Page 16 - Employee Handbook

EMPLOYEE HANDBOOK
                                                                                                Version 2025.10.28




              Policy Enforcement:
                   •   Failure to comply with this policy may result in corrective action, up to and including termination of
                       employment. Unlawful conduct may be reported to law enforcement where appropriate.
              Nothing in this policy is intended to interfere with or restrict employees' rights under Section 7 of the National Labor
              Relations Act, including the right to engage in protected concerted activity.


            3.8 CYBERSECURITY POLICY

              Purpose and Scope
              The purpose of this Cybersecurity Policy is to establish guidelines for securing the Company’s information systems and
              protecting sensitive business data from unauthorized access, disclosure, alteration, and destruction. This policy applies to
              all employees, contractors, vendors, and third-party service providers who have access to the Company’s IT systems,
              networks, and data.

              Roles and Responsibilities
              All employees and contractors are responsible for safeguarding the Company’s information systems and data. Specific
              responsibilities include:
                   •   Adhering to all security policies and procedures.
                   •   Reporting any security breaches, suspicious activities, or vulnerabilities to the IT Department immediately.
                   •   SEND TO: cybersecurity@amaxinsurance.com.
                   •   Completing required cybersecurity training programs.

              Access Control
                   •   Access to Company information systems and data is granted based on the principle of "least privilege" — users
                       are only provided with the access necessary for their job functions.
                   •   All user accounts must be password-protected, and passwords must meet the Company’s minimum complexity
                       requirements (e.g., length, character mix, expiration period).
                   •   Multi-factor authentication (MFA) is required for access to sensitive systems or data.
                   •   Access rights will be reviewed regularly (at least quarterly) to ensure users still require the permissions they’ve
                       been granted.
                   •   Former employees’ accounts and access privileges will be deactivated immediately upon separation from the
                       company.

              Use of Company Systems
                   •   Company-issued devices (computers, mobile devices, etc.) must be used exclusively for business purposes, and
                       personal use should be limited.
                   •   Employees are prohibited from using personal devices to access Company systems or data without prior
                       approval.
                   •   Employees must not install unauthorized software on any Company-issued devices.
                   •   All devices must be secured with passwords, screen locks, and encryption, as required by the IT Department.

              Data Protection and Confidentiality
                   •   Sensitive and confidential Company data must be stored, transmitted, and processed in accordance with
                       security best practices and applicable laws (e.g., data encryption, secure email protocols).




