Policies

Information Technology Security Policy

Preamble

Introduction

Premier Continuum recognizes that information is an essential asset that must be protected from unauthorized modification, destruction or disclosure, whether accidental or voluntary. The policy aims to minimize the risks to this asset. In fact, it will protect Premier Continuum and its employees.

It is Premier Continuum's management's responsibility to protect the company's information and it systems. Its responsibility is also committed in this regard. This means that Premier Continuum management must adopt measures to ensure that information and computer systems have relevant protection against a variety of threats. It is also responsible for establishing and maintaining information security and integrity measures, if only through the management of appropriate controls proportionally with the value of the information to be protected.

Scope and general principle

The overall scope and principle of this policy is to provide a comprehensive overview of information technology ("IT") security for Premier Continuum. The policies, guidelines, procedures and instructions outlined herein were created based on ISO 27001. The policy addresses not only the specific type of procedures that need to be developed in terms of information ownership and protection, physical security, IT security and data recovery, but also the obligations of Premier Continuum management and employees when implementing the procedures in question. The IT security policy aims to provide an advanced set of guidelines to draft, retain and implement specific guidelines governing the use and protection of information and associated technology. The objective of these policies is to establish the basic structure within which more specific guidelines, procedures and instructions will be established and will interact.

The Information Security Management System (ISMS) operates on a four-step cyclical model called "PDCA" that is Plan, Do, Check, Act also known as the Deming Wheel.

1. Phase Plan : is to plan the actions that the company will take in terms of security
2. Phase Do : The company realizes what it has planned in this area
3. Phase Check: The company verifies that there is no discrepancy between what it has said and what it has done
4. Phase Act : is to take corrective action for the discrepancies that have been identified previously

In order to ensure the implementation and continuous improvement of the ISMS, a register of activities is maintained.

Premier Continuum ensures that it complies with all information security laws and regulations and all contract clauses with its customers.  In addition, through various hosting groups and providers (Iweb, Cirrus Tech, Hostwinds, OVH, LeBleu, Tenable, Indusface, Synox, Webflow/AWS, etc.) Premier Continuum keeps itself informed of any changes or threats requiring the adjustment or addition of controls.  Mechanisms with suppliers are also in place to promptly inform the relevant authorities of any event requiring their involvement.

This policy applies to all Premier Continuum officers, directors and employees and all contractual resources.

Although Premier Continuum applies the Information Security Management System (ISMS) in all of its business activities, the scope of ISO27001 certification issued since 2013 by Registrar Perry Johnson Inc. and recertified by PECB 2017 covers ParaSolution's development, production and support environment.

Rules and warnings

Premier Continuum reserves the right to change its policies, guidelines, procedures or instructions, whether temporarily, due to an unforeseen event, or on a permanent basis, as a result of changing business conditions. Economic.  Premier Continuum ensures compliance with laws and regulations.

Any waiver, waiver or exception to approved policies or related documents must be authorized by Premier Continuum's IT Security Committee.

Please direct your questions or requests for clarification to premier Continuum's IT Security Committee.

Roles and responsibilities

Premier Continuum employees, consultants and suppliers: Premier Continuum employees, consultants and suppliers must comply with Premier Continuum's IT security policy provisions. They must also report to their supervisor or the IT Security Committee any violations of the policy committed by any person, whether accidentally or voluntarily. They are actively involved in ISMS-related activities.

Premier Continuum Management is responsible for ensuring that IT policies are relevant to and consistent with Premier Continuum's mission and evolution. She is responsible for the implementation and improvement of the ISMS. It has a responsibility to educate all users and keep them informed about all aspects of IT security. Management must ensure that the provisions for the IT security policy are consistently implemented across the company. The policy and the ISMS are related to the terms of the contracts with Premier Continuum Inc.'s customers.

Alignment with internal policies

Premier Continuum's IT security policy is aligned with the company's other policies, including Premier Continuum's record retention policy. The company's other policies, when relevant to the subject matter, are referred to by references.

Policy

‍1. Overview

1.1 Information: an important asset. Information is an extremely important asset. Accurate, timely, relevant and well-protected information remains absolutely essential to society. In order to ensure the proper management of information, access to, use and processing must be consistent with its policies and standards for IT infrastructure and systems.

1.2 Participation of the IT Security Committee. The IT Security Committee must participate in the periodic review of the following: (i) the current state of security and information management activities, (ii) security incidents within the company as well as related to information security projects, and (iii) approval of new information security policies and their potential changes.

1.3 People who must comply with information security policies. Company employees, consultants, suppliers or representatives (whether full-time, part-time or intern) must meet and be responsible for information security requirements.

1.4 Essential software and applications. Premier Continuum must maintain a list of essential software and applications that provide the company with a competitive or productivity advantage.

1.5 Office workstation. Premier Continuum must provide computers where the anti-virus and a firewall remain active and up to date. Employees should ensure that they always lock their position when they leave.

1.6 Telework and mobile device use. Premier Continuum allows its employees, when authorized, to work remotely.  Any employee who logs in must have an active firewall and antivirus at all times. All access between remote servers (between them) and the desktop (in the case of telework or mobile vpN) is also encrypted to protect applications or other data when transferring to secure servers. (e.g. VPN if externally, SSH Tunnels to the server then finally an RDP or VNC on this tunnel). Firewall rules are designed not to expose RDP or VNC ports, but only the SSH port.

1.7 Mandatory Confidentiality Agreement. All employees, consultants, suppliers or their representatives (whether they are full-time, part-time or fixed-term employees) must sign a confidentiality agreement when they join the company (this is implemented by confirming their understanding of the employee manual).

1.8 Data classification. All company information is confidential and intended for internal use only, unless permission is granted for external communications. Paper or medium information will be secured in offices or offices for this purpose. Parasolution's customer data must remain on production servers at all times and exclusively.

1.9 Confidentiality agreements and disclosures of sensitive information. All disclosures to third parties of sensitive information must be covered by a duly signed confidentiality agreement with restrictions on the subsequent distribution and use of the information.

Information responsibility

2.1 Obligation to appoint an information officer. Premier Continuum's executive committee must specify in writing who are the members of the IT security committee, the heads of databases, key files and other shared sources of information.

IT Security Committee :

-President and IT Systems Architect

-Security officer

-Information owner

-Developer

-Internal auditor

-Compliance with ISO27000 standards

-IT Operations Coordinator

-Databases and Paradocs Owner

-Responsible for the Parasolution app

-Users: All Premier Continuum employees (access to data based on their role in the organization - access policy only to the required directories)

‍

2.2 Information owner. The owner the information in the production environment used by a particular business unit must define the appropriate classifications and access controls. It must also adopt appropriate measures to ensure that controls relevant to the storage, handling, distribution and use of information are used.

Level 1: Account Administrator

Level 2: User account with limited access to make minor queries, searches and changes requested by the customer

2.3 Designated Security Administrator for all multi-user systems. For each multi-user system, a security administrator must be appointed to define user privileges, control the access log, and perform any comparable activity while meeting the information owner requirements. The IT Security Committee is responsible for overseeing this function. However, it can be entrusted to a representative. For the purposes of this policy, local network servers and the telephone system are deemed to be multi-user systems.

2.4 The Department of Information Technology cannot be an information officer. The Information Technology Department cannot be responsible for any information, except for data for the management and control of computer systems and operational networks.

2.5 Obligation to designate a custodian for all major types of information. A custodian is assigned for each main type of information. Each custodian must ensure the appropriate protection of the information in accordance with the basic requirements of Premier Continuum and the instructions of the designated manager.

2.6 Security Custodian Responsibilities. Custodians are responsible for defining specific control mechanisms, administering access to information, implementing and maintaining cost-effective control on these elements, and ensuring disaster recovery and safeguarding services that comply with Premier Continuum's basic requirements IT Security guidelines are in place.

2.7 Users responsibility in accordance to information security. Users of the information must treat the information as if they were material property belonging to the company. They have to take great care of it.  They are also actively involved in the ISMS. It is everyone's responsibility to protect their user account and password to avoid unauthorized abuse or activity. Users of the information may be employees, consultants, suppliers or representatives of the latter (whether they are full-time, part-time or temporary employees), or even third parties covered by specific provisions. Anyone who has been authorized to access information or computer systems is deemed to be an information user.

Information security management

3.1 Periodic analysis of information security issues and information security problems. A periodic analysis of information security problems and issues is required.

3.2 Information security reporting and management mechanism. The IT Security Committee should be kept informed periodically and in the event of a crisis caused by intrusions, denial-of-service attacks, virus attacks and other incidents affecting computer security. A formal incident/problem management mechanism is implemented to record problems, reduce their effects and avoid recurrence.

3.3 Mandatory risk assessment of production IT infrastructure and systems. The IT Security Committee must periodically evaluate all production IT infrastructure and Systems to establish a minimum set of controls to reduce risk to an acceptable level. Risk acceptability is based on residual risk and controls put in place to deal with risks.

3.4 Agreements with third parties exchanging information. All agreements dealing with third-party processing of information must have a specific clause. This clause should allow the organization to verify controls on information processing activities and to clarify how they will be protected. However, not all application development should be outsourced to third parties.

3.5 Agreements on data exchanged between Premier Continuum customers and employees. In order to ensure the protection of customer data, any exchange of data is carried out by SSH Tunnels or by a direct download on the application in production. Refer to the established procedure.

3.6 Disciplinary measures in case of breaches of information security measures. Failure to comply with information security policies, guidelines, procedures or instructions will result in disciplinary action up to employment termination and legal action. Management must make everyone understand that information security remains a critical issue that deserves attention at all times.

3.7 Minimal complexity of passwords. The length, duration and complexity of passwords should always be automatically checked when users create them or when accessing IT infrastructure and systems.

3.8 Prohibition of rotating passwords. Users should not create a password that would be based on an elementary sequence of characters and then partially modified based on the date or any other predictable factor.

3.9 Allocation of initial passwords. The initial password issued by a security administrator must only be valid for the user's first login. After the first login, the user must choose a new password.

3.10 Limiting the number of consecutive tries to enter an incorrect password. To prevent people from attacking systems by trying to guess passwords, the number of tries must be strictly limited.

3.11 Prohibition of sharing a password. A password should never be shared or disclosed to anyone who is not the authorized user. An authorized user who violates this directive could be held liable for actions that others might commit through the disclosure of their password. If users are required to share data that resides on a computer, they must use e-mail, public directories of local network servers, and other means of file exchange. When there is reason to believe that passwords have been disclosed, they must be changed. Reassignment an account to another person due to the absence of the holder for illness or leave is not considered to constitute password sharing. The account reassignment instruction addresses these specific cases and provides procedures to prevent multiple people from accessing the same account using the same password.

3.12 Username and password required to access a computer network. Before users are allowed to use computers connected to a network, their identity must be verified by a username and secret password, or even by any other means offering an equivalent or higher degree of security.

3.13 Mandatory unique username and password. In order to access a multi-user computer, telephone systems or a controlled computer network, all users must have a user code and a secret personal password.

3.14 Password encryption. Passwords must be encrypted at all points in the network. This measure also covers permanent files containing passwords, temporary data storage locations (e.g., disk memory) and network telecommunication lines and devices. Passwords must also be encrypted when they pass through external telecommunication channels (e.g., the Internet, wireless devices).

3.15 Data classification, backup and destruction. The data is classified into the following 5 categories:

• Level 1: Customer data (primary server)
• Level 2: Customer data (secondary server)
• Level 3: Business data exchanged with the customer
• Level 4: Development data and source code
• Level 5: Other data

Customer data is destroyed according to the standards set out in the contract or 7 years after it has changed for Levels 1 and 2.  Premier Continuum data (3.4.5) can be destroyed 7 years after it is changed.

Only the company's critical assets are transferred to an external secure server, otherwise in terms of customer information, these are pre-programmed according to the individual contractual agreement. In all cases, these transfers are encrypted and access is limited to administrators of the respective systems.

3.16 Registry A record of all ISMS-related activities is stored and maintained and verified through internal audit validations.

3.17 Compliance. An internal audit of the controls listed in ISO 27000 is to be conducted annually.  Penetration and vulnerability tests are carried out on all production systems.  See risk analysis and treatment document for more details on the controls implemented. As well, Premier Continuum ensures that all information security regulations are followed and that it adequately protects the personal information of its employees.

3.18 Distribution and management of user access rights. The allocation of access rights must be consistent with the employee's duties and role, so only the access required for the work associated with the position occupied is granted. When required, an employee may request a temporary additional access to the security team who will review the request. If an ill-identified need comes to the attention of the team, either access to an appropriate tool or a review of access rights will be carried out.

3.19 Key Management. All signature keys used in the company must be the result of an agreement with a trusted third-party supplier in the field. If the latter does not force it, the keys will be renewed annually or when an encryption key or a higher force cipher is available. (DigiCert is the selected supplier at the moment) All signature keys used in the company must be the result of an agreement with a trusted third-party supplier in the field. If the latter does not force it, the keys will be renewed annually.

Business Continuity Planning

4.1 Mandatory compliance with emergency, business continuity and disaster recovery standards. All organization business units must plan and communicate in writing their requirements, in accordance with Premier Continuum's business continuity plan.

4.2 Methodology for establishing priority for disaster recovery activities. An effective recovery after an interruption is based on established priorities set during the Business Impact Analysis Process. To enable an appropriate recovery, all services must use the same methodology when developing their continuity plans and disaster recovery plans.

4.3 Annual evaluation of the criticality of multi-user applications. In collaboration with relevant decision makers, the steering committee must periodically review with the IT department the assessment of the criticality of all multi-user production-related applications. Appropriate disaster recovery plans will therefore need to be completed.

4.4 Writing and updating a disaster recovery plan specific to IT infrastructure and systems. Premier Continuum's business continuity team must maintain and exercise their disaster recovery plan on a regular basis that will allow all critical IT systems and associated infrastructure and systems to be accessible, in line with recovery priorities, in the event of a major outage or loss (e.g., flood, earthquake). Business continuity objectives should include basic IT functions as well as relevant basic support.

4.5 Writing and updating a business continuity plan.  Premier Continuum's business continuity team must maintain and exercise their business continuity plan on a regular basis. The plan should specify what is planned for alternative facilities (workspaces, equipment, systems) so that employees can continue to work in the event of an emergency or disaster.

Policy relating to modification control

5.1 Separation of production, quality assurance and development environments. Development of news applications, quality assurance and production must be separate. If adequate space is available, this separation must result in the installation of software on separate IT systems. Where the very nature of the premises prevents such installation, separate password-protected directories and libraries must be used. The transfer of information between different environments is controlled (authentication required).

All access between remote servers (between them) and the desktop (in the case of telework or mobile VPN) is also encrypted to protect applications or other data when transferring to secure servers. (e.g. VPN if externally, SSH Tunnels then finally an RDP or VNC on the server). Firewall rules are designed not to expose RDP or VNC ports, but only the SSH port.

In the case of web files, they are also encrypted for transfer to protect information so accessible by port 443 (WebDAV, WebFolder), otherwise a tunnel must provide access to it as for direct access (FTP).

5.2 Separation of production, quality assurance and development tasks. Tasks are assigned by the IT architect and, where possible, they are divided. Tasks are recorded in a project management system. IT staff must authenticate on each platform. The separation of tasks and access to corporate assets is limited by groups or functions within the company, as the assets are mainly digital assets, it is the access rights and the policy referring to them that holds this separation.

5.3 Mandatory examination before the modules transfer through the production environment. Executable modules from test libraries should never be transferred directly to production libraries. Fully proven modules should be reviewed before transferring them to production libraries.

5.4 Formal change control mechanism mandatory for business applications. A formal change control mechanism is required to ensure that all business application software under development or at the quality assurance stage does not go into production until it has been properly authorized by IT management and the business users.

Policy relating to information and systems developed by the final user

6.1 Checking the development of user-designed production systems. Before they can be used for production, all software that deals with sensitive or essential information and has been developed by end-users must be accompanied by controls and documentation verified by the IT security department.

6.2 Checking the company's information made available on or outside Premier Continuum. Applications to file company-owned information in a public domain such as the Internet or third-party information infrastructure must be approved by Premier Continuum's Information Security Committee. Third-party infrastructure is subject to a security analysis.

6.3 Authorized copies of software. It is forbidden to copy the third party software in the possession of the company. Unless the copy complies with the relevant licensing agreements, it must be approved by management and meet only business continuity requirements.

6.4 Prohibited use of personal software, free software, free software and games are not permitted on Premier Continuum computers. Free games and software SHOULD NOT be stored or used on Premier Continuum's computer systems without the formal permission of the IT Security Committee.

6.5 Initial copies of computer software and backup. All software must be copied or cloned before first use. Copies must be stored in a safe place. These master copies cannot be used for the usual commercial activities. They are strictly reserved for recovery activities.

6.6 Periodic review of software licensing agreements. Compliance with all third-party computer programs must be regularly confirmed.

6.7 Sensitive information on IT devices. Sensitive information stored on the hard drive, USB sticks, or other internal components of a personal computer must be protected by a tangible locking device or encryption system, or both. These components, when not in use, must be handled and stored to the highest degree of safety classification relevant to them.

Validation

7.1 Checking IT infrastructure and IT Systems. A third party must regularly analyze the adequacy of controls on computer systems and ensure that they remain compliant.

Material security

8.1 Hardware security measures for computers and communication systems. Buildings that house computers or communication systems must be protected by physical security measures that prevent access to any unauthorized person.

8.2. Moving off-site material. Material, information or software should not be removed from the premises without prior authorization from the steering committee.

8.3. Destruction of equipment. All hardware containing storage media must be checked to ensure that any sensitive data has been removed and that any licensed software has been safely uninstalled or crushed before it is disposed of.

‍