Company cyber security policy 

Boston Neurobehavioral Associates ("Company") is committed to safeguarding the confidentiality of all access and application assets available and to complying with the current laws, regulations, guidelines, and best practices to protect its (list all who apply, e.g., employees, stakeholders, officers, affiliates, and shareholders) from the dangers of the cyber world due to its technological advances that include cybercriminals who engage in various types of cybercrime such as phishing, data leakage, inside job or threat, unethical hacking, and ransomware.

This Cyber Security Policy is a formal set of rules by which those people who are given access to company technology and information assets must abide.   

The Cyber Security Policy serves several purposes. The main purpose is to inform company users: employees, contractors and other authorized users of their obligatory requirements for protecting the technology and information assets of the company.  The Cyber Security Policy describes the technology and information assets that we must protect and identifies many of the threats to those assets.

The Cyber Security Policy also describes the user’s responsibilities and privileges. What is considered acceptable use? What are the rules regarding Internet access? The policy answers these questions, describes user limitations and informs users there will be penalties for violation of the policy. This document also contains procedures for responding to incidents that threaten the security of the company computer systems and network.

Policy brief & purpose

Our company cyber security policy outlines our guidelines and provisions for preserving the security of our data and technology infrastructure. The more we rely on technology to collect, store and manage information, the more vulnerable we become to severe security breaches. Human errors, hacker attacks and system malfunctions could cause great financial damage and may jeopardize our company’s reputation.

For this reason, we have implemented several security measures. We have also prepared instructions that may help mitigate security risks. We have outlined both provisions in this policy.

Scope

This policy applies to all our employees, contractors, volunteers and anyone who has permanent or temporary access to our systems and hardware.

Policy elements

Confidential data

Confidential data is secret and valuable. Common examples are:

• Unpublished financial information
• Data of patients and prescriptions
• Patents, formulas or new technologies
• Patient lists (existing and prospective)

All employees are obliged to protect this data. In this policy, we will give our employees instructions on how to avoid security breaches.

User Classification

All users are expected to have knowledge of these security policies and are required to report violations to the Security Administrator.  Furthermore, all users must conform to the Acceptable Use Policy defined in this document. The company has established the following user groups and defined the access privileges and responsibilities:

Security Policy Department : 

• Q from Flagshipit : 617 669 3645 : q@flagshipit.com
• Zain Kagzi : 508 817 5129 : zkagzi@ bostonneurobehavioral.com
• Ahsan : +92 319 3474803 : 
• Fahad Munir: 781 249 8431 : 

Protect personal and company devices

When employees use their digital devices to access company emails or accounts, they introduce security risk to our data. We advise our employees to keep both their personal and company-issued computer, tablet and cell phone secure. They can do this if they:

• Keep all digital devices password protected.
• Upgrade Malwarebytes antivirus software.
• Ensure they do not leave their devices exposed or unattended.
• Install security updates of browsers and systems monthly or as soon as updates are available.
• Log into company accounts and systems through secure and private networks only.
• Make sure you update Logmein when you prompted

We also advise our employees to avoid accessing internal systems and accounts from other people’s devices or lending their own devices to others.

PERSONNEL RESPONSIBILITIES

• All devices provided by the Company are strictly for business use only to avoid any possible access opening from the outside network. It is provided for the sole purpose of the performance of your role to the Company and its Clients.
• Properly sign out of the systems and devices after office hours.
• Login credentials, especially the passwords to different systems and databases, should be stored in the secured password manager system as prescribed by the Company.
• Lock computer or laptop devices when the personnel is not in their respective workplace or work area.
• Avoid sharing any company data or information, especially with the person/s that is not in the company circle or in the business to know.
• Always be vigilant in your surrounding area outside the premises of the company in order to protect yourself, your essential belongings, your mobile, and your laptop devices. The company information may be important, but the subject itself is more valuable than any assets available.
• It is strictly implemented that all subjects must adhere never try to connect to any public Wi-Fi – anytime and anywhere; in malls, fast food chains, coffee shops, and any other places with a high risk of a security breach.
• Always be in your cyber security mindset.

When new hires receive company-issued equipment they will receive the digital device with:

• Malwarebytes Anti-virus
• Complex Password to access the device
• Logmein tools to allow the IT department to access the pc
• VPN tools in case of problem or hiding IP

They should follow instructions to protect their devices and refer to our IT company FlagshipIT phone number 6176693645 or email q@flagshipit.com. if they have any questions.

Keep emails safe

Emails often host scams and malicious software (e.g. worms.) To avoid virus infection or data theft, we instruct employees to:

• Avoid opening attachments and clicking on links when the content is not adequately explained
• Be suspicious of clickbait titles (e.g. offering prizes, advice.)
• Check email and names of people they received a message from to ensure they are legitimate.
• Look for inconsistencies or giveaways 

If an employee isn’t sure that an email they received is safe, they can refer to our IT company FlagshipIT phone number 6176693645 or email q@flagshipit.com.

Manage passwords properly

Password leaks are dangerous since they can compromise our entire infrastructure. Not only should passwords be secure so they won’t be easily hacked, but they should also remain secret. For this reason, we advice our employees to:

• Choose passwords with at least eight characters (including capital and lower-case letters, numbers and symbols) and avoid information that can be easily guessed (e.g. birthdays.)
• Remember passwords instead of writing them down. If employees need to write their passwords, they are obliged to keep the paper or digital document confidential and destroy it when their work is done.
• Exchange credentials only when absolutely necessary. When exchanging them in-person isn’t possible, employees should prefer the phone instead of email, and only if they personally recognize the person they are talking to.
• Change their passwords every two months.

Remembering many passwords can be daunting. We will purchase the services of a password management tool which generates and stores passwords. Employees are obliged to create a secure password for the tool itself, following the abovementioned advice.

Acceptable Use

User accounts on company computer systems are to be used only for business of the company and not to be used for personal activities.  Unauthorized use of the system may be in violation of the law, constitutes theft and can be punishable by law.  Therefore, unauthorized use of the company computing system and facilities may constitute grounds for either civil or criminal prosecution.

Users are personally responsible for protecting all confidential information used and/or stored on their accounts.  This includes their logon IDs and passwords. Furthermore, they are prohibited from making unauthorized copies of such confidential information and/or distributing it to unauthorized persons outside of the company.

Users shall not purposely engage in activity with the intent to: harass other users; degrade the performance of the system; divert system resources to their own use; or gain access to company systems for which they do not have authorization. 

Users shall not attach unauthorized devices on their PCs or workstations, unless they have received specific authorization from our IT company FlagshipIT phone number 6176693645 or email q@flagshipit.com

Users shall not download unauthorized software from the Internet onto their PCs or workstations.

Users are required to report any weaknesses in the company computer security, any incidents of misuse or violation of this policy to their immediate supervisor.

Use of the Internet

The company will provide Internet access to employees and contractors who are connected to the internal network and who has a business need for this access.   Employees and contractors must obtain permission from their supervisor and file a request with the our IT company FlagshipIT phone number 6176693645 or email q@flagshipit.com

The Internet is a business tool for the company.  It is to be used for business-related purposes such as: communicating via electronic mail with suppliers and business partners, obtaining useful business information and relevant technical and business topics.  

The Internet service may not be used for transmitting, retrieving or storing any communications of a discriminatory or harassing nature or which are derogatory to any individual or group, obscene or pornographic, or defamatory or threatening in nature for “chain letters” or any other purpose which is illegal or for personal gain.

Transfer data securely

Transferring data introduces security risk. Employees must:

• Avoid transferring sensitive data (e.g. customer information, employee records) to other devices or accounts unless absolutely necessary. When mass transfer of such data is needed, we request employees to ask our IT company FlagshipIT phone number 6176693645 or email q@flagshipit.com. for help.
• Share confidential data over the company network/ system and not over public Wi-Fi or private connection.
• Ensure that the recipients of the data are properly authorized people or organizations and have adequate security policies.
• Report scams, privacy breaches and hacking attempts

Our IT company FlagshipIT phone number 6176693645 or email q@flagshipit.com need to know about scams, breaches and malware so they can better protect our infrastructure. For this reason, we advise our employees to report perceived attacks, suspicious emails or phishing attempts as soon as possible to our specialists. Our IT company FlagshipIT phone number 6176693645 or email q@flagshipit.com  must investigate promptly, resolve the issue and send a companywide alert when necessary.

Our Security Specialists are responsible for advising employees on how to detect scam emails. We encourage our employees to reach out to them with any questions or concerns.

Additional measures

To reduce the likelihood of security breaches, we also instruct our employees to:

• Turn off their screens and lock their devices when leaving their desks.
• Report stolen or damaged equipment as soon as possible to IT company FlagshipIT phone number 6176693645 or email q@flagshipit.com.
• Change all account passwords at once when a device is stolen.
• Report a perceived threat or possible security weakness in company systems.
• Refrain from downloading suspicious, unauthorized or illegal software on their company equipment.
• Avoid accessing suspicious websites.

We also expect our employees to comply with our social media and internet usage policy.

Our IT company FlagshipIT phone number 6176693645 or email q@flagshipit.com should:

• Install firewalls, malwarebytes software and access authentication systems.
• Arrange for security training to all employees.
• Inform employees regularly about new scam emails or viruses and ways to combat them.
• Investigate security breaches thoroughly.
• Follow this policies provisions as other employees do.

Our company will have all physical and digital shields to protect information.

Remote employees

Remote employees must follow this policy’s instructions too. Since they will be accessing our company’s accounts and systems from a distance, they are obliged to follow all data encryption, protection standards and settings, and ensure their private network is secure.

We encourage them to seek advice from our IT company FlagshipIT phone number 6176693645 or email q@flagshipit.com

Disciplinary Action

We expect all our employees to always follow this policy and those who cause security breaches may face disciplinary action:

• First-time, unintentional, small-scale security breach: We may issue a verbal warning and train the employee on security.
• Intentional, repeated or large scale breaches (which cause severe financial or other damage): We will invoke more severe disciplinary action up to and including termination.
   We will examine each incident on a case-by-case basis.

Additionally, employees who are observed to disregard our security instructions will face  progressive discipline, even if their behavior hasn’t resulted in a security breach.

Take security seriously

Everyone, from our customers and partners to our employees and contractors, should feel that their data is safe. The only way to gain their trust is to proactively protect our systems and databases. We can all contribute to this by being vigilant and keeping cyber security top of mind.

System Administrator Access

System Administrators, network administrators, and security administrators will have (type of access) access to host systems, routers, hubs, and firewalls as required to fulfill the duties of their job.

All system administrator passwords will be DELETED immediately after any employee who has access to such passwords is terminated, fired, or otherwise leaves the employment of the company.

Penalty for Security Violation

The company takes the issue of security seriously.  Those people who use the technology and information resources of company must be aware that they can be disciplined if they violate this policy.   Upon violation of this policy, an employee of company may be subject to discipline up to and including discharge.   The specific discipline imposed will be determined by a case-by-case basis, taking into consideration the nature and severity of the violation of the Cyber Security Policy, prior violations of the policy committed by the individual, state and federal laws and all other relevant information.  Discipline which may be taken against an employee shall be administrated in accordance with any appropriate rules or policies and the company Policy Manual.

Criminal Hackers and Saboteurs.

The probability of this type of attack is low, but not entirely unlikely given the amount of sensitive information contained in databases.  The skill of these attackers is medium to high as they are likely to be trained in the use of the latest hacker tools.  The attacks are well planned and are based on any weaknesses discovered that will allow a foothold into the network.

Security Incident Handling Procedures

This section provides some policy guidelines and procedures for handling security incidents.  The term “security incident” is defined as any irregular or adverse event that threatens the security, integrity, or availability of the information resources on any part of the company network.  Some examples of security incidents are:

• Illegal access of a company computer system.  For example, a hacker logs onto a production server and copies the password file.
• Damage to a company computer system or network caused by illegal access.   Releasing a virus or worm would be an example.
• Denial of service attack against a company web server.  For example, a hacker initiates a flood of packets against a Web server designed to cause the system to crash.
• Malicious use of system resources to launch an attack against other computer outside of the company network.  For example, the system administrator notices a connection to an unknown network and a strange process accumulating a lot of server time.

Employees, who believe their terminal or computer systems have been subjected to a security incident, or has otherwise been improperly accessed or used, should report the situation to Our IT company FlagshipIT phone number 6176693645 or email q@flagshipit.com  immediately.   The employee shall not turn off the computer or delete suspicious files.  Leaving the computer in the condition it was in when the security incident was discovered will assist in identifying the source of the problem and in determining the steps that should be taken to remedy the problem.

Policy Review

The Policy Review will be done every two years from the Policy Effective Date and should be carefully deliberated with the Committee and higher management for the Boston Neurobehavioral Associates to keep up with the latest updates, changes, and innovations within the Cyber World.

The Boston Neurobehavioral Associates is full of great expectations that all the concerned subjects adhere, carefully read, understand, and agree to the Policy.

We are asking for your usual cooperation.