Enterprise Information Security Procedures


GHL Network Services Ltd
Enterprise Information Security Procedures
Prepared By: Nigel Gardner
Date: 16/11/09

Contents
1. Openwork's Information Security Policy
2. Enterprise Information Security Procedures
3. Physical Security - Business Premises
4. IT Security
5. Staff Recruitment and Leavers
6. Training
7. Third Party Vetting & Contracts
8. Email & Fax Procedures
   8.1 Email
   8.2 Fax
9. Caller Verification - Release of Client Information
10. Retention & Disposal of Client Information and IT Hardware
   10.1 Methods of destruction - Physical files
   10.2 Electronic files and documents
11. Reporting the loss or theft of information
12. Information Classification and Ownership
13. Monitoring

1. Openwork's Information Security Policy

Openwork's policy and procedures are intended to ensure that personal information is hard to steal or lose and that only authorised people have access to it. Openwork will ensure client information is treated as a precious resource. This means:
- We keep it secure
- We only share it when we need to
- We only allow fit and proper people to see it
- We use it skilfully

This policy is driven from the need to support statements we have made to our clients and to fulfil our obligations to our regulators:
- We've told the client, in the DP leaflet, "You can be sure we'll keep your personal information confidential and use it with care".
- The FSA makes a connection between the loss of personal information, identity theft and financial crime; they therefore require all FSA regulated firms to take appropriate care of client personal information, as made clear in the FSA papers:
  o Fact Sheet "Your responsibilities for customer data security" (April 2008)
  o "Data Security in Financial Services" (April 2008)
- The Data Protection Act requires you to keep information secure. Principle 7: "Appropriate measures shall be taken against unauthorised or unlawful processing or accidental loss of personal data".

2. GHL Network Services Ltd ("GHL") Information Security Procedures

This document draws all the Information Security Policy and Procedures into one place. The procedures define the minimum standards that must be achieved. Everyone in GHL will have received a copy of these procedures and confirmed they have been received and the content understood. GHL will maintain a record of when they were seen.

3. Physical Security - Business Premises

Access to client information is controlled by:
- Locked building, room or cabinet as appropriate
- Clear Desk policy
- Screen savers which are password protected, automatically activated after 10 minutes (see IT Security Standards on the Portal - Home -> Financial Crime Prevention -> Information Security -> Procedure Templates and Guides -> IT Security Standards)
- Desktops and laptops that have whole disk encryption (see IT Security Standards on the Portal, at the same location as above)
- Locking business premises when unattended
- Access restrictions
- Computer security when out of office, e.g. not left in the boot of a car

Clear Desk Policy

In accordance with Openwork's requirements GHL operate a clear desk policy. This means keeping desks and other surfaces clear of any client information and records of logon IDs and passwords.

4. IT Security

The security of computer hardware and the client information held on it is documented in the IT Security Standards on the Portal (Home -> Financial Crime Prevention -> Information Security -> Procedure Templates and Guides -> IT Security Standards). This covers high level requirements including:
- Encryption
- Anti-virus
- Passwords (changes & complexity)
- Maintenance of computer equipment logs (records of serial numbers and encryption keys etc.)
- Backups & safe storage
- Networks, wireless, internet
- External storage (CD, data stick, smart phones and other portable media)
- Databases
- Access rights limiting access to systems (such as Senro or Quay)
- Specialist IT consultancy

All PCs (laptops & desktops) must be encrypted to protect clients against the possibility of their details being lost or stolen. In addition, all USB data sticks used must similarly be encrypted using AES 256 bit hardware encryption.

5. Staff Recruitment and Leavers

Taking on staff

GHL will ensure that all staff have the honesty and integrity to handle client information. GHL has staff that are subject to vetting by Openwork and also those with access to client information that are not. These are, for example, Category 2 PAs, Admin Plus, receptionists and admin staff, and it may also have temporary and contract staff (see also Third Party Vetting and Contracts).

Staff not vetted by Openwork, with access to client information:
- GHL is responsible for the vetting of all staff with access to client information
- A record of the information obtained is kept on the staff member's personnel file to show why it was satisfied that the person was fit and proper
- For evidence of identification GHL will complete a proof of identity template form (similar to the client CVI form) on the Portal (Financial Crime Prevention -> Information Security -> Related Documents). The authenticity of this identification should be tested as far as is reasonably possible with recourse to publicly available information sources
- References from previous employers are obtained covering the last 12 months where appropriate
- References provided by the staff member are not appropriate to accept
- If a credit check is to be undertaken the staff member must give permission
- Where GHL decides to carry out a Criminal Records Bureau check it must obtain permission before doing so

Staff with no access to client information:
- Where staff members do not have access to client information, it is not necessary to carry out a fit and proper check; however, evidence will be retained of why the staff member does not require the vetting

Changes in Role and Responsibilities

GHL must be alert to the risk that a change of role or multi-tasking may allow a non-vetted staff member to handle client information. If this happens, the vetting procedure above must be applied and the information collected recorded on the Personnel File.

Leavers

When any staff leave, precautions are taken to ensure they no longer have access to client information. Where appropriate the following will take place:
- Return of keys / swipe cards
- Cancellation of personal computer passwords and user accounts
- Return of all portable IT equipment and software provided by GHL
- Providers' microsites will be notified for cancellation of logon rights
- Where leavers have their own machines, Openwork software and client data belonging to GHL will be removed (e.g. OTPm and ETi software and databases)
- Regulated Support will be notified of any staff member that leaves in order to remove Portal access
- Change of other user passwords if there is a possibility they are known to the leaver

6. Training

It is important that everyone, the Practice Principals, the Advisers and the administrators, understands the importance and relevance of information security and how to keep client information secure. Openwork has training modules, available through the Portal, on Financial Crime (FC) and Data Protection (DP). All Advisers and Enterprise staff must complete the FC and DP modules before they start handling client information:
- Advisers: the training modules are available through Insight and are part of the annual refresher cycle (and induction training)
- Enterprise staff with Portal access: the training modules are available on the FC and DP pages (Home -> Quality -> Financial Crime, and Home -> Quality -> Data Protection)
- Enterprise staff without Portal access: print off the training modules from the FC and DP pages and log the completion of the training on their personnel file

Manual records will be kept of the date of the training in order that refresher training can be undertaken once a year.

7. Third Party Vetting & Contracts

GHL may involve third parties in a number of aspects of its activities which may allow access to, or the opportunity to access, client information. These are (but may not be limited to):
- Maintenance of premises (including landlords)
- Physical security of premises
- Cleaning
- Secure disposal of waste, including waste containing client information
- Delivery of urgent documents
- Remote back-up of computer records
- IT support
- File archiving
- Appointment making

Vetting of Third Parties

A reasonable risk based approach is taken when carrying out due diligence checks on third parties. The arrangements may not be as formal as a contract, as they may be with an individual on a personal arrangement (e.g. a cleaner).
- Evidence of identity will be obtained from each company or individual providing a service. This may be a certificate of incorporation or evidence of the company's existence taken from Companies House. GHL takes account of Openwork's CVI Procedures.
- For individuals doing some work for GHL, evidence of identification is required. GHL will complete a proof of identity template form (similar to the client CVI form) on the Portal (Financial Crime Prevention -> Information Security -> Related Documents). The authenticity of this identification should be tested as far as is reasonably possible with recourse to publicly available information sources
- Where a contract exists between GHL and a third party, this will contain specific clauses detailing the third party's obligations in respect of information security where appropriate
- Copies of the third party's recruitment and information security procedures should be reviewed. These should be equivalent to those in place at GHL
- Evidence of the checks carried out and the procedures reviewed, evidence of the assessment carried out and a copy of the contract should be retained on a file specific to each third party supplier

8. Email & Fax Procedures

8.1 Email

Email is not a confidential means of communication. GHL recognises that email messages can be very easily read by those for whom they were not intended and recognises particularly that e-mails can be:
- intercepted by third parties (legally or otherwise)
- wrongly addressed
- forwarded accidentally
- forwarded by initial recipients to third parties against our wishes
- viewed accidentally on recipients' computer screens

Personal information is not communicated by email unless the express permission of the subject has been obtained and can be evidenced, or unless adequate protection (password or encryption) has been employed. See Portal Home -> IT Support -> IT How To Guides -> IT Security and Guidelines.

Email is not relied on for record-keeping purposes. Where long term accessibility is an issue, e-mail records are transferred to a more lasting medium or other electronic environment.

Your GHL Network Services email address must be used for all business communications, and personal data relating to clients must be encrypted. Further details of the email procedures are documented in the Openwork IT Security and Guidelines (see Portal Home -> IT Support -> IT How To Guides -> IT Security and Guidelines).

8.2 Fax

Fax services are not reliable and are replaced with secure email wherever possible, as documents may be intercepted or misdirected due to operator or technical error. Personal medical details are not faxed. When sending a fax, it is good practice to check the recipient's number before sending. The person sending the fax will phone ahead to warn the recipient of the transmission of personal information.

9. Caller Verification - Release of Client Information

Before personal client information is released the identity of the caller will be verified using the checks below (notes 1-4 follow the checks).

Who's calling: Client. Who's answering: Adviser / Administrator
- If the callers have a well established relationship (1): voice recognition
- Compulsory information (2): caller full name, caller address, caller DOB, caller phone number
- Two items of optional information required (3): plan number, NI number, product held, provider/lender, maiden name, partner's name, partner's DOB
- ID checks fail (4): the call may be returned, but only to a number that was previously known to belong to the caller

Who's calling: Openwork Support Centre. Who's answering: Adviser / Administrator
- If the callers have a well established relationship (1): voice recognition
- Compulsory information (2): caller full name, caller job role
- Two items of optional information required (3): full plan numbers, case ID. If the Adviser / Administrator is concerned, offer them the opportunity to call back via the switchboard number from the Portal
- ID checks fail (4): if the Adviser / Administrator does not wish to proceed, end the call politely and write to them

Who's calling: Adviser / Administrator. Who's answering: Client
- If the callers have a well established relationship (1): voice recognition
- Compulsory information (2): caller to inform the client who they are and who they represent
- Optional information (3): if the client is concerned, offer the client the opportunity to check the caller's identity via the published phone number / switchboard of the firm
- ID checks fail (4): if the client does not wish to proceed, end the call politely and write to them

Notes:
1. Voice recognition alone is an acceptable verification, but only if the caller is known well enough. If the caller can be confidently verified from their voice, then the compulsory or optional information is not needed. Relying solely on voice recognition must be used with extreme caution and should be backed up by conversational identification checks. The FSA has cast doubt on the ability of an adviser or other person to recognise the voice of all their clients. The reliance on voice recognition must be proportionate to the number of clients you have and how often you speak to them.
2. If the caller cannot quickly confirm the details, i.e. without stuttering or unreasonable delay, then the call will be ended without releasing the requested information.
3. These lists are not exhaustive and are provided to indicate the nature of information that may be considered suitable.
4. If the ID checks fail, the call may still be returned but only to a number that was known to belong to the caller prior to the call, e.g. previously noted home number, SWIFT recorded phone number or via the appropriate switchboard. If this approach is used, the verification checks will still be made but different optional information will be used to identify the person being spoken to.

10. Retention & Disposal of Client Information and IT Hardware

Personal information will only be collected and kept if there is a regulatory requirement or a good business reason to do so. Keeping information for longer than is necessary increases the risk of information loss. GHL follows Openwork's guidance on the retention period for client information as set out in the Compliance Manual and the Data Protection pages (see Portal Home -> Quality -> Data protection).

10.1 Methods of destruction - Physical files

These are treated as confidential waste and disposed of securely.

10.2 Electronic files and documents

Electronic material and computer memories (hard drives, magnetic tapes, CDs, DVDs etc.) are erased prior to (or as part of) the disposal procedure. This is done by:
- Physical destruction of the hard drive or other storage medium, or
- Specialist software is used to ensure computer disks are completely erased before they are disposed of

Records of the date and method of destruction, including which software was used, are retained in GHL's Computer Equipment Log.

11. Reporting the loss or theft of information

Loss of or theft of information could include:
- Laptop being lost or stolen
- Missing memory stick
- Paper records missing or stolen
- Back-up disks lost or stolen
- Misdirected fax or email
- Physical damage (by, for example, fire, flood etc.)

Action for Advisers and administrators

Immediately report discovery or suspicion to the GHL Data Protection Officer (DPO) and the Openwork DPO, providing as much detail as possible as to the circumstances and the nature of the information at risk.

Action for GHL's Data Protection Officer

Inform the Openwork DPO immediately (see Portal Home -> Quality -> Data protection -> Loss or theft of data).

Openwork Support

Openwork will support GHL to ensure appropriate action is taken to mitigate the risks of Clients, Advisers, Enterprises, Openwork and its partner businesses falling victim to financial crime. GHL and Openwork will work together to:
- Inform the Police if theft or criminal activity is suspected and obtain a crime report number
- Review the circumstances leading to the information loss to assess whether new procedures or controls are required, or whether existing ones need updating
- Contact clients and providers (where necessary) to ensure they'll be able to take steps to prevent loss (they may both seek compensation if loss can be demonstrated as arising from the compromised information)

12. Information Classification and Ownership

This table lists the information classifications for Openwork. When determining how information is to be treated these criteria are referred to:

UNCLASSIFIED / INTERNAL USE (Low Risk, Low to Medium Value)

UNCLASSIFIED information can be disclosed to anyone. It is known to the market and would not violate an individual's right to privacy. Knowledge of this information does not expose the Enterprise or Openwork to financial loss, embarrassment, or jeopardise the security of our assets.

INTERNAL USE ONLY information, due to its technical or business sensitivity, is limited to the Enterprise or Openwork staff or personnel covered by a non-disclosure agreement. If there is unauthorised disclosure, there would be minimal impact to the Enterprise, Openwork, its clients, or staff.

Examples - Unclassified:
- Marketing information
- Published annual and interim reports
- Business cards
- Interviews with news media
- Issued press releases
- Internet (unless otherwise marked)

Examples - Internal Use Only:
- Routine administrative & office information
- Policies and procedures
- System requirements
- Telephone directory

CONFIDENTIAL / HIGHLY CONFIDENTIAL (High Risk, High / Critical Value)

CONFIDENTIAL information is defined as information whose unauthorised disclosure, compromise, or destruction would have an adverse impact on the Enterprise, Openwork, its clients, or staff. Financial loss, damage to reputation, loss of business, and potential legal action could occur. It is intended solely for use within the Enterprise or Openwork and is limited to those with a business need-to-know.

HIGHLY CONFIDENTIAL information (the highest level of classification) is information that is share-price sensitive or whose unauthorised disclosure, compromise, or destruction would result in severe damage, provide a significant advantage to a competitor, or cause penalties or great embarrassment to the Enterprise, Openwork, its clients or staff. It is intended solely for restricted use within the Enterprise or Openwork and is limited to those explicitly identified in advance as requiring access to the information.

Examples - Confidential:
- Business plans
- Budget information
- System configurations
- Proprietary software

Examples - Highly Confidential:
- Credit card / bank account details
- Client databases
- Client personal or policy information
- Sensitive personal information (which includes data on racial or ethnic origin, political, religious or philosophical opinions, beliefs or activities, trade union membership and related activities and opinions, health, private life or sex life, social welfare measures, administrative and criminal prosecution and sanctions)

13. Monitoring

GHL will conduct an annual Data Security Controls Assessment (DSCA) (see Portal Home -> Quality -> Information Security -> DSCA). GHL will make an Annual Declaration that the assessment has been done.