Fuuz terms and policies
Written-Information-Security-Program (WISP)
Fuuz™ from MFGx, LLC (“Fuuz”, “we”, “us”, and “our”) is a no-code, low-code, pro-code applications platform that delivers on the promise of Industry 4.0. Through rapid deployment of stand-alone apps and connectors to existing software, businesses can capture data and connect processes, people, and machines, all in a single platform ecosystem.
The objectives of this comprehensive written information security program (“WISP”) include defining, documenting, and supporting the implementation and maintenance of the administrative, technical, and physical safeguards Fuuz™ from MFGx, LLC (“FUUZ”) has selected to protect the personal information it collects, creates, uses, and maintains. This WISP has been developed in accordance with the requirements of the Ohio Data Protection Act, Ohio Revised Code 1354.01-05; the Massachusetts Standards for the Protection of Personal Information, 201 CMR 17.00; and other similar laws. If this WISP conflicts with any legal obligation or other FUUZ policy or procedure, the provisions of this WISP shall govern, unless the Information Security Coordinator specifically reviews, approves, and documents an exception (see Section 3).
1. Purpose. The purpose of this WISP is to:
- Ensure the security, confidentiality, integrity, and availability of personal and other sensitive information FUUZ collects, creates, uses, and maintains.
- Protect against any anticipated threats or hazards to the security, confidentiality, integrity, or availability of such information.
- Protect against unauthorized access to or use of FUUZ-maintained personal and other sensitive information that could result in substantial harm or inconvenience to any customer or employee.
- Define an information security program that is appropriate to FUUZ’s size, scope, and business, its available resources, and the amount of personal and other sensitive information that FUUZ owns or maintains on behalf of others, while recognizing the need to protect both customer and employee information.
2. Scope. This WISP applies to all employees, contractors, officers, and directors of FUUZ. It applies to any records that contain personal or other sensitive information in any format and on any media, whether in electronic or paper form. Notably, other than information about its employees, FUUZ only collects information from customers and, thus, operates as a business-to-business (“B2B”) business information collector, as opposed to collecting information from individuals. Further, FUUZ stores information it collects via Amazon Web Services (“AWS”), and, as such, does not engage in any cross-border transfer of information triggering transfer requirements of the EU’s General Data Protection Regulation (“GDPR”).
- For purposes of this WISP, “personal information” means either an individual’s first and last name or first initial and last name in combination with any one or more of the following data elements, or any of the following data elements standing alone or in combination, if such data elements could be used to commit identity theft against the individual:
- Social Security number;
- Driver’s license number, other government-issued identification number, including passport number, or tribal identification number;
- Account number, or credit or debit card number, with or without any required security code, access code, personal identification number, or password that would permit access to the individual’s financial account, or any personally identifiable financial information or consumer list, description, or other grouping derived from personally identifiable financial information.
- Health information, including information regarding the individual’s medical history or mental or physical condition, or medical treatment or diagnosis by a health care professional, created or received by FUUZ, which identifies or for which there is a reasonable basis to believe the information can be used to identify the individual and which relates to the past, present, or future physical or mental health or condition of the individual, the provision of health care to the individual, or payment for the provision of health care to the individual;
- Health insurance identification number, subscriber identification number, or other unique identifier used by a health insurer;
- Biometric data collected from the individual and used to authenticate the individual during a transaction, such as an image of a fingerprint, retina, or iris; or
- Email address with any required security code, access code, or password that would permit access to an individual’s personal, medical, insurance, or financial account.
- Personal information does not include lawfully obtained information that is available to the general public, including publicly available information from federal, state, or local government records.
- For purposes of this WISP, “sensitive information” means data that:
- FUUZ considers to be highly confidential information; or
- If accessed by or disclosed to unauthorized parties, could cause significant or material harm to FUUZ, its customers, or its business partners.
3. Information Security Coordinator. FUUZ has designated Craig Scott to implement, coordinate, and maintain this WISP (the “Information Security Coordinator“). The Information Security Coordinator shall be responsible for:
- Initial implementation of this WISP, including:
- Assessing internal and external risks to personal and other sensitive information and maintaining related documentation, including risk assessment reports and remediation plans (see Section 4);
- Coordinating the development, distribution, and maintenance of information security policies and procedures (see Section 5);
- Coordinating the design of reasonable and appropriate administrative, technical, and physical safeguards to protect personal and other sensitive information (see Section 6);
- Ensuring that the safeguards are implemented and maintained to protect personal and other sensitive information throughout FUUZ, where applicable (see Section 6);
- Overseeing service providers that access or maintain personal and other sensitive information on behalf of FUUZ (see Section 7);
- Monitoring and testing the information security program’s implementation and effectiveness on an ongoing basis (see Section 8);
- Defining and managing incident response procedures (see Section 9); and
- Establishing and managing enforcement policies and procedures for this WISP, in collaboration with FUUZ human resources and management (see Section 10).
- Engaging qualified information security personnel, including:
- Providing them with security updates and training sufficient to address relevant risks; and
- Verifying that they take steps to maintain current information security knowledge.
- Employee, contractor, and (as applicable) stakeholder training, including:
- Providing periodic training regarding this WISP, FUUZ’s safeguards, and relevant information security policies and procedures for all employees, contractors, and (as applicable) stakeholders who have or may have access to personal or other sensitive information, updated as necessary or indicated by FUUZ’s risk assessment activities (see Section 4);
- Ensuring that training attendees formally acknowledge their receipt and understanding of the training and related documentation, through written acknowledgement forms; and
- Retaining training and acknowledgment records.
- Reviewing this WISP and the security measures defined here at least annually, when indicated by FUUZ’s risk assessment (see Section 4) or program monitoring and testing activities (see Section 8), or whenever there is a material change in FUUZ’s business practices that may reasonably implicate the security, confidentiality, integrity, or availability of records containing personal or other sensitive information (see Section 11).
- Defining and managing an exceptions process to review, approve or deny, document, monitor, and periodically reassess any necessary and appropriate, business-driven requests for deviations from this WISP or FUUZ’s information security policies and procedures.
- Periodically, reporting to FUUZ’s management/Board of Directors regarding the status of the information security program and FUUZ’s safeguards to protect personal and other sensitive information.
4. Risk Assessment. As a part of developing and implementing this WISP, FUUZ will conduct, and base its information security program on, a periodic, documented risk assessment. The risk assessment will be repeated whenever there is a material change in FUUZ’s business practices that may implicate the security, confidentiality, integrity, or availability of records containing personal or other sensitive information.
- The risk assessment shall:
- Identify reasonably foreseeable internal and external risks to the security, confidentiality, integrity, or availability of any electronic, paper, or other records containing personal or other sensitive information and include criteria for evaluating and categorizing those identified risks;
- Define assessment criteria and assess the likelihood and potential damage that could result from such risks, including the unauthorized disclosure, misuse, alteration, destruction, or other compromise of the personal or other sensitive information, taking into consideration the sensitivity of the personal and other sensitive information; and
- Evaluate the sufficiency of relevant policies, procedures, systems, and safeguards in place to control such risks, in areas that include, but may not be limited to:
- Employee, contractor, and (as applicable) stakeholder training and management;
- Employee, contractor, and (as applicable) stakeholder compliance with this WISP and related policies and procedures;
- Information systems, including network, computer, and software acquisition, design, implementation, operations, and maintenance, as well as data processing, storage, transmission, retention, and disposal; and
- FUUZ’s ability to prevent, detect, and respond to attacks, intrusions, and other security incidents or system failures.
- Following each risk assessment, FUUZ will:
- Design, implement, and maintain reasonable and appropriate safeguards to minimize identified risks;
- Reasonably and appropriately address any identified gaps, including documenting FUUZ’s plan to remediate, mitigate, accept, or transfer identified risks, as appropriate; and
- Regularly monitor the effectiveness of FUUZ’s safeguards, as specified in this WISP (see Section 8).
5. Information Security Policies and Procedures. As part of this WISP, FUUZ will develop, maintain, and distribute information security policies and procedures in accordance with applicable laws and standards to relevant employees, contractors, and (as applicable) other stakeholders to:
- Establish policies regarding:
- Information classification;
- Information handling practices for personal and other sensitive information, including the storage, access, disposal, and external transfer or transportation of personal and other sensitive information;
- User access management, including identification and authentication (using passwords or other appropriate means);
- Encryption;
- Computer and network security;
- Physical security;
- Incident reporting and response;
- Employee and contractor use of technology, including Acceptable Use and Bring Your Own Device to Work (BYOD); and
- Information systems acquisition, development, operations, and maintenance.
- Detail the implementation and maintenance of FUUZ’s administrative, technical, and physical safeguards (see Section 6).
6. Safeguards. FUUZ will develop, implement, and maintain reasonable administrative, technical, and physical safeguards in accordance with applicable laws and standards to protect the security, confidentiality, integrity, and availability of personal or other sensitive information that FUUZ owns or maintains on behalf of others.
- Safeguards shall be appropriate to FUUZ’s size, scope, and business, its available resources, and the amount of personal and other sensitive information that FUUZ owns or maintains on behalf of others, while recognizing the need to protect both customer and employee information.
- FUUZ shall document its administrative, technical, and physical safeguards in FUUZ’s information security policies and procedures (see Section 5).
- FUUZ’s administrative safeguards shall include, at a minimum:
- Designating one or more employees to coordinate the information security program (see Section 3);
- Identifying reasonably foreseeable internal and external risks, and assessing whether existing safeguards adequately control the identified risks (see Section 4);
- Training employees in security program practices and procedures, with management oversight (see Section 3);
- Selecting service providers that are capable of maintaining appropriate safeguards, and requiring service providers to maintain safeguards by contract (see Section 7); and
- Adjusting the information security program in light of business changes or new circumstances (see Section 11).
- FUUZ’s technical safeguards shall include maintenance of a security system covering its network (including wireless capabilities) and computers that, at a minimum, and to the extent technically feasible, supports:
- Secure user authentication protocols, including:
- Controlling user identification and authentication with a reasonably secure method of assigning and selecting passwords (ensuring that passwords are kept in a location or format that does not compromise security) or by using other technologies, such as biometrics or token devices;
- Restricting access to active users and active user accounts only and preventing terminated employees or contractors from accessing systems or records; and
- Blocking a particular user identifier’s access after multiple unsuccessful attempts to gain access or placing limitations on access for the particular system.
- Secure access control measures, including:
- Restricting access to records and files containing personal or other sensitive information to those with a need to know to perform their duties; and
- Assigning to each individual with computer or network access unique identifiers and passwords (or other authentication means, but not vendor-supplied default passwords) that are reasonably designed to maintain security.
- Encryption of all personal or other sensitive information traveling wirelessly or across public networks;
- Encryption of all personal or other sensitive information stored on laptops or other portable or mobile devices, and, to the extent technically feasible, of personal or other sensitive information stored on any other device or media (data at rest);
- Reasonable system monitoring for preventing, detecting, and responding to unauthorized use of or access to personal or other sensitive information or other attacks or system failures;
- Reasonably current firewall protection and software patches for systems that contain (or may provide access to systems that contain) personal or other sensitive information; and
- Reasonably current system security software (or a version that can still be supported with reasonably current patches and malicious software (“malware”) definitions) that (1) includes malware protection with reasonably current patches and malware definitions, and (2) is configured to receive updates on a regular basis.
- FUUZ’s physical safeguards shall, at a minimum, provide for:
- Defining and implementing reasonable physical security measures to protect areas where personal or other sensitive information may be accessed, including reasonably restricting physical access and storing records containing personal or other sensitive information in locked facilities, areas, or containers;
- Preventing, detecting, and responding to intrusions or unauthorized access to personal or other sensitive information, including during or after data collection, transportation, or disposal; and
- Secure disposal or destruction of personal or other sensitive information, whether in paper or electronic form, when it is no longer to be retained in accordance with applicable laws or accepted standards.
7. Service Provider Oversight. FUUZ will oversee each of its service providers that may have access to or otherwise create, collect, use, or maintain personal or other sensitive information on its behalf by:
- Evaluating the service provider’s ability to implement and maintain appropriate security measures, consistent with this WISP and all applicable laws and FUUZ’s obligations.
- Requiring the service provider by contract to implement and maintain reasonable security measures, consistent with this WISP and all applicable laws and FUUZ’s obligations.
- Monitoring and periodically auditing the service provider’s performance to verify compliance with this WISP and all applicable laws and FUUZ’s obligations.
8. Monitoring. FUUZ will regularly test and monitor the implementation and effectiveness of its information security program to ensure that it is operating in a manner reasonably calculated to prevent unauthorized access to or use of personal or other sensitive information. FUUZ shall reasonably and appropriately address any identified gaps. FUUZ’s testing and monitoring program shall address the effectiveness of FUUZ’s safeguards, specifically their key controls, systems, and procedures, including those FUUZ uses to detect attempted and actual attacks on or intrusions into its networks and systems that handle personal or other sensitive information. Specifically, FUUZ will implement and maintain as appropriate for its networks and systems that handle personal or other sensitive information either:
- Continuous monitoring or other systems to detect on an ongoing basis changes that may create vulnerabilities; or
- A combination of the following according to FUUZ’s risk assessment (see Section 4):
- Annual penetration testing; and
- Periodic vulnerability assessments, including scans or reviews reasonably designed to identify publicly known security vulnerabilities, conducted at least every six months and whenever there are material changes to FUUZ’s operations or business arrangements or circumstances occur that may have a material impact on FUUZ’s information security program.
9. Incident Response. FUUZ will establish and maintain written policies and procedures regarding information security incident response (see Section 5). Such procedures shall include:
- Documenting the response to any security incident or event that involves a breach of security.
- Performing a post-incident review of events and actions taken.
- Reasonably and appropriately addressing any identified gaps.
10. Enforcement. Violations of this WISP will result in disciplinary action, in accordance with FUUZ’s information security policies and procedures and human resources policies. Please see the Employee Handbook for disciplinary measures.
11. Program Review. FUUZ will review this WISP and the security measures defined herein at least annually, when indicated by FUUZ’s risk assessment (see Section 4) or program monitoring and testing activities (see Section 8), or whenever there is a material change in FUUZ’s business practices that may reasonably implicate the security, confidentiality, integrity, or availability of records containing personal or other sensitive information.
- FUUZ shall retain documentation regarding any such program review, including any identified gaps and action plans.