Information Security Policy
This document is the structured Markdown port of Core 12 Security Policy - v1.8.docx, revision 329, modified 2026-01-26. The content is intentionally preserved as the primary policy basis while related standards and procedures are split into separate maintained documents.
Where this legacy policy basis references shared account credentials, password-control standards, or access-control processes, the maintained Access Control Policy and Password Control Policy define the current Core 12 implementation. Current shared credentials must use approved Apple Passwords shared groups administered through services@core12.com; shared spreadsheets, documents, email, chat, and unapproved password stores are not approved systems of record.
Policy
A. It is the policy of Core 12, LLC that information, as defined hereinafter, in all its forms--written, spoken, recorded electronically or printed--will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information.
B. Policies and procedures must be documented and made available to individuals responsible for their implementation and compliance. Activities identified by the policies and procedures should also be documented where appropriate. Documentation must be periodically reviewed for appropriateness and currency, a period to be determined by the entity within Core 12, LLC as defined in Core 12 Security Policy - Security Event Contacts.
C. At each entity and/or department level, additional policies, standards and procedures may be developed as needed, detailing the implementation of this policy and set of standards and addressing any additional information systems functionality in such entity and/or department. Departmental policies must be consistent with this policy. Systems implemented after the effective date of these policies are expected to comply with the provisions of this policy where possible. Existing systems are expected to be brought into compliance where possible and as soon as practical.
Scope
A. The scope of information security includes the protection of the confidentiality, integrity and availability of information.
B. The framework for managing information security in this policy applies to all Core 12, LLC entities and workers, and other Involved Persons and all Involved Systems throughout Core 12, LLC as defined below in INFORMATION SECURITY DEFINITIONS.
C. This policy and all standards apply to all classes of information, in any form, as defined below in INFORMATION CLASSIFICATION.
D. Applicable international, federal, state, provincial and local laws, rules, regulations, directives and governmental requirements currently in effect have been used to create and maintain the policies contained in this document and all processes and procedures associated with this Policy.
E. The security team as defined in Core 12 Security Policy - Security Event Contacts is responsible for the regular review, maintenance, and compliance of the Core 12 Security Policy and all related activities.
F. An external assessment will be conducted as needed based on changes to security practices and requirements. These requirements will be determined by Core 12, LLC.
Information Security Definitions
Involved Persons: Every worker at Core 12, LLC -- no matter what their status. Any user of a system in the Core 12, LLC environment. This includes employees, contractors, and interns.
Involved Systems: All computer equipment and network systems that are operated within the Core 12, LLC environment. This includes all platforms (operating systems), all computer sizes (personal digital assistants, desktops, etc.), and all applications and data (whether developed in-house or licensed from third parties) contained on those systems.
Risk: The probability of a loss of confidentiality, integrity, or availability of information resources.
Information Security Responsibilities
All of the following types of users must adhere to the terms and conditions in the relevant employee, contractor, or intern agreement.
A. Information Security Officer: The Information Security Officer (ISO) is responsible for working with user management, owners, custodians, and users to develop and implement prudent security policies, procedures, and controls, subject to the approval of Core 12, LLC. Specific responsibilities include:
1. Ensuring security policies, procedures, and standards are in place and adhered to by all involved persons.
2. Providing basic security support for all systems and users.
3. Advising owners in the identification and classification of computer resources. See Information Classification below.
4. Advising systems development and application owners in the implementation of security controls for information on systems, from the point of system design, through testing and production implementation.
5. Educating custodian and user management with comprehensive information about security controls affecting system users and application systems.
6. Providing on-going employee security education.
7. Identifying and responding to all security incidents and initiating appropriate actions when problems are identified. See Information Security Events below.
B. Information Owner: The owner of a collection of information is usually the manager responsible for the creation of that information or the primary user of that information. This role often corresponds with the management of an organizational unit. In this context, ownership does not signify proprietary interest, and ownership may be shared. The owner may delegate ownership responsibilities to another individual by completing the Core 12, LLC Information Owner Delegation Form. The owner of information has the responsibility for:
1. Knowing the information for which she/he is responsible.
2. Determining an information asset retention period for the information, relying on advice from the Legal Department. See Core 12 Security Policy - Information Asset Retention Guidelines for details on retention periods for each type of data.
3. Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created within the unit.
4. Authorizing and administering access.
5. Specifying controls and communicating the control requirements to the users of the information.
6. Reporting promptly to the ISO the loss or misuse of Core 12, LLC information.
7. Initiating corrective actions when problems are identified.
8. Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate.
9. Following existing approval processes within the respective organizational unit for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.
10. Providing and/or recommending physical safeguards.
11. Providing and/or recommending procedural safeguards.
12. Evaluating the cost effectiveness of controls.
13. Maintaining information security policies, procedures and standards as appropriate and in consultation with the ISO.
C. User: The user is any person who has been authorized to read, enter, or update information. A user of information is expected to:
1. Access information only in support of their authorized job responsibilities.
2. Comply with Information Security Policies and Standards and with all controls established by the owner and custodian.
3. Keep personal authentication devices (e.g. passwords, PINs, etc.) confidential.
4. Report promptly to the ISO the loss or misuse of Core 12, LLC information.
5. Initiate corrective actions when problems are identified.
Information Classification
Classification is used to promote proper controls for safeguarding the confidentiality of information. Regardless of classification, the integrity and accuracy of all information must be protected. The classification assigned and the related controls applied depend on the sensitivity of the information. Information must be classified according to the most sensitive detail it includes. Information recorded in several formats (e.g., source document, electronic record, report) must carry the same classification regardless of format. The following levels are to be used when classifying information:
A. Confidential Information
1. Confidential Information is very important and highly sensitive material. This information is private or otherwise sensitive in nature and must be restricted to those with a legitimate business need for access.
Confidential Information may include, but is not limited to, personnel information, key financial information, client customer master data, and system access passwords.
2. Unauthorized disclosure of this information to people without a business need for access may violate laws and regulations, or may cause significant problems for Core 12, LLC, its customers, or its business partners. Decisions about the provision of access to this information must always be cleared through the information owner.
B. Internal Information
1. Internal Information is intended for unrestricted use within Core 12, LLC, and in some cases within affiliated organizations such as Core 12, LLC business partners. This type of information is already widely distributed within Core 12, LLC, or it could be so distributed within the organization without advance permission from the information owner.
Examples of Internal Information include internal policies and procedures and most internal electronic mail messages.
2. Any information not explicitly classified as Confidential or Public will, by default, be classified as Internal Information.
3. Unauthorized disclosure of this information to outsiders may not be appropriate due to legal or contractual provisions.
C. Public Information
1. Public Information has been specifically approved for public release by a designated authority within each entity of Core 12, LLC. Examples of Public Information may include marketing brochures and material posted to Core 12, LLC entity internet web pages.
2. This information may be disclosed outside of Core 12, LLC.
Computer and Information Control
All involved systems and information that are part of Core 12, LLC are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based.
A. Ownership of Software: All computer software developed by Core 12, LLC employees or contract personnel on behalf of Core 12, LLC or licensed for Core 12, LLC use is the property of Core 12, LLC and must not be copied for use at home or any other location, unless otherwise specified by the license agreement.
B. Installed Software: All software packages that reside on computers and networks within Core 12, LLC must comply with applicable licensing agreements and restrictions and must comply with Core 12, LLC acquisition of software policies.
C. Data Processing: IT systems that process data must be identified and the data processing must be clearly defined. A data protection assessment must be completed on each Client Project, IT Service, and Managed Device involved in data processing and protection.
1. Data Protection Assessment: The data protection assessment ensures that all security, regulatory and contractual requirements are considered, and all data processing relationships are understood. The primary requirements include:
a. Data Processing Overview
b. Location of Data Processing
c. Data Transmission and Security
d. Data Subject Rights
e. Risk Assessment
f. Regulatory and Contractual Compliance
2. Software Development: All software developed or modified by Core 12, LLC must comply with all applicable security standards and processes. Details on these processes are included in Core 12 Security Policy - Development Security Standards.
D. Virus Protection: Virus checking systems approved by the Information Security Officer and Information Services must be deployed using a multi-layered approach (desktops, servers, gateways, etc.) that ensures all electronic files are appropriately scanned for viruses. Users are not authorized to turn off or disable virus checking systems.
E. Access Controls: Physical and electronic access to Confidential and Internal information and computing resources is controlled. To ensure appropriate levels of access by internal workers, a variety of security measures will be instituted as recommended by the Information Security Officer and approved by Core 12, LLC. Mechanisms to control access to Confidential and Internal information include (but are not limited to) the following methods:
1. Authorization: Access will be granted on a "need to know" basis and must be authorized by the immediate supervisor and application owner with the assistance of the ISO. Any of the following methods are acceptable for providing access under this policy:
a. Context-based access: Access control based on the context of a transaction (as opposed to being based on attributes of the initiator or target). The "external" factors might include time of day, location of the user, strength of user authentication, etc.
b. Role-based access: An alternative to traditional access control models (e.g., discretionary or non-discretionary access control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization's structure and business activities. Each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role.
c. User-based access: A security mechanism used to grant users of a system access based upon the identity of the user.
2. Identification/Authentication: All systems used to store Confidential or Internal information require user identification (user id) and authentication. Access to these systems is approved and created by the ISO. As appropriate, the user is either granted an individual account or given access to the shared account credentials. See Core 12 Security Policy - Password Control Standards and Core 12 Security Policy - Clean Desk Policy for full details. The following requirements must be met for all accounts:
a. Login Information cannot be shared with any third parties. An individual account should not be shared with anyone. A shared password must not be shared with anyone outside of t.
b. Login password must be changed after first login.
c. IT Systems are configured to meet password control standards when available.
d. Default accounts in IT Systems must be disabled or have passwords changed.
e. Temporary accounts have a defined end date. Accounts are disabled on that date.
3. Data Integrity: Core 12, LLC must be able to provide corroboration that Confidential and Internal Information has not been altered or destroyed in an unauthorized manner. Listed below are some methods that support data integrity:
a. Transaction audit
b. Disk redundancy (RAID)
c. ECC (Error Correcting Memory)
d. Checksums (file integrity)
e. Encryption of data in storage
f. Digital signatures
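The checksum and signature items above work together: a per-file checksum detects accidental or malicious changes to a file, but if the checksum list itself can be rewritten by whoever altered the file, it proves nothing. The added example below (written for this Markdown port, not code from the Core 12 policy or any Core 12 system) records a SHA-256 digest per file and then authenticates the whole manifest with an HMAC under a key the verifier holds, so a forged manifest entry is caught before any per-file comparison is trusted. The file contents, paths and key are constructed sample data; in a deployment where the verifier should not hold a secret key, a digital signature over the manifest body replaces the HMAC.

```python
"""File-integrity manifest: SHA-256 per file, HMAC-SHA256 over the manifest.

Added example for the Data Integrity section of the Core 12 policy; it is
not Core 12 code. The files, paths and KEY below are constructed for the
demonstration and are not real Core 12 data.
"""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes], key: bytes) -> dict:
    """Record a digest per file and authenticate the set of entries.

    The MAC covers the canonical JSON of the entries, so changing any path or
    digest in the manifest invalidates it unless the attacker also has KEY.
    """
    entries = {path: sha256_hex(data) for path, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_files(files: dict[str, bytes], manifest: dict, key: bytes) -> list[str]:
    """Return a list of findings; an empty list means every recorded file is intact."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Check the manifest before trusting anything inside it.
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return ["manifest MAC mismatch: manifest altered or wrong key; do not trust its entries"]
    findings = []
    for path, digest in manifest["entries"].items():
        if path not in files:
            findings.append(f"missing: {path}")
        elif not hmac.compare_digest(sha256_hex(files[path]), digest):
            findings.append(f"modified: {path}")
    for path in files:
        if path not in manifest["entries"]:
            findings.append(f"unexpected: {path}")
    return findings


# Constructed sample export and key (assumptions for the example only).
KEY = b"example-manifest-key-do-not-reuse"
ORIGINAL = {
    "export/customers.csv": b"id,name\n1,Acme\n",
    "export/README.txt": b"quarterly export\n",
}
MANIFEST = build_manifest(ORIGINAL, KEY)


def demo() -> dict[str, list[str]]:
    """Run the verifier against intact, modified, incomplete and forged inputs."""
    intact = verify_files(ORIGINAL, MANIFEST, KEY)

    # A record is appended to the CSV after the manifest was built.
    tampered = dict(ORIGINAL)
    tampered["export/customers.csv"] = b"id,name\n1,Acme\n2,Evil\n"
    modified = verify_files(tampered, MANIFEST, KEY)

    # One file disappears from the export.
    incomplete = {p: d for p, d in ORIGINAL.items() if p != "export/README.txt"}
    missing = verify_files(incomplete, MANIFEST, KEY)

    # The attacker also rewrites the manifest entry to match the tampered file,
    # which would defeat a plain checksum list; the MAC still catches it.
    forged = {"entries": dict(MANIFEST["entries"]), "mac": MANIFEST["mac"]}
    forged["entries"]["export/customers.csv"] = sha256_hex(tampered["export/customers.csv"])
    forged_result = verify_files(tampered, forged, KEY)

    return {"intact": intact, "modified": modified, "missing": missing,
            "forged_manifest": forged_result}


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case}: {findings or 'OK'}")
```

Store the manifest with the data (or in the transaction audit record) and keep the key, or the signing key if a signature is used, out of reach of anyone who can write to the protected files; otherwise the forged-manifest case above succeeds silently.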
4. Transmission Security: Technical security mechanisms must be put in place to guard against unauthorized access to data that is transmitted over a communications network, including wireless networks. The following features must be implemented:
a. Integrity controls and encryption, where deemed appropriate
b. All Confidential information must be sent securely using approved transmission protocols, in the following order of preference. Confidential information must never be shared over insecure transfers such as plain email, HTTP, or FTP.
i. SFTP or TLS-protected (HTTPS) transfers are to be used whenever possible. User credentials to these resources must meet all user and password policies in Core 12 Security Policy - Password Control Standards.
ii. WinZip / 7-Zip / File-Level Password Encryption
The last alternative for encrypted electronic communications is file-level password encryption using WinZip or 7-Zip. When creating an archive in WinZip or 7-Zip, there is an option to encrypt it. Additionally, Office 365 and Adobe documents can be protected with password encryption (256-bit AES). The user must select the 256-bit AES encryption option (not the legacy ZipCrypto option, which is weak) and choose a password that meets the password policies in Core 12 Security Policy - Password Control Standards. The encrypted file may then be sent as an email attachment. The password must be sent out of band (e.g. text message or phone call), never in the same email as the attachment.
5. Remote Access: Access into Core 12, LLC network from outside will be granted using Core 12, LLC approved devices and pathways on an individual user and application basis. All other network access options are strictly prohibited. Further, Confidential and/or Internal Information that is stored or accessed remotely must maintain the same level of protections as information stored and accessed within the Core 12, LLC network.
6. Managed and Unmanaged Devices: Managed devices are primary workstations and cloud infrastructure. The organization ensures that all servers and workstations are secured according to industry best practices and internal security policies. Managed Devices are protected through access controls, endpoint security tools, encryption, regular updates, and robust monitoring systems. Data protection is enforced through technical measures such as disk encryption, secure backups, and secure disposal of hardware. Device configurations are aligned with defined hardening standards, and employee awareness is maintained through regular training. Any other devices connected to Core 12, LLC IT Services are considered an unmanaged device. All unmanaged devices, whether owned by Core 12, LLC or owned by personnel (Employees, Contractors, Interns) follow similar standards as managed devices with the responsibility for compliance belonging to the device owner. Unmanaged devices must follow the guidelines in Core 12 Security Policy - Unmanaged Devices.
7. Physical Access: Access to areas in which information processing is carried out must be restricted to only appropriately authorized individuals. See Core 12 Security Policy - Clean Desk Policy for full details.
a. Facility access controls must be implemented to limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed. Local policies and procedures must be developed to address the following facility access control requirements:
i. Contingency Operations - Procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
ii. Facility Security Plan - Policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
iii. Access Control and Validation - Procedures to control and validate a person's access to facilities based on their role or function, including visitor control.
iv. Maintenance Records - Policies and procedures to document repairs and modifications to the physical components of the facility which are related to security (for example, hardware, walls, doors, and locks).
8. Emergency Access:
a. Each entity is required to establish a mechanism to provide emergency access to systems and applications in the event that the assigned custodian or owner is unavailable during an emergency.
9. Access Control Audits:
a. All IT Systems with Identification / Authentication must be reviewed at least once per quarter. During this review the following items must be verified. Any account that does not meet the requirements below must be removed or updated immediately.
1. Each account is still in use, its owner is still authorized to access the system, and the owner's current role still requires the granted level of access.
2. Each account has MFA configured when the system supports it.
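The quarterly review above, together with the account requirements in the Identification/Authentication section (default accounts disabled or re-passworded, temporary accounts with an enforced end date), can be expressed as a mechanical check over an account export. The added example below is written for this Markdown port and is not a Core 12 tool or script: the account records, the field names, the role-to-system mapping and the 90-day inactivity threshold are all assumptions constructed for the demonstration; the policy itself sets no numeric threshold.

```python
"""Quarterly access review over a constructed account export.

Added example for the Access Control Audits section of the Core 12 policy;
not Core 12 code. ACCOUNTS, REQUIRED_ROLES and INACTIVITY_LIMIT are assumed
sample data chosen for the demonstration.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2026, 1, 26)
INACTIVITY_LIMIT = timedelta(days=90)  # assumed; the policy names no number

# Assumed mapping of each system to the roles whose duties require access.
REQUIRED_ROLES = {
    "build-server": {"engineer", "devops"},
    "payroll": {"finance", "hr"},
}

# Constructed sample export (not real Core 12 data). One record per account.
ACCOUNTS = [
    {"system": "build-server", "user": "jdoe", "type": "individual", "role": "engineer",
     "owner_active": True, "last_login": "2026-01-20", "mfa_available": True,
     "mfa_enabled": True, "expires": None, "default_password_changed": None},
    {"system": "build-server", "user": "svc-build", "type": "shared", "role": "devops",
     "owner_active": True, "last_login": "2025-09-01", "mfa_available": True,
     "mfa_enabled": True, "expires": None, "default_password_changed": None},
    {"system": "payroll", "user": "tmp-auditor", "type": "temporary", "role": "finance",
     "owner_active": True, "last_login": "2026-01-05", "mfa_available": True,
     "mfa_enabled": True, "expires": "2025-12-31", "default_password_changed": None},
    {"system": "build-server", "user": "admin", "type": "default", "role": "devops",
     "owner_active": True, "last_login": "2026-01-15", "mfa_available": True,
     "mfa_enabled": True, "expires": None, "default_password_changed": False},
    {"system": "payroll", "user": "mlee", "type": "individual", "role": "finance",
     "owner_active": False, "last_login": "2026-01-10", "mfa_available": True,
     "mfa_enabled": True, "expires": None, "default_password_changed": None},
    {"system": "payroll", "user": "rkim", "type": "individual", "role": "intern",
     "owner_active": True, "last_login": "2026-01-22", "mfa_available": True,
     "mfa_enabled": False, "expires": None, "default_password_changed": None},
]


def review_account(acct: dict, today: date = REVIEW_DATE) -> list[str]:
    """Return the policy findings for one account; an empty list means compliant."""
    findings = []
    if not acct["owner_active"]:
        findings.append("owner no longer active; remove account")
    last = acct["last_login"]
    if last is None or today - date.fromisoformat(last) > INACTIVITY_LIMIT:
        findings.append(f"no login within {INACTIVITY_LIMIT.days} days; confirm still in use or remove")
    if acct["role"] not in REQUIRED_ROLES.get(acct["system"], set()):
        findings.append(f"role '{acct['role']}' does not require access to {acct['system']}")
    if acct["mfa_available"] and not acct["mfa_enabled"]:
        findings.append("MFA available but not configured")
    if acct["type"] == "temporary":
        if acct["expires"] is None:
            findings.append("temporary account without an end date")
        elif date.fromisoformat(acct["expires"]) < today:
            findings.append("temporary account past its end date; disable")
    if acct["type"] == "default" and not acct["default_password_changed"]:
        findings.append("default account still using its default password; disable or change")
    return findings


def run_review(accounts: list[dict], today: date = REVIEW_DATE) -> dict[str, list[str]]:
    """Map each non-compliant account ("system/user") to its findings."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[f"{acct['system']}/{acct['user']}"] = findings
    return report


if __name__ == "__main__":
    for account, findings in run_review(ACCOUNTS).items():
        print(account)
        for finding in findings:
            print(f"  - {finding}")
```

The output is the list that goes into the review record; each entry either gets remediated or has its justification written down, and the threshold and role mapping should be owned by the information owner rather than hard-coded as they are in this sample.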
F. Equipment and Media Controls: The disposal of information must ensure the continued protection of Confidential and Internal Information. The following items must be considered when moving or disposing of media:
1. Information Disposal / Media Re-Use of:
a. Hard copy (paper and microfilm/fiche)
b. Storage media (hard drives, solid-state drives, USB drives, optical discs, legacy removable media, etc.)
c. All equipment and media (physical and cloud based) are information assets and must be disposed of properly in accordance with the data guidelines in Core 12 Security Policy - Information Asset Retention Guidelines.
2. Accountability: Each entity must maintain a record of the movements of hardware and electronic media and of the person responsible for them.
3. Data backup and Storage: When needed, create a retrievable, exact copy of electronic data before movement of equipment.
G. Other Media Controls:
1. Confidential Information stored on external media (optical discs, portable drives, USB sticks, etc.) must be protected from theft and unauthorized access. Such media must be appropriately labeled to identify it as containing Confidential Information. Further, external media containing Confidential Information must never be left unattended in unsecured areas. See Core 12 Security Policy - Clean Desk Policy.
2. If Confidential Information is stored on external media or mobile computing devices and a breach of confidentiality results, the owner of the medium/device will be held personally accountable and is subject to the terms and conditions of the Core 12, LLC Information Security Policies and the Confidentiality Statement signed as a condition of employment or affiliation with Core 12, LLC.
H. Data Transfer/Printing:
1. Electronic Mass Data Transfers: Downloading and uploading Confidential and Internal Information between systems must be strictly controlled. Mass downloads of information must be approved by the Application Owner and include only the minimum amount of information necessary to fulfill the request.
2. Other Electronic Data Transfers and Printing: Confidential and Internal Information must be stored in a manner inaccessible to unauthorized individuals. Confidential information must not be downloaded, copied or printed indiscriminately or left unattended and open to compromise.
I. Oral Communications: Core 12, LLC staff should be aware of their surroundings when discussing Confidential Information. This includes the use of cellular telephones in public areas. Core 12, LLC staff should not discuss Confidential Information in public areas if the information can be overheard. Caution should be used when conducting conversations in semi-private rooms, waiting rooms, corridors, elevators, stairwells, cafeterias, restaurants, or on public transportation.
J. Evaluation: Core 12, LLC requires that periodic technical and non-technical evaluations be performed in response to environmental or operational changes affecting the security of electronic Confidential Information to ensure its continued protection.
1. Clients: Core 12, LLC is responsible for evaluating the IT security of the organization and its clients on a regular basis as defined in the Core 12 Security Policy - Information Management Schedule. This includes Data Classification, Data Protection, Risk Assessment and Access Control. All client projects must be included in the review. All activities related to these evaluations are to be completed and documented in the Core 12 - Information Management Log.
2. Managed Devices: Core 12, LLC is responsible for evaluating the security of all Managed Devices on a regular basis as defined in the Core 12 Security Policy - Information Management Schedule. This includes Risk Assessment, Access Control, Inventory, Security Maintenance, and Applications Audit. All activities related to these evaluations are to be completed and documented in the Core 12 - Information Management Log.
3. IT Services and Cloud Providers: Approved IT Services and Cloud Providers have a responsibility to provide all agreed upon security and maintenance controls outlined in the agreement made with Core 12, LLC. These IT Services and Cloud providers evaluate and maintain environments that meet the requirements outlined in our agreements. The providers are reviewed on a regular basis as defined in the Core 12 Security Policy - Information Management Schedule. A risk assessment is maintained to verify that they meet these requirements.
4. 3rd Party Vendors: Approved 3rd Party Vendors have a responsibility to provide all agreed upon security and maintenance controls outlined in the agreement made with Core 12, LLC. The vendors are reviewed regularly and a risk assessment is maintained according to the schedule set in the Core 12 Security Policy - Information Management Schedule to verify that they meet these requirements.
Risk Management
A. A thorough analysis of all Core 12, LLC information networks and systems will be conducted on a regular basis to document the threats and vulnerabilities to stored and transmitted information. The analysis will examine the types of threats - internal or external, natural or manmade, electronic and non-electronic-- that affect the ability to manage the information resource. The analysis will also document the existing vulnerabilities within each entity which potentially expose the information resource to the threats. Finally, the analysis will also include an evaluation of the information assets as defined in Core 12 Security Policy - Information Asset Retention Guidelines and the technology associated with its collection, storage, dissemination and protection.
From the combination of threats, vulnerabilities, and asset values, an estimate of the risks to the confidentiality, integrity and availability of the information will be determined. The frequency of the risk analysis will be determined at the entity level.
B. Based on the periodic assessment defined in the Core 12 Security Policy - Information Management Schedule, measures will be implemented that reduce the impact of the threats by reducing the amount and scope of the vulnerabilities. Risk assessments must be completed according to the Risk Assessment Plan on all Clients, Managed Devices, IT Services, and 3rd-Party Vendors. Risks must be documented and tracked as part of the process.
Business Continuity
Controls must ensure that Core 12, LLC can recover from any events that destroy, damage, degrade, or otherwise impact Core 12 personnel, offices, client projects, IT services, managed devices, or 3rd party vendors within a reasonable period. Each entity is required to develop and maintain a plan for responding to a system emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages systems that contain Core 12 information assets. This will include having policies and procedures to address the following:
- Disaster Recovery Process: A disaster recovery plan should be developed which contains a process enabling the entity to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure.
- Employee & Office Strategy: Processes and plans put in place to ensure the safety and business continuity of employees and the office.
- IT Systems Strategy: A backup and recovery time SLA for all IT Systems, put in place to ensure business continuity within our IT Systems.

The plan is defined in the Core 12 Security Policy - Business Continuity Plan and is followed for the entire organization as well as for the clients that depend on Core 12, LLC-developed and maintained IT Services.
Information Security Events
A security event as defined in this security policy is any suspicious or concerning activity detected on an IT System that could affect information security, data security, or physical security that has either happened or been observed by employees, interns, contractors, clients, suppliers, customers, or monitoring systems.
The information security officer will investigate all security events and determine if there is any reason to believe that the event exposed Core 12, LLC or clients to risk of a data breach. Those events are classified as Security Incidents and a Security Review must be completed.
The information security officer and security team must understand and consider regulatory, and contractual reporting obligations when determining what should be considered a Security Incident. Security events reported by suppliers must be treated as a security incident if the risk of a data breach exists.
All security events discovered by involved users or monitoring systems must be reported to the Information Security Officer. The security team must begin investigating a security event on the same business day it is reported. The reporting person must escalate if they have not received feedback by the end of the business day. The contact information for security events is in Core 12 Security Policy - Security Event Contacts. Public-facing IT systems publish support contact information for reporting security events.
The resolution to all security events will be shared with the reporting person when the investigation is complete. Feedback from investigations that is relevant will be shared with all Core 12, LLC employees.
The following procedures for handling an Information Security Incident on an involved system are to be followed each time an event is reported:
- As soon as an information security event is determined to be a security incident, the ISO will immediately assign an incident response team to handle the reported event.
- The team will include:
  - Chief Operations Officer
  - Information Security Officer
  - Human Resources
  - Legal
  - Client Primary Contact (if applicable)
  - Client Legal Team (if applicable)
- The team will perform a full security review of the incident with all involved users and systems to verify the report.
- The team will determine if there is a confirmed breach of data. Confirmed breaches will be investigated immediately; see the confirmed data breach requirements below.
- In crisis situations, the incident response team must be prepared to work through multiple security incidents affecting multiple IT systems, stakeholders, and data protection concerns. To mitigate security incidents in crisis situations, the incident response team plan includes:
  - Understanding connected IT Systems and the impact of outages to some or all of those systems during the incident.
  - Acting quickly to mitigate the potential for a breach that can span multiple IT systems and affect more clients and customers.
  - Defined individual responsibilities within the incident response team.
- For a confirmed data breach of Core 12, LLC systems, the following must be completed to ensure proper remediation and reporting:
  - All access to the affected involved systems will be removed and the data will be isolated, preserving the logs and other evidence the forensic investigation will need.
  - As provided by Core 12, LLC cyber insurance, the insurer will provide access to forensic investigators and experts who will determine how the breach occurred, the types of data involved, and the number of individuals impacted, and analyze the breach to determine the root cause.
  - Work with legal teams and authorities to file official reports and seek prosecution of potentially criminal aspects of security incidents.
  - Work with Core 12 LLC Human Resources and Legal departments, as well as the Client Primary Contact and Legal team, to decide how to communicate the breach to internal employees, the public, and those directly affected. Regulatory, legal, and contractual obligations must be considered when determining the appropriate communication plan, including how and what will be communicated for the incident.