- SecurityControl (“Sec-Con”) is a personnel management platform provided by Industrial Security Integrators, LLC (“IsI”).
- IsI is committed to protecting data privacy of the information contained in Sec-Con. To perform its functions, Sec-Con collects, submits, stores, and uses Personally Identifiable Information (“PII”). PII means any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means, such as name, address, social security number or other identifying number or code, telephone number, email address, or information by which an Agency intends to identify specific individuals in conjunction with other data elements, such as a combination of gender, race, birth date, geographic indicator, and other descriptors. Users, Managers, Operators, and Developers must understand, acknowledge, and agree that Sec-Con requires the submission, use, storage, and dissemination of various PII.
- It is the policy of IsI to comply with all Federal, State, and Local laws, regulations, and Government-wide policies regarding the protection of PII, Unclassified Controlled Information, and Classified Information, including strict compliance with the National Industrial Security Program Operating Manual (“NISPOM”). IsI complies with all Executive Orders, directives, policies, standards, instructions, regulations, contractual requirements, and procedures related to the security of information systems. IsI ensures that data contained in Sec-Con, to which authorized Users, Managers, Operators, and Developers have access in the performance of their duties, are protected so the security and confidentiality of the information are preserved.
- Sec-Con only collects information it is permitted by law to collect. The collection, maintenance, and disclosure of background investigative information are governed by the Privacy Act of 1974. The Agency that requested the investigation and the Agency that conducted the investigation have published notices in the Federal Register describing the systems of records in which your records will be maintained. The information you provide to Sec-Con, and information collected during a background investigation, may be disclosed without your consent by an Agency maintaining the information in a system of records as permitted by the Privacy Act, 5 U.S.C. 552a(b), and by routine uses, a list of which is published by the Agency in the Federal Register. Additionally, Sec-Con may collect, maintain, store, and disclose information for government records that are exempt from certain Privacy Act procedures, and thus, may be transmitted to third parties without advance written consent of the person to whom the records pertain.
- No IsI Employee or Contractor may be permitted to have or retain access to a system of records; create, collect, use, process, store, maintain, disseminate, disclose, dispose of, or otherwise handle PII; or design, develop, maintain, or operate a system of records, unless the Employee has completed all training as required by law or contractual obligation.
- PII provided to, used by, or stored in Sec-Con may be used by IsI only in connection with the purposes as are described at the point of collection. Any PII provided in connection with the use of Sec-Con will not be publicly viewable. Any PII provided in connection with the use of Sec-Con will not be sold, leased, or rented to third parties. IsI never collects information or creates individual profiles for commercial marketing purposes.
- No unauthorized equipment may be used to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access PII.
- Sec-Con uses a number of security measures to protect customer data and PII including: X.509 Authorization; password encryption; two-factor authentication; role-based access control; user session expiration; double data encryption, encryption in transit using SSL on the server and encryption keys rotated every three months; encryption at rest with a fully encrypted database, file systems, and encryption key required for access to servers; user activity auditing, and digital signatures for training; built-in solution and database protection designed to prevent unauthorized access to information, including layers of redundancy, encryption, network and web firewalls, IP whitelisting that restricts access to application servers and databases by specific IP address; information systems protected by GovCloud Physical Protections which are pre-accredited and compliant with the Federal Information Security Management Act and the Federal Risk and Authorization Management Program; data-based access control enforcement; network isolation on a virtual private subnet so servers and databases are not addressable from the internet; a patching schedule; intrusion detection; full-time security management personnel (many of whom are accredited as Certified Information Systems Security Professionals); proactive business continuity planning and protection strategy with geographically dispersed centers that have fully redundant power subsystems and protection against potential threats; nightly backup of customer data sent to an alternate facility; incremental backups of uploaded documents and nightly snapshots of database and file systems; segmented data for each customer and continuous, automatic monitoring for viruses to ensure privacy and data integrity.
- IsI implements a separation of concerns policy that limits access for Developers, IT Employees, Program Managers, Database Engineers, and other employees to only their necessary functions. Access to systems and records is limited to the types of transactions and functions that Authorized Users are permitted to execute. Record and/or field level access controls are implemented on all databases. Facility Security Officers have authorized access to view Sec-Con records as required for the performance of their duties. Individual Users may access only their own information for authorized purposes.
- IsI limits physical access to information systems, information system equipment, and the respective operating environments to Authorized Individuals. IsI maintains a Defense Security Service-audited secure facility that protects the security of the physical facilities and the essential utilities and infrastructure that support Sec-Con’s information systems and provide appropriate environmental controls in facilities containing information systems.
- An individual’s data will remain in the Sec-Con system for up to a period of one (1) year, or two (2) years if they have North Atlantic Treaty Organization (NATO) Access per the NISPOM, or will be removed at any time prior to that at the request of the client. Should a client terminate our services in writing, we will remove their PII from the system within ninety (90) days.
- All Sec-Con Users, Managers, Operators, and Developers are personally accountable for their actions, which may be tracked by an audit trail that logs user activities. IsI adheres to any obligations to create, protect, and retain information system audit records to the extent needed to enable monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
- Sec-Con Users, Managers, Operators, and Developers are required to protect the confidentiality of data to which they have access. Such personnel are required to handle, maintain, and dispose of PII with prudent care to ensure proper security. Users, Managers, Operators, and Developers implement and maintain responsible security procedures and practices appropriate to the nature of the information to protect any PII to prevent any unauthorized access, destruction, use, modification or disclosure.
- Use of Sec-Con is at the User’s own risk. It is the responsibility of the User to protect data to which he or she has access. Users are responsible for compliance with all Federal, State, and Local laws regarding data privacy and data protection.
- In the event of a suspected or confirmed breach of system records, Users, Managers, Operators, and Developers are required to follow all protocols related to suspected or confirmed breaches of a system of records or unauthorized disclosure, access, handling, or use of PII. If any User, Manager, Operator, or Developer becomes aware of any theft or loss of PII, that person must inform IsI’s Sec-Con Administrator immediately. IsI has established and implemented an incident handling capability that includes adequate preparation, detection, analysis, containment, recovery, and user response activities which require strict compliance. In these cases, IsI will track, document, and report incidents to the appropriate authorities.
- IsI performs periodic and timely maintenance on information systems, provides effective controls on the mechanisms, techniques, tools, and personnel used to conduct information system maintenance, and performs periodic and timely updates of information security and privacy policies and procedures.
- The Sec-Con website uses “cookies”, a measurement and customization technology, to remember a user’s online interaction with the website or online application, to conduct analysis of usage, and to customize user experience. The website uses a cookie for the “remember me” option for login purposes. The website also uses a cookie to track user sessions. Use of these cookies does not involve the collection of a user’s PII.
Updated January 17, 2018