One-line summary: The NIST 800-161 / CMMC Level 1 cybersecurity framework Launch follows — six security standards, device identification, account management, the general policies every contractor and employee follows (passwords, MFA, access control, email security, software updates, backups, incident response), and the list of prohibited activities on Launch systems.
Cybersecurity Policy
Overview
Our small business takes the security of our systems and data very seriously. We recognize the importance of protecting our customers, employees, and organization from cyber threats. As such, we have implemented the following cybersecurity policies, which are based on NIST 800-161 / CMMC Level 1 and comprise six standards:
- Physical Protection
- Media Protection
- Identification & Authentication
- Access Control
- Systems & Communications Protection
- System & Information Integrity
Identifying a device
A device can be identified by its Media Access Control (MAC) address. Manufacturers often print the MAC address next to the serial number on the back of the device.
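As an added example (not part of the original policy text), the following Python helper normalizes a MAC address as printed on a device label into one canonical form for inventory lookups, and flags locally administered addresses: those have the U/L bit set in the first octet, are assigned by software (for example the per-network randomized addresses modern phones and laptops use), and so do not stably identify a physical device the way the printed address does. Function names are this example's own.

```python
import re

_TWELVE_HEX = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonicalize 'aa:bb:cc:dd:ee:ff', 'AA-BB-...', 'aabb.ccdd.eeff' or bare hex
    to uppercase colon-separated form so inventory lookups compare like with like."""
    hex_only = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if not _TWELVE_HEX.match(hex_only):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(hex_only[i:i + 2] for i in range(0, 12, 2))


def is_valid_mac(raw: str) -> bool:
    """True when the string parses as a 48-bit MAC address."""
    try:
        normalize_mac(raw)
        return True
    except ValueError:
        return False


def is_locally_administered(raw: str) -> bool:
    """True when bit 1 of the first octet (the U/L bit, mask 0x02) is set.
    Such addresses were assigned by software rather than burned in by the
    manufacturer, so they should not be trusted as a device identifier."""
    first_octet = int(normalize_mac(raw)[:2], 16)
    return bool(first_octet & 0x02)
```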
Why does identification and authentication matter?
- To identify who is accessing company software.
- To protect company resources against abuse by malicious users.
- To track activity on company software and pinpoint abnormal behavior.
Guidelines for implementing security from the start
- Manage all accounts in a central management system within your organization.
- Create a policy that establishes the proper procedure for account creation.
- Assign unique accounts to all new employees, contractors, and subcontractors when hired.
General policies
Launch contractors and employees are integral to our cybersecurity defense. Please follow all of the guidelines below.
- Passwords. All employees must create strong passwords and change them regularly. Use 1Password to create strong passwords. All passwords must be at least 12 characters; longer is better. NIST guidance focuses on length and screening against known-breach databases rather than complexity rules alone.
- Additional user authentication methods. Other effective methods can be added to support user identification:
  - Multi-factor authentication (PINs, security questions, security cards)
  - Biometrics (a laptop with a fingerprint scanner, or facial recognition as used to unlock cell phones)
- Access control. Access to sensitive data and systems is restricted to authorized personnel only.
- Email security. All employees must be vigilant for phishing attempts and suspicious emails. They should not open attachments or click on links from unknown sources.
- Software updates. All software and operating systems must be kept up to date with the latest patches and security updates.
- Data backup. All critical data must be backed up regularly to prevent data loss in the event of a cyber attack.
- Incident response. In the event of a cyber security incident, all employees should follow our incident response plan to minimize damage and prevent further attacks.
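The password rule above (at least 12 characters, screened against known-breach data, no composition rules) can be enforced by a small validator. The following Python is an added example, not part of the policy or of any Launch tooling; the breach database is a constructed stand-in of a few SHA-1 digests, where a real deployment would use a full breach corpus.

```python
import hashlib

MIN_LENGTH = 12  # policy minimum; longer is better

# Constructed stand-in for a known-breach database: SHA-1 digests of a few
# passwords assumed to be compromised. Storing digests rather than plaintexts
# means the screening list itself never holds usable passwords.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "Password123!", "correcthorsebatterystaple")
}


def is_breached(password: str) -> bool:
    """Screen a candidate against the breach set by digest comparison."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable.

    Only length and breach screening are enforced, matching the NIST-style
    guidance the policy cites: no uppercase/digit/symbol composition rules.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        problems.append("appears in known-breach database")
    return problems
```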
By adhering to these policies, we can help protect our organization and ensure the safety of our clients and employees.
Tips
Authentication tells us who the actor is. Knowing who the actor is (generally a person, but it could be a computer running automation) is one of the key principles of good cybersecurity.
Don't use your admin account for everyday work on the computer. Use your individual user account.
Prohibited activities
- Activities involving: adult or "mature" content, gambling and online or interstate sales of alcohol, tobacco products, firearms or weaponry.
- Collecting or retaining others' Social Security Numbers for any purpose other than for: i) tax reporting to governmental authorities, ii) administration of benefits plans or related individual benefits, or iii) providing financial services or insurance to your clients.
- Retaining credit card information after settlement of any related credit card transaction unless applicant encrypts it for storage or masks all but the last four digits of the credit card number.
- In conjunction with a credit card transaction, the recording of any personally identifiable information (phone number, address etc.) other than the information appearing on the card unless: 1) the information is required for shipping, delivery, servicing or installation, 2) the transaction is for a security deposit or 3) the transaction is for a cash advance.
- Soliciting or collecting private information on minors without consent of parent or legal guardian, including "non-public personal information."
- Delivering unsolicited content or material to others that could be construed as "spam" or something similar (including "pop-ups").
- Distributing or installing software or other executable files on others' computers or networks without their written permission (installs that could be construed as spyware, adware or something similar).
- Sale of private information to others.
If you notice any outdated information or typos, or need clarification on any policies, please email hr@launchindustries.biz.