
Data Security Policy

1. Document Status

Security Classification: Level 4 - PUBLIC
Version: 1.0
Status: DRAFT
Approval Life: 3 Years
Review By: June 2011
Owner: Secure Research Database Analyst
Change History: Version 1

Contents

1. Document Status
2. Overview
3. System
4. Scope
5. Classification Guidance
6. Encryption Guidance
7. Electronic Data Retention and Deletion Guidance
8. Data Security and Third Party Service Delivery
9. Disposal of Media
Appendix A: Cabinet Office minimum scope of protected personal data
Appendix B: Risks, ISO27001 controls and remedial actions related to this policy
   1. Risks
   2. ISO 27001 Controls
   3. Remedial Actions

2. Overview

All data that the Institute holds should be classified according to their sensitivity, and stored, accessed and processed according to that classification. Classification is an important component of knowing how these data may be used within the guidelines laid down by many of the Institute's data providers and project funders. Correctly classifying data, and then using them only according to the appropriate stipulations, is an important part of preventing data leaks and of minimising the impact of leaks when they do occur. Inappropriate disclosure of Confidential or Restricted data, their accidental loss or their deliberate theft could all lead to the Institute being levied with a potentially unlimited fine, as well as to a loss of reputation and a possible failure to win other research contracts.

3. System

All IOE systems.

4. Scope

All IOE data.

5. Classification Guidance

I. Classification levels

The UK Cabinet Office uses four levels of data classification: Top Secret, Secret, Confidential and Restricted. As Top Secret and Secret concern information that would potentially destabilise the UK or its allies, we are not concerned with them here. This leaves us with two data classifications (Confidential and Restricted), plus Protected (used to bring us in line with Becta's recommendations) and a Public category for all data we do not need to protect:

1. Confidential
2. Restricted
3. Protected
4. Public

II. How you should decide which category your data falls into

1. Confidential
   a. Highly personal data that will explicitly identify individuals

   b. These data may, if disclosed, put the individual at risk from identity theft, social or legal sanctions, targeting by marketing corporations or pressure groups, exposure to the national press, or threats from criminal or vigilante individuals or organisations
   c. Data elements would include, but are not restricted to: name, address, ethnicity, qualifications, criminal records, schools attended, place of work, income, religion, bank details, social habits

2. Restricted
   a. This would include business-sensitive data such as company accounts, information on commercial contracts, and intellectual property
   b. Any data that, if accidentally or deliberately leaked, could be commercially damaging or otherwise affect the reputation of the Institute
   c. It includes data that could be combined with publicly accessible data in order to identify individuals, for example names with postcodes along with criminal offences
   d. Any database containing details (of any sort) of more than 1000 individuals, other than information sourced from the public domain
   e. Incomplete reports and other documents whose integrity may be damaged by uncontrolled or unauthorised changes, or whose leakage may cause damage to the project, the project funders or the Institute

3. Protected
   a. General Institute data: original copies of public-domain reports, timesheets, internal memoranda, expenses, correspondence, instructions
   b. Any data that, if accidentally leaked, could cause embarrassment to an individual or the Institute

4. Public
   a. Data whose alteration or uncontrolled viewing will have no significant impact on the project
   b. No names and addresses combined with any other identifying information
   c. Data that are already in the public domain (e.g. information that is collated into literature reviews)

III. How should data in each category be stored?

1. Confidential
   a. On a file server that does not have Portal access to the outside world
   b. Using strict access controls: NTFS file permissions and Windows share permissions
   c. Access should only be granted to explicitly authenticated users. These access requests should be made in writing by the project director. By default, access will be blocked
   d. Logically separated from other data
   e. Machines granted access to the files should have access to USB mass storage devices blocked, and no DVD/CD writers
   f. Users should sign a non-disclosure form before being able to access the information
   g. Upon request of the data owner, placed on a dedicated isolated system that also applies controls 1.a to 1.f

2. Restricted
   a. On the Q drive
   b. In its own logically separate folder, with access controlled by NTFS file permissions and user groups
   c. Access should only be granted to explicitly authenticated users. These access requests should be made in writing by the project directors. By default, access will be blocked
   d. Machines granted access to the files should have access to USB mass storage devices blocked, and no DVD/CD writers
   e. Accessed externally on an Institute-owned, encrypted laptop that is not used for any other purpose, that has access to USB mass storage devices blocked and access to the DVD writer blocked. A non-disclosure agreement must be signed before the laptop can be taken out. Controlled by NTFS and Windows share permissions

3. Protected
   a. On the Q drive
   b. Access given to implicitly authenticated users
   c. Machines granted access to the files should have access to USB mass storage devices blocked, and no DVD/CD writers
   d. Accessed externally on an Institute-owned, encrypted laptop that is not used for any other purpose, that has access to USB mass storage devices blocked and access to the DVD writer blocked. Controlled by NTFS and Windows share permissions

4. Public
   a. There are no conditions placed on the storage or transmission of public data
   b. Public data can be created or manipulated on any machine, not just IOE machines

IV. How can data in each category be used?

1. Confidential
   a. Must never leave the boundaries of the logical container they are stored in
   b. Must ideally be accessed by RDP session, or via a network drive if the PC connecting to it is placed in a secure environment and has USB mass storage device drivers and CD/DVD drives disabled. The RDP terminal services on the host machine must have copy-and-paste and printer redirection disabled
   c. Must not be emailed, accessed from outside the Institute (except as permitted under section 6), or placed on a USB mass storage device
   d. If the data have to be moved, they must be either encrypted to AES 256-bit standard using a FIPS 140-2 validated implementation, or placed on a device that is encrypted to the same standard. If sent through the post, they must be sent by recorded delivery. Ideally they should be transferred through the HTTPS SSL Portal, another organisation's portal, or an SFTP box, with careful co-ordination at both ends to guarantee transmission and reception

2. Restricted
   a. Must only leave the boundaries of the logical container if they are moved and processed under very strict conditions (given below) and after a non-disclosure agreement has been signed by the end user
   b. Must be encrypted to 256-bit AES standard whilst in transit
   c. Must not be emailed
   d. Must never be placed on a machine that is not owned and administered by the IOE, or that is used for any purpose other than IOE-related work
   e. If sent through the post, they must be sent by recorded delivery. Ideally they should be transferred through the HTTPS SSL Portal, another organisation's portal, or an SFTP box, with careful co-ordination at both ends to guarantee transmission and reception

3. Protected
   a. Must only leave the boundaries of the Institute under the control of a user who has received data protection training and signed a non-disclosure agreement
   b. Must never be placed on a machine that is not owned and administered by the IOE, or that is used for any purpose other than IOE-related work
   c. Must not be emailed
   d. Must be transferred through the HTTPS SSL Portal, another organisation's portal, or an SFTP box

4. Public
   a. Public data may be used and accessed from anywhere, within the normal boundaries of acceptable use, security and malware considerations

6. Encryption Guidance

1. Confidential
   a. If possible, the data should be encrypted at rest. This could take the form of full disk encryption or database-level encryption. As both of these are hardware- or software-specific, encryption at rest is not always a currently available service; newly purchased hardware and software will be able to meet these specifications
   b. The backups of these data must be encrypted to AES 256-bit standard
   c. The data must be encrypted to AES 256-bit standard before they are moved or removed from their place at rest
   d. If a case can be made, using a formal risk assessment, that the data must be accessed from outside the Institute, the access method must meet the following stipulations:
      i. Access must be made via Remote Desktop across an HTTPS (SSL) connection, where the data are not transferred from the host system within the Institute's boundaries

      ii. The connecting device must have an encrypted hard drive, be accessible only via a complex username and password, and be an IOE-owned and maintained device that is not used for any other purpose
      iii. The remote desktop environment of the host system must be tightly controlled to prevent access to other data, prevent the transfer or printing of data from the system, and prevent the remote desktop environment being used for anything else

2. Restricted
   a. The data must be encrypted to AES 256-bit standard when in transit
   b. If accessed outside the Institute, the data must be accessed by and processed on an Institute laptop with a hard drive encrypted to 256-bit AES standard

3. Protected
   a. If accessed outside the Institute, the data must be accessed by and processed on an Institute laptop with a hard drive encrypted to 256-bit AES standard

4. Public
   a. Public data do not need to be encrypted or accessed using an encrypted device

7. Electronic Data Retention and Deletion Guidance

All electronic data should be retained for the legally or contractually required minimum and maximum periods of time. This will vary depending on the type of data under consideration. Departments within the Institute may have stipulations on data retention over and above the legal minimums. Please refer to your departmental Data Retention Policy for guidance on how data in your particular jurisdiction should be retained.

Data must not be retained beyond their legal or contractual lifetime, or where to do so would otherwise break the terms of the legal contract, or break the Data Protection Act 1998, the Copyright, Designs and Patents Act 1988 or the Digital Economy Act 2010. The date at which specific data should be removed from IOE systems should be clearly marked on the data themselves.

Methods of deletion of data from IOE systems at their legal or contractual point of removal must be commensurate with the data's classification:

1. Confidential
   a. The data and data container must be wiped using a file shredder conforming to the US DoD 7-pass standard

2. Restricted
   a. The data and data container must be wiped using a file shredder conforming to the US DoD 7-pass standard

3. Protected
   a. The data can be deleted using any standard deletion technique

4. Public
   a. The data can be deleted using any standard deletion technique

Please consult the helpdesk if you need to use a file shredder in order to delete data.

8. Data Security and Third Party Service Delivery

1. All third party service delivery must adhere to the Data Security Policy and handle IOE-owned data, and data held by the IOE on behalf of another organisation, in accordance with their data classification
2. Any necessary breach of the Data Classification rules must be agreed in writing by both parties, and must be risk assessed
3. The third party should provide regular reports and records of its activities, including access to and use of IOE-held data
4. The designated IOE data owner is responsible for monitoring and reviewing these reports, and for initiating audits as required
5. Changes to third party service provision will, in addition to any contractual stipulations, be subject to the process of change control as outlined in the Change Control Policy

9. Disposal of Media

1. All media should be disposed of at the end of the life of the team or project
2. Media should also be disposed of when no longer required
3. All hard drives will be degaussed or otherwise wiped to the DoD 7-pass standard during decommissioning and before disposal
4. All tape media will be degaussed during decommissioning and before disposal
5. All other media (USB mass storage devices, CD/DVD RW) will be wiped to the DoD 7-pass standard during decommissioning and before disposal
6. Non-erasable media will be destroyed during decommissioning and before disposal

7. As an aggregation of non-confidential data may become confidential, all collections of media awaiting disposal must be treated as potentially confidential. Therefore, prior to erasure and/or destruction, media awaiting disposal must be stored securely
8. The disposal of confidential data should be logged by the data owner
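The technical controls that sections 5.III, 5.IV and 6 require on the Windows file server and access machines (NTFS permissions granted only to an explicitly authorised group with access blocked by default, USB mass storage and CD/DVD writing blocked, and RDP sessions with clipboard, printer and drive redirection disabled) can be applied and then verified with PowerShell. The script below is an added example written for this page; it is not part of the original policy and not IOE's own tooling. The folder path, the group name and the use of the local registry (rather than the equivalent Group Policy settings) are assumptions for illustration, and it must be run from an elevated prompt on each machine.

```powershell
# Added example (not part of the policy): apply and verify the technical controls
# from sections 5.III, 5.IV and 6 on a Windows host. Run elevated.
# $DataFolder and $AccessGroup are assumed values for illustration.
#Requires -RunAsAdministrator

$DataFolder  = 'D:\Research\ProjectX-Confidential'   # assumed logical container for Confidential data
$AccessGroup = 'IOE\ProjectX-Confidential-Users'     # assumed AD group; membership changes only on written request

function Set-RestrictedFolderAcl {
    param([string]$Path, [string]$Group)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path
    # 5.III.1.c: blocked by default. Stop inheriting the parent's ACEs and discard them,
    # then drop anything explicit that is already there.
    $acl.SetAccessRuleProtection($true, $false)
    $acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($entry in @(
        @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Identity = $Group;                   Rights = 'Modify' }      # the only user-facing grant
    )) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry.Identity, $entry.Rights, $inherit, $none, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Set-RemovableMediaBlock {
    # 5.III.1.e: USB mass storage driver not started (Start = 4 = disabled), CD/DVD burning removed
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4 -Type DWord
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $explorer)) { New-Item -Path $explorer -Force | Out-Null }
    Set-ItemProperty -Path $explorer -Name NoCDBurning -Value 1 -Type DWord
}

function Set-RdpRedirectionBlock {
    # 5.IV.1.b and 6.1.d.iii: no clipboard (Clip), printer (Cpm) or drive (Cdm) redirection
    # out of the Remote Desktop session hosting the data
    $ts = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    if (-not (Test-Path $ts)) { New-Item -Path $ts -Force | Out-Null }
    foreach ($name in 'fDisableClip', 'fDisableCpm', 'fDisableCdm') {
        Set-ItemProperty -Path $ts -Name $name -Value 1 -Type DWord
    }
}

function Test-DataSecurityControls {
    # Returns one row per control so the result can be kept as evidence for the data owner
    param([string]$Path, [string]$Group)
    $acl   = Get-Acl -Path $Path
    $extra = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -notin @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', $Group)
    })
    $ts  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
    $exp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
    $usb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $checks = [ordered]@{
        'ACL inheritance disabled'  = $acl.AreAccessRulesProtected
        'No unexpected ACL entries' = ($extra.Count -eq 0)
        'USB mass storage disabled' = ($usb.Start -eq 4)
        'CD/DVD burning disabled'   = ($exp.NoCDBurning -eq 1)
        'RDP clipboard redirect off'= ($ts.fDisableClip -eq 1)
        'RDP printer redirect off'  = ($ts.fDisableCpm -eq 1)
        'RDP drive redirect off'    = ($ts.fDisableCdm -eq 1)
    }
    $checks.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Control = $_.Key; Compliant = [bool]$_.Value }
    }
}

Set-RestrictedFolderAcl -Path $DataFolder -Group $AccessGroup
Set-RemovableMediaBlock
Set-RdpRedirectionBlock
Test-DataSecurityControls -Path $DataFolder -Group $AccessGroup | Format-Table -AutoSize
```

Two points a practitioner should keep in mind. The NTFS ACL is only half of control 5.III.1.b: the share permissions on the exported share must be restricted to the same group, or the share permissions will be the effective ceiling rather than the NTFS ones. And disabling the USBSTOR service blocks every USB storage device, including ones already in use; in a domain the same outcome is normally achieved with the "Removable Storage Access" and "Device Installation Restrictions" Group Policy settings, and the three Terminal Services values written here are exactly what the corresponding Remote Desktop Session Host device-and-resource-redirection policies set, so in a managed estate they should be deployed by GPO and the test function used only to confirm the result on each host.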

Appendix A: Cabinet Office minimum scope of protected personal data

From http://www.cabinetoffice.gov.uk/media/cabinetoffice/csia/assets/dhr/cross_gov080625.pdf

Minimum scope of protected personal data

Departments must identify data they or their delivery partners hold whose release or loss could cause harm or distress to individuals. This must include as a minimum all data falling into one or both categories below.

A. Any information that links one or more identifiable living person with information about them whose release would put them at significant risk of harm or distress.

   1. One or more of the pieces of information which can be used along with public domain information to identify an individual: name / addresses (home or business or both) / postcode / email / telephone numbers / driving licence number / date of birth. [Note that driving licence number is included in this list because it directly yields date of birth and first part of surname.]

   combined with

   2. Information about that individual whose release is likely to cause harm or distress: sensitive personal data as defined by section 2 of the Data Protection Act, including records relating to the criminal justice system and group membership / DNA or fingerprints / bank, financial or credit card details / mother's maiden name / National Insurance number / tax, benefit or pension records / health records / employment record / school attendance or records / material relating to social services, including child protection and housing.

   These are not exhaustive lists. Departments should determine whether other information they hold should be included in either category.

B. Any source of information about 1000 or more identifiable individuals, other than information sourced from the public domain. This could be a database with 1000 or more entries containing facts mentioned in box 1, or an electronic folder or drive containing 1000 or more records about individuals.

Again, this is a minimum standard. Information on smaller numbers of individuals may warrant protection because of the nature of the individuals, the nature or source of the information, or the extent of the information.

Appendix B: Risks, ISO27001 controls and remedial actions related to this policy

1. Risks

1. Undocumented and unaudited access to Confidential or Restricted data
2. Leaking of Confidential or Restricted data
3. Financial or reputational damage to the IOE due to uncontrolled data release
4. Financial or reputational damage to a project due to uncontrolled data release
5. Lack of correct access to Confidential or Restricted data
6. Confidential or Restricted data held in inappropriate locations or on inappropriate devices

2. ISO 27001 Controls

A.7.1.1 Inventory of Assets
A.7.1.2 Ownership of Assets
A.7.1.3 Acceptable Use of Assets
A.7.2.1 Classification Guidelines
A.10.2.1 Service Delivery
A.10.2.2 Monitoring and Review of Third Party Services
A.10.2.3 Managing Changes to Third Party Services
A.10.7.2 Disposal of Media
A.10.7.3 Information Handling Procedures
A.11.6.2 Sensitive System Isolation
A.12.3.1 Policy on the use of cryptographic controls
A.12.5.4 Information Leakage

3. Remedial Actions

1. Classification of data to be undertaken by all research projects
2. Data to be handled in accordance with the guidelines provided in this policy
3. Server and end user equipment provided to make compliance possible
4. Encryption guidelines laid out for all classes of data
5. Retention and deletion guidelines laid out for all classes of data
6. Isolated systems to be set up if requested for Confidential data
7. Media to be disposed of safely and securely