Security Statement

Server Security Policy

1. Overview 
Unsecured and vulnerable servers continue to be a major entry point for malicious threat actors. Consistent server installation policies, ownership and configuration management are all about doing the basics well.

2. Purpose 
The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by Milk Moovement. Effective implementation of this policy will minimize unauthorized access to Milk Moovement proprietary information and technology.

3. Scope 
All employees, contractors, consultants, temporary and other workers at Milk Moovement must adhere to this policy.

4. Policy 
4.1 General Requirements 
4.1.1 All internal servers deployed at Milk Moovement must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by Milk Moovement senior management. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes review and approval by Milk Moovement senior management. The following items must be met:

  • Servers must be registered within the corporate enterprise management system. At a minimum, the following information is required to positively identify the point of contact:
    o Server contact(s) and location, and a backup contact
    o Hardware and Operating System/Version
    o Main functions and applications, if applicable
  • Information in the corporate enterprise management system must be kept up-to-date.
  • Configuration changes for production servers must follow the appropriate change management procedures.

4.1.2 For security, compliance, and maintenance purposes, authorized personnel may monitor and audit equipment, systems, processes, and network traffic per the Audit Policy.
4.1.3 Configuration Requirements
4.1.4 Operating System configuration should be in accordance with approved Milk Moovement guidelines.
4.1.5 Services and applications that will not be used must be disabled where practical.
4.1.6 Access to services should be logged and/or protected through access-control methods such as a web application firewall, if possible.
4.1.7 The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.
4.1.8 Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication is sufficient.
4.1.9 Always use standard security principles of least required access to perform a function. Do not use root when a non-privileged account will do.
4.1.10 If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels (e.g., encrypted network connections using SSH or IPSec).
4.2 Monitoring 
4.2.1 All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:
  • All security-related logs will be kept online for a minimum of 1 week.
  • Daily incremental tape backups will be retained for at least 1 month.
  • Weekly full tape backups of logs will be retained for at least 1 month.
  • Monthly full backups will be retained for a minimum of 2 years.
4.2.2 Security-related events will be reported to Milk Moovement senior management, who will review logs and report incidents to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:
  • Port-scan attacks
  • Evidence of unauthorized access to privileged accounts
  • Anomalous occurrences that are not related to specific applications on the host.

5. Policy Compliance 
5.1 Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by the Milk Moovement senior management team in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6. Related Standards, Policies and Processes
• Audit Policy


Server Audit Policy

1. Overview 
See Purpose. 

2. Purpose 
The purpose of this policy is to ensure all servers deployed at Milk Moovement are configured according to the Milk Moovement security policies. Servers deployed at Milk Moovement shall be audited at least annually and as prescribed by applicable regulatory compliance.
Audits may be conducted to:  
• Ensure integrity, confidentiality and availability of information and resources 
• Ensure conformance to Milk Moovement security policies


3. Scope
This policy covers all servers owned or operated by Milk Moovement. This policy also covers any server present on Milk Moovement premises, but which may not be owned or operated by Milk Moovement.

4. Policy 
4.1 Specific Concerns
Servers in use for Milk Moovement support critical business functions and store company sensitive information. Improper configuration of servers could lead to the loss of confidentiality, availability or integrity of these systems.
4.2 Guidelines
Approved and standard configuration templates shall be used when deploying server systems, to include:
• All system logs shall be sent to a central log review system 
• All Sudo / Administrator actions must be logged 
• Use a central patch deployment system 
• Host security agent such as antivirus shall be installed and updated
• Network scan to verify only required network ports and network shares are in use
• Verify administrative group membership 
• Conduct baselines when systems are deployed and upon significant system changes 
• Changes to the configuration template shall be coordinated with the approval of the change control board.
4.3 Responsibility
Milk Moovement shall conduct audits of all servers owned or operated by Milk Moovement. Server and application owners are encouraged to also perform this work as needed.
4.4 Relevant Findings
All relevant findings discovered as a result of the audit shall be listed in the Milk Moovement tracking system to ensure prompt resolution or appropriate mitigating controls.
4.5 Ownership of Audit Report
All results and findings generated must be provided to appropriate Milk Moovement management within one week of project completion. This report will be considered company confidential.

5. Policy Compliance 
5.1 Compliance Measurement
The Milk Moovement Team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by the Milk Moovement senior management team in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6. Related Standards, Policies and Processes 
None.

7. Definitions and Terms
None.


Data Breach Response Policy

1.0 Purpose
The purpose of the policy is to establish the goals and the vision for the breach response process. This policy will clearly define to whom it applies and under what circumstances, and it will include the definition of a breach, staff roles and responsibilities, standards and metrics (e.g., to enable prioritization of the incidents), as well as reporting, remediation, and feedback mechanisms. The policy shall be well publicized and made easily available to all personnel whose duties involve data privacy and security protection.

Milk Moovement Information Security's intentions for publishing a Data Breach Response Policy are to focus significant attention on data security and data security breaches and how Milk Moovement's established culture of openness, trust and integrity should respond to such activity. Milk Moovement Information Security is committed to protecting Milk Moovement's employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

1.1 Background 
This policy mandates that any individual who suspects that a theft, breach or exposure of Milk Moovement Protected data or Milk Moovement Sensitive data has occurred must immediately provide a description of what occurred via e-mail to info@milkmoovement.com, by calling 709-743-4030, or through the use of the help desk reporting web page at https://www.milkmoovement.com. This e-mail address, phone number, and web page are monitored by the Milk Moovement Information Security Administrator. This team will investigate all reported thefts, data breaches and exposures to confirm if a theft, breach or exposure has occurred. If a theft, breach or exposure has occurred, the Information Security Administrator will follow the appropriate procedure in place.

2.0 Scope 
This policy applies to all who collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle personally identifiable information or Protected Health Information (PHI) of Milk Moovement members. Any agreements with vendors will contain similar language that protects the fund.

3.0 Policy
Confirmed theft, data breach or exposure of Milk Moovement Protected data or Milk Moovement Sensitive data
As soon as a theft, data breach or exposure containing Milk Moovement Protected data or Milk Moovement Sensitive data is identified, the process of removing all access to that resource will begin. The CEO will chair an incident response team to handle the breach or exposure. The team will include members from:
• IT Infrastructure
• IT Applications
• Finance (if applicable)
• Legal
• Communications
• Member Services (if Member data is affected)
• Human Resources
• The affected unit or department that uses the involved system or output or whose data may have been breached or exposed
• Additional departments based on the data type involved, and additional individuals as deemed necessary by the Executive Director

Confirmed theft, breach or exposure of Milk Moovement data
• The CEO will be notified of the theft, breach or exposure.
• IT will analyze the breach or exposure to determine the root cause.
• Develop a communication plan. Work with Milk Moovement communications, legal and human resource departments to decide how to communicate the breach to: a) internal employees, b) the public, and c) those directly affected.

3.1 Ownership and Responsibilities
Roles & Responsibilities:
• Sponsors - Sponsors are those members of the Milk Moovement community that have primary responsibility for maintaining any particular information resource. Sponsors may be designated by any Milk Moovement Executive in connection with their administrative responsibilities, or by the actual sponsorship, collection, development, or storage of information.
• Information Security Administrator - That member of the Milk Moovement community, designated by the CEO or the Director, Information Technology (IT) Infrastructure, who provides administrative support for the implementation, oversight and coordination of security procedures and systems with respect to specific information resources in consultation with the relevant Sponsors.
• Users - Virtually all members of the Milk Moovement community to the extent they have authorized access to information resources; may include staff, trustees, contractors, consultants, interns, temporary employees and volunteers.
• The Incident Response Team - Shall be chaired by Executive Management and shall include, but will not be limited to, the following departments or their representatives: IT-Infrastructure; IT-Application Security; Communications; Legal; Management; Financial Services; Member Services; Human Resources.

4.0 Enforcement  
Any Milk Moovement personnel found in violation of this policy may be subject to disciplinary action, up to and including termination of employment. Any third-party partner company found in violation may have their network connection terminated.

5.0 Definitions  
Encryption or encrypted data - The most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text.
Plain text - Unencrypted data.
Hacker - A slang term for a computer enthusiast, i.e., a person who enjoys learning programming languages and computer systems and can often be considered an expert on the subject(s).
Protected Health Information (PHI) - Under US law, any information about health status, provision of health care, or payment for health care that is created or collected by a "Covered Entity" (or a Business Associate of a Covered Entity), and can be linked to a specific individual.
Personally Identifiable Information (PII) - Any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered
Protected data - See PII and PHI.
Information Resource - The data and information assets of an organization, department or unit.
Safeguards - Countermeasures and controls put in place to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. Safeguards help to reduce the risk of damage or loss by stopping, deterring, or slowing down an attack against an asset.
Sensitive data - Data that is encrypted or in plain text and contains PII or PHI data. See PII and PHI above.


Security Response Plan Policy 

1. Overview 
A Security Response Plan (SRP) provides the impetus for security and business teams to integrate their efforts from the perspective of awareness and communication, as well as coordinated response in times of crisis (security vulnerability identified or exploited). Specifically, an SRP defines a product description, contact information, escalation paths, expected service level agreements (SLA), severity and impact classification, and mitigation/remediation timelines. Requiring business units to incorporate an SRP as part of their business continuity operations, and as new products or services are developed and prepared for release to consumers, ensures that when an incident occurs, swift mitigation and remediation ensues.

2. Purpose 
The purpose of this policy is to establish the requirement that all business units supported by the Milk Moovement team develop and maintain a security response plan. This ensures that the security incident management team has all the necessary information to formulate a successful response should a specific security incident occur.

3. Scope 
This policy applies to any established and defined business unit or entity within Milk Moovement.

4. Policy 
The development, implementation, and execution of a Security Response Plan (SRP) are the primary responsibility of the specific business unit for whom the SRP is being developed, in cooperation with the Milk Moovement Team. Business units are expected to properly facilitate the SRP applicable to the services or products for which they are held accountable. The business unit security coordinator or champion is further expected to work on the development and maintenance of a Security Response Plan.
4.1 Service or Product Description
The product description in an SRP must clearly define the service or application to be deployed; additional attention to data flows, logical diagrams and architecture is considered highly useful.
4.2 Contact Information
The SRP must include contact information for dedicated team members to be available during non-business hours should an incident occur and escalation be required. This may be a 24/7 requirement depending on the defined business value of the service or product, coupled with the impact to the customer. The SRP document must include all phone numbers and email addresses for the dedicated team member(s).
4.3 Triage
The SRP must define triage steps to be coordinated with the security incident management team in a cooperative manner with the intended goal of swift security vulnerability mitigation. This step typically includes validating the reported vulnerability or compromise.
4.4 Identified Mitigations and Testing
The SRP must include a defined process for identifying and testing mitigations prior to deployment. These details should include both short-term mitigations as well as the remediation process.
4.5 Mitigation and Remediation Timelines
The SRP must include levels of response to identified vulnerabilities that define the expected timelines for repair based on severity and impact to consumer, brand, and company. These response guidelines should be carefully mapped to the level of severity determined for the reported vulnerability.

5. Policy Compliance 
5.1 Compliance Measurement
Each business unit must be able to demonstrate they have a written SRP in place, and that it is under version control and is available via the web. The policy should be reviewed annually.
5.2 Exceptions
Any exception to this policy must be approved by the Milk Moovement Team in advance and have a written record.
5.3 Non-Compliance
Any business unit found to have violated this policy (no SRP developed prior to service or product deployment) may be subject to delays in service or product release until such a time as the SRP is developed and approved. Responsible parties may be subject to disciplinary action, up to and including termination of employment, should a security incident occur in the absence of an SRP.

6. Related Standards, Policies and Processes
None.  

7. Definitions and Terms 
None.


Email Policy

1. Overview 
Electronic mail is pervasively used in almost all industry verticals and is often the primary communication and awareness method within an organization. At the same time, misuse of email can pose many legal, privacy and security risks, so it is important for users to understand the appropriate use of electronic communications.

2. Purpose 
The purpose of this email policy is to ensure the proper use of the Milk Moovement email system and make users aware of what Milk Moovement deems as acceptable and unacceptable use of its email system. This policy outlines the minimum requirements for use of email within the Milk Moovement Network.

3. Scope 
This policy covers appropriate use of any email sent from a Milk Moovement email address and applies to all employees, vendors, and agents operating on behalf of Milk Moovement.

4. Policy 
4.1 All use of email must be consistent with Milk Moovement policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices.
4.2 A Milk Moovement email account should be used primarily for Milk Moovement business-related purposes; personal communication is permitted on a limited basis, but non-Milk Moovement related commercial uses are prohibited.
4.3 All Milk Moovement data contained within an email message or an attachment must be secured according to the Data Protection Standard.
4.4 Email should be retained only if it qualifies as a Milk Moovement business record. Email is a Milk Moovement business record if there exists a legitimate and ongoing business reason to preserve the information contained in the email.
4.5 Email that is identified as a Milk Moovement business record shall be retained according to the Milk Moovement Record Retention Schedule.
4.6 The Milk Moovement email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any Milk Moovement employee should report the matter to their supervisor immediately.
4.7 Users are prohibited from automatically forwarding Milk Moovement email to a third-party email system (noted in 4.8 below). Individual messages which are forwarded by the user must not contain Milk Moovement confidential or above information.
4.8 Users are prohibited from using third-party email systems and storage servers such as Google, Yahoo, and MSN Hotmail etc. to conduct Milk Moovement business, to create or memorialize any binding transactions, or to store or retain email on behalf of Milk Moovement. Such communications and transactions should be conducted through proper channels using Milk Moovement-approved documentation.
4.9 Using a reasonable amount of Milk Moovement resources for personal emails is acceptable, but non-work-related email shall be saved in a separate folder from work-related email. Sending chain letters or joke emails from a Milk Moovement email account is prohibited.
4.10 Milk Moovement employees shall have no expectation of privacy in anything they store, send or receive on the company's email system.
4.11 Milk Moovement may monitor messages without prior notice. Milk Moovement is not obliged to monitor email messages.

5. Policy Compliance 
5.1 Compliance Measurement
The Milk Moovement senior management team will verify compliance to this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by the Milk Moovement senior management team in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6. Related Standards, Policies and Processes 
• Data Protection Standard 

Server Security Policy 
1. Overview 
Unsecured and vulnerable servers continue to be a major entry point for malicious threat actors.  Consistent Server installation policies, ownership and configuration management are all about  doing the basics well.  

2. Purpose 
The purpose of this policy is to establish standards for the base configuration of internal server  equipment that is owned and/or operated by Milk Moovement. Effective implementation of this  policy will minimize unauthorized access to Milk Moovement proprietary information and  technology. 

3. Scope 
All employees, contractors, consultants, temporary and other workers at Milk Moovement must  adhere to this policy.  

4. Policy 
4.1 General Requirements 
4.1.1 All internal servers deployed at Milk Moovement must be owned by an operational group  that is responsible for system administration. Approved server configuration guides must  be established and maintained by each operational group, based on business needs and  approved by Milk Moovement senior management. Operational groups should monitor  configuration compliance and implement an exception policy tailored to their  environment. Each operational group must establish a process for changing the  configuration guides, which includes review and approval by Milk Moovement senior  management. The following items must be met: • Servers must be registered within the corporate enterprise management system. At a  minimum, the following information is required to positively identify the point of  contact:  o Server contact(s) and location, and a backup contact  o Hardware and Operating System/Version  o Main functions and applications, if applicable 43 • Information in the corporate enterprise management system must be kept up-to-date.  • Configuration changes for production servers must follow the appropriate change  management procedures 
4.1.2 For security, compliance, and maintenance purposes, authorized personnel may monitor  and audit equipment, systems, processes, and network traffic per the Audit Policy
4.1.3 Configuration Requirements 
4.1.4 Operating System configuration should be in accordance with approved Milk Moovement  guidelines.  
4.1.5 Services and applications that will not be used must be disabled where practical.
4.1.6 Access to services should be logged and/or protected through access-control methods  such as a web application firewall, if possible.  
4.1.7 The most recent security patches must be installed on the system as soon as practical, the  only exception being when immediate application would interfere with business  requirements.  
4.1.8 Trust relationships between systems are a security risk, and their use should be avoided.  Do not use a trust relationship when some other method of communication is sufficient. 
4.1.9 Always use standard security principles of least required access to perform a function.  Do not use root when a non-privileged account will do.  
4.1.10 If a methodology for secure channel connection is available (i.e., technically feasible),  privileged access must be performed over secure channels, (e.g., encrypted network  connections using SSH or IPSec).  
4.2 Monitoring 
4.2.1 All security-related events on critical or sensitive systems must be logged and audit trails  saved as follows:  • All security related logs will be kept online for a minimum of 1 week.  • Daily incremental tape backups will be retained for at least 1 month.  • Weekly full tape backups of logs will be retained for at least 1 month.  • Monthly full backups will be retained for a minimum of 2 years. 
4.2.2 Security-related events will be reported to Milk Moovement senior management, who  will review logs and report incidents to IT management. Corrective measures will be  prescribed as needed. Security-related events include, but are not limited to:  
• Port-scan attacks  
• Evidence of unauthorized access to privileged accounts  
• Anomalous occurrences that are not related to specific applications on the host.  

5. Policy Compliance 
5.1 Compliance Measurement The Infosec team will verify compliance to this policy through various methods, including but  not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external  audits, and feedback to the policy owner.  
5.2 Exceptions Any exception to the policy must be approved by the Milk Moovement senior management team  in advance.  
5.3 Non-Compliance An employee found to have violated this policy may be subject to disciplinary action, up to and  including termination of employment.  

6 Related Standards, Policies and Processes 
• Audit Policy45 

Server Audit Policy 
1. Overview 
See Purpose. 

2. Purpose 
The purpose of this policy is to ensure all servers deployed at Milk Moovement are configured  according to the Milk Moovement security policies. Servers deployed at Milk Moovement shall  be audited at least annually and as prescribed by applicable regulatory compliance.  
Audits may be conducted to:  
• Ensure integrity, confidentiality and availability of information and resources 
• Ensure conformance to Milk Moovement security policies  

3. Scope 
This policy covers all servers owned or operated by Milk Moovement. This policy also covers  any server present on Milk Moovement premises, but which may not be owned or operated by  Milk Moovement. 

4. Policy 
4.1 Specific Concerns Servers in use for Milk Moovement support critical business functions and store company  sensitive information. Improper configuration of servers could lead to the loss of confidentiality,  availability or integrity of these systems. 
4.2 Guidelines Approved and standard configuration templates shall be used when deploying server systems to include: 
• All system logs shall be sent to a central log review system 
• All Sudo / Administrator actions must be logged 
• Use a central patch deployment system 
• Host security agent such as antivirus shall be installed and updated
• Network scan to verify only required network ports and network shares are in use
• Verify administrative group membership 
• Conduct baselines when systems are deployed and upon significant system changes 
• Changes to configuration template shall be coordinated with approval of change control board. 
4.3 Responsibility Milk Moovement shall conduct audits of all servers owned or operated by Milk Moovement.  Server and application owners are encouraged to also perform this work as needed. 
4.4 Relevant Findings All relevant findings discovered as a result of the audit shall be listed in the Milk Moovement  tracking system to ensure prompt resolution or appropriate mitigating controls. 
4.5 Ownership of Audit Report.  All results and findings generated must be provided to appropriate Milk Moovement  management within one week of project completion. This report will be considered company  confidential.  

5. Policy Compliance 
5 Compliance Measurement The Milk Moovement Team will verify compliance to this policy through various methods,  including but not limited to, business tool reports, internal and external audits, and feedback to  the policy owner.  
5.1 Exceptions Any exception to the policy must be approved by the Milk Moovement senior management team  in advance.  
5.2 Non-Compliance An employee found to have violated this policy may be subject to disciplinary action, up to and  including termination of employment.  

6. Related Standards, Policies and Processes 
None.

7. Definitions and Terms
None.

Data Breach Response Policy 
1.0 Purpose
The purpose of the policy is to establish the goals and the vision for the breach response  process. This policy will clearly define to whom it applies and under what circumstances, and it  will include the definition of a breach, staff roles and responsibilities, standards and metrics  (e.g., to enable prioritization of the incidents), as well as reporting, remediation, and feedback  mechanisms. The policy shall be well publicized and made easily available to all personnel  whose duties involve data privacy and security protection. Milk Moovement Information Security's intentions for publishing a Data Breach Response Policy  are to focus significant attention on data security and data security breaches and how Milk  Moovement’s established culture of openness, trust and integrity should respond to such  activity. Milk Moovement Information Security is committed to protecting Milk Moovement's  employees, partners and the company from illegal or damaging actions by individuals, either  knowingly or unknowingly.  

1.1 Background 
This policy mandates that any individual who suspects that a theft, breach or exposure of Milk  Moovement Protected data or Milk Moovement Sensitive data has occurred must immediately  provide a description of what occurred via e-mail to info@milkmoovement.com, by calling 709- 743-4030, or through the use of the help desk reporting web page at  https://www.milkmoovement.com. This e-mail address, phone number, and web page are  monitored by the Milk Moovement’s Information Security Administrator. This team will  investigate all reported thefts, data breaches and exposures to confirm if a theft, breach or  exposure has occurred. If a theft, breach or exposure has occurred, the Information Security  Administrator will follow the appropriate procedure in place.   

2.0 Scope 
This policy applies to all whom collect, access, maintain, distribute, process, protect, store, use,  transmit, dispose of, or otherwise handle personally identifiable information or Protected Health  Information (PHI) of Milk Moovement members. Any agreements with vendors will contain  language similar that protects the fund.  

3.0 Policy
Confirmed theft, data breach or exposure of Milk Moovement Protected data or Milk Moovement Sensitive data
As soon as a theft, data breach or exposure containing Milk Moovement Protected data or Milk Moovement Sensitive data is identified, the process of removing all access to that resource will begin. The CEO will chair an incident response team to handle the breach or exposure. The team will include members from:
• IT Infrastructure 
• IT Applications 
• Finance (if applicable) 
• Legal 
• Communications 
• Member Services (if Member data is affected) 
• Human Resources 
• The affected unit or department that uses the involved system or output or whose data may have been breached or exposed
• Additional departments based on the data type involved
• Additional individuals as deemed necessary by the Executive Director

Confirmed theft, breach or exposure of Milk Moovement data
• The CEO will be notified of the theft, breach or exposure.
• IT will analyze the breach or exposure to determine the root cause.
• Develop a communication plan: work with the Milk Moovement communications, legal and human resource departments to decide how to communicate the breach to: a) internal employees, b) the public, and c) those directly affected.

3.1 Ownership and Responsibilities
Roles & Responsibilities:
• Sponsors - Sponsors are those members of the Milk Moovement community that have primary responsibility for maintaining any particular information resource. Sponsors may be designated by any Milk Moovement Executive in connection with their administrative responsibilities, or by the actual sponsorship, collection, development, or storage of information.
• Information Security Administrator - the member of the Milk Moovement community, designated by the CEO or the Director, Information Technology (IT) Infrastructure, who provides administrative support for the implementation, oversight and coordination of security procedures and systems with respect to specific information resources, in consultation with the relevant Sponsors.
• Users - virtually all members of the Milk Moovement community to the extent they have authorized access to information resources; this may include staff, trustees, contractors, consultants, interns, temporary employees and volunteers.
• The Incident Response Team - chaired by Executive Management and including, but not limited to, the following departments or their representatives: IT-Infrastructure, IT-Application Security, Communications, Legal, Management, Financial Services, Member Services, Human Resources.

4.0 Enforcement  
Any Milk Moovement personnel found in violation of this policy may be subject to disciplinary action, up to and including termination of employment. Any third party partner company found in violation may have their network connection terminated.

5.0 Definitions  
Encryption or encrypted data – The most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text.
Plain text – Unencrypted data. 
Hacker – A slang term for a computer enthusiast, i.e., a person who enjoys learning programming languages and computer systems and can often be considered an expert on the subject(s).
Protected Health Information (PHI) - Under US law, any information about health status, provision of health care, or payment for health care that is created or collected by a "Covered Entity" (or a Business Associate of a Covered Entity), and can be linked to a specific individual.
Personally Identifiable Information (PII) - Any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered
Protected data - See PII and PHI 
Information Resource - The data and information assets of an organization, department or unit.
Safeguards - Countermeasures and controls put in place to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. Safeguards help to reduce the risk of damage or loss by stopping, deterring, or slowing down an attack against an asset.
Sensitive data - Data that is encrypted or in plain text and contains PII or PHI data. See PII and PHI above.

Security Response Plan Policy 

1. Overview 
A Security Response Plan (SRP) provides the impetus for security and business teams to integrate their efforts from the perspective of awareness and communication, as well as coordinated response in times of crisis (a security vulnerability identified or exploited). Specifically, an SRP defines a product description, contact information, escalation paths, expected service level agreements (SLA), severity and impact classification, and mitigation/remediation timelines. Requiring business units to incorporate an SRP as part of their business continuity operations, and as new products or services are developed and prepared for release to consumers, ensures that when an incident occurs, swift mitigation and remediation ensues.

2. Purpose
The purpose of this policy is to establish the requirement that all business units supported by the Milk Moovement team develop and maintain a security response plan. This ensures that the security incident management team has all the necessary information to formulate a successful response should a specific security incident occur.

3. Scope
This policy applies to any established and defined business unit or entity within Milk Moovement.

4. Policy
The development, implementation, and execution of a Security Response Plan (SRP) are the primary responsibility of the specific business unit for which the SRP is being developed, in cooperation with the Milk Moovement Team. Business units are expected to properly facilitate the SRP applicable to the services or products for which they are held accountable. The business unit security coordinator or champion is further expected to work on the development and maintenance of a Security Response Plan.
4.1 Service or Product Description
The product description in an SRP must clearly define the service or application to be deployed; additional attention to data flows, logical diagrams and architecture is considered highly useful.
4.2 Contact Information
The SRP must include contact information for dedicated team members to be available during non-business hours should an incident occur and escalation be required. This may be a 24/7 requirement depending on the defined business value of the service or product, coupled with the impact to the customer. The SRP document must include all phone numbers and email addresses for the dedicated team member(s).
4.3 Triage
The SRP must define triage steps to be coordinated with the security incident management team in a cooperative manner with the intended goal of swift security vulnerability mitigation. This step typically includes validating the reported vulnerability or compromise.
4.4 Identified Mitigations and Testing
The SRP must include a defined process for identifying and testing mitigations prior to deployment. These details should include both short-term mitigations as well as the remediation process.
4.5 Mitigation and Remediation Timelines
The SRP must include levels of response to identified vulnerabilities that define the expected timelines for repair based on severity and impact to consumer, brand, and company. These response guidelines should be carefully mapped to the level of severity determined for the reported vulnerability.

5. Policy Compliance 
5.1 Compliance Measurement
Each business unit must be able to demonstrate they have a written SRP in place, and that it is under version control and is available via the web. The policy should be reviewed annually.
5.2 Exceptions
Any exception to this policy must be approved by the Milk Moovement Team in advance and have a written record.
5.3 Non-Compliance
Any business unit found to have violated this policy (no SRP developed prior to service or product deployment) may be subject to delays in service or product release until such a time as the SRP is developed and approved. Responsible parties may be subject to disciplinary action, up to and including termination of employment, should a security incident occur in the absence of an SRP.

6. Related Standards, Policies and Processes
None.  

7. Definitions and Terms 
None.

Email Policy 
1. Overview 
Electronic mail is pervasively used in almost all industry verticals and is often the primary communication and awareness method within an organization. At the same time, misuse of email can pose many legal, privacy and security risks, so it is important for users to understand the appropriate use of electronic communications.

2. Purpose 
The purpose of this email policy is to ensure the proper use of the Milk Moovement email system and make users aware of what Milk Moovement deems acceptable and unacceptable use of its email system. This policy outlines the minimum requirements for use of email within the Milk Moovement Network.

3. Scope 
This policy covers appropriate use of any email sent from a Milk Moovement email address and applies to all employees, vendors, and agents operating on behalf of Milk Moovement.

4. Policy 
4.1 All use of email must be consistent with Milk Moovement policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices.
4.2 A Milk Moovement email account should be used primarily for Milk Moovement business-related purposes; personal communication is permitted on a limited basis, but non-Milk Moovement related commercial uses are prohibited.
4.3 All Milk Moovement data contained within an email message or an attachment must be secured according to the Data Protection Standard.
4.4 Email should be retained only if it qualifies as a Milk Moovement business record. Email is a Milk Moovement business record if there exists a legitimate and ongoing business reason to preserve the information contained in the email.
4.5 Email that is identified as a Milk Moovement business record shall be retained according to the Milk Moovement Record Retention Schedule.
4.6 The Milk Moovement email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any Milk Moovement employee should report the matter to their supervisor immediately.
4.7 Users are prohibited from automatically forwarding Milk Moovement email to a third party email system (noted in 4.8 below). Individual messages which are forwarded by the user must not contain Milk Moovement confidential or above information.
4.8 Users are prohibited from using third-party email systems and storage servers such as Google, Yahoo, and MSN Hotmail etc. to conduct Milk Moovement business, to create or memorialize any binding transactions, or to store or retain email on behalf of Milk Moovement. Such communications and transactions should be conducted through proper channels using Milk Moovement-approved documentation.
4.9 Using a reasonable amount of Milk Moovement resources for personal emails is acceptable, but non-work related email shall be saved in a separate folder from work related email. Sending chain letters or joke emails from a Milk Moovement email account is prohibited.
4.10 Milk Moovement employees shall have no expectation of privacy in anything they store, send or receive on the company's email system.
4.11 Milk Moovement may monitor messages without prior notice. Milk Moovement is not obliged to monitor email messages.

5. Policy Compliance 
5.1 Compliance Measurement
The Milk Moovement senior management team will verify compliance with this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by the Milk Moovement senior management team in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6. Related Standards, Policies and Processes 
• Data Protection Standard