Data Loss Prevention (DLP)
The primary purpose of the TalentedCJ DLP policy is to establish guidelines and procedures that safeguard sensitive information, prevent data breaches, and ensure compliance with relevant regulations. Its goals are to:
- Protect Confidential Information: Safeguard sensitive data to ensure confidentiality.
- Ensure Regulatory Compliance: Align with data protection regulations and industry standards.
- Minimize Data Breach Risks: Proactively detect and respond to threats to prevent data breaches.
- Promote Accountability: Foster a culture of responsibility in handling sensitive information.
- Preserve Business Continuity: Ensure the availability and integrity of critical data for uninterrupted operations.
- Educate Employees: Provide ongoing training to empower employees in identifying and mitigating risks.
Scope
This policy applies to all parties who have access to TalentedCJ’s information systems and data. It covers a range of critical areas, including data classification, access controls, encryption standards, incident response, and employee training.
Who is covered under the Data Protection Policy?
The policy covers employees of TalentedCJ and its subsidiaries, and contractors, consultants, partners and any other external entity. Key objectives include:
- Safeguarding sensitive data from unauthorized access, disclosure, or theft.
- Mitigating the risk of data breaches that could lead to financial loss, reputational damage, and legal consequences.
- Aligning with relevant laws, regulations, and industry standards related to data protection and privacy.
- Preserving the accuracy and reliability of data by preventing unauthorized alterations or deletions.
Access Control Procedures
- Access controls are implemented using Role-Based Access Control (RBAC) principles: users are assigned roles corresponding to their job functions, and access to sensitive data is granted based on these roles.
- All sensitive data is classified, and access is restricted based on the classification level. Only authorized personnel with a business need-to-know have access to classified information.
- All endpoint devices and servers storing sensitive data must implement Full Disk Encryption (FDE) to protect data at rest.
- Implement robust key management processes to securely store and manage encryption keys for devices employing Full Disk Encryption.
Incident Reporting
- Management must provide a means for all personnel to report potential incidents.
- IT is responsible for monitoring event logging, vulnerability management, and other logs for suspicious activities.
Notification and Communication
The IHT is responsible for ensuring that notification and communication, both internally and with third parties (customers, vendors, law enforcement, etc.), take place in a timely manner, based on legal, regulatory, and contractual requirements.
All information concerning an incident is considered confidential, and at no time should it be discussed with anyone outside of TalentedCJ without approval of executive management and our legal counsel.
Personnel should be notified whenever an incident or incident response activities may impact their work activities.
Customers and partners who are affected by the incident must be notified according to applicable contract language, service level agreements (SLAs), applicable statutes and/or regulations.