Connor Group
Information Security
Program
Feb 2025
v.1.3
Introduction
This document codifies Connor Group's Information Security Program. It comprises the Standards, Procedures, and Guideline documents that define expectations for managing and protecting the Confidentiality, Integrity and Availability of company assets. Together these documents form Connor Group's Information Security Management System (ISMS).
Purpose
The purpose of the Information Security Program is to enable Connor Group and its Subsidiaries to consistently realize strategic business objectives while protecting company assets through a strong security posture.
To achieve this, company operations must include safeguards to reduce risk from security threats and ensure the confidentiality, integrity, and availability of company information assets, both electronic and physical. The policies, standards, procedures, and guidelines that constitute the ISMS are intended to provide clarity on Connor Group’s expectations when working with company information and assets, as well as with clients and vendors. In general, documents referenced in this policy describe intended security profiles for cybersecurity functions and policies.
Scope
At Connor Group, security is everyone’s responsibility.
The Connor Group Security Program applies to all Connor Group employees, agents, contingent workers (e.g., contractors, consultants, vendors), and persons belonging to third parties supporting business operations who have access to company-owned or leased networks, systems, or applications, or to any company information assets.
Connor Group Policies, Standards, Procedures and Guidelines encompass all physical and information assets, including all data, systems, activities, applications and information—both electronic and physical—owned, leased, controlled or used by its employees, agents, contingent workers, or other business partners on behalf of Connor Group.
Framework
The company's approach to managing Information Security is directed towards strengthening the resilience of the company's infrastructure in alignment with business requirements, risk tolerance, and resources. This approach, applied in tandem with the NIST framework, establishes a customized framework founded on industry best practices for defining standards, policies, processes, and guidelines. The result is a consistent yet iterative approach to identifying, assessing and managing information security risk.
Enforcement
Any employee, agent, business unit or contingent worker in violation of the security program may be subject to disciplinary action, up to and including termination of work.
Other action(s) may include suspension or revocation of computing or network privileges, reimbursement to the Company for resources consumed, legal action to recover damages, referral to law enforcement authorities, or referral to appropriate Company authorities resulting in suspension, dismissal, or severance of contract, if applicable.
Definitions
Definitions specific to the ISMS are maintained in a separate document, the Information Security Glossary of Terms.
Policy and Program Structure
Information Security documentation is organized in a hierarchy of four parts: Policy, Standards, Procedures, and Guidelines. Policy objectives can be met by any combination of standards, procedures and guidelines.
Roles and Responsibilities
Successful Information Security Programs require engagement and support from the executive level. As such, Connor Group's Information Security Program is sponsored by the CEO and CFO positions. The program is technically led from a Director position with oversight from the CIO for integration with Information Technology (IT).
Program Sponsors | President: Brandon Moreno; CFO: Brian Johnson
Executive IT Oversight | CIO: Danny Russell; IT Director: Matt Larsen
Program Management and Execution | Cybersecurity Director: Paul Kipping
Information Security Policy Provisions
Information Security documentation is organized into the standards and domains defined below. Policy objectives can be met by any combination of Standards, Procedures, or Guidelines.
- Privacy and Communications:
Persons interfacing with Company Data Assets or property must follow all rules defined in the Code of Conduct, Social Media Guidelines and End User Acceptable Use Policy.
- Security Awareness:
All persons interacting with Company and Client data are required to complete Security Awareness training, and to pass it at a level that demonstrates competent understanding of the subject matter.
- Asset Management:
Asset Management constitutes the tracking and management of Connor Group assets, both digital and physical. Digital assets are broken down into data categories such as hosted, SaaS, and internal. Physical assets include desktops, laptops, servers, and network equipment. All persons must comply with published instructions regarding the proper handling, storage and use of Connor Group assets, as defined in Connor Group's Endpoint, Server, Data Classification, and Data Disposal Standards.
- Digital Identity:
Identity and Access Management is central to securing the modern workforce. SaaS solutions and cloud implementations have distributed resources far beyond internal networks and controls, making identity the new security perimeter. Connor Group's Identity and Access Management (IAM) Standard defines the requirements and expectations for managing access to resources using an identity-centric methodology.
- Change Management:
Well-planned changes to systems, networks, devices and applications are essential to minimize operational and business service downtime. All changes to production systems overseen by IT follow Connor Group’s Change Management Standard.
- Software Sources:
Company networks and systems must not run software from sources other than established software vendors, trusted user groups, or well-known security authorities. Unapproved software from untrusted sources is not to be used without explicit approval or exception from Information Security and Information Technology. Details on required software management are available in Connor Group’s Asset Management Standard, Endpoint Management Standard, and End User Acceptable Use Policy.
- Software Development:
When developing solutions that reference, store, or manipulate Data Assets, developers must follow all published instructions regarding software development and design documented in Connor Group's Secure SDLC Standard. Coding Guidelines will also be formally maintained to ensure uniform development and release of internal code at Connor Group.
- Data Destruction:
Connor Group data may be destroyed, deleted or disposed of after the applicable retention period has been reached, as permissible by local and federal regulations. All published data protection and handling processes shall be followed in adherence to the Data Disposal Standard, congruent with applicable local and federal regulations.
- Vulnerability Management:
Connor Group has established a process to monitor, maintain, and apply patches and remediations as necessary. Persons responsible for part of this process must follow the Vulnerability Management Standard and End User Acceptable Use Policy, where appropriate timeframes for vulnerability discovery and remediation are defined.
- Logging and Monitoring:
Connor Group systems must be capable of generating security alerts for relevant events. Significant operating system and application events must be captured and retained for response and review within appropriate timeframes, as defined in Connor Group's Auditing and Logging Standard.
- Incident Response:
Security incidents must be reported to Information Security for action. Assigned responders shall react to reported events as directed by the applicable Standards and Playbooks. Guidance on what constitutes an Information Security Incident, as well as reporting procedures, can be found in Connor Group's Incident Response Standard and the End User Acceptable Use Policy.
- IT Audit and Compliance:
It is the responsibility of all Connor Group employees to be able to demonstrate compliance on behalf of Connor Group and to fulfill audit requests in a timely manner for all authorized internal and external audits. This is primarily accomplished through adherence to the documentation of implementations and changes recorded in Connor Group's CMDB, Change Control Process, and Service Desk system for authorized access-level modifications, including changes and transfers.
- Third Party Risk Management:
In order to uphold the standards of security required by Connor Group, all relevant information security requirements must be covered in agreements with all third parties that access, store or process Company information. A documented risk assessment must be conducted as part of the onboarding process for applicable partners and suppliers. Connor Group employees are responsible for monitoring third-party compliance against these requirements and ensuring contractual arrangements are adequate. For more information, please refer to the Third-Party Risk Management Standard.
Compliance
The Connor Group Information Security team will verify program compliance to policy and standards through various methods, including but not limited to, periodic walk-throughs, monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Any exceptions to Program, Policy, or Standards constituting the Information Security Management System require a formally approved waiver against compliance which shall be approved prior to the exception entering live operation. Where a waiver is deemed necessary, the Security Waivers Procedure shall be followed.
The following are required to adhere to the requirements set out in the Information Security Program, except where a formal exception has been granted as above:
- All Connor Group Systems, Employees, and engaged Independent Contractors. Any employee or Independent Contractor found to have violated this Program is subject to disciplinary action, up to and including termination of employment.
- Any Third-Party System that is used to support Connor Group data and/or Services. Any Third Party that violates this Program will be considered to have breached their contract with Connor Group.
References
Internal
Security Waivers Procedure
External
CIS 1, 2, 13
NIST 800-53 (inclusive)
REGULATORY AUTHORITY
REVISION HISTORY
Version | Detail | Author | Date
1.0 | Initial | Connor Group Information Security | June 2021
1.1 | Minor wording changes in the Standards and Domains section | Connor Group Information Security | May 2022
1.2 | Annual review; added IT Director to Roles and Responsibilities | Connor Group Information Security | Dec 2023