By registering, you certify that all information you provide, now or in the future, is consistent. capitalvia.com reserves the right, in its sole discretion, to deny you access to this website or any portion thereof without notice for the following reasons: (a) immediately by capitalvia.com for any unauthorized access or use by you; (b) immediately by capitalvia.com if you assign or transfer (or attempt the same) any rights granted to you under this Agreement; (c) immediately, if you violate any of the other terms and conditions of this User Agreement.
Organization information must be protected against unauthorized exposure, tampering, loss and destruction, wherever it is found, in a manner that is consistent with applicable laws and with the information’s significance to the Organization and any individual whose information is collected. Achieving this objective requires that Organization information be segregated into logical collections (e.g., Customer personal documents, employee benefit data, payroll data, personal data regarding, and financial records), and that each collection be associated with an individual known as an “Information Guardian” who must:
1. Define the collection’s requirements for confidentiality, integrity, availability and security.
2. Convey the collection’s requirements in writing to the managers of departments that will have access to the collection.
3. Work with Office Heads to determine what users, groups, roles or job functions are authorized to access the information in the collection and in what manner (e.g., who can view the information, who can update the information).
The guardian of a logical information collection is typically the head of the department on whose behalf the information is collected or that is most closely associated with such information. Each Information Guardian may designate one or more individuals on his or her staff to perform the above duties. However, the Information Guardian retains ultimate responsibility for their actions.
Office Heads are required to:
1. Understand the security-related requirements for the information collections used within their respective departments by working with the appropriate Information Guardians and their designates.
2. Develop procedures that support the objectives for confidentiality, integrity, availability and security defined by the Information Guardians and their designates, and ensure that those procedures are followed.
3. Effectively communicate any restrictions to those who use, administer, process, store or transfer the information in any form, physical or electronic.
4. Ensure that each staff member understands his or her information security-related responsibilities and acknowledges that he or she understands and intends to comply with those requirements.
5. Report any evidence that information has been compromised or any suspicious activity that could potentially expose, corrupt or destroy information to the Organization IT Security Officer.
a. Protecting Information Wherever It Is Located
Each individual who has access to information owned by or entrusted to the Organization is expected to know and understand its security requirements and to take measures to protect the information in a manner that is consistent with the requirements defined by its Information Guardian, wherever the information is located, i.e.,
1. On printed media (e.g., forms, reports, microfilm, microfiche, books),
2. On computers,
3. On networks (data and voice),
4. On magnetic or optical storage media (e.g., hard drive, diskette, tape, CD),
5. In physical storage environments (e.g., offices, filing cabinets, drawers).
If an authorized user is not aware of the security requirements for information to which he or she has access, he or she must provide that information with maximum protection until its requirements can be ascertained.
Any individual who has been given a physical key, ID card or logical identifier (e.g., computer or network account) that enables him or her to access information is responsible for all activities performed by anyone using that key or identifier. Therefore, each individual must be diligent in protecting his or her physical keys and ID cards against theft, and his or her computer and network accounts against unauthorized use. Passwords created for computer and network accounts should be difficult to guess. Furthermore, passwords should never be shared or recorded and stored in a location that is easily accessible by others. Stolen keys and ID cards, and computer and network accounts suspected of being compromised should be reported to the appropriate authorities immediately. The assignment of a single network or system account to a group of individuals sharing the same password is highly discouraged and may only occur in cases where there is no reasonable, technical alternative.
b. Information Associated with “Identity Theft”
Identity theft is a serious and growing problem in our society. Anyone who can obtain certain pieces of information about an individual can open credit cards, take out loans, create forged documents or steal assets in the individual’s name. Being sensitive to the identity theft threat, the Organization requires that extra precaution be taken when collecting, using and storing non-public “personally identifiable” information, such as:
a. Date of birth,
b. Place of birth,
c. Mother’s maiden name,
d. Credit card numbers,
e. Bank account numbers,
f. Income tax records.
Collection and use of any of the above pieces of information should be limited to situations where there is legitimate business need and no reasonable alternative. Managers must ensure that their employees understand the need to safeguard this information, and that adequate procedures are in place to minimize this risk. Access to such information may only be granted to authorized individuals on a need-to-know basis.
c. Limitations on Sharing Personally Identifying Information
All non-public information gathered and maintained by employees of the Organization, for the purpose of conducting Organization business, that personally identifies any living or deceased individual – names and other personal information pertaining to individual employees, clients, contractors, subcontractors etc. – is considered “confidential” unless otherwise specified by this document or by the appropriate Information Guardian or designate.
1. Implement the provisions of the policy.
2. Ensure that staff that handle, or have access to, personal data are fully familiar with the policy.
Check that the policy is being implemented (e.g. by conducting periodic audits of data protection procedures) and identify any issues arising.
1. Review and evaluate the impact of the policy at a pre-determined time, taking into account feedback from other developments.
2. Revise as necessary, in light of the review and evaluation process.
Direct termination of service if someone is found to be violating the norms