CYBER SECURITY POLICY*
PURPOSE
Pacific Asian Consortium in Employment (PACE) recognizes the importance of protecting sensitive
information concerning its operations, as well as that of its employees, customers, volunteers, interns,
contractors and partners. It is with this in mind that PACE has established the policy concerning
safeguarding the information relative to its operations.
The Cyber Security Policy serves several purposes. The main purpose is to inform PACE employees,
customers, volunteers, interns, contractors and partners and other authorized users of their obligatory
requirements for protecting the technology and information assets of the company. This policy is
applicable to remote and in-person business. This policy will describe the technology and information
assets that we must protect.
The Cyber Security Policy also describes the user’s responsibilities and privileges. PACE has outlined
security measures that may help mitigate cyber security risks.
WHAT ARE WE PROTECTING
It is the obligation of all users of the company to protect the technology and information assets of the
company. This information must be protected from unauthorized access, theft and destruction. The
technology and information assets of the company are made up of the following components:
• Computer hardware, CPU, disc, email, web, application servers, PC systems, application software,
system software, etc.
• System software including operating systems, database management systems, and backup and
restore software, communications protocols, to name a few.
• Application software: used by various departments within the company. This includes custom
written software applications, commercial off the shelf software packages, and software
applications mandated by funding sources, such as Childplus, ServTraq, Salesforce, etc.
• Communications network hardware and software including routers, hubs, modems, multiplexers,
switches, firewalls, private lines, and associated network management software and tools.
PACE’s intention for publishing the Cyber Security Policy is not to impose restrictions, but rather to
promote PACE’s established culture of openness, trust and integrity. PACE is committed to protecting its
employees, partners and the company from illegal or damaging actions by individuals, either knowingly
or unknowingly. The Cyber Security Policy covers the use of the Internet/Intranet/Extranet-related
systems, including but not limited to computer equipment, mobile devices, software, operating systems,
storage media, network accounts providing electronic mail, WWW browsing and FTP. These systems are
to be used for business purposes in serving the interests of the company, and of our clients and
customers during normal operations.
The Cyber Security Policies and Procedures set forth apply to all PACE employees, Directors,
volunteers, contractors, subcontractors, consultants, temporary and other workers, including all
personnel affiliated with third parties, who have authorized access to PACE’s private or personal
data, network, information system or devices owned or controlled by PACE.
Security Awareness & Training
Exposure of sensitive business information or personal customer details can be highly damaging to PACE.
Company devices and the company network are also at risk from ransomware and malware attacks,
which can prove highly costly to deal with. To prevent breaches of data, infection of company devices or
intrusion of the company network, it is essential that all employees, contractors, subcontractors and
other users of the company network and devices are trained in the necessary measures to keep up
security.
The purpose of this policy is to set out why it is important for all network and device end users within
PACE to take up security awareness training, and to clearly outline the expectations of employees to
engage in their training. This policy will both ensure that employees know what is expected of them, and
that the company can take necessary measures to uphold compliance with its data protection regulatory
requirements.
Since all PACE employees must be aware of their responsibilities in protecting the data, devices, and its
network, PACE provides the appropriate training to each of its employees, officers, directors, volunteers,
contractors, and all other affiliated third parties that have authorized access to PACE’s data, network,
information systems and devices.
PACE will provide training to all its employees before, and during their use of, the company network and
company devices. All new employees will receive training courses from KnowBe4 and ThinkHR.
Simulated phishing attacks will be sent to employees’ inboxes every 3 months in a random fashion.
If an employee fails the simulated phishing attack by either clicking on the links or replying,
they will receive additional training.
Employees are expected to complete all training courses received by them within no more than 3 weeks.
The training will educate employees on the risks of, or best practices regarding the use of, the following
core information security areas:
• Email and internet use
• Phishing
• Social engineering
• Malware
• Adware and spyware
• Ransomware
• Passwords and authentication
• Voice- and text-based phishing
If an employee has not received training in their email inbox in more than 5 weeks, or they have trouble
accessing or completing their training, they must contact their IT support team.
ACCOUNT MANAGEMENT
Computer accounts are the means used to grant access to PACE’s information systems. These accounts
provide a means of providing accountability, a key to any computer security program, for PACE usage.
This means that creating, controlling, and monitoring all computer accounts is extremely important to an
overall security program. The purpose of this policy is to establish a standard for the creation,
administration, use, and removal of accounts that facilitate access to information and technology
resources at PACE.
Accounts
• All accounts created must have an associated written request and signed management approval
that is appropriate for the PACE system or service.
• All accounts must be uniquely identifiable using the assigned username.
• Shared accounts on PACE information systems are not permitted.
• Reference the Employee Access During Leave of Absence Policy for removing an employee’s
access while on a leave of absence or vacation.
• All default passwords for accounts must be constructed in accordance with the PACE Password
Policy.
• All accounts must have a password expiration that complies with the PACE Password Policy.
• Concurrent connections may be limited for technical or security reasons.
• All accounts must be disabled immediately upon notification of any employee’s termination.
Account Management
The following items apply to System Administrators or designated staff:
• Information system user accounts are to be constructed so that they enforce the most restrictive
set of rights/privileges or accesses required for the performance of tasks associated with an
individual’s account. Further, to eliminate conflicts of interest, accounts shall be created so that
no one user can authorize, perform, review, and audit a single transaction.
• All information system accounts will be actively managed. Active management includes the acts
of establishing, activating, modifying, disabling, and removing accounts from information
systems.
• Access controls will be determined by following established procedures for new employees,
employee changes, employee terminations, and leave of absence.
• All account modifications must have a documented process to modify a user account to
accommodate situations such as name changes and permission changes.
• Information system accounts are to be reviewed monthly to identify inactive accounts. If an
employee or third-party account is found to be inactive for 30 days, the owner/s (of the account)
and their manager will be notified of pending disablement. If the account continues to remain
inactive for 15 days, it will be manually disabled.
• A list of accounts, for the systems they administer, must be provided when requested by
authorized PACE management.
• An independent audit review is performed on a regular basis to ensure the accounts are properly
managed.
EMAIL POLICY
Electronic email has become the primary means of communication in the business world. However,
misuse of email can pose many legal, privacy and security risks. Therefore, it is important for users to
understand the appropriate use of electronic communications.
The purpose of this email policy is to ensure the proper use of PACE’s email system and make users
aware of what PACE deems as acceptable and unacceptable use of its email system. This policy outlines
the minimum requirements for use of email within the PACE Network by all PACE employees, Directors,
volunteers and all other third-party affiliates that use the PACE email system.
• All use of email must be consistent with PACE policies and procedures of ethical conduct, safety,
compliance with applicable laws and proper business practices.
• PACE email account should be used primarily for business-related purposes; personal
communication is permitted on a limited basis, but non-PACE related commercial uses are
prohibited.
• All PACE data contained within an email message, or an attachment must be secured according
to PACE data protection protocols.
• Email should be retained only if it qualifies as a PACE business record. Email is a business record
if there exists a legitimate and ongoing business reason to preserve the information contained in
the email.
• Email that is identified as a PACE business record shall be retained according to PACE’s Record
Retention Schedule.
• The PACE email system shall not be used for the creation or distribution of any disruptive or
offensive messages, including offensive comments about race, gender, hair color, disabilities,
age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national
origin. Employees who receive any emails with this content from any employee should report the
matter to their supervisor immediately.
• Email users are prohibited from automatically forwarding email to a third party email system.
Individual messages which are forwarded by the user must not contain confidential information.
• PACE email users are prohibited from using third-party email systems and storage servers such as
Google, Yahoo, and MSN Hotmail etc. to conduct PACE business, to create or memorialize any
binding transactions, or to store or retain email on PACE’s behalf. Such communications and
transactions should be conducted through proper channels using PACE-approved
documentation.
• Using a reasonable amount of PACE resources for personal emails is acceptable, but
non-work-related email should be saved in a separate folder from work-related email. Sending chain
letters or joke emails from the PACE email account is prohibited.
• PACE employees must have no expectation of privacy in anything they store, send or receive on
the company’s email system.
• PACE may monitor messages without prior notice. PACE is not obliged to monitor email
messages.
PASSWORDS
Passwords are an important aspect of computer security. They are the front line of protection for user
accounts. A poorly chosen password may result in the compromise of PACE’s entire corporate network.
As such, all PACE employees or volunteers/directors (including contractors, subcontractors and vendors
with authorized access to PACE’s systems) are responsible for taking the appropriate steps and following
the PACE protocol/s described/outlined below, to select and secure their passwords.
The policy concerning creation of a password is to establish a standard for the creation of strong
passwords, the protection of those passwords, and the frequency of change. Typically, the longer the
password, the stronger it is. It should never be a name, dictionary word in any language, an acronym, a
proper name, a number, or be linked to any personal information about the password owner such as a
birth date, social security number, and so on.
User Network Passwords
Passwords for PACE network access must be implemented according to the following guidelines:
• Passwords must be changed every 90 days.
• Passwords must adhere to a minimum length of 7 characters.
• Passwords must contain a combination of alpha, numeric, and special characters, where the
computing system permits (!@#$%^&*_+=?/~’;’,<>|\).
• Passwords must not be easily tied back to the account owner such as: username, social security
number, nickname, relative’s names, birth date, etc.
• Passwords must not be dictionary words or acronyms.
• Passwords cannot be reused; the system remembers the last 24 passwords.
System-Level Passwords
All system-level passwords must adhere to the following guidelines:
• Passwords must be changed at least every 6 months.
• All administrator accounts must have 12-character passwords which must contain three of the
four items: upper case, lower case, numbers, and special characters.
• Non-expiring passwords must be documented listing the requirements for those accounts. These
accounts need to adhere to the same standards as administrator accounts.
• Administrators must not circumvent the Password Policy for the sake of ease of use.
Password Protection
• The same password must not be used for multiple accounts.
• Passwords must not be shared with anyone. All passwords are to be treated as sensitive,
confidential PACE information.
• Stored passwords must be encrypted.
• Passwords must not be inserted in e-mail messages or other forms of electronic communication.
• Passwords must not be revealed over the phone to anyone.
• Passwords must not be revealed on questionnaires or security forms.
• Users must not hint at the format of a password (for example, “my family name”).
• PACE passwords must not be shared with anyone, including co-workers, managers, or family
members, while on vacation.
• Passwords must not be written down and stored anywhere in any office. Passwords must not be
stored in a file on a computer system or mobile device (phone, tablet) without encryption.
• If the security of an account is in question, the password must be changed immediately. In the
event passwords are found or discovered, the following steps must be taken:
o Take control of the passwords and protect them.
o Report the discovery to IT.
• Users cannot circumvent password entry with an auto logon, application remembering,
embedded scripts, or hard coded passwords in client software. Exceptions may be made for
specific applications (like automated backup processes) with the approval of IT. For an exception
to be approved, there must be a procedure to change the passwords.
• PCs must not be left unattended without enabling a password-protected screensaver or logging
off the device.
• Security tokens (i.e., smartcards, RSA hardware tokens, etc.) must be returned upon demand or
upon termination of the relationship with PACE.
PACE has subscribed to the Barracuda Email Protection that provides the most comprehensive
protection against all 13 email threat types, from spam and ransomware to socially engineered threats
such as spear phishing, business email compromise, and account takeover.
Barracuda protects data wherever it resides, including:
• Files located on physical devices, virtual environments, or the public cloud.
• Office 365 including SharePoint and OneDrive data.
ANTI-VIRUS GUIDELINES
The following are guidelines that PACE employees, Directors, volunteers, contractors, subcontractors
and other third-party representatives who have authorized access to PACE information and data systems
must observe to prevent virus problems:
• Downloading software from outside of PACE is restricted and performed only by the IT
Administrator or Specialist.
• The anti-virus software must be downloaded and the current version used at all times. Anti-Virus
and monitoring software are installed and managed by GNC. Automatic updates are sent to the
devices when available.
• NEVER open any files or macros attached to an email from an unknown, suspicious or
untrustworthy source. Report to IT Dept to remove from our email servers and block from any
future emails being sent.
• Delete spam, chain, and other junk email without forwarding.
• Never download files from unknown or suspicious sources.
• Avoid direct disk or drive sharing with read/write access unless there is absolutely a business
requirement to do so.
• Always scan data or information from an unknown source for viruses before using it.
• Back-up critical data and system configurations on a regular basis and store the data in a safe
place.
• Report any suspected virus found in your computer or electronic device to the IT Administrators
or IT Specialist as soon as possible.
SECURITY RESPONSE PLAN
A Security Response Plan (SRP) provides the impetus for security and business teams to integrate their
efforts from the perspective of awareness and communication, as well as coordinated response in
times of crisis (security vulnerability identified or exploited). Specifically, an SRP defines a product
description, contact information, escalation paths, expected service level agreements (SLA), severity
and impact classification, and mitigation/remediation timelines. Requiring business or program units
or departments to incorporate an SRP as part of their business continuity operations, and as new
products or services are developed and prepared for release to consumers, ensures that when an
incident occurs, swift mitigation and remediation ensues.
SRP defines the requirement for reporting and responding to incidents related to PACE information
systems and operations. Incident response provides PACE with the capability to identify when a security
incident occurs. If monitoring were not in place, the magnitude of harm associated with the incident
would be significantly greater than if the incident were noted and corrected.
PACE IT security’s intention for an SRP or a Data Breach Response Policy is to focus significant attention
on data security and data security breaches and how PACE’s established culture of openness, trust and
integrity should respond to such activity. PACE’s IT department is committed to protecting PACE's
employees, partners and the company from illegal or damaging actions by individuals, either knowingly
or unknowingly.
This policy applies to all information systems and information system components of PACE. Specifically,
it includes:
• Mainframes, servers, and other devices that provide centralized computing capabilities.
• Devices that provide centralized storage capabilities.
• Desktops, laptops, and other devices that provide distributed computing capabilities.
• Routers, switches, and other devices that provide network capabilities.
• Firewalls, Intrusion Detection/Prevention (IDP) sensors, and other devices that provide dedicated
security capabilities.
The development, implementation, and execution of a Security Response Plan (SRP) are the primary
responsibility of the IT Administrator. PACE facilitates the SRP for application to the service or products
it is responsible for. The IT Administrator is further expected to work with the development and
maintenance of a Security Response Plan and to test its effectiveness on a regular basis.
Service Description
PACE contracts with General Network Corporation (GNC) to maintain the network and email security of
the company. Email Security and Firewalls are managed through Barracuda’s premium service.
• In the case of a data breach in which data is lost, all data backed up by Barracuda’s Back up
Service, managed by GNC, can be restored.
• Information and data are backed up every night by GNC under a secure cloud storage that is
protected by encryption and other security protocols.
GNC has the capability to monitor PACE information and data system operations to detect any unusual
activity. When an unusual activity is detected or observed, GNC will report it to PACE’s IT Administrator
immediately and work out a plan to resolve such unusual activity, as needed.
• A review or evaluation of the system processes will be implemented, to include shutting down
affected point/s of intrusion to prevent a system-wide impact.
• GNC and PACE’s IT Department will immediately test, seek and identify any weakness or point of
intrusion and further appropriate action is implemented/put in place to prevent any repetition of
the said incident.
Reports are created to track all information incidents, and processes are periodically reviewed and
protective measures tested to ensure the soundness of protections is not violated.
PACE mandates that any individual or employee who suspects that a theft, breach or exposure of PACE
protected or sensitive data has occurred must immediately provide a description of what occurred via
email to the IT Department. The IT Administrator and other appropriate party/ies will
investigate all reported thefts, data breaches and exposures to confirm if a theft, breach or exposure has
occurred. If this is verified to have occurred, the IT Administrator will follow the appropriate procedure
in place.
PROCEDURE WHEN BREACH IS SUSPECTED
As soon as a theft, data breach or exposure containing protected or sensitive data is identified, the
process of removing all access to that resource will begin.
• An Incident Response Team is immediately activated composed of the Department Director
(where breach occurred) as chair, and the following as members (as applicable): IT Administrator
or IT Specialist and Finance or Human Resources representative/s
o Employees of the affected unit or department that uses the involved system or output or
whose data may have been breached or exposed
o GNC Representative
• The Incident Response Team will analyze the breach or exposure to determine the root cause.
• If needed, PACE may need to provide access to forensic investigators and experts that will
determine how the breach or exposure occurred; the types of data involved; the number of
internal/external individuals and/or organizations impacted; and analyze the breach or exposure
to determine the root cause.
• Develop communications to communicate the breach to: a) internal employees, b) the public, and
c) those directly affected.
• The Incident Response Team will evaluate the situation and determine what is the appropriate
course of action to limit the exposure of the breach, theft or exposure of sensitive or protected
information.
• Determine if it is necessary to escalate or bring in GNC, as needed/necessary, or if internal
controls are to be activated.
• Determine what emergency response actions need to be done, e.g., computer usage shut down,
system-wide shut down, listing of critical services impacted, data back up and restoration,
equipment replacement plan, etc., as applicable.
• Implement response plans per review/evaluation of situation, breach or incident.
• Review actions leading to or cause of breach, incident.
• Determine how to best prevent a repeat of the situation.
• Prepare report detailing incident of exposure of sensitive information.
Contact Information
PACE’s IT Department Contacts
Ticketing Inbox tech@pacela.org
Assistant Director – Andrew Le
Email: ale@pacela.org
Office Phone: (213) 989 - 3147
Cell Phone : (213) 549 – 2159
IT Manager – Cristian Melgar
Email : cmelgar@pacela.org
Office Phone : (213) 989 - 3144
Cell Phone : (213) 571 – 4883
If GNC needs to be brought in, the IT Administrator will contact them.
GNC’s Department Contacts:
Help Desk – Eric Chan
Email : echan@gennet.com
Office Phone : (818) 249 – 1963
Cell Phone : (818) 248 - 6355
Senior Engineer – Lee Selover
Email : lselover@gennet.com
Office Phone : (818) 249 – 1962 Ext. 715
Cell Phone : (818) 369 - 7826
VP & Co-Owner – Jeff Baker
Email : jbaker@gennet.com
Office Phone : (818) 989 - 7616
Triage
In the event of an email account takeover, PACE’s IT Department will receive notification from
Barracuda’s Email Security System. The email account will immediately be disabled, and a password
reset is mandated in order to regain access. The affected user/s will have their computer scanned and
GNC will investigate how the breach occurred. Recipients of any email that was sent out will be
contacted, informed of the security breach, and told to disregard the email.
In the case of any data breaches, GNC will be contacted and will evaluate the situation. If needed, a data
back up from Barracuda will occur.
Identified Mitigations and Testing
GNC performs monthly tests to ensure our back up and email servers are running and secure. If any
network, service, or unusual activity occurs, GNC notifies the IT Department.
Mitigation and Remediation Timeline
In the event of a Barracuda Back up, GNC will handle the data restore and estimate at most 3 business
days to restore the system back to full functionality.
While PACE information is stored on premises with protection in place, PACE information is also backed
up every night in a Cloud-based location. This ensures that should any breach, theft, intrusion, or
unauthorized access occur, the information is located away from physical PACE premises. This provides
another layer of security for the protection of PACE information and systems.
EXTRANET CONNECTIONS
It is important that a policy be in place under which third party organizations connect to PACE
networks, and vice versa, for the purpose of transacting business. Connecting to a third party
organization’s information or data system sometimes becomes necessary in cases where PACE is
transacting business with the third party, such as hiring candidates for vacancies, reviewing invoices, etc.
Connections between third parties that require access to non-public PACE resources fall under this
policy, regardless of whether a telco circuit (such as frame relay or ISDN) or VPN technology is used for
the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide
Internet access for PACE or to the Public Switched Telephone Network do NOT fall under this policy.
The following guidelines are to be strictly observed:
• All new extranet connectivity will go through a security review with the IT department. The
reviews are to ensure that all access matches the business requirements in a best possible way,
and that the principle of least access is followed.
• All new connection requests between third parties and PACE require that their representatives
agree to and sign a Third-Party Agreement that governs protocols and guidelines concerning the
use and access to each of their systems.
• All production extranet connections must be accompanied by a valid business justification, in
writing, that is approved by a project manager in the extranet group.
• Point/s of contact (POC) must be designated for the Extranet connection. The POC acts on behalf
of their organization and is responsible for ensuring compliance to protocols to protect
information and data systems of their organization and PACE. If the point of contact changes,
PACE must be informed promptly.
• All connectivity established must be based on the least-access principle, in accordance with the
approved business requirements and the security review. In no case will PACE rely upon the third
party to protect its network or resources.
• All changes in access must be accompanied by a valid business justification, and are subject to
security review.
• When access is no longer required, the third party/business affiliate must notify PACE that the
extranet connectivity is to be terminated and access is no longer required.
• Should it be necessary that PACE connect to a third party network, system or WIFI, the PACE
employee or representative needs to observe the protocols and precautions prescribed as regards
information safety and protection.
• The IT Administrator will verify compliance to this policy through various methods, including but
not limited to, business tool reports, internal and external audits, and feedback to the policy
owner.
• Any exception to the policy must be approved by the Infosec team in advance.
• An employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
Definitions
Account: Any combination of a User ID (sometimes referred to as a username) and a password that
grants an authorized user access to a computer, an application, the network, or any other information or
technology resource.
Application Administration Account: Any account that is for the administration of an application (i.e.
SQL database administrator, etc.).
Barracuda: Third Party Software that PACE pays to take care of data backups and email security.
Encryption or encrypted data – The most effective way to achieve data security. To read an encrypted
file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted
data is called plain text.
General Network Corporation (GNC): GNC provides PACE with personalized managed services,
technology solutions and IT consulting.
Hacker – A slang term for a computer enthusiast, i.e., a person who enjoys learning programming
languages and computer systems and can often be considered an expert on the subject(s).
KnowBe4: The world’s largest integrated platform for security awareness training combined with
simulated phishing attacks.
Password: A string of characters which serves as authentication of a person’s identity, which may be
used to grant or deny access to private or shared data.
Plain text – Unencrypted data.
Personally Identifiable Information (PII) - Any data that could potentially identify a specific individual.
Any information that can be used to distinguish one person from another and can be used for
deanonymizing anonymous data can be considered PII.
Safeguards - Countermeasures, controls put in place to avoid, detect, counteract, or minimize security
risks to physical property, information, computer systems, or other assets. Safeguards help to reduce
the risk of damage or loss by stopping, deterring, or slowing down an attack against an asset.
Security Incident: Refers to an adverse event in an information system, and/or network, or the
threat of the occurrence of such an event. Incidents can include, but are not limited to, unauthorized
access, malicious code, network probes, and denial of service attacks.
Sensitive data - Data that is encrypted or in plain text and contains PII.
Security Administrator: The person charged with monitoring and implementing security controls and
procedures for a system. Whereas PACE may have one Information Security Officer, technical
management may designate a number of security administrators.
Strong Password: A strong password is a password that is not easily guessed. It is normally constructed
of a sequence of characters, numbers, and special characters, depending on the capabilities of the
operating system.
System Administrator: The person responsible for the effective operation and maintenance of
information systems, including implementation of standard procedures and controls to enforce an
organization’s security policy.
ThinkHR: Training service provider for new hires. In this policy, ThinkHR provides the following
trainings: Cybersecurity Awareness for Employees; Security Awareness Essentials; Cybersecurity
Awareness for Employees: Classifying and Safeguarding Data for Corporate and Personal Use; and
Cybersecurity – Browser Safety.