Information Security Policy / Written Information Security Program
Updated: June 2022
1. Overview
The security and protection of The Leadership Consortium’s (TLC) Confidential and Customer Data is vital to the success of our business. This Information Security Policy/Written Information Security Program (“WISP”) (collectively “Policy” or “Security Policy”) outlines our commitment to information security and delivers assurance to our customers and other stakeholders that we have the appropriate controls, measures, and procedures which are designed to ensure that our information assets are protected from existing and emerging threats. A failure to protect company information assets may pose a business risk and could adversely impact the reputation and value of our constituent businesses.
2. Scope
This Policy governs all electronic and physical information that is created or received during TLC business operations, including Confidential Information and Client Data, which may include personally identifiable information as defined under applicable law. Confidential Information may include information that, if accessed or disclosed, could cause material harm to TLC, its employees, or its customers. All employees, contractors, consultants, and business partners with access to TLC Information and IT Systems are expected to comply with this Policy. TLC shall limit the collection of personally identifiable information and Client Data to the amount reasonably necessary to accomplish its legitimate business purposes or to comply with state and federal regulations.
You are responsible for understanding and following the Information Security Policy regardless of the physical location (in an office, home, or other remote location) in which you may be accessing corporate or customer data or using TLC systems.
3. Responsibilities
Information Security Coordinator
TLC has designated Melissa Statires to implement, coordinate, and maintain this Policy. This includes assisting with staff training, coordinating the annual review of this Policy, and periodically reporting to TLC’s executive leadership regarding this Policy including information about risk assessments, risk management, cybersecurity incidents, policy violations, or recommendation revisions.
Staff (Information System Users)
Staff are responsible for:
Exercising due care when using TLC’s information, IT systems, brand and logo for the purpose of employment by, or engagement with, TLC, including all customer information and content;
Completing all assigned security training and security awareness requirements within the allotted timeframe;
Ensuring they are aware of the relevant information security controls, standards, and procedures that support this Policy and acting in accordance with them;
Promptly reporting any potential or confirmed information security or customer privacy related incidents to the CEO; and,
Applying sound security-aware and privacy-related principles throughout the enterprise.
Application/System Owners
Application/system owners are responsible and accountable for ensuring TLC identifies, classifies, and protects all confidential information and customer data throughout its lifecycle, and are expected to:
Assess the criticality (confidentiality, integrity and availability requirements) of the information and supporting TLC Systems;
Authorize and review the access permissions and security controls of their critical TLC systems as requested, but at least on a semi-annual basis;
Identify relevant security-related regulations, legislation, and client requirements with legal counsel; and
Ensure that all TLC information provided under non-disclosure or commercial agreements by or to third parties is appropriately managed and safeguarded.
Technology Service Providers
Internal and external Technology Service Providers are responsible for:
Implementing and maintaining security arrangements in coordination and concurrence with TLC Management that reflect the requirements of this Policy;
Working with the Application/system owner to implement the appropriate information security controls based on the criticality of the application/system; and
Ensuring that the required level of security is maintained when performing day-to-day administrative tasks.
Executive Leadership
Executive Leaders are responsible for:
Promoting a security and privacy aware culture, from the top down, by leading by example, putting security and privacy at the forefront of decision making, and ensuring employees know they can come to Management at any time with security concerns without fear of repercussions;
Implementing and maintaining appropriate security arrangements that reflect the relevant requirements of this Policy; and
Complying with relevant applicable security-related regulation, legislation, and customer requirements, as provided by the Legal Team.
4. Risk Assessment
TLC shall work towards implementing annual risk assessments. The first step in this process is vetting third-party vendors to assist with the risk assessment and security implementation. The assessment shall identify reasonably foreseeable internal and external risks to the security, confidentiality, integrity, or availability of records and evaluate the sufficiency of the current policies and safeguards. Following the risk assessment, TLC shall work towards implementing and maintaining appropriate safeguards to minimize the identified risks and shall regularly monitor the effectiveness of its policies and safeguards.
5. Record Retention, Access, and Transport
TLC staff may not remove records containing Confidential Information or Client Data from TLC’s physical location or approved electronic locations without approval from management.
In the rare cases where removal is approved, the user must take all reasonable precautions to safeguard the data. Under no circumstances are documents, electronic devices, or digital media containing Confidential Information or Client Data to be left unattended in any unsecured location.
When there is a legitimate need to provide records containing Confidential Information to a third party outside TLC, electronic records shall be password-protected and encrypted, and paper records shall be marked confidential and securely sealed.
Access to Confidential Information or Client Data shall be limited to those who have a legitimate business need for such data, or in order to comply with state or federal regulations.
Upon termination of employment, TLC will immediately block such terminated employee from any physical or electronic access to Confidential Information or Client Data, including deactivating their passwords and usernames.
Documents shall be stored and destroyed in accordance with TLC’s Data Retention Policy.
Any physical records shall be restricted and stored in a locked and secured location if such records contain Confidential Information or Client Data. TLC shall prevent, detect, and respond to any intrusions or unauthorized access to such records in accordance with its Incident Response Policy.
6. Vendor Agreements Concerning Confidential Information or Client Data
TLC will oversee each of its service providers that may have access to or otherwise create, collect, use, or maintain Confidential Information or Client Data on its behalf by:
Evaluating the service provider's ability to implement and maintain appropriate security measures, consistent with this Policy and all applicable laws and TLC’s obligations.
Requiring the service provider by contract to implement and maintain reasonable security measures, consistent with this Policy and all applicable laws and TLC's obligations.
Monitoring and auditing the service provider's performance to verify compliance with this Policy and all applicable laws and TLC’s obligations.
7. Security of Electronic Documents
TLC will work towards developing, implementing, and maintaining reasonable safeguards in accordance with applicable law and standards to protect the security, confidentiality, and integrity of electronically stored records. The safeguards will be appropriate for TLC’s size, scope, and business, its available resources, and the amount of Confidential Information or Client Data it maintains.
8. Breach of Security
If there is a breach of security, it shall be handled in accordance with TLC’s Incident Response Policy.
9. Compliance
Violations of this Policy will be investigated and, if caused by willful or intentional disregard or by negligence, will be treated as a disciplinary offense. All disciplinary procedures are coordinated through the CEO.
All requests for exceptions to this Policy must be submitted to the CEO for review and subsequent approval by the relevant appropriate parties (e.g., Application/System Owner, Legal Counsel).
This Policy and security procedures shall be reviewed annually, or whenever there is a material change in TLC’s business practices that may affect the security or integrity of the records.