Information Security Policy

B&N Enterprises, LLC (dba BN Commercial Cleaning and Fire Protection)

01/01/2025 

Contents

  • Introduction
  • Information Security Policy
  • Network Security
  • Acceptable Use Policy
  • Protect Stored Data
  • Information Classification
  • Access to Sensitive Information
  • Physical Security
  • Protect Data in Transit
  • Disposal of Stored Data
  • Security Awareness and Procedures
  • Incident Response Plan
  • Transfer of Sensitive Information Policy
  • User Access Management
  • Access Control Policy
  • Appendix A – Agreement to Comply Form
  • Appendix B – List of Devices

Introduction

This Policy document outlines the information security measures necessary to protect sensitive data and ensure compliance with applicable regulations. All employees of B&N Enterprises, LLC must review this document in its entirety, sign the acknowledgment form, and adhere to the policies herein. This document will be updated annually or as needed.

Information Security Policy

B&N Enterprises, LLC (BN Enterprises) is committed to protecting sensitive company and customer information. Safeguards are in place to maintain confidentiality, integrity, and availability of data while meeting regulatory compliance requirements. Key policies include:

1. Network Security

  • Maintain a network diagram detailing system configurations.
  • Conduct regular security scans and maintain results for 18 months. o Isolate systems with sensitive data and restrict unnecessary access.

2. Acceptable Use Policy

  • Use company systems responsibly and ensure data protection. o Keep passwords confidential and use secure passwords.
  • Avoid engaging in unauthorized or harmful online activity.

3. Protect Stored Data

  • Do not store sensitive authentication data or cardholder information electronically. o Secure physical copies of sensitive data.
  • Use encryption for data storage and transmission.

4. Information Classification

  • Classify data as Confidential, Internal Use, or Public. o Protect data based on its classification level.

5. Access to Sensitive Information

  • Restrict access to sensitive information based on job roles.
  • Maintain a list of third-party providers with access to sensitive data.

6. Physical Security

  • Limit access to sensitive areas to authorized personnel only.
  • Escort visitors in restricted areas.
  • Regularly inspect and maintain devices handling sensitive data.

7. Protect Data in Transit

  • Use strong encryption for data transmissions.
  • Prohibit sending sensitive data through unsecured channels.

8. Disposal of Stored Data

  • Implement secure data destruction procedures for both electronic and physical records. o Maintain records of data disposal activities.

9. Security Awareness and Procedures

  • Conduct regular training sessions for employees and contractors.
  • Ensure employees acknowledge and comply with security policies.

10. Incident Response Plan

  • Designate an incident response team.
  • Investigate incidents and mitigate risks promptly.
  • Report breaches to appropriate parties and authorities.

11. Transfer of Sensitive Information Policy

  • Establish service level agreements with third-party providers. o Ensure third-party compliance with security requirements.

12. User Access Management

  • Assign unique IDs for all users.
  • Restrict access rights based on job functions.
  • Disable accounts promptly upon employee separation.

13. Access Control Policy

  • Enforce least privilege access and need-to-know principles.
  • Conduct regular reviews of access rights.
  • Use complex passwords and implement multi-factor authentication.