HMI is committed to maintaining the confidentiality, integrity, and security of personal information about our current customers, our prospective customers, and our customer’s customer. We protect our customer data and NEVER resell or comprise the privacy of our customers’ personal information.
We are proud of our privacy practices and want you to know how we protect this information and use it to service your programs. We hope you will take a moment to review the full security and privacy policies of HMI.
Please note that certain details of the HMI policies may depend on whether you deal with us through an established customer program, your employer, or directly as a customer.
If you are a former customer, these policies also apply to you; we treat your information with the same care as we do information about current customers. At the point the program concludes it is HMI policy to maintain the data for a period of up to one calendar year at which point HMI will securely delete, remove, degauss, or dispose of any customer data including personal information (see Data Destruction for further details or contact HMI to obtain a full security policy).
Treatment of Confidential Data
For clarity, the following sections on storage, transmission, and destruction of confidential data are restated from the HMI Data Classification Policy and employee training manual.
Confidential information must be removed from desks, computer screens, and common areas unless it is currently in use. Confidential information should be stored under lock and key (or keycard/keypad), with the key, keycard, or code secured.
Confidential data must not be 1) transmitted outside the company network without the use of strong encryption, 2) left on voicemail systems, either inside or outside the company’s network.
Confidential data must be destroyed in a manner that makes recovery of the information impossible. The following guidelines apply:
- Paper/documents: cross cut shredding is required.
- Storage media (CD’s, DVD’s): physical destruction is required.
- Hard Drives/Systems/Mobile Storage Media: at a minimum, data wiping must be used. Simply reformatting a drive does not make the data unrecoverable. If wiping is used, the company must follow U.S. DoD standards for data wiping. Alternatively, the company has the option of physically destroying the storage media.
Use of Confidential Data
A successful confidential data policy is dependent on the users knowing and adhering to the company’s standards involving the treatment of confidential data. The following applies to how users must interact with confidential data:
- Users must be advised of any confidential data they have been granted access. Such data must be marked or otherwise designated “confidential.”
- Users must only access confidential data to perform his/her job function.
- Users must not seek personal benefit, or assist others in seeking personal benefit, from the use of confidential information.
- Users must protect any confidential information to which they have been granted access and not reveal, release, share, email unencrypted, exhibit, display, distribute, or discuss the information unless necessary to do his or her job or the action is approved by his or her supervisor.
- Users must report any suspected misuse or unauthorized disclosure of confidential information immediately to his or her supervisor.
- If confidential information is shared with third parties, such as contractors or vendors, a confidential information or non-disclosure agreement must govern the third parties’ use of confidential information. Refer to the company’s outsourcing policy for additional guidance.
Security Controls for Confidential Data
Confidential data requires additional security controls in order to ensure its integrity. HMI requires that the following guidelines are followed:
- Strong Encryption: Strong encryption must be used for confidential data transmitted external to the company. If confidential data is stored on laptops or other mobile devices, it must be stored in encrypted form.
- Network Segmentation: Separating confidential data by network segmentation is strongly enforced (see Network Security Policy).
- Authentication: Strong passwords must be used for access to confidential data.
- Physical Security: Systems that contain confidential data should be reasonably secured.
- Printing: When printing confidential data the user should use best efforts to ensure that the information is not viewed by others. Printers that are used for confidential data must be located in secured areas.
- Faxing: When faxing confidential data, users must use the HMI cover sheet that informs the recipient that the information is confidential. Faxes should be set to print a confirmation page after a fax is sent; and the user should attach this page to the confidential data if it is to be stored. Fax machines that are regularly used for sending and/or receiving confidential data must be located in secured areas.
- Emailing: Confidential data must not be emailed outside the company without the use of strong encryption.
- Mailing: If confidential information is sent outside the company, the user must use a service that requires a signature for receipt of that information.
- Discussion: When confidential information is discussed it should be done in nonpublic places, and where the discussion cannot be overheard.