Skip to main content
All CollectionsGeneral FAQs
Information Security and Employee Conduct Policy
Information Security and Employee Conduct Policy

Read Goodworld's policy on data security, access controls, and ethics

Richie Kendall avatar
Written by Richie Kendall
Updated over 4 months ago

January 2024

1701 Rhode Island Ave NW

Washington, DC 20036

Goodworld, Inc

Information Security and Employee Conduct Policy

The purpose of this policy is to provide a security framework that will ensure the protection of Goodworld proprietary and sensitive Company Information from unauthorized access, loss or damage while supporting the open, information-sharing needs of our customers, both donors and charitable organizations. Company Information may be verbal, digital, and/or collateral, individually-controlled or shared, stand-alone or networked, used for administration, research, teaching, or other purposes.

Failure to comply with this policy may subject you to disciplinary action and to potential penalties including termination and legal action.

The Information Security Policy applies to all Goodworld officers, employees, interns, and contractors, as well as to any third party authorized to represent or act on behalf of Goodworld, Inc. This policy also applies to any other individuals or entities granted use of Company Information, including, but not limited to, contractors, temporary employees, and volunteers.

I. Access Control Policy

A. Access Control systems are in place to protect the interests of all users of Goodworld computer systems by providing a safe, secure and readily accessible environment in which to work.

B. Goodworld will provide all employees and other users with the information they need to carry out their responsibilities in an as effective and efficient manner as possible.

C. Generic or group access IDs are not permitted, unless specifically granted by the COO, CTO or CEO under exceptional circumstances. In such circumstance sufficient other controls on access must be in place.

D. The allocation of privilege rights (e.g. local administrator, domain administrator, super-user, root access) will be restricted and controlled by the CTO, and authorization provided jointly by the system owner and CTO. Technical teams may not issue blanket privilege rights to groups.

E. Access rights will be accorded following the principles of least privilege and need to know.

F. Every user should attempt to maintain the security of data at its classified level even if technical security mechanisms should fail.

G. Users electing to place information on digital media or storage devices or maintaining a separate database must only do so where such an action is in accord with the data's classification.

H. All Users (employees, interns, contractors, vendors) are obligated to report instances of non-compliance to a Goodworld company officer immediately.

I. No access to any Goodworld resources and services will be provided without prior authentication and authorization of a user's Goodworld account.

J. Password issuing, strength requirements, changing and control will be managed through formal processes overseen by the CTO. User Passwords will be complex, dynamic, multi-factor and changed every 90 days.

K. Access to Confidential, Restricted or Protected information will be limited to only authorized persons whose job responsibilities require it, as determined by the data owner and the COO. Requests for access permission to be granted, changed or revoked must be made in writing.

L. Users are expected to become familiar with and abide by Goodworld policies, standards and guidelines for appropriate and acceptable usage of the networks and systems.

II. Application Security.

Web based Goodworld applications are subject to security assessments based on the following criteria:

A. New or Major Application Release – subject to a full assessment prior to approval of the change control documentation and/or release into the live environment.

B. Third Party or Acquired Web Application – subject to full assessment after which it will be bound to policy requirements.

C. Point Releases – subject to an appropriate assessment level based on the risk of the changes in the application functionality and/or architecture.

D. Patch Releases – subject to an appropriate assessment level based on the risk of the changes to the application functionality and/or architecture.

E. Emergency Releases – An emergency release may be allowed to forgo security assessments and carry the assumed risk until such time that a proper assessment can be carried out.

F. Emergency releases will be designated as such by the COO or an authorized manager who has been delegated this authority by the COO.

III. Change Management

A. All system and application changes in Goodworld (e.g. operating system, computing hardware, networks, applications, data centers) are subject to this policy and will follow unit change management procedures. For the purpose of Section III, "Stakeholders" applies to both Goodworld employees and contractors as well as Goodworld commercial partners and users.

B. The following general requirements are mandatory parts of anychange management process:

  1. Scheduled change calendars and departmental communications operational procedures will be executed to inform stakeholders of upcoming application and system changes that impact system availability or operations

  2. Regular planned changes will be communicated to all stakeholders on a monthly basis through a communication mechanism of the CTO/COO choosing.

  3. Unplanned outages will be communicated immediately to stakeholders via email with regular updates on progress towards resolution and resumption of service

  4. Regular system and application patching schedules will be communicated to users and performed in such a way as to minimize system downtime and user productivity

  5. Processes will ensure that production data is not unnecessarily replicated or used in non-production environments

  6. Device configurations will be backed up and rollback procedures must exist prior to implementing a change

IV. Secure Workplace

A. Goodworld is committed to providing a workplace that is free from acts or threats of violence. It is therefore essential that every employee understand the importance of workplace safety and security.

B. Every threat of violence is potentially serious and must be treated as such. Threatening behavior can include such actions as throwing objects, making verbal threats to harm another individual or destroy property, displaying an intense or obsessive romantic interest that exceeds the normal bounds of interpersonal interest, or attempting to intimidate or harass other individuals.

C. Individuals who become aware of any threats of workplace violence must report these threats immediately to a Goodworld Officer.

D. For an individual who becomes aware of any actual violence, imminent violence, or threat of imminent violence, obtaining emergency assistance must be a matter of first priority. The individual should immediately contact Goodworld and, if appropriate, should contact the Police Department by dialing 911.

E. Compliance with this anti violence policy is a condition of employment for all members of the company.

V. Data Classification, Usage and Retention.

User information found in computer system files and databases will be classified as either confidential or non-confidential. The company will classify the information controlled by them. Goodworld is required to review and approve the classification of the information and determine the appropriate level of security to best protect it.

Furthermore, the CTO/COO will classify information controlled by units not administered by Goodworld.

VI. Disaster Recovery and Business Continuity

A. Business Risk Assessment and Business Impact Analysis

  1. Each Goodworld Officer (CEO, COO, CTO) will assess Business Risk and Business Impact for the Key Business Systems in his/her area of responsibility. The assessor should identify the criticality of Key Business Systems and the repositories that contain the relevant and necessary Data for the Key Business System. The assessment should also address the Disaster Contingency and Recovery Plan (the "Contingency Plan") for his/her area of responsibility. Such Plans shoud consider:

a) Key business processes; b) Applicable risk to availability; c) Prioritization of recovery; d) Recovery Time Objectives; and e) Recovery Point Objectives.

  1. For purposes of this Policy, a "Recovery Time Objective" is the duration of time and a service level within which a business process must be restored after a disaster or disruption in order to avoid unacceptable consequences associated with a break in business continuity and a "Recovery Point Objective" is the maximum tolerable period during which Data might be lost from an Information Resource.

B. Contingency Plans

  1. Key Business Systems will have a Contingency Plan for when hardware, software or Networks become critically dysfunctional or cease to function (short term or long term outages). This Plan will address the process that would be implemented to continue operations during the outage, including the incorporation of alternative off-site operations. Specifically, the Contingency Plan will consider:

a) An Emergency Mode Operations Plan for continuing operations in the event of temporary hardware, software or Network outage. This Plan should include information relating to the end user process for continuing operations. b) A Recovery Plan for returning functions and services to normal on-site operations when a disaster is over. c) A procedure for periodic testing, review and revision of the Contingency Plan for all affected Systems, as a group and individually as needed.

C. Data Plans

  1. The CTO will implement a Data Plan.

a) CTO (codebase) and COO (operational) are responsible for taking reasonable steps to ensure the backup of Data, particularly Sensitive Data and Confidential Data; b) A backup schedule; c) The Key Business Systems that are to be backed up; d) Where backup media is to be stored and workforce members who may access the stored backup media; e) Where backup media is to be kept secure before it is moved to storage, if applicable; f) Who may remove the backup media and transfer it to storage; g) Restoration procedures to restore Key Business System Data from backup media to the appropriate System; h) Test restoration procedures and frequency of testing to confirm the effectiveness of the Plan; i) The retention period for backup media; and j) A method for restoring encrypted backup media, including encryption key management.

VII. Encryption of Data and Encryption or Hashing of Passwords

A. Information

  1. If Goodworld Classified Information is created or received, it must be stored within a Goodworld managed secured system.

  2. However, when Goodworld Information is transmitted outside such a secure system, it will be encrypted in transit. Encryption in transit may include encrypting a file sent via email, encrypting a portable hard disk being used to transfer data or the use of encrypted transmission protocols such as SSL.

B. Devices. If a device is capable of device encryption and recovery keys can be safely made available to the Company, it is required that device encryption be applied.

C. Personally Owned Laptops

  1. Employees are prohibited from creating or storeing Classified Information on personally owned laptops, including via the use of file synchronisation tools. Non-classified information will not be stored on the device unless a copy is also stored in a Goodworld owned system.

  2. The worker handling Goodworld Information takes full responsibility for the application of the required security controls and for ensuring that the information is secure throughout its lifecycle, which will include ensuring the device is securely wiped of Company Information before disposal.

D. Other Portable Devices

  1. Particular care will be taken with the physical security of other portable devices with less inherent security features, such as digital cameras, external hard disks, USB sticks and recording devices.

  2. Where device encryption is available it should be used and the relevant recovery passphrases or keys securely stored on the Goodworld's network.

  3. The use of these devices should be avoided for Classified Information where possible, but if the a Goodworld Officer assesses that they are required to collect Classified Information that information will not be stored on the device beyond the minimum length of time required to transfer that data to a secure location such as a secure laptop or on the Goodworld network. Whilst the device holds Classified Information that information must be protected either with device encryption or file encryption. All records of the Classified Information will be securely deleted from the device immediately after successful transfer and the device must be disposed of securely when no longer required by Goodworld

VIII. Mobile Computing

A. All mobile computing and storage devices that access Goodworld data must be compliant with Goodworld Security Policies and Standards.

B. Any and all mobile computing devices used within the Goodworld information and computing environments must meet all applicable Goodworld encryption standards. mobile computing devices purchased with Goodworld funds, including, but not limited to contracts, grants, and gifts, must also be recorded in the unit's information assets inventory.

C. Goodworld information security policies are applicable to desktop or workstation computers apply to mobile computing devices.

IX. Network Security

A high-level network diagram of the network is maintained and reviewed on a yearly basis. The network diagram provides a high level overview of the cardholder data environment (CDE), which at a minimum shows the connections in and out of the CDE. Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable should also be illustrated.

X. Secure System Builds

A. Systems include but are not limited to servers, platforms, networks, communications, databases and software applications.

  1. An individual or group must be assigned responsibility for maintenance and administration of any system deployed on behalf of Goodworld. A list of assigned individuals or groups must be centrally maintained.

  2. Security must be considered at system inception and documented as part of the decision to create or modify a system.

  3. All systems must be developed, maintained and decommissioned in accordance with a secure system development lifecycle (SSDLC).

  4. Each system must have a set of controls commensurate with the classification of any data that is stored on or passes through the system.

  5. Separation of environments (e.g., development, test, quality assurance, production) is required, either logically or physically, including separate environmental identifications (e.g., desktop background, labels).

  6. Formal change control procedures for all systems must be developed, implemented and enforced. At a minimum, any change that may affect the production environment and/or production data must be included.

B. Databases and Software (including in-house or third party developed and commercial off the shelf (COTS):

  1. All software written for or deployed on Goodworld systems must incorporate secure coding practices, to avoid the occurrence of common coding vulnerabilities and to be resilient to high-risk threats, before being deployed in production.

  2. Once test data is developed, it must be protected and controlled for the life of the testing in accordance with the classification of the data.

  3. Where technically feasible, development software and tools must not be maintained on production systems.

  4. Where technically feasible, source code used to generate an application or software must not be stored on the production system running that application or software.

  5. Scripts must be removed from production systems, except those required for the operation and maintenance of the system.

  6. Privileged access to production systems by development staff must be restricted.

  7. Migration processes must be documented and implemented to govern the transfer of software from the development environment up through the production environment.

XI. Physical Security

Access to sensitive information in both hard and soft media format must be physically restricted to prevent unauthorised individuals from obtaining sensitive data.

A. Media is defined as any printed or handwritten paper, received faxes, floppy disks, backup tapes, computer hard drive, etc.

B. Media containing sensitive cardholder information must be handled and distributed in a secure manner by trusted individuals.

C. Visitors must always be escorted by a trusted employee when in areas that hold sensitive cardholder information.

D. Procedures must be in place to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible. "Employee" refers to full-time and part-time employees, temporary employees and personnel, and consultants who are "resident" on Company sites. A "visitor" is defined as a vendor, guest of an employee, service personnel, or anyone who needs to physically enter the premises for a short duration, usually not more than one day.

E. Strict control is maintained over the external or internal distribution of any media containing card holder data and has to be approved by management.

F. Strict control is maintained over the storage and accessibility of media

G. All computer that store sensitive cardholder data must have a password protected screensaver enabled to prevent unauthorized use.

XII. Remote Access

Only authorized persons may remotely access the company network. Remote access is provided to those employees, contractors and business partners of the company that have a legitimate business need to exchange information, copy files or programs, or access computer applications. Authorized connection can be remote PC to the network or a remote network to company network connection. The only acceptable method of remotely connecting into the internal network is using a secure ID.

XIII. Security Incident Management and Response

A. The company takes the issue of security seriously. Those people who use the technology and information resources of company must be aware that they can be disciplined if they violate this policy. Upon violation of this policy, an employee of company may be subject to discipline up to and including discharge. The specific discipline imposed will be determined by a case-by-case basis, taking into consideration the nature and severity of the violation of the Security Policy, prior violations of the policy committed by the individual, state and federal laws and all other relevant information. Discipline which may be taken against an employee will be administered in accordance with any appropriate rules or policies of the company.

B. In a case where the accused person is not an employee of company the matter will be submitted to a Goodworld officer immediately. Goodworld may refer the information to law enforcement agencies and/or prosecutors for consideration as to whether criminal charges should be filed against the alleged violator(s).

C. In a case where data loss or compromise consists of any customer data, Goodworld will notify the affected party(s) within 6 hours of discovery.

D. The Goodworld CFO will ensure that a current insurance policy is active and covers up to $1M per incident for both third parties and first party. CFO will provide a current Certificate of Insurance to customers upon request.

XIV. Secure Disposal of Information and Assets

A. All data must be securely disposed of when no longer required by Goodworld, regardless of the media or application type on which it is stored.

B. An automatic process must exist to permanently delete online data, when no longer required.

C. Goodworld will have procedures for the destruction of hard copy (paper) materials. These will require that all hard copy materials are crosscut shredded, incinerated or pulped so they cannot be reconstructed.

XV. Vulnerability and Patch Management

A. Goodworld CTO will ensure routine assessment of risk from technical vulnerabilities and the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores or transmits;

B. Goodworld CTO will update the risk assessment on a defined schedule (every 3 months) or whenever there are significant changes to the

XVII. Anti-Fraud

The Company Officers are responsible for the prevention and detection of fraud. All parties should be familiar with the types of fraud that might occur and should be alert for any indication of fraud. This policy applies equally to any fraudulent activity involving not only employees but also directors, vendors, outside agencies, and/or unknown parties; without regard to length of service, title/position, or relationship.

The terms fraud, misappropriation and irregularities refer to, but are not limited to:

  • Any dishonest or fraudulent act Misapplication of funds or assets

  • Profiting on insider knowledge

  • Destruction of records or assets

  • Disclosure of confidential information

  • Forgery or alteration of documents

  • Impropriety in reporting transactions

Any individual who has knowledge of any suspected fraudulent activity can

anonymously report these suspicions.

  1. Awareness Training and Education. The policies and procedures outlined below will be incorporated into company practice to maintain a high level of security awareness. COO and CTO will ensure the protection of sensitive data by requiring regular training of all employees and contractors.

A. All employees will review of handling procedures for sensitive information and incorporate these procedures into day to day company practice.

B. COO will distribute this security policy document to all company employees to read. It is required that all employees confirm that they understand the content of this security policy document when they sign their annual PIIA and NDA.

C. Any employees that handle sensitive information may undergo background checks (such as criminal and credit record checks, within the limits of the local law) before they will be authorized access to such information.

D. Any and all third parties with access to credit card account numbers or tokens will be contractually obligated to comply with card association security standards (PCI/DSS).

E. Company security policies will be reviewed annually and updated as needed.

XIX. Ethics

Goodworld expects and will accept no less than the highest standards of ethical and professional conduct from all employees. Employees are expected to avoid even the appearance of impropriety in all business dealings. Any employee who violates the standards in this Code of Ethics will be subject to disciplinary action. Any employee who believes himself or herself to be in a situation that may violate this Code should reporting such violations to a Company Officer immediately.

Goodworld expects all employees to respect and obey the laws of the cities, states and countries in which we operate. While it is impossible for any one person to know all the details of all laws, we expect our employees to have a working knowledge of the appropriate laws and just as importantly to know when to ask for advice from a manager regarding legal matters.

The Company is committed to maintaining a fair and ethical workplace and condemns all human rights violations including human trafficking and modern slavery. As part of this directive, Goodworld takes or will take appropriate steps to ensure human servitude and modern slavery do not exist at the Company or at any of the Company’s partners and affiliates. The Company has a zero-tolerance policy for any human rights violations and is taking appropriate steps to communicate this perspective to all relevant interested parties.

Company employees are prohibited from making any contribution or providing any financial support to any political party or candidate on behalf of the Company, except as may be pre-approved by the CEO.

The Company takes a zero-tolerance approach to bribery and corruption and are committed to acting professionally, fairly and with integrity in all our business dealings and relationships wherever we operate. This Anti-Bribery and Anti-Corruption Policy is designed to ensure compliance with the U.S. Foreign Corrupt Practices Act (the “FCPA”) and any other local anti-bribery or anti-corruption law where we operate.

Goodworld does not discriminate on the basis of race, color, religion, national origin, ancestry, age, sex, sexual orientation, gender identity, pregnancy, disability, genetic information, veteran or military status, or any other legally protected status. All employees of Goodworld are expected to treat people with dignity, respect and compassion to foster a work environment free of harassment, intimidation, and unlawful discrimination.

Every employee of Goodworld is expected to report what he or she believes in good faith are violations of the law or of Goodworld policy, whether accidental or deliberate, by any other Goodworld employee. Should you become aware of a violation, it is your responsibility and obligation to disclose the matter fully. The failure to report such violations is itself a violation of Goodworld policy. Should any employee feel it necessary to report any suspected illegal or unethical behavior, the employee should call or write the Vice President or any other officer of the Company.

You may report suspected legal or ethical violations in confidence and without fear of retaliation. Goodworld does not permit retaliation of any kind against employees for good faith reports of suspected or actual ethical or legal violations.

Did this answer your question?