SECURITY POLICY
PURPOSE
The purpose of this policy is to create a prescriptive set of processes and procedures to ensure that Carter Paper & Packaging Inc develops, disseminates, and updates the Security Policy. This policy and procedure establishes the minimum requirements for the Security Policy.
SCOPE
This policy applies to all Carter Paper & Packaging Inc employees as well as all Carter Paper & Packaging Inc systems.
BACKGROUND
The Security Policy at Carter Paper & Packaging Inc is intended to facilitate the effective implementation of the processes necessary to meet the standard security requirements.
STATEMENT OF POLICY
Carter Paper & Packaging Inc shall protect sensitive information and information systems by requiring specific procedures for personnel pre-employment, employment, and post-employment.
- PERSONNEL SCREENING
  - Staff are screened at the time of interview, prior to hiring.
  - If at any time a need for additional screening arises, it will be implemented.
- PERSONNEL TERMINATION
  - Upon termination of individual employment:
    - Information system access is terminated:
      - If termination is voluntary (i.e., normal, scheduled), terminate information system access on the same day as notification of such termination (i.e., the same day the individual is terminated).
      - If termination is involuntary (i.e., emergency, adverse), terminate information system access within four (4) hours of notification of such termination (i.e., the same day the individual is terminated).
    - All security-related organizational information system-related property is retrieved (e.g., hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes); and
    - Access to organizational information and information systems formerly controlled by the terminated individual is retained.
  - Prior to archiving or permanently disabling accounts, transfer all Carter Paper & Packaging Inc information to appropriate staff or archives.
  - In the event of an adverse removal or involuntary termination, rotate the employee or contractor to a non-sensitive position or restrict access or rights to information systems before notification, whenever possible, to avoid the potential for malicious actions against information systems.
  - The following activities must be performed for all personnel, including contractors, leaving, changing jobs, or on extended absences:
    - Change or cancel all passwords, codes, user IDs, and locks.
    - Disable user IDs for extended absences (60 days).
    - Update access control lists, mailing lists, etc.
    - Collect all keys, badges, and similar items.
    - Reconcile any financial accounts over which the employee had control.
    - Ensure electronic records are accessible and properly secured, filed, or appropriately disposed of.
- PERSONNEL TRANSFER
  Note: This control applies when the reassignment or transfer of an employee is permanent or of such an extended duration as to make the actions warranted.
  - It is required that:
    - Logical and physical access authorizations to information systems and facilities must be reviewed when personnel are reassigned or transferred to other positions within Carter Paper & Packaging Inc, and the appropriate actions must be initiated.
    - The actions undertaken must be driven by the individual’s position risk designation.
  - The following activities must be performed for all personnel, including contractors, upon personnel reassignment or transfer:
    - Change or cancel all passwords, codes, and user IDs.
    - Update access control lists, mailing lists, etc.
    - Reconcile any financial accounts over which the employee had control.
    - Ensure electronic records are accessible and properly secured, filed, or appropriately disposed of.
    - Collect old keys, identification cards, authentication tokens, and building passes.
    - Issue new keys, identification cards, authentication tokens, and building passes.
    - Close previous information system accounts unless the original supervisor and the new supervisor carefully review the account to ensure that no resources or access privileges are left on the account and that the account has only the resources and privileges appropriate to the person’s new role and responsibilities.
    - Establish new accounts.
      - The individual’s access privileges and authorizations must be reviewed and updated to be in alignment with the new position on the effective date.
    - Change information system and facility access authorizations.
      - Individual information system and facility access authorizations must be reviewed and appropriately aligned or re-aligned with the new position’s required accesses and authorizations.
    - Provide for access to official records to which the individual employee had access at the previous work location and in the previous information system accounts.
  - The transfer or reassignment actions must be initiated within 24 hours following the formal transfer action.
  - Access controls for information systems must be reviewed regularly to verify that the access lists have been updated regarding transferred individuals.
- THIRD-PARTY PERSONNEL SECURITY
  - It is required that:
    - Security requirements, including security roles and responsibilities, for third-party providers (e.g., service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management) must be established.
    - If there is ever any question, third-party personnel must provide reasonable clarification and documentation to satisfy any concerns.
- PERSONNEL SANCTIONS
  - Carter Paper & Packaging Inc shall employ a formal sanctions process for personnel failing to comply with established information security policies and procedures.
  - The sanctions process must be consistent with applicable state laws, directives, policies, regulations, standards, and guidance where applicable.
  - The sanctions process must also address the following:
    - Informal corrective actions.
    - Formal disciplinary actions.
    - Severe disciplinary actions.
    - Removal of system access.
    - Possible criminal and/or civil penalties.