It is US Housing Consultants’ goal to reduce and manage the risk of Cybersecurity Incidents and other events that may harm the Organization. Technology vulnerabilities, weaknesses in technology implementation, and procedural gaps can increase US Housing Consultants’ exposure to and reduce the Organization’s resilience to Cybersecurity Incidents. The following controls are intended to minimize US Housing Consultants’ exposure to and harm from Cybersecurity Incidents. It is the Organization’s policy that all Personnel adhere to this Policy when acting on behalf of US Housing Consultants and when using any of US Housing Consultants’ Computing Assets.
Information Technology must establish and maintain an inventory of all Computing Assets issued to Personnel, deployed on networks, or used to store Organization data. When discovered, Computing Assets not in the inventory must be promptly removed from use, quarantined, or added to the inventory. Information Technology must establish and maintain an inventory of all software authorized for use within the Organization. Upon discovery, software not found in the inventory must be promptly uninstalled or added to the inventory. Only software for which security patches are available and for which new security patches continue to be developed may be authorized; exceptions must be tracked in the software inventory.
Network Engineering must establish and maintain an inventory of all the Organization’s authorized network boundaries. Upon discovery, boundaries not found in the inventory must be promptly shut down or added to the inventory; exceptions must be tracked.
All data used in the process of company business is stored externally in a highly encrypted cloud storage environment that is accessible only by the Managing Partner and the IT Manager and requires two security keys and tokens and two-step verification to access. Data is in a mirrored environment, which creates a continuous, real-time backup of all data.
It is the policy of US Housing Consultants to protect personally identifiable information (PII) of employees, US Housing Consultants clientele, contractors, and volunteers. The electronic restrictions and safeguards outlined in this policy provide guidance for employees and US Housing Consultants contractors with access to PII retained by US Housing Consultants to ensure compliance with state and federal regulations.
Personally Identifiable Information (PII) is any information about an individual that can be used to distinguish or trace a person’s identity. Some information considered PII is available in public sources such as telephone books, public websites, etc. This type of information is considered to be Public PII and includes:
In contrast, Protected PII is defined as any one or more types of information including, but not limited to:
This section provides guidelines on how to maintain and discard PII. If an employee determines that current procedures fall outside this policy or questions arise, they should create a support ticket with their questions or suggestions. All electronic files that contain Protected PII will reside within a protected information system location. All physical files that contain Protected PII will reside within a locked file cabinet or room when not being actively viewed or modified. Protected PII is not to be downloaded to personal or organization-owned workstations or mobile devices (such as laptops, personal digital assistants, mobile phones, tablets, or removable media) of employees, US Housing Consultants contractors, or volunteers. PII will also not be sent through any form of insecure electronic communication, e.g., e-mail or instant messaging systems. Significant security risks emerge when PII is transferred from a secure location to a less secure location or is disposed of improperly. When disposing of PII, the physical or electronic file should be shredded or securely deleted.
The IT and Executive departments must be informed of a real or suspected disclosure of Protected PII data within 24 hours after discovery. Examples include misplacing a paper report; loss of a laptop, mobile device, or removable media such as USBs containing PII; accidental email of PII; or possible virus or malware infection of a computer containing PII.
Periodic audits of organization-owned equipment and physical locations may be performed to ensure that protected PII is stored in approved information systems or locations. The purpose of the audit is to ensure compliance with this policy and to provide information necessary to improve practices continuously.
Any employee of US Housing Consultants, US Housing Consultants contractor, or volunteer found to violate this policy may be subject to disciplinary action as deemed appropriate based on the facts and circumstances giving rise to the violation.
Records containing personal data are to be disposed of in a manner that prevents inadvertent compromise of data. Paper records are disposed of by shredding or other method approved by the National Institute of Standards and Technology. The disposal method will render all personal data unrecognizable and beyond reconstruction. Laptops, mobile devices, and/or removable media such as USBs will have all data destroyed by certified Data Disposal procedures. Paperwork will be maintained to verify proper destruction.
Glossary – Abbreviations and Acronyms
CD – Compact Disc
PII – Personally Identifiable Information
PIN – Personal Identification Number
USB – Universal Serial Bus
Last Updated 9/1/2022