Audit, Risk Management and Compliance Sky Supplier Security Standard V2.9. Supplier Security Standard v2.9

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Audit, Risk Management and Compliance Sky Supplier Security Standard V2.9. Supplier Security Standard v2.9"

Transcription

1 Supplier Security Standard v2.9

2 Introduction Sky operates in an environment of significant legislative, regulatory and industry standards compliance requirements and must have continued assurance that information and data for which Sky is responsible is secure against accidental or unauthorised disclosure, manipulation, damage or loss. Sky implements security controls across its business and in its computer facilities with the aim of ensuring the confidentiality, integrity and availability of data. Sky requires that the same level of protection is in place for data handled by its suppliers and that they are aware of the risks that exist if controls are missing or where known vulnerabilities remain to be addressed. This Sky Security Standard (the Standard ) contains the information assurance controls Sky requires its suppliers and business partners to employ when they are entrusted with handling Sky Data or materials. Sky considers these controls to be the minimum standards to be implemented across a supplier's systems and infrastructure. This document forms part of the Agreement and as such sets out the contractual obligations Sky places on suppliers in regards to security controls. All suppliers who process personal data are categorised by Sky as either Tier 1, Tier 2 or Tier 3. Tier 1 suppliers are those who process data that is classified as Secret by Sky; while Tier 2 suppliers are those who process Confidential data. Suppliers that process all other types of personal data are classified as Tier 3. Guidance on the application of these definitions can be found in Appendix 1. This Standard sets out in separate sections the controls that are applicable to suppliers who process Tier 1 or Tier 2 data. While these controls do not apply to Tier 3 data, all Sky Data should be processed safely and securely regardless of its classification. Sky wishes to draw particular attention to the fact that the Supplier who is originally classified as Tier 2 but then, by virtue of receiving additional data in the course of that service or additional services are provided, becomes the holder of Tier 1 data will be expected to adhere to the standards set out in the Tier 1 section before receiving the new data or providing the additional services. We also draw attention to the fact that the requirements of this Standard apply only to those locations and associated systems and controls that are used to process Sky Data. This means that if the Supplier has multiple locations, only those that are used to process Sky Data are within scope of this Standard, and for systems, only those systems used to process Sky Data. The provisions contained in this Standard are supplemental to, and in addition to, any other contractual terms contained in the Agreement and, except to the extent that the Supplier and Sky expressly agree to the contrary, in writing and signed between them, the terms of the Agreement shall not be construed as limiting the provisions of this Standard (and vice versa). To the extent that there is any conflict between the provisions of this Standard and the Agreement, this Standard shall prevail. Version 2.9 Review Date March 2015 Page 2 of 32

3 Tier 2 Suppliers The requirements set out in this section are only for those suppliers who are categorised by Sky as Tier 2, which are those that hold Sky s Confidential Data. The Supplier s compliance with these requirements, as they apply to personal data, will be assessed by Sky s Audit, Risk Management and Compliance ( ARMC ) department. This work will be performed prior to Supplier being given access to Sky Data and will entail, at a minimum, an assessment of the Supplier s responses to this Standard and may include an on-site audit, depending on the type of data to be held, and the volume. The process to be followed will already have been set out in writing by your Sky Business Relationship Owner. ARMC is happy to work with suppliers to address any issues that arise as a result of requiring compliance with this Standard. Where the Supplier holds external validation or certification over the systems and processes that will be used to protect Sky s Data and/or Sky Materials such as an SSAE16 (or equivalent), a copy should be provided to Sky in addition to the completion of obligations in this Standard. Suppliers will be required to complete an annual re-certification when requested by ARMC which may also involve an on-site visit, in accordance with Sky s policy of visiting all suppliers who hold Sky Data as part of a rolling programme of audits. Tier 1 Suppliers The requirements set out in this section are only for those suppliers who are categorised by Sky as Tier 1, which are those that hold Sky s Secret Data. Tier 1 suppliers must obtain annual independent certification to demonstrate the operation of the controls set out in this Standard. The independent certification must be provided prior to the initial receipt of data, and annually thereafter, in accordance with the timetable communicated to the Supplier by ARMC. The review to support such independent certification should be conducted against appropriate professional standards and be delivered against the International Standard on Assurance Engagements 3402; Assurance Reports on Controls at a Service Organisation ; an SSAE16 report; or a report in an equivalent format. The SSAE16 reports for new suppliers should be in the form of type 1, as at a point in time, to demonstrate that controls are in place prior to receiving Sky Data and, in subsequent years, in the form of type 2, which confirms the operation of the controls over the preceding 12 month period. The report must set out the controls that are in operation to demonstrate compliance with this Standard and specify the testing that has been performed by the independent verifier and the results. Version 2.9 Review Date March 2015 Page 3 of 32

4 The review should be commissioned directly by the Supplier and should, after the initial submission, be for the 12 month period ending 31 December of each year. The report should be executed by PriceWaterHouseCoopers, E&Y, Deloitte, KPMG, Grant Thornton or Detica. A Supplier who intends to use an alternative verifier must seek approval in writing from Sky in advance to confirm that the verifier is acceptable to Sky. The terms used in this standards document are defined in Appendix 1. Version 2.9 Review Date March 2015 Page 4 of 32

5 Sky Security Standard for Tier 2 Suppliers The following requirements apply only to those suppliers who have been designated by Sky as Tier 2. The requirements for Tier 1 suppliers are set out in a separate section in this document. 1 Anti-Bribery and Corruption 1.1 The Supplier shall provide a copy of employee codes of conduct covering anti-bribery and corruption, whistle-blowing and ethics policies in place that have been clearly communicated to all staff. 1.2 Show that there are mechanisms in place to ensure compliance with these policies. 2 Data Protection Governance 2.1 Accountability for data protection across all jurisdictions is clearly assigned. 2.2 A clear data protection policy, which includes retention and destruction times, is in place. 2.3 Day to day responsibilities for data protection have been clearly defined and communicated to all relevant staff. 2.4 A training log demonstrating that all staff with access to Sky Data have successfully completed data protection training is maintained. 2.5 Staff are aware that they need to notify Sky of any security breaches relevant to Sky. 2.6 A process is in place to advise Sky of any data protection breaches. 2.7 There have been no unreported data breaches in the last 12 months. 3 Notice, Choice and Consent 3.1 Supplier will advise Sky in writing if the processing of data changes from what was originally intended under the contract with Sky, and this must be notified to Sky before any change in processing occurs. 3.2 The Supplier will provide individuals whose data is likely to be processed with an additional privacy notice, before such additional processing, that specifies how the Supplier intends further to process the data and for what specified purpose. 3.3 The processing of Sky Data will be justified either: Version 2.9 Review Date March 2015 Page 5 of 32

6 (i) (ii) through having obtained the consent of the individuals; or by another condition notified to Sky in advance of the change. 4 Data Collection 4.1 Data collected and/or processed by the Supplier will be restricted only to that which is required to fulfil the Services. 4.2 Where marketing activities are carried out on Sky s behalf, such marketing must be carried out in accordance with the scope of the individuals permissions, and such scope and permissions can be evidenced for each individual. 4.3 There are controls in place to ensure that consumers chosen marketing preferences are adhered to. 4.4 Where web sites are used to collect Sky Data and/or cookie codes, this is done in accordance with the privacy notice displayed on the website and any other applicable privacy and cookie statements. 4.5 Supplier has a policy explaining how it uses personal data and cookies (if they are used). 5 Subject Data Access 5.1 Supplier staff are aware how to identify a subject access request ( SAR ) and what to do when they receive a SAR relating to Sky Data. 5.2 The Supplier has the requisite functionality on all systems which will hold Sky Data and/or Sky Materials to enable the Supplier to comply with SARs on a timely basis. 6 Data disclosure to Third Parties (including for all Subcontractors) 6.1 Where Sky Data will be processed by third parties including Subcontractors, the Supplier will provide: (i) A list of all third parties; (ii) What data will be accessible by them; and (iii) How the Supplier will ensure the data is kept secure. This includes, for example, outsourced data centres or call recording suppliers. Version 2.9 Review Date March 2015 Page 6 of 32

7 6.2 Where Sky Data is processed by a third party, written contracts are in place with all such third parties to cover the disclosure of Sky Data to them. The Supplier will state whether those contracts require the third parties to have in place the same levels of control and security as set out in this standard and how the Supplier assures this is the case. 6.3 If Sky Data will be processed outside the European Economic Area, there is a written agreement in place covering such processing. This would include, for example, where data or backups are processed by teams in overseas outsourced data centres or in the Cloud. 7 Supplier Responsibilities and Subcontractor Management 7.1 Responsibilities for physical security, risk management and IT security are clearly defined and allocated. 7.2 The Supplier has a contractual obligation to conduct a full annual security audit of all Subcontractors who will hold Sky Data. The Supplier has conducted such audits at the Subcontractor in the past; or The Supplier intends to conduct such audits if the Subcontractor is new under the proposed contract and the Supplier will notify Sky by when these audits will be conducted. 7.3 The Supplier will notify Sky if it intends to process Sky Data and/or Sky Materials in such a way as to aggregate and/or anonymise the data for Supplier use. 7.4 The Supplier will notify Sky if it intends to process or otherwise make use of Sky Data, and/or Sky materials for any purpose other than that which is directly required for the supply of the Services. 7.5 The Supplier maintains a register of data protection breaches, reportable to Sky, which includes breaches that have arisen under the conduct of a Subcontractor. 7.6 All complaints relating to personal data, including complaints received by Subcontractors are captured and recorded. 8 Personnel Security 8.1 Where appropriate to the nature and classification of data handled by the Supplier, and as agreed with Sky, screening checks may be conducted on Supplier Personnel including reference checks and, where applicable, financial probity checks. As appropriate to the job role and permitted by law, criminal record checks are to be conducted. Where appropriate, these checks are refreshed on a periodic basis. Version 2.9 Review Date March 2015 Page 7 of 32

8 The results are logged and recorded. 8.2 All Supplier Personnel sign an agreement which requires them to keep information confidential. This also covers Sky Data and/or Sky Materials. 8.3 The Supplier has a comprehensive code of conduct in place which includes requirements for Supplier Personnel to demonstrate awareness of procedures around breaches of security. 8.4 As part of the Agreement, Supplier Personnel are required to agree to adhere to all Supplier company policies, rules and procedures, including applicable data protection policies. 8.5 There is a clear process to handle Supplier Personnel who terminate their services with the Supplier. Access to Sky Data, facilities and Sky Materials is removed from those Supplier Personnel within one week. 9 Physical and Environmental Security 9.1 The Supplier has a clearly defined physical security policy and related standards. 9.2 The requirements of the physical security policy are applied to all locations that will be used to support Sky operations, including locations used by Subcontractors who will process Sky Data. 9.3 Access to all entry points where Sky Data will be processed, including those at locations used by Subcontractors, is restricted and logged. 9.4 The access logs are reviewed. 9.5 Controls are in place at all premises where Sky Data will be held, to prevent unauthorised individuals from entering. 9.6 Physical and environmental controls are in place within the data centre(s) and communications rooms, including those provided or used by Subcontractors, in order to protect against the loss or damage to the premises or equipment. 9.7 The areas in 9.6 above are covered by an internal and external CCTV system which is used and monitored. The system has sufficient coverage and capability to monitor reception areas, exit / entry points, and vulnerable or sensitive / confidential working areas. 9.8 A monitored alarm system is in place across all sites to be used for Services. 9.9 A clear desk policy is operated at all sites where Sky Data is processed. Version 2.9 Review Date March 2015 Page 8 of 32

9 10 Incident Response 10.1 All security incidents are logged with their origin and resolution recorded There is a clear escalation process. 11 Business Continuity and Disaster Recovery 11.1 There are business continuity and disaster recovery plans in place The plans are tested annually Off-site backups are taken on a regular basis and are encrypted and securely transported Capacity monitoring is in place for those systems that will support the Services 12 IS Security 12.1 The Supplier adopts Sky s IS security policy and standards; or The Supplier has its own IS Security policy of equal rigour in place, and will provide a copy to Sky All Supplier systems and related control processes to be used to process Sky Data are compliant with Sky s Group IS Security policies and standards; or Supplier systems that will be used to transmit and/or store Sky Data adhere to the supplier's own IS security policy. This includes but is not limited to: Network (including firewall and intrusion detection) security Malicious code prevention including anti-virus (state frequency of updates) Encryption (provide type) Masking of personal data (for financial transactions) Patching (state frequency and approach, particularly with reference to security patches and associated criticality) Cookies (state how supplier adheres to applicable privacy law requirements as illustrated by ICO guidance) 12.3 All Sky Data is transferred or exchanged via secure channels and/or where technically possible, subject to an appropriate level of encryption Penetration testing is regularly conducted on the network perimeter and infrastructure, and websites used to host, process or transmit Sky Data. Version 2.9 Review Date March 2015 Page 9 of 32

10 12.5 The Supplier will provide details of the date the last tests were performed and whether any identified issues have been resolved Reviews of firewall and remote access logs are performed on a periodic basis Systems which will hold Sky Data enforce areas such as: (i) Unique user identification and prevention of shared logon credentials; (ii)complex passwords (state the minimum length enforced by the systems and applications processing Sky Data, whether they are alpha numeric and what the expiry period is); (iii) Controls to track the addition and deletion of users and regular review of allocated rights and privileges; (iv) Controls to log sensitive user transactions; (v) Default (admin) user name and passwords are changed; and (vi) Segregation of duties System development, test, and production environments are separated to reduce the risks of unauthorised access or changes All new services, applications and tools used to enable or support the hosting, processing or transmission of Sky Data, or changes made to them, are subject to an appropriate level of testing conducted in accordance with appropriate guidance (such as OWASP) before launch. Sky Data is not used for testing purposes unless it has been suitably anonymised such that it no longer represents personally identifiable data Use of any media to record, store or process Sky Data (including hard copy output, laptops, USB sticks, pen drives, CDs, or other magnetic media) is suitably authorised, handled, transported and encrypted There is a log of system changes which details why the changes were required, who approved them and how and when the changes were executed. 13 Data Management 13.1 The Supplier follows Sky s Data Retention and Destruction policy and standards or alternatively the Supplier has its own policy of equal rigour, and will provide a copy to Sky The Supplier will state its proposed retention period for Sky Data (listed by type if a single period is not to be enforced) Processes are in place to ensure and demonstrate compliance with the policy The Supplier has a process in place to ensure maintenance of the integrity and accuracy of Sky Data. Version 2.9 Review Date March 2015 Page 10 of 32

11 13.5 The Supplier has a process to authorise who receives all reports that the Supplier intends to generate that contain Sky Data. 14 Customer Protection 14.1 Where Services involve the Supplier in direct interaction with customers, the Supplier provides ID passes for those personnel who will interact with customers, for example by visiting customers premises The Supplier has a procedure in place for dealing with vulnerable customers. 15 Continued Compliance 15.1 The Supplier will maintain compliance with this Standard at all times during the provision of the Services and will notify Sky promptly in the event that it is not at any time fully compliant The Supplier will provide any other information that would assist Sky in assessing the Supplier s control environment relevant to the services provided to Sky. Version 2.9 Review Date March 2015 Page 11 of 32

12 Sky Security Standards for Tier 1 Suppliers The following requirements apply only to Tier 1 suppliers and should, as noted, be subject to independent verification. 1 Anti-bribery and Corruption 1.1 The Supplier shall at all times: - maintain an anti-bribery and corruption policy which complies with the Bribery Act 2010 and any other applicable statute, regulation or industry code, and has top level management support; - ensure that proportionate procedures are put in place to mitigate the bribery risks faced by its organisation; - ensure that the anti-bribery and corruption policies are adequately communicated to employees and appropriate training is provided and can be evidenced; and - ensure that a whistle blowing policy/grievance procedure exists so that alleged instances of bribery and/or corruption can be reported on a confidential basis and that there is a means available for personnel to report security issues other than via line management as necessary. 2 Data Protection 2.1 The Supplier shall at all times ensure that a Data Protection policy exists, across all jurisdictions, to safeguard data in accordance with the terms of the Agreement, the Data Protection Act 1998 and any other applicable statute, regulation or industry code. 2.2 Where any Sky Data is intended to be transferred, stored or processed outside the European Economic Area ( EEA ) the Supplier shall provide in advance of any transfer full details of the locations and what data is to be transferred, stored or processed outside the EEA for Sky approval, such approval not to be unreasonably withheld. 2.3 The Supplier shall maintain a controlled paper environment by ensuring that paperwork shall be kept to a minimum and where appropriate for the services provided to or on behalf of Sky, that Sky customer financial data (including, but not limited to, payment card or bank detail) is never written down or otherwise extracted from the appropriate system. 2.4 The Supplier shall ensure that shredding facilities or confidential waste bins are present in each operations area and a process is implemented to suitably dispose of such material securely. Version 2.9 Review Date March 2015 Page 12 of 32

13 3. Payment Card Industry Data Security Standards (where applicable to services) 3.1 Where financial transactional functionality is (or becomes) a part of Services to Sky, the Supplier shall: - comply with the latest version under the PCI DSS requirements; - maintain a strategy for PCI DSS compliance in accordance with the Supplier s corporate information security policy which addresses each of the PCI DSS requirements and shall assign responsibility for PCI DSS to a designated person or compliance function; - provide evidence annually to Sky of PCI compliance through external certification or self-assessment declaration; - provide Sky with access to evidence that is used in supporting the supplier s PCI compliance accreditation upon request; - ensure that a current network configuration diagram is produced and maintained to show clear data flows (including Sky s payment card transactions) and to ensure that all connections (including Sky s cardholder data) are identified, including any wireless networks; - not disclose Sky cardholder data to any third party or entity with the exception of where this is authorised by Sky under the provision of Services to Sky or required by law; - maintain and provide on request a scope of the environment that is included in the assessment (e.g. Internet access points, internal corporate network) and identify any areas that are excluded from the PCI DSS Sky cardholder data environment; - maintain and provide on request details of any gap analysis that has been produced either internally or by a PCI DSS Qualified Security Advisor (QSA). This shall include details of the most recent Self-Assessment Questionnaire or Report on Compliance; - maintain and provide on request results of the most recent mandatory compliance or vulnerability scans as required by the PCI DSS; - maintain and provide on request details around any compensating controls to achieve risk mitigation in areas which do not meet the PCI DSS requirements; and - inform Sky immediately on any changes affecting the Supplier s compliance status. Version 2.9 Review Date March 2015 Page 13 of 32

14 4 Suppliers Responsibilities and Subcontractor Management (including Cloud services) 4.1 The Supplier shall have in place a dedicated in-house security risk management function or nominate an appropriate member of the Supplier personnel to take ownership of the control areas. A nominated individual shall act as the point of contact for Sky, ensure adherence to the escalation process, facilitate any review meetings and manage any remediation and restoration plan in the event of any breach. 4.2 The Supplier shall maintain a register of the security risks related to the provision of its Services to Sky, to Sky Data and to Sky Materials. That register shall be maintained to show the nature and extent of, and progress made in, mitigating the identified risks. 4.3 The Supplier shall notify Sky, and obtain Sky approval, before engaging any subcontractors including but not limited to data centres used in the provision of the Services to Sky. 4.4 The Supplier shall provide full details of any Subcontractor(s) that as a minimum shall include company name, address, location, type of services to be provided and the volume, frequency and nature of Sky Data to be used. 4.5 The Supplier shall: - not process or otherwise make use of Sky Data, and/or Sky Materials for any purpose other than that which is directly required for the supply of the Services; - only perform such Services in accordance with the Agreement; - not purport to sell, let for hire, assign rights in or otherwise dispose of any of Sky Data or Sky Materials; - not make Sky Data or Sky Materials available to any third party without the prior approval of Sky; and - not commercially exploit Sky Data or Sky Materials unless expressly approved by Sky. 4.6 The Supplier shall establish and at all times maintain safeguards against the destruction, loss or alteration of Sky Data and Sky Material in the possession of the Supplier. 4.7 The Supplier shall ensure that it maintains written agreements with all Subcontractors that contain security controls, service definitions and delivery levels commensurate with the requirements set out in this document, and such are implemented, operated, and maintained by the Subcontractor(s) at all times and in any event the Supplier must ensure that such controls, definitions and levels are in place before: - any data is processed by the Subcontractor; and Version 2.9 Review Date March 2015 Page 14 of 32

15 - the Subcontractor commences the provision of services to Sky or the Supplier. 4.8 The Supplier shall conduct annual security audits at all Subcontractors to confirm that the controls set out in this document and as noted in 4.7 above are in place and being operated by the Subcontractor and the Supplier will maintain evidence of these audits to include any security risks, recommendations and remedial actions suggested and implemented. Supplier security audits shall be conducted in accordance with this Standard and in any event before: - any data is processed by the Subcontractor; and - the Subcontractor commences the provision of services to Sky or the Supplier. 4.9 The Supplier shall provide a copy of the audit reports to Sky upon request. The Supplier shall notify Sky of any identified issues or deficiencies and the timeframes for their resolution on an on-going basis The Supplier shall ensure that it is not reliant on any key single individual to support Services anywhere in its supply chain. 5 Personnel Security before employment 5.1 The Supplier shall ensure that a written policy exists for pre-employment screening and that the screening status and results of all Supplier personnel on the Sky account or with access to Sky Data or materials are fully collated, kept on record and made available to Sky for audit and compliance purposes. 5.2 The Supplier shall obtain two references prior to personnel completing training, and commencing operations to process Sky s data. Such references may be verbal, but must be verified, fully documented and auditable. Where reasonably possible, the Supplier shall obtain at least one reference from a previous employer or academic professional. 5.3 The Supplier shall ensure that the application process and contractual process contain declarations to cover criminal convictions as per the terms of the Rehabilitation of Offenders Act 1974, pending criminal investigations or adverse financial probity judgements such as county court judgments or bankruptcy rulings. 5.4 The Supplier shall have a comprehensive disciplinary policy, code of conduct & work rules in place to protect the interests and safety of Supplier personnel and the Services. That policy, code of conduct or work rules shall clearly define breaches of security, indicating examples of what is classed as misconduct and the possible consequences of such misconducts. 5.5 The Supplier shall ensure that the application process and contractual process include requirements to obtain authorisation to cover pre or post-employment ( Security Screening Waivers ), including authorisation for the Supplier to obtain County Court Judgment, and/or Criminal Record reports where appropriate and relevant. Version 2.9 Review Date March 2015 Page 15 of 32

16 5.6 As appropriate to the job role and permitted by law, the Supplier shall ensure that a basic level criminal record check and security disclosure is conducted with Disclosure Scotland or other reputable agency (the Criminal Record Checks ) against all Supplier personnel who process Sky s data or materials and that these checks are completed before the personnel process Sky s data. If the declarations or the relevant Criminal Record Check reveal adverse findings then the Supplier shall comply with Sky s CRC non-acceptance criteria guidelines (provided by Sky to the Supplier from time to time and incorporated into the Agreement by reference) and outlined at Appendix 2 and shall in every case bring this to Sky s attention for consultation. 5.7 Where the Supplier s business function includes financial payment transactions, the Supplier shall ensure that a financial probity check (including checks for adverse County Court Judgments and bankruptcy rulings) is conducted with Experian or other reputable agency (the Financial Probity Check ) against all Supplier personnel who process Sky Data. If the declarations or the relevant Financial Probity Check reveal any adverse County Court Judgments or bankruptcy rulings then the Supplier shall comply with Sky s financial probity non-acceptance criteria guidelines as provided by Sky to the Supplier from time to time and outlined at Appendix Where appropriate to the nature and classification of data handled by the Supplier and as agreed with Sky, the Supplier shall ensure that all Background Checks (which shall mean reference check, if appropriate to the job role and permitted by law, criminal record checks and, if applicable, the Financial Probity Check) shall be conducted at the Supplier s cost and within a reasonable time period and in any event shall be completed prior to such Supplier personnel commencing provision of the Services (excluding training). The Supplier shall bear all training and attrition costs if any Supplier personnel are removed from the Services as a result of an adverse finding on any declaration or Background Check. 5.9 The Supplier shall ensure that all personnel sign a non-disclosure agreement relating to Sky Data and Sky Materials in the possession of the Supplier The Supplier shall ensure that all personnel enter into a written contract of employment under which they agree to adhere to all company policies, rules/procedures, including all data protection policies, and agree to assign all intellectual property created in the course of providing the Services The Supplier shall ensure that a Security module forms part of the compulsory induction and training programme sufficient to include data protection, acceptable use policy, issues of confidentiality and company standards. 6 Personnel Security during employment 6.1 Where appropriate to the nature and classification of data handled by the Supplier and as agreed with Sky, the Supplier shall conduct a sample of random Background Checks on existing personnel on an annual basis. 6.2 The Supplier shall review requirements on a regular basis with respect to security Version 2.9 Review Date March 2015 Page 16 of 32

17 awareness and knowledge of fraud and security issues with Supplier personnel and its pre-approved Subcontractors throughout the provision of the Services. 6.3 The Supplier shall ensure that all personnel who process Sky Data have the appropriate qualifications, skills and training to support the Services. 6.4 The Supplier shall consult Sky Group Security on a timely basis where personnel are subject to a change of circumstance and assessed to be a risk to the Services, Sky Data or Sky Materials. 7 Personnel Security - termination of employment 7.1 The Supplier shall carry out a check list of actions, including exit interview, prior to the conclusion of the departing personnel s employment/assignment. This checklist of actions shall also cover cancellation of access control privileges, user ID's/passwords and all other entitlements required for access to the Supplier and Sky Systems and recovery of any asset(s) that may contain Sky Data and Sky Materials. 8 Facilities and Equipment Security 8.1 The Supplier shall provide and maintain suitable accommodation, facilities, equipment, space, furnishing, utilities and fixtures necessary to provide secure physical premises that provide a safe working environment to provide the Services to Sky and which adequately protect against loss or damage to the premises or to the equipment. 8.2 The Supplier shall protect power and telecommunications infrastructure carrying data or supporting information services from interception or damage. 8.3 The Supplier shall implement uninterruptible power supplies ( UPS ) for critical infrastructure and shall test the UPS regularly. 8.4 The Supplier shall ensure that all power supplies and fire safety mechanisms undergo regular maintenance checks and that facilities comply with appropriate health and safety standards. 8.5 Where Sky Data or Sky Materials are stored or processed, the Supplier shall provide sufficient secure storage space for personnel to store those personal effects that are capable of capturing and storing Sky Data and shall ensure that personnel utilise such storage space. 8.6 The Supplier shall ensure that prominent security signage or information in suitable electronic form detailing security policies and requirements are provided and displayed in all relevant locations where Sky Data is processed. 8.7 The Supplier will not perform the Services from alternate sites, without obtaining the prior written consent of Sky, and any processing at alternate sites will be approved by, and implemented at no additional cost to, Sky (unless any relocation is due to a specific request from Sky) and as far as reasonably practicable without causing any material Version 2.9 Review Date March 2015 Page 17 of 32

18 disruption to the business of Sky or the Services. 8.8 Where Sky agrees to a shared Site, the Supplier shall: - as a minimum, segregate or ring-fence the area in which the Services take place for Sky or advise Sky in advance if this is not possible and obtain agreement to the site security being implemented; and - ensure that the Services and facilities required to provide the Services to Sky permit Sky s data to be separately identified from the Supplier s other customers. 9 Physical Security 9.1 The Supplier shall implement a policy identifying the requirements for physical access and control of such access at its Sites. 9.2 Where an automated access control system is deployed, the Supplier shall ensure that the system captures and records all access control events and that this record is reviewed on an appropriate on-going basis. In the event that an automated access control system is not able to check and verify all access enabled is using employee ID passes, and is not able to prevent tailgating, the Supplier shall deploy a physical security function, or other mitigating control, to enforce compliance in this area. 9.3 The Supplier shall ensure that all Supplier personnel are individually identifiable and issued with unique ID passes, which shall then be worn and visible at all times unless alternative arrangements have been agreed in advance with Sky. 9.4 The Supplier shall be responsible for retrieving the identification cards of any Supplier personnel that have had their assignment/employment terminated, transferred or where those personnel otherwise no longer require access to the Site. 9.5 The Supplier shall ensure that an appropriate policy is in place to manage loss of ID cards and ID cards not available for use at a specific location by Supplier personnel. 9.6 The Supplier shall operate a sign-in procedure for any visitors to the Sites, which, as a minimum, requires visitors to prove their identity, log their name, company, the time and date and the name of the person whom they are visiting at the relevant Sites. 9.7 Without prejudice to any of Sky s remedies, sanctions for breaches of security requirements shall be governed by the Supplier s disciplinary policy. 9.8 The Supplier shall deny entry to visitors to the Sites who are not legitimately connected with the Services being performed unless they are duly authorised to do so by the appropriate management. 9.9 The Supplier shall inform all visitors of the existence of Site security policies. Version 2.9 Review Date March 2015 Page 18 of 32

19 9.10 The Supplier shall ensure that there is a manned guarding or other physical security presence during hours of operation to Sites which are processing or storing Sensitive Sky Data unless alternative arrangements have been agreed in advance with Sky in writing The Supplier shall ensure that there is a physical security response capability during out of hours periods for those Sites storing or processing Sky Data The Supplier shall ensure security response personnel are instructed to take action as appropriate or escalate the incident to a manager The Supplier shall have in place an internal and external CCTV system with sufficient coverage to monitor reception areas, exit/entry points, and vulnerable or sensitive/confidential working areas The Supplier shall implement, operate, support, and maintain alarm systems (including appropriate environmental alarms), and access mechanisms The Supplier shall ensure a clear desk policy is operated and maintained within the Sites where Sky Data is stored or processed When using data centre rackspace, the Supplier shall have the ability to identify Sky rackspace and equipment used in the provision of the Services as well as implement appropriate access controls to the equipment used in the provision of the Services With the exception of key Supplier personnel, the Supplier shall ensure that no mobile devices are taken into the operations area. 10 Incident Response 10.1 The Supplier shall at all times maintain a security incident response procedure In the provision of Services to Sky and as part of the security incident response procedure, if the Supplier becomes or is made aware of any contravention of privacy or security requirements relating to the data, or of unauthorised access to the Systems, Sky Data, Sky Materials or any Sky Systems including the Sky Network, the Supplier shall: - immediately report the incident to Sky Group Security and to the business relationship owner; - promptly provide Sky with a written report setting out the details of the contravention of the data security requirements and describing any Sky Data, Sky Materials and/or Sky Systems which have or may have been compromised; - provide Sky, at no additional cost, with all assistance required to restore the Sky Data and any other assistance that may be required by Sky - preserve evidence to include collection, retention and presentation to Sky Group Security; Version 2.9 Review Date March 2015 Page 19 of 32

20 - return to Sky any Sky Data and/or Sky Materials; - comply with all reasonable directions of Sky; and - take immediate remedial action to secure the Sky Data, Sky Materials and /or Sky Systems and to prevent reoccurrences of the same or similar contravention and provide Sky with details of such remedial action If either a criminal situation or a breach of security rules occurs involving personnel providing Services to Sky and such criminal situation or breach of security becomes known to the Supplier, Sky must be notified as soon as practicable of the facts surrounding the same. 11 Business Continuity Management 11.1 The Supplier shall identify the activities and processes that support Sky Services and conduct a risk assessment of potential interruptions and identify their likely consequences The Supplier shall develop a business continuity plan to restore business operations following an interruption or failure to business processes ( Business Continuity Plan ) within a time period agreed to be acceptable by Sky The Business Continuity Plan shall include arrangements to inform and engage appropriate Sky personnel in its execution The Supplier shall test the Business Continuity Plan at least annually, unless otherwise agreed in advance by Sky The Supplier shall at least annually review and update, as necessary, the Business Continuity Plan. 12 Network Security 12.1 The Supplier shall maintain the confidential nature and integrity of Sky Data and Sky Materials and the consistency of the Supplier and the Systems and data isolation needs by: - utilising secure network architecture and operations; - ensuring that networks carrying Sky Data are designed, built, monitored, and managed according to industry standards, best practices and frameworks such as, but not limited to, ISO27001, TOGAF, OWASP ITIL., such that they enforce the required information security policy boundaries; - boundaries must prevent unauthorised access to Systems and Sky Data by default and allow only explicitly authorised and authenticated access; Version 2.9 Review Date March 2015 Page 20 of 32

21 - restricting and monitoring the use of tools and utility programs capable of overriding Systems; - utilising and maintaining appropriate firewall and security screening technology that is designed to: o o prevent unauthorised access to the Supplier and Sky Systems by prohibiting all access by default and explicitly allowing authorised access; and appropriately limit access to Sky Data and Sky Material processed by the Supplier Systems The Supplier shall ensure that anti-virus and firewall protection systems are implemented in relation to both internal and external traffic and ensure that: - firewall platforms are hardened; - firewalls have real-time logging and alerting capabilities; - intrusion detection systems are implemented where Internet connections exist; and - access lists are implemented on network routers to restrict access to sensitive internal networks or servers Remote support access shall be controlled via a secure gateway that implements the following controls: - two factor authentication (e.g. security tokens) combined with a valid, unique, user account which ensures personal accountability; - access via a secure gateway (e.g. a firewall); - remote support accounts only enabled for the duration of troubleshooting activity; and - all activity is logged and reviewed The Supplier shall provide evidence that any third party remote support of Supplier systems is authorised, governed by a contract detailing security requirements, including logging of activity and that access is given with the minimum required privileges and revoked on completion The Supplier shall have in place an internet, and acceptable use policy and shall ensure that appropriate controls are in place and documented to prevent unauthorised access or download of software or web content by Supplier personnel The Supplier shall ensure that utility programs capable of overriding system and application controls shall be restricted and tightly controlled. Version 2.9 Review Date March 2015 Page 21 of 32

22 12.7 The Supplier shall provide evidence on request by Sky of a chosen intrusion detection strategy ( IDS ), what methods are employed, whether these are recognised IDSs or whether there is a reliance on other controls in place (firewalls, network router/switch protection) and whether the function is outsourced The Supplier shall ensure that regular penetration testing exists as part of a vulnerability strategy and shall agree the scope of penetration testing for the Services with Sky. Further, the Supplier shall notify Sky of the results of testing and take action on the recommendations in timescales commensurate with the associated risks. 13 Protection against Malicious Code 13.1 The Supplier shall install and maintain operational anti-virus protection software on all relevant Supplier systems. The Supplier and its Subcontractor(s) shall use all reasonable endeavours to detect hidden code or data that is designed to, or may have the effect of: - destroying, altering, intercepting, withholding, corrupting or facilitating the theft of, any Sky Data or Sky Material; - disabling or locking software or systems; or - using undocumented or unauthorised access methods for gaining access to Sky Data, Sky Material or the Systems The Supplier shall ensure that anti-virus software and anti-virus definition files are updated for all Supplier Systems that receive, hold, process or send Sky Data in accordance with the relevant vendor s guidelines and on a timely basis The Supplier shall promptly notify Sky as soon as it becomes aware of viruses in the Systems, directly affecting Sky Data, and provide a report to Sky describing any incident and what measures were taken to prevent any reoccurrence. 14 Platform and Application Security 14.1 The Supplier shall ensure that: - platforms and infrastructure used to receive, store, process or send Sky Data are built using consistent and formally documented platform build standards; - all unnecessary services are removed or disabled from platforms in accordance with the vendors recommendations and active settings and software are security hardened; - development, testing, production and operational facilities are separated both physically and logically to reduce the risks of unauthorised access or changes to the operational system; - duties and responsibilities are segregated to reduce opportunities for Version 2.9 Review Date March 2015 Page 22 of 32

23 unintentional or unauthorised modification or misuse of Sky Data; - applicable policies and procedures are enforced to protect Sky Data associated with the interconnection of Supplier and Sky Systems; - appropriate patch management procedures are in place to remain current with platform security fixes, and conduct adequate testing; - all software installed on platforms used to receive, store or process Sky Data is authorised and fully licensed; and - where cryptographic controls are implemented, they are securely managed using documented policy procedures, keys are subject to appropriate management and key changes are made under dual control Where financial transactional functionality is (or becomes) a part of the Services, the Supplier shall provide data masking functionality in relation to bespoke software in respect of any financial data (including but not limited to debit/credit card and direct debit banking information) which Supplier handles for, or on behalf of, Sky This section is applicable only where the Supplier is providing application development and/or service provision - The Supplier must document and implement a formal and secure process for software development and/or the acquisition of software and systems receiving, storing, processing or sending Sky Data, whether in-house or through one of its Subcontractors; - The Supplier shall define, document and maintain, and make available to Sky upon request, technical security standards (including secure build configuration) for applications and systems used for receiving, storing, processing or sending Sky Data. New systems and applications must comply with this Standard (as updated from time to time and notified to Supplier); - The Supplier shall ensure that change control procedures are agreed and documented as regards the development of or implementation of or operation of bespoke systems used for receiving, storing, processing or sending Sky Data and that such documented procedures require that detail as to why the change was required and how and when the changes were executed are recorded and also include an emergency change process; - The Supplier shall ensure that all new application developments, changes to existing systems, upgrades, and new software in relation to the Services have considered security control requirements, based upon the identified risks, and that all deliverables are tested and subject to an appropriate level of vulnerability scanning prior to being released to Sky, or being used as part of the Services; - The Supplier shall ensure that application development is done in accordance with generally accepted good practice and that appropriate code review and validation controls are operated; Version 2.9 Review Date March 2015 Page 23 of 32

24 - The Supplier shall ensure that live Sky Data and information may not be used for test purposes without the explicit agreement of Sky. Data and information to be used for test purposes must otherwise be anonymised, scrambled or otherwise rendered in such a way that no live Sky Data or information can be reconstructed from that used for test purposes unless explicitly approved by Sky; - The Supplier shall ensure that access to program source code is restricted and strictly controlled; and - The Supplier shall ensure that back out procedures are documented prior to implementing any change or promoting a new piece of software. 15 System Management 15.1 The Supplier shall maintain systems security measures to guard against unauthorised access, alteration, interception, destruction, corruption of information through processing errors, system faults, loss or misuse of Sky Data. As a minimum, these measures should: - require all users of the Systems to enter a unique user identification code or number and password prior to gaining access to the Systems; - control the data which a user can access and/or amend and ensures that appropriate authorisation has been granted before processing any change; - control and track the addition and deletion of users of the Systems; - control and track user access to areas and features of the Systems; and - require the Supplier to operate controls to ensure that access to Sky Data and systems is granted at the minimum level necessary to achieve business objectives, access privileges are amended or removed when business requirements or objectives change and leavers accounts are removed promptly The Supplier shall provide Sky with a record of such access from time to time where Sky reasonably requests such information The Supplier shall ensure that system clocks are synchronised with an agreed accurate time source. The Supplier shall ensure that logs are maintained which contain times stamped details on user activity and critical system events and which are periodically reviewed by an appropriate level of management; 15.4 The Supplier shall ensure that sufficient segregation is applied to any equipment operated by the Supplier for services offered to Sky unless explicit authorisation is given by Sky for exceptions The Supplier shall ensure that capacity requirements are monitored and Systems and networks are regularly reviewed so that they are scaled accordingly. Version 2.9 Review Date March 2015 Page 24 of 32

Third Party Security Compliance Standard for BBC Suppliers

Third Party Security Compliance Standard for BBC Suppliers Third Party Security Compliance Standard for BBC Suppliers BBC Third Party Security Requirements Standard Author Christina Coutts Department ISGC (Policy, Compliance and Risk) Version History Version Date

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information 6 th Floor, Tower A, 1 CyberCity, Ebene, Mauritius T + 230 403 6000 F + 230 403 6060 E ReachUs@abaxservices.com INFORMATION SECURITY POLICY DOCUMENT Information Security Policy Document Page 2 of 15 Introduction

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

PCI DSS Requirements - Security Controls and Processes

PCI DSS Requirements - Security Controls and Processes 1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

Introduction. The steps involved in using this tool

Introduction. The steps involved in using this tool Introduction This tool is designed to cover all the relevant control areas of ISO / IEC 27001:2013. All sorts of organisations and Because it is a general tool, you may find the language challenging at

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

TELEFÓNICA UK LTD. Introduction to Security Policy

TELEFÓNICA UK LTD. Introduction to Security Policy TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

Intel Enhanced Data Security Assessment Form

Intel Enhanced Data Security Assessment Form Intel Enhanced Data Security Assessment Form Supplier Name: Address: Respondent Name & Role: Signature of responsible party: Role: By placing my name in the box above I am acknowledging that I am authorized

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

PCI Data Security and Classification Standards Summary

PCI Data Security and Classification Standards Summary PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers

More information

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10 Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

ECSA EuroCloud Star Audit Data Privacy Audit Guide

ECSA EuroCloud Star Audit Data Privacy Audit Guide ECSA EuroCloud Star Audit Data Privacy Audit Guide Page 1 of 15 Table of contents Introduction... 3 ECSA Data Privacy Rules... 4 Governing Law... 6 Sub processing... 6 A. TOMs: Cloud Service... 7 TOMs:

More information

INFORMATION SECURITY PROCEDURES

INFORMATION SECURITY PROCEDURES INFORMATION AN INFORMATION SECURITY PROCEURES Parent Policy Title Information Security Policy Associated ocuments Use of Computer Facilities Statute 2009 Risk Management Policy Risk Management Procedures

More information

Draft Information Technology Policy

Draft Information Technology Policy Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software

More information

Addendum Windows Azure Data Processing Agreement Amendment ID M129

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

Miami University. Payment Card Data Security Policy

Miami University. Payment Card Data Security Policy Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that

More information

LSE PCI-DSS Cardholder Data Environments Information Security Policy

LSE PCI-DSS Cardholder Data Environments Information Security Policy LSE PCI-DSS Cardholder Data Environments Information Security Policy Written By: Jethro Perkins, Information Security Manager Reviewed By: Ali Lindsley, PCI-DSS Project Manager Endorsed By: PCI DSS project

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

SRA International Managed Information Systems Internal Audit Report

SRA International Managed Information Systems Internal Audit Report SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

SUPPLIER SECURITY STANDARD

SUPPLIER SECURITY STANDARD SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

A Rackspace White Paper Spring 2010

A Rackspace White Paper Spring 2010 Achieving PCI DSS Compliance with A White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

Information Security Policy

Information Security Policy Central Bedfordshire Council www.centralbedfordshire.gov.uk Information Security Policy January 2016 Security Classification: Not Protected 1 Approval History Version No Approved by Approval Date Comments

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

Vermont Information Technology Leaders

Vermont Information Technology Leaders Vermont Information Technology Leaders HIPAA COMPLIANCE POLICIES AND PROCEDURES Policy Number: InfoSec 1 Policy Title: Information Privacy and Security Management Process IDENT INFOSEC1 Type of Document:

More information

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Mission Statement Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance

More information

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Data Protection Policy

Data Protection Policy London Borough of Enfield Data Protection Policy Author Mohi Nowaz Classification UNCLASSIFIED Date of First Issue 10/08/2012 Owner IGB Issue Status DRAFT Date of Latest Re-Issue 12/09/2012 Version 0.6

More information

Policy Document. Communications and Operation Management Policy

Policy Document. Communications and Operation Management Policy Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author

More information

Aberdeen City Council IT Security (Network and perimeter)

Aberdeen City Council IT Security (Network and perimeter) Aberdeen City Council IT Security (Network and perimeter) Internal Audit Report 2014/2015 for Aberdeen City Council August 2014 Internal Audit KPIs Target Dates Actual Dates Red/Amber/Green Commentary

More information

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. Copyright 2016 Table of Contents INSTRUCTIONS TO VENDORS 3 VENDOR COMPLIANCE PROGRAM OVERVIEW 4 VENDOR COMPLIANCE

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

Information Security Policy

Information Security Policy You can learn more about the programme by downloading the information in the related documents at the bottom of this page. Information Security Document Information Security Policy 1 Version History Version

More information

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect.

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. PRIVACY POLICY 1. Introduction Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. We will only collect information that

More information

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network...

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network... Contents 1 Purpose... 2 2 Scope... 2 3 Roles and Responsibilities... 2 4 Physical & Environmental Security... 3 5 Access Control to the Network... 3 6 Firewall Standards... 4 7 Wired network... 5 8 Wireless

More information

Spillemyndigheden s Certification Programme Information Security Management System

Spillemyndigheden s Certification Programme Information Security Management System SCP.03.00.EN.1.0 Table of contents Table of contents... 2 1 Objectives of the... 3 1.1 Scope of this document... 3 1.2 Version... 3 2 Certification... 3 2.1 Certification frequency... 3 2.1.1 Initial certification...

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

Access Control Policy

Access Control Policy Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

Spillemyndigheden s Certification Programme Information Security Management System

Spillemyndigheden s Certification Programme Information Security Management System SCP.03.00.EN.1.0 Table of contents Table of contents... 2 1 Introduction... 3 1.1 Spillemyndigheden s certification programme... 3 1.2 Objectives of the... 3 1.3 Scope of this document... 4 1.4 Definitions...

More information

DATA AND PAYMENT SECURITY PART 1

DATA AND PAYMENT SECURITY PART 1 STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

Name: Position held: Company Name: Is your organisation ISO27001 accredited: Third Party Information Security Questionnaire This questionnaire is to be completed by the system administrator and by the third party hosting company if a separate company is used. Name: Position held:

More information

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid. Microsoft Online Subscription Agreement Amendment adding Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Proposal ID MOSA number Microsoft to complete This Amendment

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013 05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version November 3, 2015 1. Scope and order of precedence This agreement (the Data Processing Agreement ) applies to Oracle s Processing of Personal

More information

Huddersfield New College Further Education Corporation

Huddersfield New College Further Education Corporation Huddersfield New College Further Education Corporation Card Payments Policy (including information security and refunds) 1.0 Policy Statement Huddersfield New College Finance Office handles sensitive cardholder

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

Human Resources Policy documents. Data Protection Policy

Human Resources Policy documents. Data Protection Policy Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and

More information

6-8065 Payment Card Industry Compliance

6-8065 Payment Card Industry Compliance 0 0 0 Yosemite Community College District Policies and Administrative Procedures No. -0 Policy -0 Payment Card Industry Compliance Yosemite Community College District will comply with the Payment Card

More information

Information Security Policy

Information Security Policy Information Security Policy Last updated By A. Whillance/ Q. North/ T. Hanson On April 2015 This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY Page 1 of 6 Summary The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

Risk Management of Outsourced Technology Services. November 28, 2000

Risk Management of Outsourced Technology Services. November 28, 2000 Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the

More information

Information Circular

Information Circular Information Circular Enquiries to: Brooke Smith Senior Policy Officer IC number: 0177/14 Phone number: 9222 0268 Date: March 2014 Supersedes: File No: F-AA-23386 Subject: Practice Code for the Use of Personal

More information

Music Recording Studio Security Program Security Assessment Version 1.1

Music Recording Studio Security Program Security Assessment Version 1.1 Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND

More information

Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between

Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen Supplementary data protection agreement to the license agreement for license ID: between...... represented by... Hereinafter referred to as the "Client"

More information

California State University, Sacramento INFORMATION SECURITY PROGRAM

California State University, Sacramento INFORMATION SECURITY PROGRAM California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY ICT OPERATING SYSTEM SECURITY CONTROLS POLICY TABLE OF CONTENTS 1. INTRODUCTION... 3 2. LEGISLATIVE FRAMEWORK... 3 3. OBJECTIVE OF THE POLICY... 4 4. AIM OF THE POLICY... 4 5. SCOPE... 4 6. BREACH OF POLICY...

More information