This Cybersecurity Policy addresses the guidelines of Goodwood Capital Management, LLC d/b/a Goodwood Consulting for preserving the security of our data and technology infrastructure. The more we rely on technology to collect, store and manage information, the more vulnerable we become to security breaches. Human errors, attacks and system malfunctions could cause damage to the company and our clients and may jeopardize our company’s reputation. For this reason, we have implemented a number of security measures. We have also prepared instructions that may help mitigate security risks.
This policy applies to all of our employees and anyone who has permanent or temporary access to our systems and hardware.
Confidential data is secret and valuable. Common examples are: unpublished financial information; customer/partner/vendor data; undisclosed intellectual property; customer lists (existing and prospective); and client information. Our employees are obliged to protect this data. Our employees are instructed on how to avoid security breaches.
When employees use their digital devices to access company emails or accounts, they introduce security risk to our data. We advise our employees to keep both their personal and company-issued computer, tablet and cell phone secure. They can do this by: keeping all devices password protected; using antivirus software; ensuring they do not leave their devices exposed or unattended; installing security updates of browsers and systems monthly or when updates are available; and logging into company accounts and systems through secure and private networks only. We also advise our employees to avoid accessing internal systems and accounts from other people’s devices or lending their own devices to others.
Emails often host scams and malware. To avoid virus infection or data theft, we instruct employees to: avoid opening attachments and clicking on links when the content is not adequately explained; be suspicious of clickbait titles (e.g. offering prizes, advice); check the email addresses and names (including accurate spelling) of people they received a message from to ensure they are legitimate; and look for inconsistencies or give-aways (e.g. grammar mistakes, capital letters, excessive number of exclamation marks). If an employee is not sure that an email they received is safe, they are to refer it to management.
Password leaks are dangerous since they can compromise our entire infrastructure. Not only should passwords be secure so they won’t be easily hacked, but they should also remain secret. For this reason, we advise our employees to: choose passwords with at least eight characters (including capital and lower-case letters, numbers and symbols) and avoid information that can be easily guessed; remember passwords instead of writing them down; exchange credentials only when absolutely necessary; and change their passwords every two months. Remembering a large number of passwords can be daunting. We purchase the services of a password management tool which generates and stores passwords. Employees are obliged to create a secure password for the tool itself, following the above-mentioned advice.
Transferring data introduces security risk. Employees must: avoid transferring sensitive data (e.g. customer information, employee records) to other devices or accounts unless absolutely necessary; share confidential data over the company network/system and not over public Wi-Fi or private connections; ensure that the recipients of the data are properly authorized people or organizations and have adequate security policies; and report scams, privacy breaches and hacking attempts. We advise our employees to report perceived attacks, suspicious emails or phishing attempts as soon as possible. We advise employees on how to detect scam emails. We encourage our employees to reach out with any questions or concerns.
To reduce the likelihood of security breaches, we also instruct our employees to: turn off their screens and lock their devices when leaving their devices unattended; report stolen or damaged equipment as soon as possible; change all account passwords at once when a device is stolen; report a perceived threat or possible security weakness in company systems; refrain from downloading suspicious, unauthorized or illegal software on their company equipment; and avoid accessing suspicious websites. We also: install anti-malware software and access authentication systems (including regular system updates); provide security training to all employees; regularly inform employees about new scam emails or viruses and ways to combat them; and investigate security breaches thoroughly.
Goodwood enforces Single Sign On (SSO) for employee access to HubSpot. SSO lets users sign in just one time to get access to all their enterprise cloud applications. When SSO is set up, users can sign in to their third-party IdP, then access Google apps directly without a second sign-in. The HubSpot products allow users to log in to their HubSpot accounts using built-in HubSpot login, “Sign in with Google” login, or Single Sign On (SSO). The built-in login enforces a uniform password policy which requires a minimum of 8 characters and a combination of lower and upper case letters, special characters, whitespace, and numbers. People who use HubSpot’s built-in login cannot change the default password policy.
While the “Sign in with Google” feature is available to all HubSpot customers, Goodwood utilizes the more advanced SAML-based SSO, which is integrated with our SAML-based IdP, Google Workspace.
Employees that work remotely must follow this policy’s instructions. Since they access our company’s accounts and systems from a distance, they are obliged to follow all data encryption, protection standards and settings, and ensure their private network is secure.
We expect all our employees to always follow this policy and those who cause security breaches may face disciplinary action. For a first-time, unintentional, small-scale security breach we may issue a verbal warning and train the employee on security. For intentional, repeated or large-scale breaches we will invoke more severe disciplinary action up to and including termination.
We strive to proactively protect our systems and databases. We can all contribute to this by being vigilant and keeping cyber security at the top of our mind. We maintain a continuous process of evaluation and improvement for our cybersecurity systems and processes. We address deviations from this policy promptly with our employees and anyone who has access to our systems and hardware. We also investigate and address any known data breach or security incident and take available corrective and preventative measures.