IPM1

Information security, including cyber security and confidentiality, was given greater focus as part of a 2016 cycle of improvement, and it is now under the umbrella of the Company’s Risk Information Security Program (RISP). Part of the RISP included the creation of a new role, IT Systems and Security Administrator, who is a Certified Information Systems Security Professional (CISSP). The following are the RISP’s priorities:
• Protect information assets
• Ensure organizational awareness of emerging cybersecurity threats
• Continually improve the program

The RISP also governs security measures to protect appropriate use procedures for IPM employees, including extensive permission levels. To protect our systems from cybersecurity attacks, all computers and servers have anti-virus to protect from malware, Sophos Intercept X to detect ransomware, and Safe Links for scanning emails and their attachments and links. All serve to detect any breaches; early detection serves to limit the impact of the attack, so the first response is to determine the scope of the breach. Once the threat has been neutralized, IPM will fix the problem and replace any damaged system/hardware. Additionally, in 2016 IPM purchased a comprehensive cyber liability insurance policy, which protects the Company if any of our clients’ data is compromised.

6.2c Safety and Emergency Preparedness

6.2c(1) Safety

IPM’s Safety Program exists to provide a safe operating environment for IPM employees. The program establishes standards and guidelines that have been created to advance the understanding of safety while utilizing all available communication channels (e.g., The Pulse, email, The Hub) to keep IPMers informed of safety, health, and environmental concerns and issues. With a stated commitment to the safety and health of our employees, IPM management evaluates new and revised safety regulations and procedures and incorporates them as needed.
The Company pledges to support regulatory agencies and others endeavoring to improve safety awareness, responsibility, and the elimination of hazards. Employees receive safety training within the first two weeks of employment. The safety training is designed to address accident prevention, open the lines of communication, and highlight IPM’s commitment to safety. IPM has had only one lost-time accident or injury in the past 10 years, resulting in one lost day of work. Our process is to complete all required OSHA forms and investigate the issues to find the root cause and allow for full recovery. At our customer sites, IPM consultants must complete all client-mandated safety-related training, and our contracts include language on safety requirements when pertinent. IPM supports purchasing safety equipment to mitigate ergonomic issues and to comply with any safety regulations stipulated by our clients. Safety equipment, such as hard hats and safety goggles, is provided to employees whenever needed.

6.2c(2) Business Continuity

Emergency preparedness plans are in place for each office to address specific weather-related safety concerns, as determined by region. For example, the Central Region (CR) offices’ emergency plans include tornado safety, and the West Region (WR) plans include earthquake safety. In the event of a fire or severe weather affecting IPM’s ability to conduct business from the office, the Company’s Disaster Recovery Team (DRT) would be activated immediately to begin implementing IPM’s business continuity procedures, known as the Disaster Recovery Plan (DRP). After employee safety, communicating with employees to ensure they are fully updated is IPM’s highest priority during an emergency. The DRP has procedures to maintain continuity and limit the duration of disruption to business functions. IPM’s business relies fully on our workforce. The nature of our operations enables employees to work from home if a disaster were to strike near a regional office, resulting in minimal business interruption. The DRP includes the basic approach, general assumptions, and roles and responsibilities of the DRT whose members have been identified and trained to implement the plan. In addition, the plan provides an assessment tool to determine when conditions constitute a disaster, and if one occurs, provides the steps members of the DRT should consider to manage it and restore business operations. A unique DRP simulation exercise is undertaken biannually, and the DRP itself is reviewed annually and processes or details are changed based on the current set of circumstances. IPM also has an IT Service Continuity Plan to ensure our IT systems continue to be secure in the face of a disaster.
The IT Service Continuity Plan is designed to facilitate the quick recovery of mission-critical applications and hardware components, including access to duplicate hardware for all mission-critical devices, vendor contact and support information, backup and restoration procedures, on-site and off-site locations, specifications of required software components and configuration files, and a network diagram including system configurations and specifications; the plan is updated biannually. IPM data and information are protected through daily backups and off-site cloud storage. Should a disaster occur, IPM would purchase new IT hardware and restore from backup within a few days of the occurrence. IPM utilizes Evault cloud backup to ensure a quick, reliable recovery.
