Appendix A. Employee Handbook

Employee Handbook and Policy Quick Reference

2025.2

This is an abridged version of CAP Index’s security policy that all workforce members are required to be familiar with and comply with. You are assumed to have read and acknowledged the employee handbook in its entirety.

The full downloadable version is available here: Employee Handbook.

You are assumed to have read and fully understood the corporate security and privacy policies, standards, guidelines, controls and procedures even if you haven’t. So, it’s probably best you still go through the whole thing at some point.

Security is everyone’s responsibility. If this is not your first job, don’t do anything that might get you in trouble at your previous workplace. When in doubt, stop and ask.

  • You are required to follow detailed procedures defined in certain policies related to your job role.

Acknowledgement

Our Expectations and Your Responsibilities as Our Employee

When accepting employment, each employee acknowledges a personal responsibility for ensuring that his or her workplace conduct, attendance, and job performance meet the expectations of CAP Index.

While these expectations are set forth in greater detail throughout the Employee Handbook and will be communicated to employees further in the course of their employment with CAP Index, both formally and informally, in general, employees are expected to:

  • Conduct all activities ethically and honestly.
  • Approach job responsibilities with professionalism.
  • Work in a cooperative manner with supervisors, co-workers, and non-employees with whom you come into contact in the course of your employment.
  • Refrain from engaging in unlawful discrimination, harassment, retaliation, or other unacceptable conduct (even if not unlawful) in violation of CAP Index’s Equal Employment Opportunity Policy.
  • Refrain from engaging in violent, hostile, abusive, intimidating, or threatening behavior (whether or not the behavior is unlawful).
  • Report to work physically and mentally fit for duty (that is, free from the influence of either drugs or alcohol).
  • Report to work promptly and regularly, in the office or remotely as permitted.
  • Provide appropriate notice of an unavoidable absence or lateness.
  • Perform your job responsibilities efficiently, thoroughly, and properly, seeking continually to improve quality.
  • Remain actively engaged in the performance of your job responsibilities, when working.
  • Perform job responsibilities prudently and carefully, observing all health, safety, and security rules at all times.
  • Protect the Company’s confidential business and proprietary information.
  • Safeguard the property of the Company and its employees, customers, and other third parties with whom it does business.
  • Report accidents, injuries, fire, death, or other unusual incidents immediately after the discovery.
  • Abide by the Company policies, rules, and procedures as well as specific instructions of your supervisor.
  • Refrain from improperly using the Company property, services, or supplies for personal reasons.
  • Provide complete and honest information in connection with all business records, such as pay, time, business, expense, and employment records.
  • Ensure that personal appearance, oral communication, and conduct are consistent with high standards of professionalism.
  • Comply with all compliance, certification, and licensure policies, procedures, and guidelines.
  • Comply with all federal, state, and local laws as well as accrediting, licensing, and regulatory authorities.

Although your employment with CAP Index is at-will (i.e., either party can terminate the employment relationship at any time with or without cause and with or without prior notice), your failure to meet these expectations may result in Corrective Counseling, the goal of which is to preserve your employment by turning around unsatisfactory job performance and/or unacceptable conduct.

Training

You will be prompted as part of onboarding, and periodically going forward, to complete the following security training:

Acceptable use policy for end-user computing

CAP Index policy requires that:

(a) Per CAP Index security architecture, all workforce members are primarily considered as remote users and therefore must follow all system access controls and procedures for remote access.

(b) Use of CAP Index computing systems is subject to monitoring by CAP Index IT and/or Security team.

(c) Employees may not leave computing devices (including laptops and smart devices) used for business purposes, including company-provided and BYOD devices, unattended in public.

(d) Device encryption must be enabled for all mobile devices accessing company data, such as whole-disk encryption for all laptops.

(e) Use only legal, approved software with a valid license. Do not use personal software for business purposes and vice versa.

(f) Encrypt all email messages containing sensitive or confidential data.

(g) Employees may not post any sensitive or confidential data in public forums or chat rooms. If a posting is needed to obtain technical support, data must be sanitized to remove any sensitive or confidential information prior to posting.

(h) Anti-malware or equivalent protection and monitoring must be installed and enabled on all endpoint systems that are commonly affected by malware, including workstations, laptops and servers.

(i) All data storage devices and media must be managed according to the CAP Index Data Classification specifications and Data Handling procedures.

(j) Mobile devices are not allowed to connect directly to CAP Index production environments.

Your responsibilities for computing devices

CAP Index provides company-issued laptops and workstations to all employees. CAP Index currently does not require or support employees bringing their own computing devices.

The laptops and/or workstations assigned are managed and configured using Microsoft's endpoint management solution, Intune. Configuration and security policies are pushed according to CAP Index security policy and standards. This includes the following:

  • configure the system to meet the configuration and management requirements, including password policy, screen protection timeout, host firewall, etc.;

  • ensure the required anti-malware protection and security monitoring agent is installed and running;

  • install the latest security patches in a timely manner or enable auto-update; and

  • encrypt the physical disk using Microsoft BitLocker.

IT and Security provide automated scripts for end-user system configurations and/or technical assistance as needed.

You are also responsible for maintaining business files that are local on your laptop/workstation in the appropriate location on the CAP Index file sharing / team site (e.g. SharePoint). Business files are to reside within the local My Documents folder so that they use Microsoft's OneDrive for backup and redundancy and stay within CAP Index Security Policies. Examples of business files include, but are not limited to:

  • Documents (e.g. product specs, business plans)
  • Presentations
  • Reports and spreadsheets
  • Design files/images/diagrams
  • Meeting notes/recordings
  • Important records (e.g. approval notes)

Important

DO NOT back up critical data such as customer data or PII to file sharing sites. If you have such critical data locally on your device, contact IT and Security for the appropriate data management and protection solution.

Unless the local workstation/device has access to critical data, backups of user workstations/devices are self-managed by the device owner. Backups may be stored on an external hard drive or using a cloud service such as Citrix Sharefile if and only if the data is both encrypted and password protected (passwords must meet CAP Index requirements).

Getting help

Support for most of our business applications, such as password reset, is self-service.

If needed, users may use our internal service desk to request IT and Security support. Common requests include:

  • Password reset and access requests
  • Request new software and hardware
  • Technical support
  • Recommend changes to policies and processes

How to report an incident or suspicious activity

You are responsible for reporting all suspicious activities and security-related incidents immediately to the Information Security team, by one of the following channels:

  • (preferred) “Report a security incident” by creating an issue on Jira and/or via the [internal help desk](mailto:security@capindex.com)

  • For non-sensitive, non-confidential security issues and concerns, employees may post questions on CAP Index’s Technology Team’s channel.

  • Additionally, employees may report the incident to their direct manager.

  • To report a concern under the Whistleblower Policy, you may first discuss the concerns with your immediate manager, or report it directly to the CEO. See the Whistleblower Policy section in the HR Security Policy for additional details.