Data Security Policy. 1. Document Status. Version 1.0. Approval. Review By June Secure Research Database Analyst. Change History. 1 Version 1.

Transcription

1 Data Security Policy 1. Document Status Security Classification Level 4 - PUBLIC Version 1.0 Status DRAFT Approval Life 3 Years Review By June 2011 Owner Secure Research Database Analyst Change History 1

2 Contents Data Security Policy Document Status Overview System Scope Classification Guidance Encryption Guidance Electronic Data Retention and Deletion Guidance Data Security and Third Party Service Delivery Disposal of Media... 8 Appendix A: Cabinet Office minimum scope of protected personal data Appendix B: Risks, ISO27001 controls and remedial actions related to this policy Risks ISO Controls Remedial Actions

3 2. Overview All data that the institute holds should be classified according to their sensitivity. Data should be stored, accessed and processed according to their classification. The classification of data is an important component to knowing how to use these data within the guidelines laid down by many of the Institute s data providers and project funders. Correctly classifying data and then using them only according to the appropriate stipulations is an important part of preventing data leaks, and minimising the impact of such leaks when they do occur. Inappropriate disclosure of Confidential or Restricted data, their accidental loss or deliberate theft, could all lead to the Institute being levied with a potentially unlimited fine, as well as experiencing a loss of reputation and a possible failure to win other research contracts. 3. System All IOE systems 4. Scope All IOE data 5. Classification Guidance I. Classification levels The UK Cabinet Office uses 4 levels of data classification: Top Secret, Secret, Confidential and Restricted. As Top Secret and Secret concern information that would potential destabilise the UK or its allies, we are not concerned with them here. This leaves us with two data classifications, plus protected, (used to take us in line with Becta s recommendations) and a category for all data we do not need to protect. 3. Protected II. How you should decide which category your data falls into: a. Highly personal data that will explicitly identify individuals 3

4 b. These data may, if disclosed, put the individual at risk from identity theft, social or legal sanctions, targeting by marketing corporations or pressure groups, exposure to the national press, threats from criminal or vigilante individuals or organisations c. Data elements would include, but are not restricted to: Name, address, ethnicity, qualifications, criminal records, schools attended, place of work, income, religion, bank details, social habits a. This would include business-sensitive data such as company accounts, information on commercial contracts, and intellectual property b. Any data that, if accidentally or deliberately leaked, could be commercially damaging or otherwise affect the reputation of the Institute c. It includes data that could be combined with publically accessible data in order to identify individuals for example names with postcodes along with criminal offences. d. Any database containing details (of any sort) of more than 1000 individuals, other than information sourced from the public domain e. Incomplete reports and other documents whose integrity may be damaged by uncontrolled/unauthorised changes, or whose leakage may cause damage to the project, the project funders or the Institute 3. Protected a. General Institute data: original copies of public-domain reports, timesheets, internal memoranda, expenses, correspondence, instructions b. Any data that, if accidentally leaked, could cause embarrassment to an individual or the Institute Public data will have no significant impact on the project if they are altered or viewed in an uncontrolled fashion. No names and addresses combined with any other identifying information. Data that is already in the public domain (e.g. information that is collated into literature reviews) III. How should data in each category be stored? a. On a file server that does not have Portal access to the outside world. b. Using strict access controls: NTFS file permissions, Windows Share permissions, c. Access should only be granted to explicitly authenticated users. These access requests should be made in writing by the project director. By default, access will be blocked. d. Logically separated from other data e. Machines granted access to the files should have access to usb mass storage devices blocked, and no DVD/CD writers. 4

5 f. Users should sign a non-disclosure form before being able to access the information g. Upon request of the data owner, placed on a dedicated isolated system that also uses controls 1.a 1.f. a. On the Q drive b. In its own logically separate folder, with access controlled by NTFS file permissions and user groups c. Access should only be granted to explicitly authenticated users. These access requests should be made in writing by the project directors. By default, access will be blocked. d. Machines granted access to the files should have access to usb mass storage devices blocked, and no DVD/CD writers e. Accessed externally on an Institute-owned, encrypted laptop that is not used for any other purpose, that has access to usb mass storage devices blocked and access to DVD writer blocked. A non-disclosure agreement must be signed before the laptop can be taken out. Controlled by NTFS and Windows share permissions. 3. Protected a. On the Q drive b. Access given to implicitly authenticated users c. Machines granted access to the files should have access to usb mass storage devices blocked, and no DVD/CD writers d. Accessed externally on an Institute-owned, encrypted laptop that is not used for any other purpose, that has access to usb mass storage devices blocked and access to DVD writer blocked. Controlled by NTFS and Windows share permissions. a. There are no conditions placed on the storage or transmission of public data b. Public data can be created or manipulated on any machine, not just IOE machines. IV. How can data in each category be used? a. Must never leave the boundaries of the logical container it is stored in. b. Must ideally be accessed by rdp session, or via a network drive if the PC connecting to it is placed in a secure environment and has usb mass storage device drivers and CD/DVD drives disabled. The rdp terminal services on the host machine must have copy and paste and printer redirect functionality disabled. c. Must not be ed, accessed remotely or placed on a usb mass storage device. d. If the data have to be moved, they must be either encrypted to FIPS AES 256- bit standard, or placed on a device that is encrypted to the same standard. If sent through the post, they must be sent recorded delivery. Ideally they should be transferred through the HTTPS SSL Portal, another organization s portal, or an sftp 5

6 box, with careful co-ordination at both ends to guarantee transmission and reception. a. Must only leave the boundaries of the logical container if they are moved and processed under very strict conditions (given below) and after a non-disclosure agreement has been signed by the end user b. Must be encrypted to 256-bit AES standard whilst in transit c. Must not be ed d. Must never be placed on a machine that is not owned and administered by the IOE, or that is used for any purpose other than IOE-related work e. If sent through the post, they must be sent recorded delivery. Ideally they should be transferred through the HTTPS SSL Portal, another organization s portal, or an sftp box, with careful co-ordination at both ends to guarantee transmission and reception. 3. Protected a. Must only leave the boundaries of the Institute under the control of a user who has received data protection training and signed a non-disclosure agreement b. Must never be placed on a machine that is not owned and administered by the IOE, or that is used for any purpose other than IOE-related work c. Must not be ed d. Must be transferred through the HTTPS SSL Portal, another organization s portal, or an sftp box a. Public data may be used and accessed from anywhere, within the normal boundaries of acceptable use, security and malware considerations. 6. Encryption Guidance a. If possible, the data should be encrypted at rest. This could take the form of full disk encryption, or database-level encryption. As both of these are either hardware or software specific, it is not always a currently available service. Newly purchased hardware and software will be able to meet these specifications b. The backups of these data must be encrypted to AES-256-bit standard c. The data must be encrypted to AES 256-bit standard before it is moved or removed from its place at rest d. If a case can be made using a formal risk assessment that the data must be accessed from outside the Institute, the access method must meet the following stipulations: i. be made via Remote Desktop across an https SSL connection, where the data is not transferred from the host system within the Institute s boundaries 6

7 ii. The connecting device must have an encrypted hard drive and be accessible only via a complex username and password, and must be an IOE owned and maintained device that is not used for any other purpose iii. The remote desktop environment of the host system must be tightly controlled to prevent the access of other data, prevent the transfer or printing of data from the system, and prevent the remote desktop environment being used for anything else. a. The data must be encrypted to AES 256-bit standard when in transit b. If accessed outside the Institute, the data must be accessed by and processed on an Institute laptop with a hard drive encrypted to 256-bit AES standard 3. Protected a. If accessed outside the Institute, the data must be accessed by and processed on an Institute laptop with a hard drive encrypted to 256-bit AES standard a. Public data do not need to be encrypted or accessed using an encrypted device. 7. Electronic Data Retention and Deletion Guidance All electronic data should be retained for the legally or contractually required minimum and maximum periods of time. This will vary depending on the type of data under consideration. Departments within the Institute may have stipulations on data retention over and above the legal minimums. Please refer to your departmental Data Retention Policy for guidance o n how data in your particular jurisdiction should be retained. Data must not be retained beyond its legal or contractual lifetime, or where to do so would otherwise break the terms of the legal contract, or break the Data Protection Act 1998, the Copyright, Designs and Patents Act 1988 or the Digital Economy Act The date at which specific data should be removed from IOE systems should be clearly marked on the data themselves. Methods of deletion of data from IOE systems at their legal or contractual point of removal must be concomitant with the data s classification: a. The data and data container must be wiped using a file shredder, conforming to US DoD 7 passes standard a. The data and data container must be wiped using a file shredder, conforming to US DoD 7 passes standard 7

8 3. Protected a. The data can be deleted using any standard deletion technique a. The data can be deleted using any standard deletion technique Please consult the helpdesk if you need to use a file shredder in order to delete data. 8. Data Security and Third Party Service Delivery 1. All third party service delivery must adhere to the Data Security Policy and handle IOE - owned data and data held by the IOE on behalf of another organisation in accordance with its data classification 2. Any necessary breach of the Data Classification rules must be agreed in writing by both parties, and must be risk assessed 3. The third party should provide regular reports and records of its activitie s, including access to and use of IOE-held data 4. The designated IOE data owner is responsible for monitoring and reviewing these reports, and initiating audits as required 5. Changes to third party service provision will be in addition to any contractual stipulations be subject to the process of change control as outlined in the Change Control Policy 9. Disposal of Media 1. All media should be disposed of at the end of the life of the team or project 2. Media should also be disposed of when no longer required 3. All Hard Drives will be degaussed or otherwise wiped to DoD 7 passes standard during decommissioning and before disposal 4. All tape media will be degaussed during decommissioning and before disposal 5. All other media (usb mass storage devices, CD/DVD RW) will be wiped to DoD 7 passes during decommissioning and before disposal 6. Non-erasable media will be destroyed during decommissioning and before disposal 8

9 7. As an aggregation of non-confidential data may become confidential, all collections of media awaiting disposal must be treated as potentially confidential. Therefore, prior to erasure and/or destruction, media awaiting disposal must be stored securely. 8. The disposal of confidential data should be logged by the data owner 9

10 Appendix A: Cabinet Office minimum scope of protected personal data From Minimum scope of protected personal data Departments must identify data they or their delivery partners hold whose release or loss could cause harm or distress to individuals. This must include as a minimum all data falling into one or both categories below. A. Any information that links one or more identifiable living person with information about them whose release would put them at significant risk of harm or distress. 1. one or more of the pieces of information which can be used along with public domain information to identify an individual combined with Name / addresses (home or business or both) / postcode / / telephone numbers / driving licence number / date of birth [Note that driving licence number is included in this list because it directly yields date of birth and first part of surname] 2. information about that individual whose release is likely to cause harm or distress Sensitive personal data as defined by s2 of the Data protection Act, including records relating to the criminal justice system, and group membership DNA or finger prints / bank, financial or credit card details / mother s maiden name / National Insurance number / Tax, benefit or pension records / health records / employment record / school attendance or records / material relating to social services including child protection and housing These are not exhaustive lists. Departments should determine whether other information they hold should be included in either category. B. Any source of information about 1000 or more identifiable individuals, other than information sourced from the public domain. This could be a database with 1000 or more entries containing facts mentioned in box 1, or an electronic folder or drive containing 1000 or more records about individuals. Again, this is a minimum standard. Information on smaller numbers of individuals may warrant protection because of the nature of the individuals, nature or source of the information, or extent of information. 10

11 Appendix B: Risks, ISO27001 controls and remedial actions related to this policy 1. Risks 1. Undocumented and unaudited access to Confidential or Restricted data 2. Leaking of Confidential or Restricted data 3. Financial or reputational damage to IOE due to uncontrolled data release 4. Financial or reputational damage to project due to uncontrolled data release 5. Lack of correct access to confidential or restricted data 6. Confidential or Restricted data held in inappropriate locations or on inappropriate devices 2. ISO Controls A Inventory of Assets A Ownership of Assets A Acceptable Use of Assets A Classification Guidelines A Service Delivery A Monitoring and Review of Third Party Services A Managing Changes to Third Party Services A Disposal of Media A Information Handling Procedures A Sensitive System Isolation A Policy on the use of cryptographic controls A Information Leakage 3. Remedial Actions 1. Classification of data to be undertaken by all research projects 2. Data to be handled in accordance with the guidelines provided below 3. Server and end user equipment provided to make compliance possible 4. Encryption guidelines laid out for all classes of data 5. Retention and classification of data laid out for all classes of data 6. Isolated systems to be set up if requested for Confidential data 7. Media will be disposed of safely and security 11