
    IT Policy Flow-Down Requirements to Vendors

    Policies


    IT-Acceptable Use

    Purpose

    The Acceptable Use Policy (AUP) establishes guidelines for the appropriate use of the company’s IT resources, including hardware, software, network, and data systems. This policy ensures that all users understand their responsibilities in maintaining security, privacy, and efficiency in their use of company resources.

    Scope

    This policy applies to all employees, contractors (1099), consultants, temporary staff, and other workers at the company, including all personnel affiliated with third parties who access company IT resources.

    Policy

    1. Authorized Use

    Markon systems are to be used for authorized purposes only and may grant access to sensitive and protected information, including but not limited to FCI, CUI, CDI, or CTI. Distribution of any such information is only permitted through adherence to established protocols. Sensitive information may only be shared with authorized recipients.

    2. Accountability

    Users are responsible for the security of the accounts issued to them. Passwords must not be shared with others, and accounts should be locked or logged off when not in use.

    3. Network Usage

    Employees must not use the company’s internet or network services to engage in activities that are illegal, unethical, or violate company policies. This includes accessing inappropriate websites, downloading unauthorized software, and using bandwidth excessively for non-work-related activities.

    4. Email and Communication Tools

    Employees are expected to use email, messaging, and collaboration tools provided by the company in a professional manner. Personal or inappropriate use of these tools is prohibited, and all communications should align with company standards and guidelines.

    5. Prohibited Actions
    • Installing or using unauthorized software or hardware

    • Accessing, creating, or distributing content that is offensive, defamatory, or harassing

    • Sharing confidential company data without authorization

    • Engaging in illegal or unethical activities, including hacking, data theft, or unauthorized access to systems

    6. Monitoring and Consent

    By accessing any system at Markon, users acknowledge and agree that there is no expectation of privacy, either explicit or implicit. All usage of these systems and any data stored or transmitted within them may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized compliance and law enforcement personnel, as well as authorized officials of other agencies. Unauthorized or improper use of Markon systems may result in administrative disciplinary action and civil and criminal penalties. Use of these systems indicates awareness of and consent to these terms and conditions of use.

    7. Data Maintenance

    Users are required to update and maintain any data requested of them in our Corporate Directory and Talent Pool systems. Ensuring accuracy and currency of information in these systems is essential for organizational efficiency and compliance. 


    IT-Data Security

    Purpose

    The Data Security Policy establishes guidelines for protecting sensitive data within Markon. It ensures that all users understand their responsibilities in safeguarding confidential information and maintaining the integrity and security of company data.

    Scope

    This policy applies to all employees, contractors (1099), consultants, temporary staff, and other personnel with access to Markon's data systems. It covers all types of data, including but not limited to CUI, financial records, and personally identifiable information (PII).

    Policy

    1. Data Sensitivity Labels
    All data must be classified using the following sensitivity labels:
    • None: Data that is public and does not require protection
    • Markon Sensitive: Data for internal use that is not to be disclosed outside of Markon without authorization
    • CUI (Controlled Unclassified Information): Sensitive information that is protected by government regulation and must adhere to strict handling protocols
    2. Access Control

    Access to data is granted on a need-to-know basis. Users are assigned roles with the least amount of privilege required to perform their duties. Unauthorized access, sharing, or modification of data is strictly prohibited.

    3. Data Encryption

    Sensitive data, including Markon Sensitive and CUI, must be encrypted both at rest and in transit. Encryption standards will be maintained in accordance with industry best practices and regulatory requirements.

    4. Data Sharing

    Sensitive data may only be shared with authorized recipients who have the appropriate clearance and have agreed to follow Markon's data security policies. Data shared externally must follow established protocols for encryption and verification.

    5. Data Storage

    Company data should only be stored on authorized devices and systems. Storing sensitive information on personal devices, external storage, or non-approved cloud services is not allowed without explicit permission.

    6. Incident Reporting

    Any actual or suspected data breach, unauthorized access, or data loss must be reported immediately to the IT security team at Helpit@markonsolutions.com. The company will investigate all incidents and take corrective measures as necessary.

    7. Data Retention and Disposal

    Data must be retained for the period specified by regulatory and company policies. Upon expiration, data must be securely destroyed using methods that prevent reconstruction of the information.

    8. User Responsibility

    Users are responsible for protecting the integrity of Markon’s data. This includes using strong passwords, securing workstations, and complying with data protection protocols.

    9. Monitoring and Auditing

    Markon reserves the right to monitor and audit access to sensitive data. Regular reviews of data access logs will be conducted to ensure compliance with this policy and to detect any unauthorized activities.

    IT-Password Management

    Purpose

    The Password Management Policy establishes guidelines for creating, managing, and safeguarding passwords at Markon. It ensures that all users understand their responsibility in maintaining strong password security to protect the company's systems and data.

    Scope

    This policy applies to all employees, contractors (1099), consultants, temporary staff, and other personnel who have access to Markon's IT systems, applications, and data.

    Policy

    1. Password Creation
    Passwords must be created using the following minimum requirements:
    • Must be at least 12 characters in length (where the software or service allows it; if not, the maximum settings should be used)
    • Must contain a combination of uppercase and lowercase letters, numbers, and special characters
    • Must not contain easily guessable information such as user names, birthdays, or common words
    • Passwords must not be reused across multiple accounts or from previous password cycles
    2. Password Management
    • Occasionally, passwords may need to be shared for specific external systems. In such cases, storing passwords in unencrypted files (e.g., Word, Excel, or text files) is not permitted. All shared passwords must be securely stored in the corporate password manager
    • Users must not use the same password for different systems or applications, especially between personal and professional accounts
    • Temporary passwords issued for initial login or password resets must be changed immediately upon first use
    3. Multi-Factor Authentication (MFA)

    All users are required to enable multi-factor authentication (MFA) for systems that support it. The second factor can be either:

    • A phone running the Microsoft Authenticator app, or
    • A TOTP (Time-based One-Time Password) security token issued by IT
    4. Password Resets

    Users who forget their passwords or believe their credentials have been compromised must first attempt to reset their password through company-approved self-service tools. If further assistance is required, they should contact their manager to request a reset through the Help Desk system (via HappyFox or HelpIT@markonsolutions.com).

    5. Monitoring and Auditing

    Markon reserves the right to monitor and audit password usage and authentication logs. This helps to identify any suspicious behavior or potential threats related to password management.

    IT-Cloud Management

    Purpose

    The Cloud Access Policy defines the guidelines for accessing Markon's cloud-based systems and networks. It ensures that all users understand their responsibilities in maintaining the security and integrity of company resources while working remotely or off-site.

    Scope

    This policy applies to all employees, contractors (1099), consultants, temporary staff, and other personnel who require access to Markon's cloud-based IT systems, applications, or data.

    Policy

    1. Secure Connections

    All access to the company’s cloud systems must be made through secure, encrypted channels. Users must not bypass security measures or use unauthorized software for accessing cloud services.

    2. Multi-Factor Authentication (MFA)

    Users must enable multi-factor authentication (MFA) when accessing company cloud resources. The second factor can be either:

    • A phone running the Microsoft Authenticator app, or
    • A TOTP (Time-based One-Time Password) security token issued by IT
    3. Device Security

    Devices used to access cloud systems must comply with company security standards, including:

    • Installing the latest security updates and patches
    • Running updated antivirus software
    • Enabling firewalls and encryption where applicable
    • Not sharing access with unauthorized users or third parties
    4. Data Protection

    Users must ensure that sensitive company data is not stored or transferred to unauthorized devices or services. Cloud access should not be used to store or process Markon Sensitive or CUI data on personal or unapproved devices.

    5. Usage Monitoring

    Markon reserves the right to monitor all access activity to its cloud-based systems to ensure compliance with security policies and to detect any unauthorized activities.

    6. Incident Reporting

    Any suspected or actual security incidents, breaches, or unauthorized access attempts must be reported immediately to the IT security team at helpIT@markonsolutions.com.

    IT-Incident Response

    Purpose

    The Incident Response Policy outlines the procedures for detecting, responding to, and recovering from security incidents at Markon. This policy ensures that all incidents are handled swiftly and effectively to mitigate risks and protect company assets.

    Scope

    This policy applies to all employees, contractors (1099), consultants, temporary staff, and other personnel who use Markon's IT systems or networks. It covers incidents related to data breaches, unauthorized access, malware, phishing attacks, and other security-related events.

    Policy

    1. Incident Identification

    Users are responsible for reporting any suspected or actual security incidents, including unauthorized access, data breaches, phishing attempts, or malware infections. Incidents must be reported immediately to the IT security team at HelpIT@markonsolutions.com.

    2. Incident Classification

    All reported incidents will be classified based on severity and impact. Classifications include:

    • Low: Minimal impact, no data compromised
    • Medium: Potential impact on internal systems, minor data compromised
    • High: Significant impact, including compromised sensitive data (e.g., Markon Sensitive or CUI)
    3. Incident Response Team

    The IT security team, in coordination with relevant departments, will act as the Incident Response Team (IRT). The IRT will:

    • Assess the severity of the incident
    • Contain the incident to prevent further damage
    • Eradicate the cause (e.g., remove malware, block unauthorized access)
    • Recover any affected systems or data
    4. Notification and Communication

    If an incident involves sensitive data (Markon Sensitive or CUI), relevant stakeholders, including the data owner, will be notified. External parties, including clients or regulators, may be informed if legally required.

    5. Post-Incident Review

    After the incident is resolved, a post-incident review will be conducted. The review will:

    • Document the root cause of the incident
    • Assess the response and containment efforts
    • Provide recommendations to prevent similar incidents in the future
    6. Training and Awareness

    All employees are required to undergo regular training on recognizing and reporting security incidents. Additional training will be provided following any significant incident to address weaknesses identified during the review.

    IT-Backup and Disaster Recovery

    Purpose

    The Backup and Disaster Recovery Policy defines the procedures for ensuring the continuity of Markon’s operations in the event of a system failure, data loss, or other disaster scenarios. This policy ensures that critical data is regularly backed up and that recovery processes are in place to restore services swiftly.

    Scope

    This policy applies to all employees, contractors (1099), consultants, temporary staff, and other personnel responsible for managing, storing, or processing company data. It covers all systems, databases, applications, and cloud services used by Markon.

    Policy

    1. Data Backup
    • Data is to be backed up via Microsoft OneDrive, either through the sync client on Markon-issued computers or manually for non-laptop-based employees
    • Any data intended to be kept long-term must be stored in Egnyte or in SharePoint Online for the life of the project
    • Upon project completion, data from SharePoint Online must be moved to Egnyte for long-term storage, either automatically or upon request of the data site owner
    2. Disaster Recovery Plan (DRP)

    Markon maintains a Disaster Recovery Plan (DRP) to ensure the swift restoration of services following any system failure or data loss. The DRP includes:

    • Recovery Objectives: Defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO) to ensure minimal disruption
    • Recovery Procedures: Step-by-step instructions to restore critical systems and data
    • Responsibility Assignment: Specific roles and responsibilities for team members in the event of a disaster
    3. Testing and Audits

    An audit of 10-15 random data sources will be conducted at least once a year to ensure the effectiveness of the backup and recovery processes. Any weaknesses identified during testing will be addressed and corrected.

    4. Monitoring and Reporting

    Backup processes will be monitored regularly to ensure successful execution. Any failed backups or system failures will be reported immediately to the IT/Security team at HelpIT@markonsolutions.com for corrective action.

    5. Third-Party Cloud Services

    In cases where third-party cloud services are used, Markon will ensure that these vendors have robust backup and disaster recovery procedures in place, aligning with company standards.

    IT-Software Installation and Licensing

    Purpose

    The Software Installation and Licensing Policy establishes guidelines for the authorized installation, use, and management of software at Markon. This policy ensures that all software is licensed, compliant with legal standards, and installed in a secure manner.

    Scope

    This policy applies to all employees, contractors (1099), consultants, temporary staff, and other personnel who install or use software on any Markon devices or access the company’s network. It covers both locally installed software and cloud-based applications.

    Policy

    1. Authorized Software

    Only software that has been approved by the IT department may be installed on company-owned devices. This includes:

    • Business applications
    • Productivity tools

    No software is to be installed without prior approval from the IT department. Requests for new software installations must be submitted to the IT team for review and approval.

    2. Licensing Compliance
    • All software used at Markon must be properly licensed; the IT department will maintain records of software licenses and ensure compliance with vendor agreements
    • Use of unlicensed or pirated software is strictly prohibited
    • Software owners must request termination of renewals prior to the renewal date; otherwise, the item will be automatically renewed and charged as normal
    • No software sharing is allowed; all software must be licensed to individual users and not to a group
    3. Software Updates

    All software must be set to update. If an update cannot be applied for reasons such as compatibility issues, a written request via a helpdesk ticket is required. Failure to comply with this may result in security vulnerabilities.

    4. Monitoring and Auditing

    The IT department reserves the right to monitor software installations and usage to ensure compliance with this policy. Regular audits will be conducted to ensure that only approved and licensed software is installed on company systems.

    IT-Bring Your Own Device (BYOD)

    Purpose

    The BYOD Policy defines the guidelines for employees, contractors, and other personnel who use personal devices to access Markon's systems, data, and networks. The policy ensures that personal devices are used securely and responsibly in a way that protects company data and resources.

    Scope

    This policy applies to all employees, contractors (1099), consultants, temporary staff and other personnel who use their own devices (e.g., laptops, tablets, smartphones) for work-related purposes at Markon.

    Policy

    1. Device Approval

    Any personal device used for accessing company systems or data must be approved by IT. Approval will be based on the device’s ability to meet security and compatibility requirements. Note: Phones and BYOD devices are not supported by Markon IT.

    2. Security Requirements

    All personal devices must adhere to the following security standards:

    • Devices must have the latest operating system updates and security patches installed
    • All devices must be up to date and supported by their manufacturers for continued security updates
    • Antivirus software must be installed and regularly updated
    • Devices must be protected by a password, PIN, or biometric authentication
    • Multi-factor authentication (MFA) must be enabled when accessing company systems
    3. Data Access and Storage
    • No CUI (Controlled Unclassified Information) is allowed on BYOD devices or phones, with the exception of the Microsoft Outlook app or Microsoft Teams app on Android or iOS
    • Employees must not store Markon Sensitive data on personal devices unless explicitly authorized; any authorized data stored on personal devices must be encrypted, and employees are responsible for ensuring that company data is not shared or accessed by unauthorized users
    4. Usage Restrictions

    Personal devices must not be used for:

    • Downloading unauthorized software or apps that could compromise company security
    • Accessing inappropriate content or engaging in activities that violate company policy
    • Sharing access to company data or systems with unauthorized individuals

    The following laptop/phone manufacturers are not permitted for use with Markon systems:

    • HUAWEI
    • Lenovo
    5. Monitoring and Management

    Markon reserves the right to monitor activity on personal devices accessing its systems. IT may request access to devices to ensure compliance with company policies, especially in the event of a security incident.

    7. Lost or Stolen Devices

    Any lost or stolen personal device used for company work must be reported to the IT security team immediately at HelpIT@markonsolutions.com. The IT team will take steps to remotely lock or wipe the device if necessary to protect company data.

    8. Disabling Access

    Markon reserves the right to disable access to its systems and data if a personal device is found to be non-compliant with the BYOD policy or if a security risk is identified.

    9. Employee Responsibilities

    Employees are responsible for:

    • Ensuring their devices comply with the company’s security requirements
    • Reporting any security incidents or breaches immediately
    • Maintaining backups of personal data, as the company is not responsible for personal data loss resulting from security measures

    IT-Network Security

    Purpose

    The Network Security Policy establishes guidelines to protect Markon’s network infrastructure, systems, and data from unauthorized access, breaches, and other security threats. It ensures that the network is secure, monitored, and properly managed.

    Scope

    This policy applies to all employees, contractors (1099), consultants, temporary staff, and other personnel who access Markon's network, systems, or cloud-based services.

    Policy

    1. Network Access Control

    Access to the Markon network is restricted to authorized users only. Users must authenticate using their unique credentials, and multi-factor authentication (MFA) is required for all external access. 

    2. Firewalls and Security Appliances

    Firewalls and security appliances are used to protect the network perimeter and critical systems. These devices must be configured to block unauthorized traffic, and regular reviews of firewall rules and logs must be conducted.

    3. Wireless Network Security

    Wireless access to the network is secured with encryption, and only approved devices are permitted to connect to the wireless network. Guest users must use the guest Wi-Fi, and Markon Wi-Fi must not be posted publicly at the office.

    4. Network Monitoring and Logging

    The IT department will continuously monitor network traffic and activity for suspicious behavior. All network activity is logged, and logs are regularly reviewed for security incidents and performance issues.

    5. Data Encryption

    All sensitive data transmitted across the network must be encrypted using secure protocols (e.g., SSL/TLS). Unencrypted data transmission over the network is prohibited.

    6. Incident Response

    In the event of a network security breach or incident, the IT security team will respond immediately to mitigate the threat. Incident details will be documented, and steps will be taken to prevent future occurrences.

    7. Third-Party Network Access

    Third parties requiring network access must be pre-approved and comply with Markon's security standards. Third-party access must be closely monitored and limited to only necessary resources.

    8. Network Maintenance and Patching

    Regular maintenance, updates, and security patches must be applied to network infrastructure and devices to address vulnerabilities and ensure ongoing security. 

    IT-Asset Management

    Purpose

    The Asset Management Policy defines the procedures for tracking, managing, and safeguarding Markon's IT assets. This policy ensures that all company-owned hardware and other digital assets are properly accounted for and maintained throughout their lifecycle.

    Scope

    This policy applies to all employees, contractors (1099), consultants, temporary staff, and other personnel responsible for handling or managing IT assets at Markon.

    Policy

    1. Asset Inventory

    All IT assets, including hardware (e.g., laptops, servers, mobile devices), must be recorded in the company’s asset inventory. The inventory will track:

    • Asset ownership
    • Asset status (active, inactive, retired)
    2. Asset Assignment and Sharing
    • IT assets cannot be shared in the field unless specifically coordinated with IT beforehand; laptops cannot be "given" to employees replacing someone in a role without proper coordination with IT
    • Employees are responsible for company-issued IT assets assigned to them; any transfer of assets between employees must be approved and recorded by the IT department
    3. Asset Maintenance and Support

    All IT assets must be regularly maintained, and any issues with hardware must be reported to the IT department. Preventative maintenance will be performed to extend the life of assets.

    4. Laptop Refresh
    • Laptops are replaced on a 4-year cycle regardless of their stability
    • If a laptop requires repair during its 3rd year, it will be replaced
    • All laptops must be returned to factory defaults, and all data erased before being re-issued; in the event of a concern about removing sensitive data, the laptop can be placed into storage at the manager's request for 30 days
    5. Asset Security

    Employees must ensure that all IT assets are securely stored and protected against theft, loss, or damage. This includes using encryption, strong passwords, and physical security measures. If any asset is lost or stolen, it must be reported immediately to the IT department at HelpIT@markonsolutions.com.

    6. Return of Assets

    Prior to leaving the company, all IT assets (e.g., laptops, MFA tokens, monitors) must be returned to Markon IT or handed over to the employee’s manager, who will then ensure the assets are returned to Markon HQ.

    IT-User Access Control

    Purpose

    The User Access Control Policy establishes guidelines for granting, managing, and revoking access to Markon's IT systems, applications, and data. This policy ensures that only authorized users have access to company resources, maintaining security and compliance.

    Scope

    This policy applies to all employees, contractors (1099), consultants, temporary staff, and other personnel who require access to Markon's IT systems and applications.

    Policy

    1. Access Requests

    Access to company systems and data must be requested through a formal process. Access will only be granted based on job roles and responsibilities, and users must have the appropriate level of clearance for sensitive information (e.g., Markon Sensitive, CUI).

    2. Approval by Data Owners

    The data owner must approve any access to specific data or systems. This request must be made via a helpdesk ticket (help.markonsolutions.com) and must include the user’s name(s) and the specific systems or data they need access to.

    3. Role-Based Access Control (RBAC)

    Access to systems and data will be based on a user's role within the company. Only the minimum necessary access privileges (least privilege) will be granted to complete their job functions.

    4. Periodic Access Reviews

    IT will conduct regular reviews of user access to ensure that permissions are aligned with job responsibilities and that inactive accounts are disabled or removed.

    5. Unused Accounts

    Unused accounts will be locked out after 60 days of inactivity. If the account remains unused for 90 days, it will be deleted unless specifically requested not to be deleted. This policy applies to both contractors and employees.

    6. Access Revocation

    Access to company systems must be revoked immediately upon termination or role change. Data owners are responsible for informing IT about revocation in cases where a user loses access to data due to a position change or role change but is not terminated. Managers are responsible for notifying IT of any changes in employment status to ensure access is revoked promptly.

    7. Multi-Factor Authentication (MFA)

    All users must use multi-factor authentication (MFA) when accessing critical systems or data. This enhances security by requiring a second form of verification beyond the user’s password.

    8. User Responsibilities

    Users are responsible for:

    • Keeping their credentials confidential and secure
    • Reporting any unauthorized access or suspicious activity to the IT/Security team immediately
    • Using only their assigned accounts and not sharing credentials with others

    IT-Physical Security

    Purpose

    The Physical Security Policy establishes guidelines for securing Markon's physical locations, equipment, and infrastructure to prevent unauthorized access, theft, damage, or loss.

    Scope

    This policy applies to all employees, contractors (1099), consultants, temporary staff, and other personnel who have access to Markon's physical facilities and assets.

    Policy

    1. Access Control

    Access to Markon’s offices, data centers, and other restricted areas is limited to authorized personnel only. Employees must use access cards, keys, or other company-approved authentication methods to enter secure areas.

    2. Visitor Management

    All visitors must sign in at the reception area and be escorted by authorized personnel at all times while on company premises. Visitors are not permitted in secure areas without prior approval and must be provided with temporary visitor badges.

    3. Physical Security Measures
    • Secure locks, surveillance cameras, and alarm systems must be installed in all sensitive areas to monitor and restrict access
    • Equipment rooms, server rooms, and areas storing sensitive data must have additional security measures, including restricted access and surveillance
    4. Device Security

    Company equipment, including laptops and mobile devices, must be securely stored when not in use. Employees must lock devices in secure cabinets or use cable locks to prevent theft when equipment is left unattended.

    5. Reporting Incidents

    Any physical security incidents, such as theft, unauthorized access, or tampering with equipment, must be reported immediately to the IT security team and facilities management. An investigation will be conducted to assess the situation and take corrective actions. 

    6. Securing Sensitive Areas

    Areas containing sensitive equipment or data, such as server rooms, must have limited access. Only authorized personnel may enter these areas, and access must be logged and regularly audited.

    7. Personal Responsibility

    Employees are responsible for securing their workspaces and ensuring that sensitive documents and devices are not left unattended. At the end of each workday, employees must ensure that all sensitive materials are locked away and that workstations are secured.

    8. Asset Tracking

    All physical assets, such as laptops, mobile devices, and hardware, must be tagged and tracked in the company’s asset management system. Any missing or stolen assets must be reported immediately to IT and facilities management. 

    IT-AI Usage

    Purpose

    This AI Usage Policy defines the acceptable and secure use of Artificial Intelligence (AI) tools at Markon. It ensures that AI is used responsibly, without exposing Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) to unauthorized platforms.

    Scope

    This policy applies to all Markon personnel who use AI tools for work purposes, including both company-provided and personal devices.

    Policy

    1. Approved AI Platforms

    Currently, only the following AI services are authorized for work-related use:

    • OpenAI ChatGPT (Markon-paid Team account)
    • Claude.ai (Markon-paid account)

    No other AI platforms are approved at this time.

    2. Data Restrictions
    • Prohibited Data Types: The following must never be entered, uploaded, or otherwise shared with any AI system:
      • Controlled Unclassified Information (CUI)
      • Federal Contract Information (FCI)
      • Any data classified under U.S. government security protocols
    • Company Data Use Rules:
      • Markon data may only be used in AI tools via Markon-paid accounts
      • Personal AI accounts are strictly prohibited for any Markon-related work, regardless of device used
    3. Accuracy and Verification

    All output from AI tools must be fact-checked before being used in any official Markon deliverable, client communication, or internal report.

    • AI-generated content should be treated as draft material, not final authority
    • Users are responsible for verifying accuracy against trusted, authoritative sources
    4. Security and Compliance
    • AI use must comply with all applicable Markon security policies, data handling requirements, and client contractual obligations
    • Violations of this policy may result in disciplinary action, up to and including termination, and may carry legal consequences
    5. Policy Review and Updates

    This policy will be reviewed annually or when significant changes occur in AI technology, security requirements, or government regulations.

    6. Acknowledgement

    By using AI tools for Markon business purposes, you agree to abide by this policy and understand the associated responsibilities.