CYBER SECURITY POLICY*

PURPOSE

Pacific Asian Consortium in Employment (PACE) recognizes the importance of protecting sensitive

information concerning its operations, as well as that of its employees, customers, volunteers, interns,

contractors and partners. It is with this in mind that PACE has established the policy concerning

safeguarding the information relative to its operations.

The Cyber Security Policy serves several purposes. The main purpose is to inform PACE employees,

customers, volunteers, interns, contractors and partners and other authorized users of their obligatory

requirements for protecting the technology and information assets of the company. This policy is

applicable to remote and in-person business. This policy will describe the technology and information

assets that we must protect.

The Cyber Security Policy also describes the user’s responsibilities and privileges. PACE has outlined

security measures that may help mitigate cyber security risks.


WHAT ARE WE PROTECTING

It is the obligation of all users of the company to protect the technology and information assets of the

company. This information must be protected from unauthorized access, theft and destruction. The

technology and information assets of the company are made up of the following components:

• Computer hardware, CPU, disc, email, web, application servers, PC systems, application software,

system software, etc.

• System software including operating systems, database management systems, and backup and restore software, communications protocols, to name a few.

• Application software used by various departments within the company. This includes custom written software applications, commercial off the shelf software packages, and software applications mandated by funding sources, such as Childplus, ServTraq, Salesforce, etc.

• Communications network hardware and software including routers, hubs, modems, multiplexers,

switches, firewalls, private lines, and associated network management software and tools.

PACE’s intention for publishing the Cyber Security Policy is not to impose restrictions, but rather to

promote PACE’s established culture of openness, trust and integrity. PACE is committed to protecting its

employees, partners and the company from illegal or damaging actions by individuals, either knowingly

or unknowingly. The Cyber Security Policy covers the use of the Internet/Intranet/Extranet-related

systems, including but not limited to computer equipment, mobile devices, software, operating systems,

storage media, network accounts providing electronic mail, WWW browsing and FTP. These systems are

to be used for business purposes in serving the interests of the company, and of our clients and

customers during normal operations.


The Cyber Security Policies and Procedures set forth apply to all PACE employees, Directors, volunteers, contractors, subcontractors, consultants, temporary and other workers, including all personnel affiliated with third parties, who have authorized access to PACE’s private or personal data, network, information system or devices owned or controlled by PACE.


Security Awareness & Training

Exposure of sensitive business information or personal customer details can be highly damaging to PACE.

Company devices and the company network are also at risk from ransomware and malware attacks,

which can prove highly costly to deal with. To prevent breaches of data, infection of company devices or

intrusion of the company network, it is essential that all employees, contractors, subcontractors and

other users of the company network and devices are trained in the necessary measures to keep up

security.

The purpose of this policy is to set out why it is important for all network and device end users within

PACE to take up security awareness training, and to clearly outline the expectations of employees to

engage in their training. This policy will both ensure that employees know what is expected of them, and

that the company can take necessary measures to uphold compliance with its data protection regulatory

requirements.

Since all PACE employees must be aware of their responsibilities in protecting the data, devices, and its

network, PACE provides the appropriate training to each of its employees, officers, directors, volunteers,

contractors, and all other affiliated third parties that have authorized access to PACE’s data, network,

information systems and devices.

PACE will provide training to all its employees before, and during their use of, the company network and

company devices. All new employees will receive training courses from KnowBe4 and ThinkHR.

Simulated phishing attacks will be sent to employees’ inboxes at random every 3 months. If an employee fails a simulated phishing attack by either clicking on the links or replying, they will receive additional training.

Employees are expected to complete all training courses received by them within no more than 3 weeks.


The training will educate employees on the risks of, or best practices regarding the use of, the following

core information security areas:

• Email and internet use

• Phishing

• Social engineering

• Malware

• Adware and spyware

• Ransomware

• Passwords and authentication

• Voice- and text-based phishing


If an employee has not received training in their email inbox in more than 5 weeks, or they have trouble

accessing or completing their training, they must contact their IT support team.


ACCOUNT MANAGEMENT

Computer accounts are the means used to grant access to PACE’s information systems. These accounts

provide a means of providing accountability, a key to any computer security program, for PACE usage.

This means that creating, controlling, and monitoring all computer accounts is extremely important to an

overall security program. The purpose of this policy is to establish a standard for the creation,

administration, use, and removal of accounts that facilitate access to information and technology

resources at PACE.


Accounts

• All accounts created must have an associated written request and signed management approval that is appropriate for the PACE system or service.

• All accounts must be uniquely identifiable using the assigned username.

• Shared accounts on PACE information systems are not permitted.

• Reference the Employee Access During Leave of Absence Policy for removing an employee’s access while on a leave of absence or vacation.

• All default passwords for accounts must be constructed in accordance with the PACE Password Policy.

• All accounts must have a password expiration that complies with the PACE Password Policy.

• Concurrent connections may be limited for technical or security reasons.

• All accounts must be disabled immediately upon notification of any employee’s termination.


Account Management

The following items apply to System Administrators or designated staff:

• Information system user accounts are to be constructed so that they enforce the most restrictive set of rights/privileges or accesses required for the performance of tasks associated with an individual’s account. Further, to eliminate conflicts of interest, accounts shall be created so that no one user can authorize, perform, review, and audit a single transaction.

• All information system accounts will be actively managed. Active management includes the acts of establishing, activating, modifying, disabling, and removing accounts from information systems.

• Access controls will be determined by following established procedures for new employees, employee changes, employee terminations, and leave of absence.

• All account modifications must have a documented process to modify a user account to accommodate situations such as name changes and permission changes.

• Information system accounts are to be reviewed monthly to identify inactive accounts. If an employee or third-party account is found to be inactive for 30 days, the owner/s (of the account) and their manager will be notified of pending disablement. If the account continues to remain inactive for 15 days, it will be manually disabled.

• A list of accounts, for the systems they administer, must be provided when requested by authorized PACE management.

• An independent audit review is performed on a regular basis to ensure the accounts are properly managed.


EMAIL POLICY

Electronic mail (email) has become the primary means of communication in the business world. However, misuse of email can pose many legal, privacy and security risks. Therefore, it is important for users to understand the appropriate use of electronic communications.

The purpose of this email policy is to ensure the proper use of PACE’s email system and make users

aware of what PACE deems as acceptable and unacceptable use of its email system. This policy outlines

the minimum requirements for use of email within the PACE Network by all PACE employees, Directors,

volunteers and all other third-party affiliates that use the PACE email system.

• All use of email must be consistent with PACE policies and procedures of ethical conduct, safety,

compliance with applicable laws and proper business practices.

• PACE email accounts should be used primarily for business-related purposes; personal

communication is permitted on a limited basis, but non-PACE related commercial uses are

prohibited.

• All PACE data contained within an email message, or an attachment must be secured according

to PACE data protection protocols.

• Email should be retained only if it qualifies as a PACE business record. Email is a business record

if there exists a legitimate and ongoing business reason to preserve the information contained in

the email.

• Email that is identified as a PACE business record shall be retained according to PACE’s Record

Retention Schedule.

• The PACE email system shall not be used for the creation or distribution of any disruptive or

offensive messages, including offensive comments about race, gender, hair color, disabilities,

age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national

origin. Employees who receive any emails with this content from any employee should report the

matter to their supervisor immediately.

• Email users are prohibited from automatically forwarding email to a third party email system.

Individual messages which are forwarded by the user must not contain confidential information.

• PACE email users are prohibited from using third-party email systems and storage servers such as

Google, Yahoo, and MSN Hotmail etc. to conduct PACE business, to create or memorialize any

binding transactions, or to store or retain email on PACE’s behalf. Such communications and

transactions should be conducted through proper channels using PACE-approved

documentation.

• Using a reasonable amount of PACE resources for personal emails is acceptable, but non-work-related email should be saved in a separate folder from work-related email. Sending chain letters or joke emails from the PACE email account is prohibited.

• PACE employees must have no expectation of privacy in anything they store, send or receive on

the company’s email system.

• PACE may monitor messages without prior notice. PACE is not obliged to monitor email

messages.


PASSWORDS

Passwords are an important aspect of computer security. They are the front line of protection for user

accounts. A poorly chosen password may result in the compromise of PACE’s entire corporate network.

As such, all PACE employees or volunteers/directors (including contractors, subcontractors and vendors

with authorized access to PACE’s systems) are responsible for taking the appropriate steps and following

the PACE protocol/s described/outlined below, to select and secure their passwords.

The policy concerning creation of a password is to establish a standard for the creation of strong

passwords, the protection of those passwords, and the frequency of change. Typically, the longer the

password, the stronger it is. It should never be a name, dictionary word in any language, an acronym, a

proper name, a number, or be linked to any personal information about the password owner such as a

birth date, social security number, and so on.

User Network Passwords

Passwords for PACE network access must be implemented according to the following guidelines:

• Passwords must be changed every 90 days.

• Passwords must adhere to a minimum length of 7 characters.

• Passwords must contain a combination of alpha, numeric, and special characters, where the

computing system permits (!@#$%^&*_+=?/~’;’,<>|\).

• Passwords must not be easily tied back to the account owner such as: username, social security

number, nickname, relative’s names, birth date, etc.

• Passwords must not be dictionary words or acronyms.

• Passwords cannot be reused; the system remembers the last 24 passwords.


System-Level Passwords

All system-level passwords must adhere to the following guidelines:

• Passwords must be changed at least every 6 months.

• All administrator accounts must have 12-character passwords which must contain three of the

four items: upper case, lower case, numbers, and special characters.

• Non-expiring passwords must be documented listing the requirements for those accounts. These

accounts need to adhere to the same standards as administrator accounts.

• Administrators must not circumvent the Password Policy for the sake of ease of use.


Password Protection

• The same password must not be used for multiple accounts.

• Passwords must not be shared with anyone. All passwords are to be treated as sensitive, confidential PACE information.

• Stored passwords must be encrypted.

• Passwords must not be inserted in e-mail messages or other forms of electronic communication.

• Passwords must not be revealed over the phone to anyone.

• Passwords must not be revealed on questionnaires or security forms.

• Users must not hint at the format of a password (for example, “my family name”).

• PACE passwords must not be shared with anyone, including co-workers, managers, or family members, while on vacation.

• Passwords must not be written down and stored anywhere in any office. Passwords must not be stored in a file on a computer system or mobile device (phone, tablet) without encryption.

• If the security of an account is in question, the password must be changed immediately. In the event passwords are found or discovered, the following steps must be taken:

o Take control of the passwords and protect them.

o Report the discovery to IT.

• Users cannot circumvent password entry with an auto logon, application remembering, embedded scripts, or hard coded passwords in client software. Exceptions may be made for specific applications (like automated backup processes) with the approval of IT. For an exception to be approved, there must be a procedure to change the passwords.

• PCs must not be left unattended without enabling a password-protected screensaver or logging off the device.


• Security tokens (i.e., smartcards, RSA hardware tokens, etc.) must be returned upon demand or upon termination of the relationship with PACE.

PACE has subscribed to the Barracuda Email Protection that provides the most comprehensive

protection against all 13 email threat types, from spam and ransomware to socially engineered threats

such as spear phishing, business email compromise, and account takeover.

Barracuda protects data wherever it resides, including:

• Files located on physical devices, virtual environments, or the public cloud.

• Office 365 including SharePoint and OneDrive data.


ANTI-VIRUS GUIDELINES

The following are guidelines that PACE employees, Directors, volunteers, contractors, subcontractors

and other third-party representatives who have authorized access to PACE information and data systems

must observe to prevent virus problems:

• Downloading software from outside of PACE is restricted and performed only by the IT

Administrator or Specialist.

• The anti-virus software must be downloaded and the current version used at all times. Anti-Virus

and monitoring software are installed and managed by GNC. Automatic updates are sent to the

devices when available.

• NEVER open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Report such emails to the IT Department so they can be removed from our email servers and the sender blocked from sending any future emails.

• Delete spam, chain, and other junk email without forwarding.

• Never download files from unknown or suspicious sources.

• Avoid direct disk or drive sharing with read/write access unless there is absolutely a business

requirement to do so.

• Always scan data or information from an unknown source for viruses before using it.

• Back-up critical data and system configurations on a regular basis and store the data in a safe

place.

• Report any suspected virus found in your computer or electronic device to the IT Administrators

or IT Specialist as soon as possible.


SECURITY RESPONSE PLAN

A Security Response Plan (SRP) provides the impetus for security and business teams to integrate their

efforts from the perspective of awareness and communication, as well as coordinated response in

times of crisis (security vulnerability identified or exploited). Specifically, an SRP defines a product

description, contact information, escalation paths, expected service level agreements (SLA), severity

and impact classification, and mitigation/remediation timelines. Requiring business or program units or departments to incorporate an SRP as part of their business continuity operations, as new products or services are developed and prepared for release to consumers, ensures that when an incident occurs, swift mitigation and remediation ensue.

SRP defines the requirement for reporting and responding to incidents related to PACE information

systems and operations. Incident response provides PACE with the capability to identify when a security

incident occurs. If monitoring were not in place, the magnitude of harm associated with the incident

would be significantly greater than if the incident were noted and corrected.

PACE IT security’s intention for an SRP or a Data Breach Response Policy is to focus significant attention on data security and data security breaches, and on how PACE’s established culture of openness, trust and integrity should respond to such activity. PACE’s IT department is committed to protecting PACE's employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

This policy applies to all information systems and information system components of PACE. Specifically,

it includes:

• Mainframes, servers, and other devices that provide centralized computing capabilities.

• Devices that provide centralized storage capabilities.

• Desktops, laptops, and other devices that provide distributed computing capabilities.

• Routers, switches, and other devices that provide network capabilities.

• Firewalls, Intrusion Detection/Prevention (IDP) sensors, and other devices that provide dedicated security capabilities.

The development, implementation, and execution of a Security Response Plan (SRP) are the primary

responsibility of the IT Administrator. PACE facilitates the SRP for application to the service or products

it is responsible for. The IT Administrator is further expected to work with the development and

maintenance of a Security Response Plan and to test its effectiveness on a regular basis.


Service Description

PACE contracts with General Network Corporation (GNC) to maintain the network and email security of

the company. Email Security and Firewalls are managed through Barracuda’s premium service.

• In the case of a data breach in which data is lost, all data backed up by Barracuda’s Back up Service, managed by GNC, can be restored.

• Information and data are backed up every night by GNC to secure cloud storage that is protected by encryption and other security protocols.

GNC has the capability to monitor PACE information and data system operations to detect any unusual

activity. When an unusual activity is detected or observed, GNC will report it to PACE’s IT Administrator

immediately and work out a plan to resolve such unusual activity, as needed.

• A review or evaluation of the system processes will be implemented, to include shutting down

affected point/s of intrusion to prevent a system-wide impact.

• GNC and PACE’s IT Department will immediately test for and identify any weakness or point of intrusion, and further appropriate action will be put in place to prevent any repetition of the said incident.

Reports are created to track all information incidents. Processes are periodically reviewed and protective measures tested to ensure the protections remain sound.

PACE mandates that any individual or employee who suspects that a theft, breach or exposure of PACE protected or sensitive data has occurred must immediately provide a description of what occurred via email to the IT Department. The IT Administrator and other appropriate party/ies will

investigate all reported thefts, data breaches and exposures to confirm if a theft, breach or exposure has

occurred. If this is verified to have occurred, the IT Administrator will follow the appropriate procedure

in place.


PROCEDURE WHEN BREACH IS SUSPECTED

As soon as a theft, data breach or exposure containing protected or sensitive data is identified, the

process of removing all access to that resource will begin.

• An Incident Response Team is immediately activated, composed of the Department Director (where breach occurred) as chair, and the following as members (as applicable):

o IT Administrator or IT Specialist and Finance or Human Resources representative/s

o Employees of the affected unit or department that uses the involved system or output or whose data may have been breached or exposed

o GNC Representative

• The Incident Response Team will analyze the breach or exposure to determine the root cause.

• If needed, PACE may need to provide access to forensic investigators and experts that will determine how the breach or exposure occurred; the types of data involved; the number of internal/external individuals and/or organizations impacted; and analyze the breach or exposure to determine the root cause.

• Develop communications to communicate the breach to: a) internal employees, b) the public, and

c) those directly affected.

• The Incident Response Team will evaluate the situation and determine the appropriate course of action to limit the exposure from the breach, theft or exposure of sensitive or protected information.

• Determine if it is necessary to escalate or bring in GNC, as needed/necessary, or if internal controls are to be activated.

• Determine what emergency response actions need to be done, e.g., computer usage shut down,

system-wide shut down, listing of critical services impacted, data back up and restoration,

equipment replacement plan, etc., as applicable.

• Implement response plans per review/evaluation of situation, breach or incident.

• Review actions leading to or cause of breach, incident.

• Determine how to best prevent a repeat of the situation.

• Prepare report detailing incident of exposure of sensitive information.


Contact Information

PACE’s IT Department Contacts

Ticketing Inbox: tech@pacela.org

Assistant Director – Andrew Le
Email: ale@pacela.org
Office Phone: (213) 989-3147
Cell Phone: (213) 549-2159

IT Manager – Cristian Melgar
Email: cmelgar@pacela.org
Office Phone: (213) 989-3144
Cell Phone: (213) 571-4883


If GNC needs to be brought in, the IT Administrator will contact them.

GNC’s Department Contacts:

Help Desk – Eric Chan
Email: echan@gennet.com
Office Phone: (818) 249-1963
Cell Phone: (818) 248-6355

Senior Engineer – Lee Selover
Email: lselover@gennet.com
Office Phone: (818) 249-1962 Ext. 715
Cell Phone: (818) 369-7826

VP & Co-Owner – Jeff Baker
Email: jbaker@gennet.com
Office Phone: (818) 989-7616


Triage

In the event of an email account takeover, PACE’s IT Department will receive notification from Barracuda’s Email Security System. The email account will immediately be disabled, and a password reset is required in order to regain access. The affected user/s will have their computer scanned and GNC will investigate how the breach occurred. Recipients of any email that was sent out will be contacted, informed of the security breach, and told to disregard the email.

In the case of any data breaches, GNC will be contacted and evaluate the situation. If needed, a data

back up from Barracuda will occur.


Identified Mitigations and Testing

GNC performs monthly tests to ensure our back up and email servers are running and secure. If any

network, service, or unusual activity occurs, GNC notifies the IT Department.


Mitigation and Remediation Timeline

In the event of a Barracuda Back up, GNC will handle the data restore and estimates at most 3 business days to restore the system back to full functionality.

While PACE information is stored on premises with protection in place, PACE information is also backed up every night in a Cloud-based location. This ensures that should any breach, theft, intrusion, or unauthorized access occur, the information is located away from physical PACE premises. This provides another layer of security for the protection of PACE information and systems.


EXTRANET CONNECTIONS

It is important to have a policy in place under which third-party organizations connect to PACE networks, and vice versa, for the purpose of transacting business. Connecting to a third-party organization’s information or data system sometimes becomes necessary in cases where PACE is transacting business with the third party, such as hiring candidates for vacancies, reviewing invoices, etc.

Connections between third parties that require access to non-public PACE resources fall under this

policy, regardless of whether a telco circuit (such as frame relay or ISDN) or VPN technology is used for

the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide

Internet access for PACE or to the Public Switched Telephone Network do NOT fall under this policy.


The following guidelines are to be strictly observed:

• All new extranet connectivity will go through a security review with the IT department. The

reviews are to ensure that all access matches the business requirements in a best possible way,

and that the principle of least access is followed.

• All new connection requests between third parties and PACE require that their representatives

agree to and sign a Third-Party Agreement that governs protocols and guidelines concerning the

use and access to each of their systems.

• All production extranet connections must be accompanied by a valid business justification, in

writing, that is approved by a project manager in the extranet group.

• Point/s of contact (POC) must be designated for the Extranet connection. The POC acts on behalf

of their organization and is responsible for ensuring compliance to protocols to protect

information and data systems of their organization and PACE. If the point of contact changes,

PACE must be informed promptly.

• All connectivity established must be based on the least-access principle, in accordance with the

approved business requirements and the security review. In no case will PACE rely upon the third

party to protect its network or resources.

• All changes in access must be accompanied by a valid business justification, and are subject to

security review.

• When access is no longer required, the third party/business affiliate must notify PACE that the

extranet connectivity is to be terminated and access is no longer required.

• Should it be necessary that PACE connect to a third-party network, system or WiFi, the PACE employee or representative needs to observe the protocols and precautions prescribed regarding information safety and protection.

• The IT Administrator will verify compliance to this policy through various methods, including but

not limited to, business tool reports, internal and external audits, and feedback to the policy

owner.

• Any exception to the policy must be approved by the Infosec team in advance.

• An employee found to have violated this policy may be subject to disciplinary action, up to and

including termination of employment.


Definitions

Account: Any combination of a User ID (sometimes referred to as a username) and a password that

grants an authorized user access to a computer, an application, the network, or any other information or

technology resource.

Application Administration Account: Any account that is for the administration of an application (i.e.

SQL database administrator, etc.).

Barracuda: Third Party Software that PACE pays to take care of data backups and email security.

Encryption or encrypted data – The most effective way to achieve data security. To read an encrypted

file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted

data is called plain text.

General Network Corporation (GNC): GNC provides PACE with personalized managed services,

technology solutions and IT consulting.

Hacker – A slang term for a computer enthusiast, i.e., a person who enjoys learning programming

languages and computer systems and can often be considered an expert on the subject(s).

KnowBe4: The world’s largest integrated platform for security awareness training combined with

simulated phishing attacks.


Password: A string of characters which serves as authentication of a person’s identity, which may be

used to grant or deny access to private or shared data.

Plain text – Unencrypted data.

Personally Identifiable Information (PII) - Any data that could potentially identify a specific individual.

Any information that can be used to distinguish one person from another and can be used for

deanonymizing anonymous data can be considered PII.

Safeguards - Countermeasures, controls put in place to avoid, detect, counteract, or minimize security

risks to physical property, information, computer systems, or other assets. Safeguards help to reduce

the risk of damage or loss by stopping, deterring, or slowing down an attack against an asset.

Security Incident: Refers to an adverse event in an information system, and/or network, or the

threat of the occurrence of such an event. Incidents can include, but are not limited to, unauthorized

access, malicious code, network probes, and denial of service attacks.

Sensitive data - Data that is encrypted or in plain text and contains PII.

Security Administrator: The person charged with monitoring and implementing security controls and

procedures for a system.

Whereas PACE may have one Information Security Officer, technical management may designate a

number of security administrators.

Strong Password: A strong password is a password that is not easily guessed. It is normally constructed

of a sequence of characters, numbers, and special characters, depending on the capabilities of the

operating system.

System Administrator: The person responsible for the effective operation and maintenance of

information systems, including implementation of standard procedures and controls to enforce an

organization’s security policy.

ThinkHR: Training service provider for new hires. In this policy, ThinkHR provides the following training

in Cybersecurity Awareness for Employees, Security Awareness Essentials, Cybersecurity Awareness for

Employees: Classifying and Safeguarding Data for Corporate and Personal Use and Cybersecurity –

Browser Safety.
