
Definitions

Within this document, the term “personnel” will refer to any employee, contract personnel, officers, and board members of Cadence Sports Incorporated and its subsidiaries, Cadence Event Management, LLC, Cadence Equipment, LLC, H2O Operations, LLC (collectively the “Company”). Within this document, the term “technology device” includes desktop computers, laptops, tablets, smartphones, or any other electronic devices that house or are used to work with Company data or are used to access Company systems.

Organization of Information Security

Policy & Program Responsibility

The Company’s Chief Executive Officer (the “CEO”) is responsible and accountable for the organization’s information security, and the Board of Directors includes security periodically in its regular review of overall corporate governance. Annually, the company’s CEO reviews and updates the Privacy and Security Policies. The company also has an ongoing process in place to monitor, assess, and address the effect on privacy and security requirements from on-going changes resulting from:

-Legal and regulatory environments
-Industry requirements
-Contract requirements
-Business operations and processes
-Personnel assigned responsibility for privacy and security matters
-Technology (prior to implementation)

Policies and procedures are updated where required as a result of any changes.

Policies may also be updated to resolve inconsistencies between the policies and new contracts entered into by the Company. All changes to the policies must be approved by the CEO, legal counsel, and the Board of Directors. If changes are made to the policies, the Company will provide revised copies of the policies to all employees, contract employees, subcontractors, and vendors along with a summary of the changes that were made. Monitoring activities include but are not limited to the review of control reports, trend analysis, complaint resolutions, and/or regular internal reviews. All security exceptions or situations not specifically addressed in the Company’s policies are referred to and handled by the CEO.

Information Collection & Retention

Company does not collect personal information or any information directly from individuals.  Individuals’ personal information is received from clients, potential clients, and strategic partners.

Information Classification

Company classifies data in four categories, ranging from most sensitive to least sensitive:

1. Personally identifiable information (“PII”) means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. Because there are many different types of information that can be used to distinguish or trace an individual's identity, the term PII is necessarily broad. PII can include names and other elements such as date of birth (DOB), Social Security number (SSN), Passport Number, fingerprints, etc.
2. Client Confidential Information includes any non-PII information about Company clients or prospective clients that would be considered confidential by the client.  This would include information such as financial data or client lists, and also includes any personal information related to client personnel collected or submitted through Company’s websites. 
3.   Company Confidential Information includes any confidential information about the Company’s business.  This would include information such as financial data or client lists.  
4.   Public Information. This includes any information that does not fall into one of the other three categories.

Information Labeling

To the extent possible, all PII data should be clearly labeled “PII Confidential,” and all Client and Company Confidential information should be clearly labeled either “Client Confidential” or “Company Confidential”.

Data Handling

Data handling standards vary based on which category in the classification system a piece of information is in. Standards by category are detailed below.

1. PII
a. Access –
-May only be accessed by personnel with a valid business need;
-Access may only be granted by the CEO;
-Accessed only for business operations and only if necessary; and
-Never accessed on unsecured laptops, tablets, smart phones or other devices.
b. Storage – Stored only in the Company’s Google Workspace
c. Email – Generally Prohibited
d. Printing – Generally Prohibited
e. Destruction – If no longer needed, erased from Google Workspace environment as authorized by the CEO.

2. Client Confidential Information
a.   Access – May only be accessed by personnel with a valid business need the Company’s Google Workspace
b.   Storage – Controlled by client contract 
c.    Email – Controlled by client contract
d.   Printing – Allowed
e.   Destruction – Physical data (e.g. printouts) must be shredded.  Electronic data must be deleted.

3.   Company Confidential Information
a.   Access – May only be accessed by personnel with a valid business need.
b.   Storage – Stored only in Company’s Google Workspace
c.    Email – Allowed
d.   Printing – Allowed
e.   Destruction – Physical data (e.g. printouts) must be shredded.  Electronic data must be deleted.

4.   Public Information
a.   No standards set by this policy.

Communications & Operations Management

Disclosure of Personal Information

Company discloses personal information only with implicit or explicit consent, unless a law or regulation specifically requires or allows otherwise.

Human Resources Privacy

Employees & Contract Personnel

Background checks are performed on all employees during the hiring process and prior to any access grants to company data. These checks are renewed annually as part of our annual risk assessment process as well. Employees must remain in good standing in order to retain access privileges. Company requires all personnel to attest to reading all policy and procedure documents. 

Part-time Employees & Vendors

Company investigates all complaints related to the misuse of personal information by a part-time employee or vendor and responds to any knowledge of a variance with Company’s privacy policies and procedures or contractual arrangements in accordance with its privacy incident management policies. Company will also take remedial action, where appropriate, and will mitigate, to the extent practicable, any harm caused by the misuse of a subcontractor or vendor.

Violations & Sanctions

Personnel found to violate this policy will be subject to escalating sanctions up to and including termination of their relationship with Company.

Personnel Termination & Security

In the event Company terminates its relationship with personnel or vice versa:

-Access credentials to all systems will be revoked at close of business on personnel’s final day with Company.
-Personnel will be notified they have one week to return any Company owned assets including laptops or other technology devices.

However, if Company determines that the terminated personnel pose a security or privacy risk:

-Access credentials to all systems will be revoked prior to Company notifying personnel of termination or within one hour if personnel terminates the relationship with Company.
-Personnel will be notified they have 1 week to return any Company owned assets including laptops or other technology devices.

Asset Management

The CEO is responsible for maintaining a log of all applicable Company owned servers, technology devices, certificates, and software.

End User Computing Policies

This policy covers the use of technology devices owned by and provided to personnel by Company or owned by personnel and used to access Company systems. Technology devices provided by Company may be used only to conduct Company business. Technology devices provided by Company may only be used to access internet sites necessary for conducting Company business.  Examples of acceptable use include accessing SaaS websites and conducting internet-based research. Email accounts provided by Company may be used only to conduct Company business. All technology devices whether or not provided by Company must be secured with a system login password that conforms to any password requirements for server/system access as specified by the CEO. All personnel must take reasonable security measures to protect technology devices, whether or not owned by Company, from theft or breach.  This includes not leaving a technology device out in public when personnel is not present. Personnel may use any technology devices whether or not provided by Company to access Company systems remotely provided said devices comply with the provisions of this policy. Company allows personnel to use their own technology devices to access Company systems and conduct Company business provided said devices comply with the provisions of this policy with the exception of the acceptable use and internet use provisions, which apply only to technology devices provided by Company.

Information Systems Acquisition, Development, & Maintenance

System Acquisition & Development

The CEO is responsible for testing, evaluating, and authorizing any hardware, technology device, and/or software prior to purchase and before implementation.

System Maintenance

The CEO is responsible for all system changes and maintenance.

Physical & Environmental Security

Company hosts all data on an enterprise-level Google Workspace.

Access & Logical Controls

User Access Management

All system access is granted according to minimum business need as determined by CEO.  Revalidation of personnel need for access to each system is performed annually as part of the risk assessment process or upon any change in job responsibility.

Security Incident Management

A “security incident” is any incident which may put at risk Company’s infrastructure, systems, or critical data (including PII, Confidential Client Information, and Confidential Company Information). Examples of “security incidents” would include, but are not limited to, virus/malware infection of servers, denial of service attacks, or lost/stolen laptops.

All personnel are required to immediately raise security incidents to the attention of the CEO. Immediately upon notification, the CEO will work with the appropriate parties to establish technical and business action plans. The Board of Directors will coordinate with legal counsel if necessary to identify any remediation actions and/or notification requirements under applicable laws and regulations. The Board of Directors will also contact law enforcement, regulatory, or other authorities when required by law or when warranted by the specific nature of the incident. The Board of Directors will then notify any affected third-parties including clients, partners, suppliers, or vendors.

After any “security incident”, a review is conducted to identify root-causes and remedies to prevent similar incidents in the future.

Risk Assessment & Treatment

Company conducts an annual risk assessment process that identifies and prioritizes both internal and external risks. As part of this process, Company:

-Reviews all privacy and/or security incidents that occurred during the prior year
-Reviews existing privacy and security policies for legal and contractual compliance.
-Tests administrative and technical controls safeguarding personal information.
-Categorizes each risk as High, Mid, or Low

The CEO is responsible for the annual risk assessment process, and the results and recommendations are reported to the Board of Directors.

When new risks or changes to risk assessments are identified, Company’s policies, procedures, training programs, and response strategies are updated as necessary. Company will also create a risk mitigation plan to address any high-risk issues identified during the process.