Cybersecurity Policy

It is US Housing Consultants’ goal to reduce and manage the risk of Cybersecurity Incidents and other events that may harm the Organization. Technology vulnerabilities, weaknesses in technology implementation, and procedural gaps can increase US Housing Consultants’ exposure to and reduce the Organization’s resilience to Cybersecurity Incidents. The following controls are intended to minimize US Housing Consultants’ exposure to and harm from Cybersecurity Incidents. It is the Organization’s policy that all Personnel adhere to this Policy when acting on behalf of US Housing Consultants and when using any of US Housing Consultants’ Computing Assets.

Computer Asset Inventory

Information Technology must establish and maintain an inventory of all Computing Assets issued to Personnel, deployed on networks, or used to store Organization data. When discovered, Computing Assets not in the inventory must be promptly removed from use, quarantined, or added to the inventory. Information Technology must establish and maintain an inventory of all software authorized for use within the Organization. Upon discovery, software not found in the inventory must be promptly uninstalled or added to the inventory. Only software for which security patches are available and for which new security patches are continuing to be developed may be authorized; exceptions must be tracked in the software inventory.

Network Engineering must establish and maintain an inventory of all the Organization’s authorized network boundaries. Upon discovery, boundaries not found in the inventory must be promptly shut down or added to the inventory; exceptions must be tracked.

Cybersecurity Procedures and Requirements

  • All default passwords must be changed before putting any Computing Asset into service. Newly assigned passwords must comply with the Organization’s password security standard.
  • Only approved versions of email clients and web browsers may be used within the Organization. At a minimum, approved email clients and web browsers are limited to fully-supported versions that include the technology’s latest security features. Email client and web browser security features must be enabled to ensure maximum security protection.
  • User devices must be configured to lock sessions automatically after a defined period of inactivity.
  • A DNS filtering service must be implemented to prevent access to malicious domains. Where supported, web browsers must also be configured to use vendor-provided domain reputation checks.
  • Anti-malware software must be implemented on all Computing Assets where such software is supported. The anti-malware software must be configured to update regularly and automatically scan Removable Media when Removable Media is connected to the asset.
  • Portable devices must utilize encryption software to protect the Organization’s data stored on the device. Examples of portable devices include phones, tablets, and laptops.
  • To ensure that network security controls are effective, Network Engineering must deploy the latest stable version of security updates to all wired and wireless network infrastructure.

Data Backup and Storage Security

All data used in the process of company business is stored externally in a highly encrypted cloud storage environment, which is accessible only by the Managing Partner and the IT Manager and requires two security keys and tokens and two-step verification to access. Data is in a mirrored environment, which creates a continuous real-time backup of all data.

Personally Identifiable Information Policy

Policy Statement

It is the policy of US Housing Consultants to protect personally identifiable information (PII) of employees, US Housing Consultants clientele, contractors, and volunteers. The electronic restrictions and safeguards outlined in this policy provide guidance for employees and US Housing Consultants contractors with access to PII retained by US Housing Consultants to ensure compliance with state and federal regulations.

Definitions

Personally Identifiable Information (PII) is any information about an individual that can be used to distinguish or trace a person’s identity. Some information considered PII is available in public sources such as telephone books, public websites, etc. This type of information is considered to be Public PII and includes:

  1. First and Last name
  2. Address
  3. Work telephone number
  4. Work e-mail address
  5. Home telephone number
  6. General educational credentials
  7. Photos and video

In contrast, Protected PII is defined as any one or more types of information including, but not limited to:

  1. Social security number
  2. Username and password
  3. Passport number
  4. Credit card number
  5. Clearances
  6. Banking information
  7. Biometrics
  8. Date and place of birth
  9. Mother’s maiden name
  10. Criminal, medical, and financial records
  11. Educational transcripts
  12. Photos and videos including any of the above

Procedures

This section provides guidelines on how to maintain and discard PII. If an employee determines that current procedures fall outside this policy or questions arise, they should create a support ticket with their questions or suggestions. All electronic files that contain Protected PII will reside within a protected information system location. All physical files that contain Protected PII will reside within a locked file cabinet or room when not being actively viewed or modified. Protected PII is not to be downloaded to personal or organization-owned workstations or mobile devices of employees, US Housing Consultants contractors, or volunteers (such as laptops, personal digital assistants, mobile phones, tablets, or removable media). PII will also not be sent through any form of insecure electronic communication, e.g., email or instant messaging systems. Significant security risks emerge when PII is transferred from a secure location to a less secure location or is disposed of improperly. When disposing of PII, the physical or electronic file should be shredded or securely deleted.

Incident Reporting

The IT and Executive departments must be informed of a real or suspected disclosure of Protected PII data within 24 hours after discovery. Examples include misplacing a paper report; loss of a laptop, mobile device, or removable media such as USBs containing PII; accidental email of PII; and possible virus or malware infection on a computer containing PII.

Audits

Periodic audits of organization-owned equipment and physical locations may be performed to ensure that protected PII is stored in approved information systems or locations. The purpose of the audit is to ensure compliance with this policy and to provide information necessary to improve practices continuously.

Enforcement

Any employee of US Housing Consultants, US Housing Consultants contractor, or volunteer found to violate this policy may be subject to disciplinary action as deemed appropriate based on the facts and circumstances giving rise to the violation.

Records Disposal

Records containing personal data are to be disposed of in a manner that prevents inadvertent compromise of data. Paper records are disposed of by shredding or other method approved by the National Institute of Standards and Technology. The disposal method will render all personal data unrecognizable and beyond reconstruction. Laptops, mobile devices, and/or removable media such as USBs will have all data destroyed by certified Data Disposal procedures. Paperwork will be maintained to verify proper destruction.

Glossary – Abbreviations and Acronyms
CD – Compact Disc
PII – Personally Identifiable Information
PIN – Personal Identification Number
USB – Universal Serial Bus

Last Updated 9/1/2022