DATA SECURITY POLICY. Data Security Policy

Transcription

1 Data Security Policy

2 Contents 1. Introduction 3 2. Purpose 4 3. Data Protection 4 4. Customer Authentication 4 5. Physical Security 5 6. Access Control 6 7. Network Security 6 8. Software Security 7 9. Disposing of Removable Media Destruction of Data Auditing and Monitoring Contingency Planning Recruitment and Training Summary 9 Issue Date: 02-Feb-15 Classification: PUBLIC Version: 1.6 Page: 2

3 1. Introduction Outsourcery understands the importance of data security and makes every effort to ensure that customer data held on systems and within the data centres are fully protected. The company recognises that the confidentiality, integrity and availability of information and data created, maintained and hosted by Outsourcery and its customer s is vital to the success of the business. The management of Outsourcery views these as primary responsibilities and fundamental to best business practice and as such has adopted the Information Security Management System Standard BS ISO/IEC 27001:2005 as its means to manage and meet the following objectives: 1.1. Comply with all applicable laws, regulations and contractual obligations including the Data Protection Act Implement continual improvement initiatives, including risk assessment and treatment strategies, while making the best use of its management resources to meet and improve information security system s requirements Communicate its Information Security objectives and its performance in achieving these objectives, throughout the Company and to interested parties Adopt an Information Security Management System (ISMS) comprising of a security manual and procedures that provides direction and guidance on information security matters relating to employees, customers, suppliers and interested parties who come into contact with the Company s work Work closely with their customers, business partners and suppliers in seeking to establish Information Security Standards Adopt a forward-looking view on future business decisions, including the continual review of risk evaluation criteria, which may have an impact on Information Security Train all members of staff in their needs and responsibilities for Information Security Management Constantly strive to meet, and when possible, exceed, its customers and staff expectations Information Security shall be considered in job descriptions and when setting staff objectives where applicable Appropriate Information Security training and awareness shall be provided to all staff to ensure principals and practices are embedded in the company culture. Issue Date: 02-Feb-15 Classification: PUBLIC Version: 1.6 Page: 3

4 2. Purpose The purpose of this document is to provide information about the procedures Outsourcery implements to ensure the security of its customers data, software and systems. This document will cover the following areas: Customer Authentication Physical Security Access Control Network Security Software Security Disposal of Removable Media Auditing and Monitoring Contingency Planning Recruitment and Training This policy applies to all Outsourcery employees or any other individual or supplier working for Outsourcery. The Outsourcery management team are responsible for ensuring full compliance with this policy. 3. Data Protection Data Protection relates to obtaining, disclosing, recording, holding, using, erasing or destroying personal information and ensures a business recognises what level of information an individual can be provided with. Outsourcery PLC and/or individuals can be liable to prosecution or an individual may seek compensation through the courts for any damage suffered as a result of disclosing sensitive information. Using inaccurate / out of date data annoys customers and can waste time and money. 4. Customer Authentication Any requests to Outsourcery from Customers, for information about their service, must be validated to ensure they are who they say they are. This will reduce the risk of loss of confidentiality, and breaches of the Data Protection Act Outsourcery employees must follow the process below to authenticate a customer prior to discussing a service or divulging any information. Obtain a Mobile Phone Number. / Account Number. / Domain Name (to access account). Verify the business address (including postcode). Confirm the password. If the password is confirmed NO FURTHER QUESTIONS ARE NECESSARY. Issue Date: 02-Feb-15 Classification: PUBLIC Version: 1.6 Page: 4

5 If there is no password, or it cannot be confirmed, it is NECESSARY TO OBTAIN TWO ADDITIONAL (therefore 4) pieces of account specific information from the following: No. of services Date of next/last change Payment method/ Bank details Tariff details including cost Bolt on s, Last billed amount If an individual has been verified by following the above process then the Data Protection Act has been adhered to. Particular care needs to be paid to any requests for specific usage or financial data. Please ensure this is sent directly to an address specific to the business and secured in-line with the Information Classification Policy. 5. Physical Security Outsourcery s data centre facilities are diversely located in London and Leicester and connected by secure, resilient high speed back-up links. Both of our data centres have the following physical security features in place to protect both equipment and customer data. All racks within the data centres are equipped with fully lockable doors which only authorised engineers have access to. Proximity door locks are fitted on all internal and external doors and extensive CCTV monitoring systems are installed on all internal and external walls. CCTV monitoring systems include motion detection features that trigger CCTV recording in the event of any movement both inside and outside of the data centres (within the cameras range). All windows are fitted with steel bars and anti-ram raid bollards are in place outside of the facility. There is also a third party manned security presence in place twenty four hours a day, seven days a week. In order to mitigate any potential threat associated with power and environmental conditions, Outsourcery operates Uninterruptible Power Supply (UPS) systems and diesel generators on all of it sites to ensure that services remain available in the event of a power failure. Outsourcery does not permit unaccompanied access to the data centre facilities. Full access control systems are in place that only allows 3rd Line Support Engineers access to secure areas; no other employees, customers or third parties are authorised to access these areas unless accompanied by an authorised engineer. All visitors are required to provide one week s prior written notice of their visit and produce photo ID upon arrival at the data centre. All Outsourcery staff are required to carry their site access and identification card with them at all times and access is restricted to authorised areas only. At Outsourcery s Head Office, the security team reserves the right to refuse access to anyone without a site access card. Site security must be informed of all visitors in advance of their visit and access is refused to any individual considered to be a security risk. Issue Date: 02-Feb-15 Classification: PUBLIC Version: 1.6 Page: 5

6 6. Access Control Access to Outsourcery s internal systems, hosting platform and customer servers is permitted for authorised personnel only. All persons must be positively identified by providing a secure User ID and password before being given access to system resources. All servers, routers, firewalls and network equipment are protected by password access controls. All passwords are randomly generated for optimum security to prevent intruders gaining unauthorised access to systems and data. Only Outsourcery s 3rd Line Engineers have full access to the hosted platforms, each engineer having their own individual login for optimum security. Authorised support staff have Admin access to hosted services in order to provide technical support to customers. Where 3rd Line Engineers require access to Outsourcery s network and systems remotely via VPN, advanced RSA security is implemented providing two factor authentication. Outsourcery only uses industry leading HP enterprise-class servers for all hosting infrastructure requirements and customer dedicated server solutions. All servers include security management features as standard that consist of power-on password, keyboard password, USB port control and administrator password. 7. Network Security Outsourcery s data centre facilities are either wholly owned or fully enclosed dedicated area s therefore not shared with any other providers or organisations. The sites all have secure back-up links to data centre facilities in both Manchester and London for network redundancy and security, and multiple internet breakouts across redundant and geographically disparate networks using BGP peering. This ensures that services are available to customers twenty four hours a day, seven days a week. Within our data centre facilities, fully layered networks are implemented with hardware load balanced front-end servers, clustered back-end servers and a high quality fibre channel storage network. Customer data is protected from outside access through a robust security and firewall solution. All managed services are protected by firewall installation and systems are pro-actively monitored around the clock for performance and availability. RSA authentication is implemented to control access to Outsourcery s network and systems remotely via secure VPN. Outsourcery uses industry leading Radware security appliances for parts of its network security. Radware Load Balancers incorporate a built-in Intrusion Prevention System (IPS), Access Control Lists (ACL) and an SSL-secured web interface for access by 3rd Line Engineers. All mobile devices used by Outsourcery staff to connect into the network are encrypted using Bitlocker, which prevents release of the contents in the event of loss or theft. Hard drives are encrypted to protect the hard drive in the event physical access has been obtained. Issue Date: 02-Feb-15 Classification: PUBLIC Version: 1.6 Page: 6

7 The Outsourcery hosting network on both primary and secondary sites is deployed behind a fully resilient Radware Defence Pro solution, providing Intrusion Prevention System (IPS), Network Behavioural Analysis (NBA) and Denial-of-Service (DoS) Protection, fully protecting our network against known and emerging network security threats. Resilient firewall pairs protect the hosted platforms from the outside world and finally application load balancers to manage fail over between primary and secondary services on both sites. Resilient edge firewalls are used for security, consisting of an integrated hardware and software solution that provides complete protection through twelve defence layers. These defence layers consist of the following: Network Denial of Service Protection Rate Control IP Reputation Analysis Sender Authentication Recipient Verification Virus Scanning Policy (user-specified rules) Spam Fingerprint Check Intent Analysis Image Analysis Bayesian Analysis Rule-based Scoring Our firewalls, internet connections, and production networks are all pro-actively monitored 24*7 with the network designed without any single points of failure. All customer dedicated server solutions hosted within Outsourcery s data centres are protected by dedicated firewalls. Customer data held within hosted SharePoint applications is protected by Microsoft Forefront anti-virus. For Hosted Microsoft Dynamics CRM 4.0 services, all data held within the system is automatically encrypted by 128 bit HTTPS encryption and all communications between applications on the hosted platform, regardless of service type, are encrypted by RC4 128 bit HTTPS security. 8. Software Security Outsourcery s 3rd Line Engineers are responsible for all software security updates on our hosting platforms. For customers with dedicated SharePoint solutions, 3rd Line Engineers manage the availability and control of security updates released to customers via Windows Update Server (WUS). In addition, Outsourcery operates a strict software security policy throughout the organisation to provide increased security across the network; this is governed by an IT Code of Conduct. All software loaded onto Outsourcery s IT systems must be legally purchased and licensed and access to install programmes is restricted to members of the internal IT Department. Any executable file launched on Outsourcery s infrastructure must have its suitability verified by Outsourcery s IT Department prior to rollout. Issue Date: 02-Feb-15 Classification: PUBLIC Version: 1.6 Page: 7

8 9. Disposing of Removable Media Where removable hardware or storage media requires disposal, all data is wiped from the device in advance using a Department of Defence (DoD) / Ministry of Defence (MOD) approved programme. Where a hardware component becomes faulty within a customer s server and it is necessary to return the hardware to a third party supplier or manufacturer, Outsourcery will retain the disk(s) containing data in order to maintain security and integrity. 10. Destruction of Data Data overwriting occurs on termination of service. After 30 days of being in a decommissioned state, the virtual machine and related data is removed via Systems Centre and/or storage level. Data destruction is carried out when a hardware device is being retired or has failed, but is still operable. Blancco is utilised to securely remove data. Disks that are not accessible through normal disk mounting processes will be securely destroyed or degaussed by an approved third party. Certificates of destruction are provided as evidence of secure and ethical destruction. Disks under warranty are replaced by the suppler only after the data removal process has been carried out. 11. Auditing and Monitoring Outsourcery implements Border Gateway Protocol (BGP) for network routing based on path, network policies and rule sets. All issues are logged by Service Requests and major faults or problems relating to the network are escalated to the Head of Infrastructure and the Operations Director where appropriate. 12. Contingency Planning In line with our ISO certification, Outsourcery operates its own disaster recovery procedures. In the event of any security issue being identified, an escalation process is in place whereby engineers are alerted by Service Request. Upon completion of the remedial work and resolution of the fault, the Service Request is closed. Where necessary, a Service Request will be escalated to the Head of IT Operations and, for major incidents, the Operations Director. Outsourcery has a continued, ongoing commitment to data security and availability. A full disaster recovery plan is in place across multiple geographic locations for complete network redundancy and data security. This plan is built in line with guidelines and best practice derived from ISO standard Business Continuity Management. In addition, Outsourcery reserves the right to restrict, suspend or terminate any aspect of a customer s service if it is believed that the use of the service constitutes a security threat to Outsourcery or any other users on the hosted platforms or Outsourcery network. Issue Date: 02-Feb-15 Classification: PUBLIC Version: 1.6 Page: 8

9 13. Recruitment and Training All candidates employed by Outsourcery are subject to screening. As part of this process, all references are followed up for new employees and security training is included within both the induction training programme and also ongoing. Outsourcery implements an internal IT Code of Conduct that all employees must adhere to so as to ensure security and integrity of software, systems, hardware and data, in line with the requirements of ISO All employees with operational responsibilities are subject to Baseline Personnel Security Standard checks. 14. Summary Outsourcery is a Microsoft Gold Partner holding a number of Microsoft competencies for which engineers are trained. Outsourcery has achieved the following Microsoft competencies: Midmarket Solution Provider Hosting Content Management OEM Hardware Customer Relationship Management Portals & Collaboration Search Outsourcery takes data security and data management very seriously. The security, availability and integrity of data held both within the data centre facility and on our hosted platforms are of utmost importance and a key priority of the business. Outsourcery therefore continues to review and develop its security policies, processes and procedures on an ongoing basis in order to both maintain and improve these levels, in line with Outsourcery s ISO certification. Any suspected breaches or incidents should be reported immediately via security@outsourcery.co.uk or via the internal Outsourcery Security Incident Process. Issue Date: 02-Feb-15 Classification: PUBLIC Version: 1.6 Page: 9