
Brokerage Do Not Call Compliance Policy

Posted by PRO Fri, 01 Dec 2006 16:59:00 GMT

SAMPLE
XYZ Brokerage Firm
Do Not Call Compliance Policy


(Note: These procedures must be tailored to the specific policies, methods and practices that a real estate firm intends to implement to ensure that all personnel comply with the Federal Do Not Call telemarketing rules. Other provisions may be added, as necessary, to ensure compliance with other do not call requirements of state law.)


In order to comply with the requirements of the Federal Do Not Call telemarketing rules (“Rules”), all telemarketing by brokers and agents of XYZ Brokerage shall comply with the following:


1. Written procedures to comply with the DNC Rules:

………………………………………………


2. Training XYZ Brokerage Personnel:

………………………………………………


3. Establishing and maintaining the “company-specific” Do Not Call list:
a. If an agent telephones an individual who requests not to receive future telephone calls, the agent will record the name of the person called, the telephone number called, and the date and time of the call. The agent will report that information via written memorandum or email, to _____________

b. ______________ has the responsibility to maintain the “XYZ Brokerage–specific” do not call list. Within ___ hours of receiving a new name/telephone number, he/she will add such individual’s name and telephone number to the list.

c. The XYZ Brokerage–specific do not call list will be maintained (location) and accessible by (how)

4. Processes to prevent telephone solicitations of numbers on the DNC list:

………………………………………………

5. Process to ensure that the firm uses the DNC Registry for purpose of compliance with the Rules only:

 

 

                       

 


Creating a Do Not Call Policy

Posted by PRO Fri, 01 Dec 2006 16:55:00 GMT

Creating an Office Policy for DNC Rules

Implementation of an office policy to comply with the federal Do Not Call rules ("Rules") and regulations is necessary for companies to qualify for the "safe harbor" in the Rules. Qualifying for the "safe harbor" protects a company from a lawsuit if the company inadvertently calls a number on the national DNC registry ("Registry"). A company should create an office policy even if it plans to hire an outside service to assure its compliance with the Rules, since the safe harbor could still protect your company from lawsuits resulting from a failure of a DNC compliance service.

Creating a policy will require careful thought by the company and will require more than simply printing out a form. Consultation with your company’s legal counsel during the creation of your company policy is recommended. Management should consider how it wants to structure a policy that will ensure its firm is in compliance with the rules as well as create a system which works with the company’s business model. This article will describe each step of the process, and offers suggestions on what issues should be considered.

Please be aware that this entire article addresses the federal Telemarketing rules only. These Rules only preempt less restrictive state rules, so a company in a state which has rules more restrictive than the federal rules will need to be aware of those rules because those rules will not be preempted. Compliance with non-preempted state rules should be included in the brokerage’s policy.

A. Strategize DNC Compliance Plan

The first step for your company is to consider your options and develop a policy that best fits your company’s needs. Before embarking on this step, you should be familiar with the Rules and their requirements. Initial issues to consider:

- Who will have responsibility for accessing the Registry? Is your company going to hire a third party for Registry access or for other compliance services?
- In which area codes does your company make telemarketing calls?
- What process for compliance best suits your company’s business model? How do you want to involve the salespeople/employees in the compliance process?
- Who will train salespeople/employees about how to comply with the Rules and the company’s policies?
- Who will be in charge of administering the company-specific do not call list?
- What would be the best communication mechanism between the company and its salespeople/employees for compliance information with the Rules? Are the company’s salespeople/employees centrally located or do they work from a variety of different locations? If the salespeople/employees do not work in a central location, then your policy will need to make sure the salespeople/employees can access this information from other locations.

Once your company has developed its basic compliance strategy, it can begin the process of drafting its written Do Not Call Compliance policy ("Policy"). The five elements of a Rules compliance plan that satisfies the safe harbor requirements are the following:

(A) Written procedures to comply with the Rules;
(B) Training personnel to comply with the procedures established to comply with the Rules;
(C) Maintaining a list of telephone numbers the firm may not call (the "company-specific list");
(D) Use of a process to prevent telephone solicitations of numbers on the DNC list, using a version of the list not more than 31 days old and maintaining records documenting the process;
(E) Use of a process to ensure that the firm does not sell, rent, lease, purchase or use the DNC list for any purpose other than compliance with the Rules, including acquiring the list from the FTC and not participating in any effort to share the costs of obtaining the list with others.

What follows are the various elements that a Policy which satisfies these requirements must contain.

B. Registry Access

The Policy should describe how the company will purchase access to the Registry and comply with the Rules. Registration is required even if your company uses a DNC compliance service.

The Policy should state your company has access to the Registry for the appropriate area codes. The Registry is organized in a way that is designed to provide flexibility to users. The phone numbers in the Registry are organized by area code, and they can be either downloaded from the Registry site or obtained through an interactive search feature on the Registry site. When a company creates a Registry account, it receives two passwords: one for the "Authorized Representative", one for the "Downloader". The Downloader password only allows access to the area codes which the "Authorized Representative" has selected.

The policy should describe how the company will provide Registry access to its salespeople/employees. Here are three options available:

1. Distribute the Downloader password to all individuals who make telemarketing calls, and require them to check the numbers against the Registry via the interactive search.

2. Designate one individual or group as responsible ("DNC Compliance Specialist") for providing a clean list to all who make telemarketing calls.

3. Designate a DNC Compliance Specialist to periodically download all area codes to which the company subscribes from the Registry and to make those area codes available to everyone who makes telemarketing calls. A company selecting this option could accomplish this in a number of different ways, from downloading the area code lists in Word Pad and distributing them electronically (i.e., via email) to creating its own interactive search feature on its company intranet site for its salespeople/employees to use for searching numbers.

Your plan should also set forth how often the Registry will be accessed. This will depend on your company’s compliance strategy. If, for example, you determine that agents must check every number to be called against the Registry via the interactive Registry search, your policy should state "All numbers not otherwise qualifying for one of the specific exceptions shall be checked via the Registry’s Interactive search feature no more than 24 hours prior to making the call." Or, if you intend to provide a list or searchable database for use by agents, your policy must provide that you update the database at least every three months, as required by the Rules.

D. Company Specific Do Not Call List

A company needs to have a process in place for creating and monitoring a list of numbers of individuals who requested not to receive any further phone calls from your company. A request to be placed on such a "company-specific do not call list" must be honored for up to five years and supersedes any exception that would otherwise allow a company to call a consumer. The Policy must address the process for creating the company-specific do not call list, such as by one individual being assigned the responsibility for maintaining the list, and implementing a centralized system where the DNC numbers will be available for access. Regardless of the company’s Policy, it must make sure all of its salespeople/employees know what to do when they receive a consumer request to be placed on the company-specific do not call list and also that all salespeople/employees have access to and know to check the company-specific do not call list prior to making any telemarketing phone calls.

E. Company Policy for Telephone Conduct & Training

A company is also required to provide training to its salespeople/employees on how to comply with the Rules. The Policy should describe the training process. Training should take place prior to any telemarketing. As part of the training, it is recommended that brokers obtain a signed acknowledgement that the employee has taken the training and received a copy of the company’s procedures for appropriate telephone conduct. The procedures the company gives to its salespeople/employees should include the following:

- Information on what the Rules require. NAR’s "Do Not Call/Do Not Fax Toolkit" collects a variety of resources on this topic.
- Procedures agents must follow prior to making telemarketing calls. These steps will depend on how your company requires salespeople/employees to comply with the Rules. Some firms may provide them with "clean" numbers (that is, numbers which are not on the Registry or qualify for one of the exceptions). Other firms may require salespeople to check the numbers on their own, in which case the policy needs to list the steps that must be followed to check phone numbers before calling. These might include checking the number to see if any exceptions (written permission, "Existing Business Relationship", personal relationship with recipient, response to an inquiry) allow calls to the consumer; if not, then check the Registry.
- The times of day/night when calls can be made. The Rules permit calls to be made only from 8am-9pm (local time where call is going to be received) although some state laws shorten this time frame (it is permissible in every state to allow solicitations between 10am-8pm, Monday-Saturday, local time).
- Allow phone to ring for the longer of four rings or fifteen seconds before hanging up
- Compliance with the Rules’ provisions on facsimile transmissions. While the FCC is currently reconsidering its proposed ban on commercial facsimile transmissions without prior written permission, note that unsolicited commercial facsimile transmissions remain illegal.
- Prohibiting use of autodialers or prerecorded messages
- Prohibiting the blocking of caller identification services
- Maintaining a company specific "do not call" list (see above)
- What telemarketers need to say during every call (name, company name, and have contact information available)
- Maintaining confidentiality of any lists downloaded from the Registry
- Specifying unacceptable conduct during a call (examples: repeatedly calling the same number; allowing phone to ring numerous times; abusive tactics such as threats or obscene language; or hanging up when consumer begins to request placement on company’s do-not-call list).

F. Conclusion

Creating an office policy is a necessary step for a company to qualify for the safe harbor provision contained in the Rules, which will allow the company to avoid liability for inadvertent calls made to numbers listed in the Registry. Since there are many different ways a company could choose to create its policy, there is no simple "one size fits all" policy. Rather, a company first needs to think through each step of the compliance process and then create its own policy to meet its company’s needs and business model.


Brokerage Password Policy

Posted by PRO Thu, 30 Nov 2006 15:50:00 GMT

Password Policy
 
1.0 Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of an entire corporate network. As such, all ABC REALTY employees (including contractors and vendors with access to ABC REALTY systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
          
2.0 Purpose
The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.
            
3.0 Scope
The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any ABC REALTY facility, has access to the ABC REALTY network, or stores any non-public ABC REALTY information.
 
4.0 Policy
4.1 General
All system-level passwords (e.g., root, enable, administrator, application administration accounts, etc.) must be changed on at least a quarterly basis.
 
All production administrator passwords must be part of the ABC REALTY administered global password management database, to be stored in encrypted format and made available only to management staff with a need-to-know.
 
All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months.
 
User accounts must have a unique password from all other accounts held by that user.
 
Passwords must not be inserted into email messages or other forms of electronic communication.
 
All user-level and system-level passwords must conform to the guidelines described below.
 
4.2 Guidelines
A. General Password Construction Guidelines
Passwords are used for various purposes at ABC REALTY. Some of the more common uses include: user level accounts, web accounts, email accounts, screen saver protection, voicemail password, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords which are only used once), everyone should be aware of how to select strong passwords.
 
Poor, weak passwords have the following characteristics:
 
  • The password contains less than eight characters
  • The password is a word found in a dictionary (English or foreign)
  • The password is a common usage word such as:
      • Names of family, pets, friends, co-workers, fantasy characters, etc.
      • Computer terms and names, commands, sites, companies, hardware, software.
      • The words "ABC REALTY", the name of the county, city, region, state, regional sports teams - or any derivation.
      • Birthdays and other personal information such as addresses and phone numbers.
      • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
      • Any of the above spelled backwards.
      • Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
 
Strong passwords have the following characteristics:
 
  • Contain both upper and lower case characters (e.g., a-z, A-Z)
  • Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=`{}[]:";’<>?,./)
  • Are at least eight alphanumeric characters long.
  • Are not a word in any language, slang, dialect, jargon, etc.
  • Are not based on personal information, names of family, etc.
 
Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.
 
NOTE: Do not use either of these examples as passwords!
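
The construction guidelines above can be checked mechanically when a password is set. The following is an added example, not part of the ABC REALTY policy; the word list is a constructed sample, the rule names are hypothetical, and the adjacent-character test is an assumed heuristic for the "word or number patterns" rule.

```python
import string

MIN_LENGTH = 8
# Constructed sample list. A real check would load full dictionaries plus local
# terms the policy names (company, city, county, sports teams, and so on).
SAMPLE_WORDS = {"secret", "password", "welcome", "abcrealty"}
# Patterns the policy lists by name.
KNOWN_PATTERNS = {"aaabbb", "qwerty", "zyxwvuts", "123321"}
# The policy's own illustrations, which it says must not be used.
PUBLISHED_EXAMPLES = {"TmB1w2R!", "Tmb1W>r~"}


def is_listed_word(password, words=SAMPLE_WORDS):
    """Listed word, also when reversed or with one digit before or after it."""
    p = password.lower()
    forms = {p}
    if p[:1].isdigit():
        forms.add(p[1:])
    if p[-1:].isdigit():
        forms.add(p[:-1])
    forms |= {f[::-1] for f in forms}
    return any(f in words for f in forms)


def is_simple_pattern(password):
    """Named pattern, or (assumed heuristic) every neighbouring pair of
    characters is equal or adjacent in code point, e.g. abcdefgh, 11223344."""
    p = password.lower()
    if p in KNOWN_PATTERNS:
        return True
    return len(p) > 1 and all(abs(ord(a) - ord(b)) <= 1 for a, b in zip(p, p[1:]))


def policy_violations(password, words=SAMPLE_WORDS):
    """Return the guideline rules the candidate breaks; empty list means pass."""
    found = []
    if len(password) < MIN_LENGTH:
        found.append("too_short")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        found.append("mixed_case")
    if not any(c.isdigit() for c in password):
        found.append("digit")
    if not any(c in string.punctuation for c in password):
        found.append("punctuation")
    if is_listed_word(password, words):
        found.append("dictionary_word")
    if is_simple_pattern(password):
        found.append("pattern")
    if password in PUBLISHED_EXAMPLES:
        found.append("published_example")
    return found


if __name__ == "__main__":
    # Constructed candidates, including one of the policy's published examples.
    for candidate in ["secret1", "1terceS", "zyxwvuts", "TmB1w2R!", "gR8!vLmq#2Zt"]:
        print(f"{candidate!r}: {policy_violations(candidate) or 'ok'}")
```

Run at password-change time, before the value is hashed and stored, so the plaintext is never written anywhere.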
 
B. Password Protection Standards
Do not use the same password for ABC REALTY accounts as for other non-ABC REALTY access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don’t use the same password for various ABC REALTY access needs. For example, select one password for the accounting system and a separate password for logging on to your PC. Also, select a separate password to be used for an NT account and a UNIX account where applicable.
 
Do not share ABC REALTY passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, Confidential ABC REALTY information.
 
Here is a list of "don’ts":
 
  • Don’t reveal a password over the phone to ANYONE
  • Don’t reveal a password in an email message
  • Don’t reveal a password to the boss
  • Don’t talk about a password in front of others
  • Don’t hint at the format of a password (e.g., "my family name")
  • Don’t reveal a password on questionnaires or security forms
  • Don’t share a password with family members
  • Don’t reveal a password to co-workers while on vacation
 
If someone demands a password, refer them to this document or have them call someone in the Information Security Department.
 
Do not use the "Remember Password" feature of applications (e.g., Eudora, Outlook, Netscape Messenger).
 
Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.
 
Change passwords at least once every six months (except system-level passwords which must be changed quarterly).
 
If an account or password is suspected to have been compromised, report the incident to ABC REALTY management and change all passwords.
 
Password cracking or guessing may be performed on a periodic or random basis by ABC REALTY or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it.
 
C. Application Development Standards
Application developers must ensure their programs contain the following security precautions. Applications:
 
  • should support authentication of individual users, not groups.
  • should not store passwords in clear text or in any easily reversible form.
  • should provide for some sort of role management, such that one user can take over the functions of another without having to know the other’s password.
             
D. Use of Passwords and Pass phrases for Remote Access Users
Access to the ABC REALTY Networks via remote access is to be controlled using either a one-time password authentication or a public/private key system with a strong pass phrase.
 
E. Pass phrases
Pass phrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all, and the private key, that is known only to the user. Without the pass phrase to "unlock" the private key, the user cannot gain access.
 
Pass phrases are not the same as passwords. A pass phrase is a longer version of a password and is, therefore, more secure. A pass phrase is typically composed of multiple words. Because of this, a pass phrase is more secure against "dictionary attacks."
 
A good pass phrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good pass phrase:
 
"The*?#>*@TrafficOnThe610Was*&#!#ThisMorning"
 
All of the rules above that apply to passwords apply to pass phrases.
            
5.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
    
6.0 Definitions
 
Term: Application Administration Account
Definition: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
 
                       
7.0 Revision History
 


Tech Security from Management's Perspective

Posted by PRO Thu, 30 Nov 2006 15:46:00 GMT

Click here to view article (pdf format)


Executive Guide to Getting Started

Posted by PRO Thu, 30 Nov 2006 15:45:00 GMT

Click here to view article (pdf format)
