We employ a broad array of policies, procedures and methodologies to ensure your data is safe with us – across all of CCRA’s brands. We take the responsibility of data security very seriously, and it’s at the core of everything we do. Here are some specifics that should make you feel confident in your partnership with us.
CCRA continues to invest in the latest technology to ensure confidential and sensitive information is both respected and protected.
Our security policies cover network and computer systems and applications, operational processes and procedures, and physical locations.
We follow the guiding principles recommended by the SANS Institute Information Security Research resource center, which are as follows:
Our servers are all located in a Savvis data center. Savvis Data Centers offer world-class facilities for Power Management, Heating/Ventilation/Air Conditioning (HVAC), Fire Suppression, Seismic Engineering, Physical Security, Tier 1 Internet connectivity and access to our Intelligent IP and IP MPLS network. Our servers which power your services are protected with redundant power, internet, switches, cooling, fire suppression, security devices and remote hands gold support.
In addition, we have all of our servers and data securely replicated to a cloud-based backup for easy and fast recovery in the event of any server loss.
This security enables us to spend less time concerned with infrastructure and more time working on additional features, automation and innovation for our clients.
We utilize the full efficiency and agility of cloud computing by virtualizing, pooling and automating all data center resources—servers, storage, networking, security and availability—and tying everything together with policy-based provisioning and automated operations management. The result is a software-defined data center where:
To provide the basis for protecting the confidentiality of data at CCRA by establishing a data classification system. Further policies and standards will specify handling requirements for data based on their classification.
This standard applies to all data or information that is created, collected, stored or processed by CCRA, in electronic or non-electronic formats.
All data at CCRA shall be assigned one of the following classifications. Collections of diverse information should be classified at the most secure classification level of any individual information component within the aggregated information.
Procedure for Monitoring of IT Resources
CCRA may monitor IT resources and retrieve communications and other records of specific users of CCRA IT resources, including individual login sessions and the content of individual communications, without notice. The criteria and steps required for approval of such monitoring or retrieval without notice are set forth in this policy. A request for such monitoring or retrieval of records and documents must be provided to the CTO (or designee) with the necessary approvals. Approvals must be obtained from the President and CEO (or designee) who supervises the unit requesting such access. If the records are being monitored or retrieved for the purposes of reviewing or investigating employee conduct, the approval of Human Resources is also required.
Prior approval is not required to monitor CCRA IT resources or retrieve communications and other records in the following situations:
The communications and/or records have been made accessible to the public, as by posting to a webpage.
A person’s authorization to access or use any CCRA IT resources ends, for example upon termination of employment or appointment.
The monitoring or retrieval is in response to an emergency. An emergency occurs when there is an imminent threat to life or property and there is not sufficient time available to obtain approval. In such a situation, monitoring or retrieval may be conducted without prior approval, with notification to the appropriate leadership as soon as possible. The scope of access should be reasonable in relation to the emergency situation involved.
Approval may be granted to monitor communications or retrieve records when any one or more of the following situations apply:
It reasonably appears necessary or appropriate to do so to protect the integrity, security or functionality of CCRA or other computing resources.
It reasonably appears necessary or appropriate to do so to comply with legal or contractual requirements or to protect CCRA from liability or disruption. Examples of situations in which access and retrieval are authorized under this paragraph include but are not limited to responses to public records requests, subpoenas, court orders, and discovery requests.
There is reasonable cause to believe that the user has violated or is violating the Acceptable Use Policy or that the user has violated, or is violating, any other CCRA rule, regulation, policy, or collective bargaining agreement, or any other law or regulation and the access is reasonable in relation to the believed violation.
It is part of any investigation or review of an already asserted, threatened or potential complaint or grievance or of a credible allegation of a violation of the law, including without limitation local, state or federal law, or foreign law as applicable, CCRA rule, regulation or policy, or the subject of a law enforcement review or investigation, and the scope of access to the account or activity is reasonable in relation to the complaint, grievance or allegation.
An account appears to be engaged in unusual or unusually excessive activity.
CCRA has a legitimate need to access an account or activity and the access is reasonable in relation to the need.
The results of any such general or individual monitoring, including but not limited to the contents and records of individual communications, may be released pursuant to a public records request. In addition, CCRA, in its discretion, may disclose the results of any such general or individual monitoring for any legitimate purpose to appropriate CCRA staff or law enforcement agencies and may use those results in appropriate external and internal disciplinary and other proceedings.
Acceptable Use of Information Technology Resources
This represents a summary of CCRA’s Acceptable Use Policy. Users are required to comply with the entire policy. Approval requirements are detailed in the full policy.
CCRA's Information Technology (IT) resources are to be used for CCRA-related business purposes. Some examples of IT resources are computers, software, networks, and electronic devices. This policy applies to all users of CCRA's IT resources, whether affiliated with CCRA or not, and to all users of those resources, whether in HQ or from remote locations. Users are responsible for following CCRA's Acceptable Use Policy.
Additional requirements apply to the collection, use, storage, and maintenance of Restricted Data.
Consequences of Violations
Users who violate this policy may be subject to penalties and disciplinary action, including expulsion, dismissal, or revocation of user access.
Authentication mechanisms such as passwords are the primary means of protecting access to computer systems and data. It is essential that these authenticators be strongly constructed and used in a manner that prevents their compromise.
This policy applies to all passwords and other authentication methods used at CCRA.
CCRA adheres to all applicable laws when it comes to marketing and your privacy. We do not share your information with third parties and we always take it seriously when you opt out of a communication.
We assure equal opportunity of employment for all applicants and employees of CCRA without regard to race, color, religion, national origin, gender, disability, age, marital status or sexual preference.