LLC allows access, always scan USB drives, CDs, DVDs and/or other portable media from an unknown source for viruses before using them.
  • Back up critical data and system configurations on a regular basis and store the data in a safe place.

Data Security Policy

  1. Data Security Policy

This data security policy covers the use of protected individually identifiable information. WHEREAS, Ninja, LLC (the Company) collects individually identifiable information, the confidentiality of which is protected by Privacy Laws.

  • Information Subject to this Policy

All data containing individually identifiable information about a person and/or their family, collected by or on behalf of the Company during the course of conducting business and provided to Ninja, LLC, together with all information derived from those data and all data resulting from merges, matches, or other uses of the data provided by the Company with other data, are referred to as protected data. Protected data under this policy may be in the form of USB sticks, CD-ROMs, hard copy, cloud, server, website, etc. Ninja, LLC may only use the protected data in a manner and for a purpose consistent with:

  • The statistical or transactional purpose for which the data were supplied;
  • The limitations imposed under the provisions of this policy and any agreement under which the data is collected; and
  • Uses necessary to conduct the business for which Ninja, LLC was contracted and which demand the protected data’s acquisition.

  • Individuals and/or Companies who may have access to Protected Data.

There are four categories of individuals that Ninja, LLC may authorize to have access to protected data:

  1. The Principal Privacy Officer (PPO) is the most senior officer in charge of the day-to-day operations involving the use of protected data.
  2. Professional/Technical Staff (P/TS) conduct the research and operations for which the data was acquired.
  3. Support staff includes secretaries, typists, computer technicians, messengers, etc. Ninja, LLC may disclose protected data to support staff who come in contact with the protected data in the course of their duties only to the extent necessary to support the operations under this policy.
  4. An independent contractor is an individual or company who has satisfied the requirements specified below. Ninja, LLC may disclose protected data to individuals or a company who desire to do independent contracting with Ninja, LLC under the following conditions:
    a) The Independent Contractor or Vendor submits a Non-Disclosure Agreement and/or a Third Party Service Agreement (separately or together, an NDA) for access to protected data to the Company directly;
    b) The Independent Contractor or Vendor undergoes and successfully passes appropriate due diligence as outlined in the Vendor Management Policy;
    c) Ninja, LLC provides written approval to disclose protected data to the independent researcher, the form of which may be a countersigned NDA; or
    d) Ninja, LLC may disclose protected data to only necessary P/TS personnel.

  • Limitations on Disclosure

Ninja, LLC shall not use or disclose protected data for any administrative purposes other than those expressly outlined in the agreements under which the data was collected and for the business purposes under which the data was acquired. Except as outlined in agreements under which the data was acquired, Ninja, LLC shall not disclose protected data, or other information containing or derived from protected data, at fine levels of geography to anyone other than Company employees working in the course of their employment or individuals for whom access is authorized under this policy or agreements subject thereto.

Ninja, LLC may make disclosures of protected data to individuals other than those specified in this paragraph only if those individuals have executed an affidavit of nondisclosure (NDA) and Ninja, LLC has agreed to such disclosure, acknowledgement of which may be through execution of the same NDA. Except as outlined in agreements under which the data was acquired, Ninja, LLC shall not make any publication or other release of protected data listing information. Except as outlined in agreements under which the data was acquired, Ninja, LLC may publish the results, analysis, or other information developed as a result of any research and/or operations based on protected data made available under this policy only in summary form, so that the identity and private information (PI) of individual respondents contained in the protected data is not revealed.

  • Administrative Requirements

The operations and research conducted by Ninja, LLC and the disclosure of protected data needed for that work must be consistent with the purpose for which the data were supplied and/or collected. Except as outlined in those agreements under which the data was acquired, the protected data may not be used to identify individual respondents for re-contacting.

  • Security Requirements

Maintenance of, and access to, protected data. Ninja, LLC shall retain the original versions, along with derivative work and backups of the protected data, in a secure manner and may make no copy or extract of the protected data available to anyone except a P/TS or independent contractor as necessary for the purpose of the operations and research for which the protected data were made available to or acquired by Ninja, LLC. Ninja, LLC shall maintain protected data (whether maintained on a server, personal computer or on printed or other material) in a space and/or manner that limits access to authorized P/TS.

Ninja, LLC shall ensure that access to protected data maintained in computer memory is controlled by password protection of sufficient complexity. Ninja, LLC shall maintain all print-outs, USB and other portable media, personal computers with protected data on hard disks, or other physical products containing individually identifiable information derived from protected data in locked cabinets, file drawers, or other secure locations when not in use, and obscured from unauthorized view when in use. Ninja, LLC shall ensure that all printouts, tabulations, and reports are edited for any possible disclosures of protected data as needed. Ninja, LLC shall establish security procedures to ensure that protected data cannot be used or taken by unauthorized individuals.

Ninja, LLC shall not permit removal of any protected data from the limited access space protected under the provisions of this policy, as required by agreements under which the data was acquired, without first notifying, and obtaining written approval from, the appropriate persons. Retention of protected data. Ninja, LLC shall retain, minimally, all protected data as required by law and/or governing bodies of authority where such data falls under their jurisdiction. Compliance with established security procedures. Ninja, LLC shall comply with the security procedures in place.

  • Penalties

Any violation of the terms and conditions of this policy may subject the user to immediate disciplinary action, including termination. Ninja, LLC shall initiate disciplinary action, including termination, by written notice to the offending party indicating the factual basis and grounds for such action. Upon receipt of the notice, the noticed party has thirty (30) days to submit written argument and evidence to the PPO indicating why the disciplinary action should be reconsidered.

The PPO shall decide whether to invoke or modify the action based solely on the information contained in the notice to the party and the party’s response, along with any other records contained in a history of cause, and shall provide written notice of the decision to the party within five (5) days after receipt of the party’s response. The PPO may extend this time period for good cause. The noticed party has five (5) days to appeal the decision of the PPO to the President, where such appeal is made in writing indicating why the decision by the PPO should be reconsidered. Any violation of this policy may also be a violation of Federal, Provincial or municipal law or statute in effect at that time.