Information Security Policy
Season 12 June 1-4, 2023 Austin, Texas
The purpose of this Information Security Policy (“Policy”) is to establish appropriate physical, technical, and administrative safeguards to help prevent destruction, loss, alteration, unauthorized disclosure of or access to data.
For any information security safeguard described within this Policy, PME Music, LLC, d/b/a ATX TV (“ATX”) reserves the right to vary any safeguard by the sensitivity of the information that it collects and stores.
1.1 Effective Date
This Policy is effective as of January 1, 2023 (“Effective Date”).
The following events may necessitate changes to this Policy:
- A change in applicable regulations, laws, standards, or other mandates;
- A material change in system configuration;
- A material change in the operational environment (to include threat, vulnerability and risk assessment findings);
- A change in ATX’s organizational structure or ownership; or
- Assumption of a new or modified contractual obligation.
Material changes to the Policy will be made available to all ATX employees, officers, directors, and contractors (collectively, “personnel”).
ATX will maintain a copy of this Policy, in written or electronic form, for a period of at least five (5) years from the Effective Date (or longer if subject to an applicable legal hold).
2. Protection of ATX Confidential Information
All non-public data maintained by, regarding or used by ATX is considered to be ATX Confidential Information (“CI”). Personnel may not disclose CI to anyone, whether inside or outside ATX, who is not authorized to receive such information under applicable contracts or ATX policies. Examples of CI include, but are not limited to, subscriber data, employee/human resources data, company financial information, internal company policies, and company legal documents.
3. Security in Vendor and Third-Party Contracting
ATX engages outside vendors that may have access to ATX’s internal network or CI. ATX shall make commercially reasonable efforts to ensure that all contracts with vendors or third parties that may have access to CI or ATX systems specify security measures that the vendor or third party must implement or maintain to protect such information. ATX maintains a list of all vendors and third-party services that are used by ATX, as well as copies of the applicable contracts.
4. Protection of Devices and Documents Containing CI
4.1 Asset Inventory
ATX IT maintains an inventory of all ATX systems and devices (collectively, “assets”) that connect to, or are capable of connecting to, the ATX network. The inventory includes, at minimum, the device name, internal and external IP addresses, and asset assignee.
4.2 Encryption of Devices Containing CI
All ATX-owned portable devices containing CI must be password protected. As of the Effective Date, ATX will make commercially reasonable efforts to implement encryption on all ATX-owned portable devices containing CI.
4.3 Disposal of Media
ATX will securely wipe any ATX-owned devices prior to reuse. Disposal of devices is handled by an e-cycling vendor that is contractually required to provide a certification of data destruction upon request.
4.4 Documents Containing CI
ATX personnel shall secure all unattended documents containing CI (for example, in a locked filing cabinet). When traveling, personnel must keep documents containing CI with them or store them in locked containers, and must not leave them unattended. Documents containing CI that no longer need to be retained should be destroyed. For sensitive customer CI (such as credit card information, health information or passwords), personnel should use commercially reasonable efforts to destroy the documents in a manner that renders the information unreadable, such as shredding, once they no longer need to be retained.
5. Access Control for ATX Systems
5.1 User IDs
All ATX personnel requiring access to ATX’s electronic systems are assigned a unique user ID. Personnel are prohibited from sharing accounts except when no other alternative exists and only with approval from ATX’s management.
5.2 Access Privileges
Any request for administrator level access to ATX domain systems must be approved by ATX IT and management.
Users will not be given local administrative level access to their ATX computer unless their role explicitly requires it.
All temporary staff and independent contractor domain accounts will be set to expire on the expected end date of the engagement. If no end date is known, the account will be set to expire one (1) month after creation. If the contract staff will continue working beyond the expiry date, the manager must confirm that an extension is required by submitting a request to ATX IT.
5.3 Passwords
ATX personnel must select a complex password of at least ten (10) characters, using a mix of alphanumeric and special characters. Personnel are required to change their passwords at least every twelve (12) months and may not reuse any of their last three (3) passwords.
All personnel must take reasonable measures to protect their passwords and keep them confidential, ensuring that they are stored securely. It is not appropriate, for example, to write passwords on notes kept on or near a computer.
Personnel shall not reuse passwords from their personal accounts (e.g., personal email or online banking accounts). If a password is forgotten or compromised, personnel shall contact ATX IT or management, who will reset the password after authenticating the requester’s identity.
5.4 Termination of Access Privileges
When personnel no longer need access to an ATX user account (e.g., upon termination or reassignment), ATX IT will immediately terminate the individual’s access to that account. ATX may retain disabled accounts and continue to use the data associated with them. ATX shall periodically review all system accounts and disable any account that is not currently in use.
6. Security Awareness Training
Personnel shall receive cybersecurity awareness training upon hire and annually thereafter.
7. Systems and Network Security
7.1 Baseline Configuration
No computer, server, network appliance or other device may be connected to ATX’s network without approval of ATX IT.
Prior to installation, all computers, servers and network appliances that will connect to the ATX network must be configured such that:
- All features and functionality that are not needed for business purposes are removed or disabled;
- All default passwords are changed to passwords that meet ATX’s complex password requirements;
- All default or test user accounts and test data are deleted;
- Anti-virus / malware protection software is installed;
- The local administrator account is reset to the standard ATX local admin account;
- All other local administrator accounts are removed or disabled;
- All remote access tools not explicitly allowed by ATX IT are removed;
- The operating system is fully patched;
- The system is added to ATX IT’s centralized document repository; and
- The system is added to ATX IT’s centralized monitoring system.
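The list above is a checklist for ATX IT to work through by hand. The following PowerShell script is added here as an example and is not part of the ATX policy or of any ATX tooling; it audits a Windows host against the baseline items that can be verified automatically (extra local administrators, default or test accounts, unapproved remote access tools, anti-malware state, pending OS updates, and one example of an unneeded legacy feature). The standard local admin account name and the allow-list of remote access tools are placeholders that ATX IT would replace with its own values.

```powershell
# Added example (not ATX code): audit a Windows host against the Section 7.1 baseline.
# Run elevated on the candidate machine before it is connected to the ATX network.
#Requires -RunAsAdministrator

$StandardLocalAdmin = 'atxadmin'           # assumed name of the standard ATX local admin account
$AllowedRemoteTools = @('TeamViewer')      # assumed allow-list maintained by ATX IT
$RemoteToolPattern  = 'AnyDesk|TeamViewer|LogMeIn|VNC|Splashtop|Chrome Remote Desktop|ScreenConnect|ConnectWise'

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Other local admin accounts are removed/disabled: only the standard account may remain enabled.
foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    if ($member.ObjectClass -eq 'User' -and $member.PrincipalSource -eq 'Local') {
        $name = ($member.Name -split '\\')[-1]
        $user = Get-LocalUser -Name $name
        if ($user.Enabled -and $name -ne $StandardLocalAdmin) {
            $findings.Add("Extra enabled local administrator: $name")
        }
    }
}

# 2. Default or test accounts are removed: built-in Administrator (RID 500) must be the
#    standard account or disabled; Guest must be disabled; no leftover 'test*' users.
foreach ($user in Get-LocalUser) {
    if (-not $user.Enabled) { continue }
    if ($user.SID.Value -like '*-500' -and $user.Name -ne $StandardLocalAdmin) {
        $findings.Add("Built-in Administrator account still enabled under name: $($user.Name)")
    }
    if ($user.Name -eq 'Guest')     { $findings.Add('Guest account is enabled') }
    if ($user.Name -match '^test')  { $findings.Add("Test account still present: $($user.Name)") }
}

# 3. Remote access tools not approved by ATX IT (checks installed-program registry keys).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $RemoteToolPattern } |
    ForEach-Object {
        $display = $_.DisplayName
        $approved = $false
        foreach ($tool in $AllowedRemoteTools) { if ($display -like "*$tool*") { $approved = $true } }
        if (-not $approved) { $findings.Add("Remote access tool not approved by ATX IT: $display") }
    }

# 4. Anti-malware installed, enabled and updated within the policy's monthly window.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp) {
    $findings.Add('Microsoft Defender status unavailable; confirm a third-party AV product is installed and enabled')
} else {
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time anti-malware protection is disabled') }
    if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-30)) {
        $findings.Add("Anti-malware signatures older than 30 days (last update $($mp.AntivirusSignatureLastUpdated))")
    }
}

# 5. Operating system fully patched: ask Windows Update for software updates not yet installed.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
if ($pending.Count -gt 0) {
    $titles = foreach ($u in $pending) { $u.Title }
    $findings.Add("$($pending.Count) update(s) pending, e.g.: " + (($titles | Select-Object -First 3) -join '; '))
}

# 6. Unneeded features disabled: SMBv1 is the usual example of a legacy feature to remove.
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -ErrorAction SilentlyContinue
if ($smb1 -and $smb1.State -eq 'Enabled') {
    $findings.Add('SMBv1 feature is enabled; disable it unless a documented business need exists')
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: $env:COMPUTERNAME meets the automatically checked baseline items"
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

The script deliberately covers only what a machine can verify about itself. Changed default passwords, the inventory entry in the document repository and enrollment in the monitoring system still need to be confirmed by ATX IT, so a passing result is a precondition for connecting the device, not a sign-off.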
7.2 Transmission Security
All sensitive authentication information (e.g., passwords) and sensitive personal information (e.g., social security numbers, financial account information, etc.) must be encrypted using industry-standard encryption (for example, TLS) when transmitted over public networks.
7.3 Viruses and Malware
Anti-virus software (designed to detect viruses, Trojans, worms and other malicious files) must be installed, continuously enabled, and updated no less than monthly on all ATX devices.
7.4 Vulnerability and Patch Management
ATX shall monitor, scan for, and evaluate vulnerabilities on devices and servers. Application and operating system updates and patches shall be installed on a timely basis in accordance with the risk posed by the vulnerability, with critical security patches being applied as soon as possible.
7.5 Remote Access
ATX requires personnel working remotely to use two-factor authentication to access ATX systems. ATX personnel must use an ATX business account to conduct ATX business. Except in rare instances or with the approval of ATX IT, ATX personnel should not use personal email accounts to conduct business, as such use may subject the personal account to ATX review in the event of an internal investigation, legal and/or regulatory matter.
7.6 Data Backup and Archiving
All critical operational data is backed up daily in a cloud-hosted location.
8. Secure Development
All code, whether developed internally or outsourced to a vendor, must be reviewed for common security vulnerabilities and security best practices prior to deployment. ATX will maintain and update its own guidelines for the current security best practices.
9. Risk Assessment Program
ATX maintains a security risk assessment program to assess, track, and address security risks on an ongoing basis. This program includes regular internal reviews and periodic engagement of independent third-party risk assessors. Risk assessment findings shall be taken into account when considering changes to ATX’s systems and environment and this Policy.
10. Mobile Device Security
Mobile devices used to access CI must be password-protected. ATX personnel who use their own mobile devices are responsible for ensuring their compliance with the foregoing.
11. Workstation Security
All ATX workstations must be configured to lock automatically, or to log off the current user, after no more than 15 minutes of inactivity, and to remain locked until a valid username and password are entered. User accounts shall be locked after five (5) failed login attempts; ATX IT will unlock a locked account only after verifying the identity of the user.
Only software and applications approved by ATX IT are allowed on ATX workstations. Users may not install any software or applications on their ATX workstations without explicit approval from ATX IT.
Users must allow their ATX computer to restart at least once a month so that critical patches and updates install properly.
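Sections 5.2, 5.4 and 11 together define the account parameters ATX IT has to enforce on its domain: password length, age and history, contractor account expiry, periodic disabling of unused accounts, the five-attempt lockout and the 15-minute inactivity lock. The following PowerShell, added here as an example and not part of the ATX policy or of any ATX tooling, applies those parameters with the ActiveDirectory module (RSAT). The domain is read from the directory; the account names, the 90-day inactivity window and the 30-minute lockout observation window are assumed placeholders, since the policy does not specify them.

```powershell
# Added example (not ATX code): enforce the Section 5.2, 5.4 and 11 account controls in
# Active Directory. Run as a Domain Admin with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory
$Domain = (Get-ADDomain).DNSRoot

# Section 5.2 and 11: default domain password and lockout policy.
# ComplexityEnabled is the Windows rule (3 of 4 character classes); it approximates the
# "alphanumeric and special characters" wording but does not strictly force a special
# character, so a stronger rule needs a fine-grained policy or a password filter.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MinPasswordLength 10 `
    -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -PasswordHistoryCount 3 `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false
# "Locked until IT unlocks it" is Account lockout duration = 0 in the Default Domain Policy GPO
# (Computer Configuration > Windows Settings > Security Settings > Account Policies >
# Account Lockout Policy). The cmdlet requires the duration to be at least the observation
# window, so set the zero value through the GPO rather than here.

# Verify what the directory actually holds after the change.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, PasswordHistoryCount,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Section 5.2: contractor and temporary accounts expire at the engagement end date,
# or one month from today when no end date is known.
function Set-AtxContractorExpiry {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [datetime]$EngagementEnd = (Get-Date).AddMonths(1)
    )
    Set-ADAccountExpirationDate -Identity $SamAccountName -DateTime $EngagementEnd
    Get-ADUser -Identity $SamAccountName -Properties AccountExpirationDate |
        Select-Object SamAccountName, AccountExpirationDate
}
Set-AtxContractorExpiry -SamAccountName 'contractor.jdoe' -EngagementEnd '2023-08-31'  # assumed account
Set-AtxContractorExpiry -SamAccountName 'temp.asmith'                                  # no end date known

# Accounts expiring within 7 days, so managers can request extensions before access lapses.
Search-ADAccount -AccountExpiring -TimeSpan (New-TimeSpan -Days 7) -UsersOnly |
    Select-Object SamAccountName, AccountExpirationDate

# Section 5.4: periodic review; list and disable enabled user accounts with no logon in 90 days.
$stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object { $_.Enabled }
$stale | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize
$stale | Disable-ADAccount -WhatIf    # drop -WhatIf once the list has been reviewed

# Section 11: lock after 15 minutes of inactivity. Domain-joined workstations should get this
# from GPO ("Interactive logon: Machine inactivity limit" = 900 seconds); the same setting on
# a standalone workstation is the InactivityTimeoutSecs registry value.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $policyKey -Name 'InactivityTimeoutSecs' -Value 900 -Type DWord
```

Two points to keep in mind when using this against the policy text: the twelve-month maximum password age and three-password history are upper bounds the policy sets, and nothing prevents ATX IT from choosing stricter values; and Search-ADAccount relies on the replicated lastLogonTimestamp attribute, which can lag real logons by up to 14 days, so treat the 90-day list as a review queue rather than disabling it unseen.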
12. Incident Response Plan
ATX shall maintain an Incident Response Plan (“IRP”) for use in responding to any actual or suspected security incident. The IRP is designed to mitigate and remediate, to the extent practicable, the impact of an information security incident. The IRP will be made available to personnel who are assigned incident response responsibilities.