The objective of the Information Security Training is to ensure that all customer information entrusted to us is protected in a manner consistent with industry best practices.

Intended Audience: All Employees and Contractors.

Training Requirements

  • All new employees and contractors are required to review the following guide with their immediate supervisor within 5 business days of start date.
  • If this guide is updated, you will receive an email requiring that you review all updates to this guide.
  • You will receive an annual email that requires you to review this guide.
  • After you complete the training, a digital signature will be used to verify that you have completed security awareness training. The generated artifact will be kept on file (see Internal Audit Policy for details) for a minimum period of 1 year.


  • When using email to transmit confidential documents, encrypt and password protect the documents before sending.
  • When printing, faxing or scanning confidential information, print/fax/scan devices (e.g. dedicated or Multi-Function) should be actively monitored by user/sender/receiver to ensure information is properly protected.
  • You are responsible for your use of confidential information.
  • You must not in any way divulge, copy, release, sell, loan, review, alter or destroy any information except as properly authorized within the scope of your professional activities.
  • You must take appropriate measures to protect confidential information wherever it is located:
    • in physical documents
    • stored on computer media
    • communicated over voice or data networks
    • exchanged in conversation
  • Avoid downloading confidential data to personal equipment.
  • When posting confidential documents to shared folders, encrypt and password protect the documents before posting.
  • All confidential data shall only be used in an appropriate manner. Confidential data shall not be:
    • Shared between customers
    • Shared with other employees and contractors that do not need access to the data
    • Used for any purpose outside of their job responsibility
  • Access Control
    • A small group of designated employees and contractors are given access to customer data on an as-needed basis.
    • Background checks are required for all employees and contractors that may at any time access customer data. Please notify your supervisor if you have not had a background check BEFORE accessing customer data.
    • If your job function no longer requires you to have access to a system containing customer data, it is your responsibility to notify your supervisor.
    • Do not share your credentials (usernames/passwords) with other individuals.
  • Customer Access
    • Customer is solely responsible for granting/revoking access to their employees/agents.
    • Customer is responsible for making sure appropriate controls are in place for granting access privileges to their employees and contractors.


  • You must safeguard any physical key, ID card or computer/network account that allows you to access confidential information. This includes creating computer passwords that are difficult to guess.
  • You must render unusable confidential information held on any physical document or computer storage medium (e.g., diskette, CD, magnetic tape, hard disk) that is being discarded. Please consult with IT personnel if you need assistance.
  • Keep a “clean desk” – do not leave documents containing confidential information on your desk.
  • Make sure to lock your desktop and laptop computer when you leave it unattended.
  • Portable computing devices containing confidential information should be physically secured as carefully as one protects a wallet.
  • If using company equipment outside of the corporate network, make sure to work with your IT person to enable software firewall services. This helps to secure your computer when working from a remote location.
  • Confidential documents should be stored in locked file cabinets in offices that are locked when not in use.
  • Shredders are available in all offices. Make sure to shred confidential documents/information when no longer needed. If a shredder is not available, please inform your local IT person.

In addition to the guidelines above:

  • Make sure that your mobile device is locked when not in use.
  • Make sure that the latest security updates are applied in a timely manner.
  • Only approved equipment shall be used for teleworking (e.g. must be approved by IT).
  • Equipment must adhere to standard guidelines (e.g. virus scanning, password protection, system lock after 5 minutes of inactivity, etc.).
  • In the event that a virus scanner on your workstation reports a threat to your workstation, you must immediately report this threat to IT Management.
  • VPN (or other secure networking technologies) must be used at all times to perform work functions.


  • If not prompted automatically, make sure to change passwords on a regular basis (every 90 days is recommended).
  • Avoid transmitting passwords by email. Do not use Instant Messaging software to communicate passwords. Voice communication is the best method for communicating passwords.
  • If the receiver is not known to you, you should confirm prior to communicating credentials.
  • Password policies are enforced through technical means where possible; however, it is still your responsibility to manage your password properly.
  • If an employee or contractor has any suspicion that any unauthorized person has the ability to access or has accessed a restricted system, they should immediately notify their immediate supervisor.

Use the following guidelines when creating passwords:

  • Minimum password length should be 8 characters.
  • Mix use of uppercase and lowercase letters.
  • Use 1 or more numeric digits.
  • Consider using 1 or more special characters.
  • Passwords should not be based on a dictionary word in any language.
  • Passwords should not include dates.
  • Passwords should not be based on user’s name or login ID.
  • You should never reuse passwords. Create unique and strong passwords for each application (Slack, Jira, Salesforce, Outlook).
  • Where you store your passwords is important. To help with the challenge of having so many passwords, we have approved and recommend the LastPass password manager for storing and managing passwords.

Collaborative Computing

When collaborative computing devices are used (for example, screen share or web cams), you must protect sensitive information. Best practices:

  • Close or disable email and chat messaging before entering a web meeting
  • Close windows containing sensitive information before sharing screen with other employees or customers.
  • Make sure that web cams do not show sensitive information written on whiteboards

Customer Contracts

For certain job roles, you may be required to review customer specific documents. These documents typically contain additional information security requirements or guidelines that you must adhere to when supporting a specific customer (e.g. a 'Supplier Code of Conduct' or some contractual commitment). Please consult with your manager to determine the set of additional documents that you are required to review.


It is your responsibility to avoid engaging in unlawful conduct affecting the organization and, should such conduct occur, to ensure that these matters are handled appropriately, including reporting to the appropriate authorities.

See Corporate Compliance Policy and Procedure for more details.

Incident Reporting

Our organization requires personnel to report suspected security incidents to the organizational incident response capability within 24 hours of discovery. See Incident Response Plan for additional information.


A quarterly audit of security awareness training activities will be performed to ensure that training has been completed as required (see Internal Audit Policy for details).

The Management Oversight Policy and Procedure requires an annual review of this policy.


Review the following articles, policies and procedures. If you have questions or comments please discuss with your immediate supervisor.