Information Technology Policies
Bijan Boutiques, LLC and Bijan Boutiques Las Vegas, LLC
443 N. Rodeo Drive
Beverly Hills CA 90210
Date: March 2020
Bijan Information Technology Policies
Bijan’s overall information technology ensures that reasonable security measures are taken for all client or customer data it may collect. As such, the data we hold is encrypted and we guard that information from unauthorized use or dissemination.
Topics for security awareness training.
Content/ Asset Security and Handling:
All servers and server shares are password protected and firewalled. Every user that accesses data has a unique and individual user credentials. Server share permissions are controlled with group policy and on a method of least access granted. All data is stored centrally and managed. Data backups are performed nightly and monitored remotely.
Data that is to be transferred or delivered is encrypted with either TLS encryption or is delivered via physical encrypted media. No FTP or other unencrypted technology is used. Pass keys are never sent along with the drive and will be emailed or texted to a trusted party once confirmation of the physical devices has been reported successfully. All physical media used to deliver files is logged and tracked.
In the event of a lost or stolen drive, password, or asset the escalation matrix is to be followed and acted on immediately. All parties should be notified and assessment of the breach should also follow with a post mortem assessment to avoid similar situations in the future.
General IT Security and Acceptable Use
All policies are set to match the best practices outlined by the best practices documentation available as of January 2019. These include but are not limited to Firewalls, Servers, Workstations, Data Encryption, Virus Software, Wireless Systems, etc.
Workstation Security (user info):
All workstations are password protected and in a physically accessed controlled area. Users are given an unprivileged account to work on. User accounts cannot install software and or change configurations. This password is never to be handed out, shared, or posted on a publicly viewable ‘sticky note’.
Password and Account Policy:
Complexity rules are enforced to 8 characters, with at least one upper, lower, number, and special character.
Any accounts or user will be disabled upon closure of work hired for. In events this was not accounted for old accounts will be disabled when noticed or at regular intervals during routine maintenance every 60 days.
External account passwords will be changed every 6 months and 2 factor authentication will be activated where possible.
Social Engineering Prevention
We explain to our clients that there are literally thousands of variations to social engineering attacks. The only limit to the number of ways they can socially engineer users through this kind of exploit is the criminal’s imagination.
Slow down. Spammers want you to act first and think later. If the message conveys a sense of urgency, or uses high-pressure sales tactics be skeptical; never let their urgency influence your careful review.
Research the facts. Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research. Use a search engine to go to the real company’s site, or a phone directory to find their phone number.
Delete any request for financial information or passwords. If you get asked to reply to a message with personal information, it’s a scam.
Reject requests for help or offers of help. Legitimate companies and organizations do not contact you to provide help. If you did not specifically request assistance from the sender, consider any offer to ’help’ restore credit scores, refinance a home, answer your question, etc., a scam. Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it. To give, seek out reputable charitable organizations on your own to avoid falling for a scam.
Don’t let a link be in control of where you land. Stay in control by finding the website yourself using a search engine to be sure you land where you intend to land. Hovering over links in email will show the actual URL at the bottom, but a good fake can still steer you wrong.
Curiosity leads to careless clicking. If you don’t know what the email is about, clicking links is a poor choice. Similarly, never use phone numbers from the email; it is easy for a scammer to pretend you’re talking to a bank teller.
Email hijacking is rampant. Hackers, spammers, and social engineers taking over control of people’s email accounts (and other communication accounts) has become rampant. Once they control someone’s email account they prey on the trust of all the person’s contacts. Even when the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment check with your friend before opening links or downloading.
Beware of any download. If you don’t know the sender personally AND expect a file from them, downloading anything is a mistake.
Foreign offers are fake. If you receive email from a foreign lottery or sweepstakes, money from an unknown relative, or requests to transfer funds from a foreign country for a share of the money it is guaranteed to be a scam.
Set your spam filters to high. Every email program has spam filters. To find yours, look under your settings options, and set these high–just remember to check your spam folder periodically to see if legitimate email has been accidentally trapped there. You can also search for a step-by-step guide to setting your spam filters by searching on the name of your email provider plus the phrase ‘spam filters.’
Secure your computing devices. Install anti-virus software, firewalls, email filters and keep these up-to-date. Set your operating system to automatically update, and if your smartphone doesn’t automatically update, manually update it whenever you receive a notice to do so. Use an anti-phishing tool offered by your web browser or third party to alert you to risks.
Asset Disposal exists in response to a number of considerations in replacing business equipment, disposal will be handled on a case by case basis, with extreme prejudice to total destruction of company data, with best practices for environmental concerns.
Data security best practice means storage devices must be securely wiped and/or completely destroyed and disposed of in separated (impossible to reassemble) fashion. Proper disposal of ecologically-sensitive materials must be done properly or the business may face fines.