Data Security Policy
1. Document Status
Security Classification: Level 4 - PUBLIC
Version: 1.0
Status: DRAFT
Approval:
Life: 3 Years
Review: By June 2011
Owner: Secure Research Database Analyst
Change History:
1
Version 1.3
Contents
Data Security Policy ........ 1
1. Document Status ........ 1
2. Overview ........ 3
3. System ........ 3
4. Scope ........ 3
5. Classification Guidance ........ 3
6. Encryption Guidance ........ 6
7. Electronic Data Retention and Deletion Guidance ........ 7
8. Data Security and Third Party Service Delivery ........ 8
9. Disposal of Media ........ 8
Appendix A: Cabinet Office minimum scope of protected personal data ........ 10
Appendix B: Risks, ISO27001 controls and remedial actions related to this policy ........ 11
1. Risks ........ 11
2. ISO 27001 Controls ........ 11
3. Remedial Actions ........ 11
2. Overview
All data that the Institute holds should be classified according to their sensitivity. Data should be stored, accessed and processed according to their classification.
The classification of data is an important component of knowing how to use these data within the guidelines laid down by many of the Institute’s data providers and project funders.
Correctly classifying data and then using them only according to the appropriate stipulations is an important part of preventing data leaks, and of minimising the impact of such leaks when they do occur.
Inappropriate disclosure of Confidential or Restricted data, their accidental loss or deliberate theft, could all lead to the Institute being levied with a potentially unlimited fine, as well as experiencing a loss of reputation and a possible failure to win other research contracts.
3. System
All IOE systems
4. Scope
All IOE data
5. Classification Guidance
I. Classification levels
The UK Cabinet Office uses 4 levels of data classification: Top Secret, Secret, Confidential and Restricted.
As Top Secret and Secret concern information that would potentially destabilise the UK or its allies, we are not concerned with them here.
This leaves us with two data classifications, plus ‘Protected’ (used to bring us in line with Becta’s recommendations) and a category for all data we do not need to protect:
1. Confidential
2. Restricted
3. Protected
4. Public

II. How you should decide which category your data falls into:
1. Confidential
a. Highly personal data that will explicitly identify individuals
b. These data may, if disclosed, put the individual at risk from identity theft, social or legal sanctions, targeting by marketing corporations or pressure groups, exposure to the national press, or threats from criminal or vigilante individuals or organisations
c. Data elements would include, but are not restricted to: name, address, ethnicity, qualifications, criminal records, schools attended, place of work, income, religion, bank details, social habits
2. Restricted
a. This would include business-sensitive data such as company accounts, information on commercial contracts, and intellectual property
b. Any data that, if accidentally or deliberately leaked, could be commercially damaging or otherwise affect the reputation of the Institute
c. It includes data that could be combined with publicly accessible data in order to identify individuals – for example names with postcodes along with criminal offences
d. Any database containing details (of any sort) of more than 1000 individuals, other than information sourced from the public domain
e. Incomplete reports and other documents whose integrity may be damaged by uncontrolled/unauthorised changes, or whose leakage may cause damage to the project, the project funders or the Institute
3. Protected
a. General Institute data: original copies of public-domain reports, timesheets, internal memoranda, expenses, correspondence, instructions
b. Any data that, if accidentally leaked, could cause embarrassment to an individual or the Institute
4. Public
Public data will have no significant impact on the project if they are altered or viewed in an uncontrolled fashion. No names and addresses combined with any other identifying information. Data that are already in the public domain (e.g. information that is collated into literature reviews).

III. How should data in each category be stored?
1. Confidential
a. On a file server that does not have Portal access to the outside world.
b. Using strict access controls: NTFS file permissions and Windows Share permissions.
c. Access should only be granted to explicitly authenticated users. These access requests should be made in writing by the project director. By default, access will be blocked.
d. Logically separated from other data.
e. Machines granted access to the files should have access to USB mass storage devices blocked, and no DVD/CD writers.
f. Users should sign a non-disclosure form before being able to access the information.
g. Upon request of the data owner, placed on a dedicated isolated system that also uses controls 1.a – 1.f.
2. Restricted
a. On the Q drive.
b. In its own logically separate folder, with access controlled by NTFS file permissions and user groups.
c. Access should only be granted to explicitly authenticated users. These access requests should be made in writing by the project directors. By default, access will be blocked.
d. Machines granted access to the files should have access to USB mass storage devices blocked, and no DVD/CD writers.
e. Accessed externally on an Institute-owned, encrypted laptop that is not used for any other purpose, that has access to USB mass storage devices blocked and access to the DVD writer blocked. A non-disclosure agreement must be signed before the laptop can be taken out. Controlled by NTFS and Windows share permissions.
3. Protected
a. On the Q drive.
b. Access given to implicitly authenticated users.
c. Machines granted access to the files should have access to USB mass storage devices blocked, and no DVD/CD writers.
d. Accessed externally on an Institute-owned, encrypted laptop that is not used for any other purpose, that has access to USB mass storage devices blocked and access to the DVD writer blocked. Controlled by NTFS and Windows share permissions.
4. Public
a. There are no conditions placed on the storage or transmission of public data.
b. Public data can be created or manipulated on any machine, not just IOE machines.

IV. How can data in each category be used?
1. Confidential
a. Must never leave the boundaries of the logical container they are stored in.
b. Must ideally be accessed by RDP session, or via a network drive if the PC connecting to it is placed in a secure environment and has USB mass storage device drivers and CD/DVD drives disabled. The RDP terminal services on the host machine must have ‘copy and paste’ and ‘printer redirect’ functionality disabled.
c. Must not be emailed, accessed remotely or placed on a USB mass storage device.
d. If the data have to be moved, they must be either encrypted to FIPS 140-2 AES 256-bit standard, or placed on a device that is encrypted to the same standard. If sent through the post, they must be sent recorded delivery. Ideally they should be transferred through the HTTPS SSL Portal, another organisation’s portal, or an SFTP box, with careful co-ordination at both ends to guarantee transmission and reception.
2. Restricted
a. Must only leave the boundaries of the logical container if they are moved and processed under very strict conditions (given below) and after a non-disclosure agreement has been signed by the end user.
b. Must be encrypted to 256-bit AES standard whilst in transit.
c. Must not be emailed.
d. Must never be placed on a machine that is not owned and administered by the IOE, or that is used for any purpose other than IOE-related work.
e. If sent through the post, they must be sent recorded delivery. Ideally they should be transferred through the HTTPS SSL Portal, another organisation’s portal, or an SFTP box, with careful co-ordination at both ends to guarantee transmission and reception.
3. Protected
a. Must only leave the boundaries of the Institute under the control of a user who has received data protection training and signed a non-disclosure agreement.
b. Must never be placed on a machine that is not owned and administered by the IOE, or that is used for any purpose other than IOE-related work.
c. Must not be emailed.
d. Must be transferred through the HTTPS SSL Portal, another organisation’s portal, or an SFTP box.
4. Public
a. Public data may be used and accessed from anywhere, within the normal boundaries of acceptable use, security and malware considerations.
6. Encryption Guidance
1. Confidential
a. If possible, the data should be encrypted at rest. This could take the form of full-disk encryption or database-level encryption. As both of these are either hardware- or software-specific, they are not always a currently available service. Newly purchased hardware and software will be able to meet these specifications.
b. The backups of these data must be encrypted to AES 256-bit standard.
c. The data must be encrypted to AES 256-bit standard before they are moved or removed from their place at rest.
d. If a case can be made using a formal risk assessment that the data must be accessed from outside the Institute, the access method must meet the following stipulations:
i. Be made via Remote Desktop across an HTTPS SSL connection, where the data are not transferred from the host system within the Institute’s boundaries.
ii. The connecting device must have an encrypted hard drive and be accessible only via a complex username and password, and must be an IOE-owned and maintained device that is not used for any other purpose.
iii. The remote desktop environment of the host system must be tightly controlled to prevent the access of other data, prevent the transfer or printing of data from the system, and prevent the remote desktop environment being used for anything else.
2. Restricted
a. The data must be encrypted to AES 256-bit standard when in transit.
b. If accessed outside the Institute, the data must be accessed by and processed on an Institute laptop with a hard drive encrypted to 256-bit AES standard.
3. Protected
a. If accessed outside the Institute, the data must be accessed by and processed on an Institute laptop with a hard drive encrypted to 256-bit AES standard.
4. Public
a. Public data do not need to be encrypted or accessed using an encrypted device.
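The Remote Desktop requirements stated in sections 5 and 6 above (copy-and-paste and printer redirection disabled on the host, USB mass storage blocked, an encrypted connecting device) can be verified mechanically on a Windows machine. The following PowerShell function is an added example and is not part of the policy or any IOE tooling; the function name is hypothetical, and it assumes the Group Policy-backed Terminal Services registry values, the USBSTOR service start type and the BitLocker PowerShell module are available on the machine being checked.

```powershell
# Added example: checks a Windows machine against the Remote Desktop and USB
# controls this policy requires for Confidential data. Not part of the policy.
# Run the redirection checks on the RDP host and the BitLocker check on the
# connecting device; USBSTOR applies to both. Function name is hypothetical.
function Test-ConfidentialHostControls {
    [CmdletBinding()]
    param()

    # Group Policy-backed Terminal Services values; 1 = redirection disabled.
    $tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    # USBSTOR service Start value 4 = disabled (blocks the USB mass storage driver).
    $usbStor  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    function Get-RegValue([string]$Path, [string]$Name) {
        # Returns $null when the value is absent so the caller can flag "not set".
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $checks = @(
        @{ Name = 'RDP clipboard redirection disabled (fDisableClip)'; Actual = Get-RegValue $tsPolicy 'fDisableClip'; Expected = 1 }
        @{ Name = 'RDP printer redirection disabled (fDisableCpm)';    Actual = Get-RegValue $tsPolicy 'fDisableCpm';  Expected = 1 }
        @{ Name = 'RDP drive redirection disabled (fDisableCdm)';      Actual = Get-RegValue $tsPolicy 'fDisableCdm';  Expected = 1 }
        @{ Name = 'USB mass storage driver disabled (USBSTOR Start)';  Actual = Get-RegValue $usbStor  'Start';        Expected = 4 }
    )

    # Policy 6.1.d.ii: the connecting device must have an encrypted hard drive.
    $bitlocker = $null
    try {
        $bitlocker = (Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop).ProtectionStatus
    } catch { }
    $checks += @{ Name = 'System drive BitLocker protection on'; Actual = $bitlocker; Expected = 'On' }

    foreach ($c in $checks) {
        [pscustomobject]@{
            Check    = $c.Name
            Expected = $c.Expected
            Actual   = if ($null -eq $c.Actual) { 'not set' } else { "$($c.Actual)" }
            # A missing value is a failure: Windows permits redirection and USB storage by default.
            Pass     = ($null -ne $c.Actual) -and ("$($c.Actual)" -eq "$($c.Expected)")
        }
    }
}

# Usage: run in an elevated session; any row with Pass = False needs remediation
# before the machine is used for Confidential data.
Test-ConfidentialHostControls | Format-Table -AutoSize
```

The check reads only the policy-level registry values; a host configured through the per-connection RDP-Tcp settings rather than Group Policy will report "not set" and should be reviewed by hand.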
7. Electronic Data Retention and Deletion Guidance
All electronic data should be retained for the legally or contractually required minimum and maximum periods of time. This will vary depending on the type of data under consideration. Departments within the Institute may have stipulations on data retention over and above the legal minimums.
Please refer to your departmental Data Retention Policy for guidance on how data in your particular jurisdiction should be retained.
Data must not be retained beyond their legal or contractual lifetime, or where to do so would otherwise break the terms of the legal contract, or break the Data Protection Act 1998, the Copyright, Designs and Patents Act 1988 or the Digital Economy Act 2010.
The date at which specific data should be removed from IOE systems should be clearly marked on the data themselves.
Methods of deletion of data from IOE systems at their legal or contractual point of removal must be commensurate with the data’s classification:
1. Confidential
a. The data and data container must be wiped using a file shredder conforming to the US DoD ‘7 passes’ standard.
2. Restricted
a. The data and data container must be wiped using a file shredder conforming to the US DoD ‘7 passes’ standard.
3. Protected
a. The data can be deleted using any standard deletion technique.
4. Public
a. The data can be deleted using any standard deletion technique.
Please consult the helpdesk if you need to use a file shredder in order to delete data.
8. Data Security and Third Party Service Delivery
1. All third party service delivery must adhere to the Data Security Policy and handle IOE-owned data and data held by the IOE on behalf of another organisation in accordance with its data classification.
2. Any necessary breach of the Data Classification rules must be agreed in writing by both parties, and must be risk assessed.
3. The third party should provide regular reports and records of its activities, including access to and use of IOE-held data.
4. The designated IOE data owner is responsible for monitoring and reviewing these reports, and initiating audits as required.
5. Changes to third party service provision will be – in addition to any contractual stipulations – subject to the process of change control as outlined in the Change Control Policy.
9. Disposal of Media
1. All media should be disposed of at the end of the life of the team or project.
2. Media should also be disposed of when no longer required.
3. All hard drives will be degaussed or otherwise wiped to DoD 7 passes standard during decommissioning and before disposal.
4. All tape media will be degaussed during decommissioning and before disposal.
5. All other media (USB mass storage devices, CD/DVD RW) will be wiped to DoD 7 passes standard during decommissioning and before disposal.
6. Non-erasable media will be destroyed during decommissioning and before disposal.
7. As an aggregation of non-confidential data may become confidential, all collections of media awaiting disposal must be treated as potentially confidential. Therefore, prior to erasure and/or destruction, media awaiting disposal must be stored securely.
8. The disposal of confidential data should be logged by the data owner.
Appendix A: Cabinet Office minimum scope of protected personal data
From http://www.cabinetoffice.gov.uk/media/cabinetoffice/csia/assets/dhr/cross_gov080625.pdf
Minimum scope of protected personal data
Departments must identify data they or their delivery partners hold whose release or loss could cause
harm or distress to individuals. This must include as a minimum all data falling into one or both
categories below.
A. Any information that links one or more identifiable living person with information about
them whose release would put them at significant risk of harm or distress.
1. One or more of the pieces of information which can be used along with public domain information to identify an individual:
   Name / addresses (home or business or both) / postcode / email / telephone numbers / driving licence number / date of birth
   [Note that driving licence number is included in this list because it directly yields date of birth and first part of surname]
combined with
2. Information about that individual whose release is likely to cause harm or distress:
   Sensitive personal data as defined by s2 of the Data Protection Act, including records relating to the criminal justice system, and group membership
   DNA or fingerprints / bank, financial or credit card details / mother’s maiden name / National Insurance number / tax, benefit or pension records / health records / employment record / school attendance or records / material relating to social services including child protection and housing
These are not exhaustive lists. Departments should determine whether other information they hold
should be included in either category.
B. Any source of information about 1000 or more identifiable individuals, other than
information sourced from the public domain.
This could be a database with 1000 or more entries containing facts mentioned in box 1, or an
electronic folder or drive containing 1000 or more records about individuals. Again, this is a minimum
standard. Information on smaller numbers of individuals may warrant protection because of the nature
of the individuals, nature or source of the information, or extent of information.
Appendix B: Risks, ISO27001 controls and remedial actions related to this policy
1. Risks
1. Undocumented and unaudited access to Confidential or Restricted data
2. Leaking of Confidential or Restricted data
3. Financial or reputational damage to IOE due to uncontrolled data release
4. Financial or reputational damage to project due to uncontrolled data release
5. Lack of correct access to Confidential or Restricted data
6. Confidential or Restricted data held in inappropriate locations or on inappropriate devices
2. ISO 27001 Controls
A.7.1.1 Inventory of Assets
A.7.1.2 Ownership of Assets
A.7.1.3 Acceptable Use of Assets
A.7.2.1 Classification Guidelines
A.10.2.1 Service Delivery
A.10.2.2 Monitoring and Review of Third Party Services
A.10.2.3 Managing Changes to Third Party Services
A.10.7.2 Disposal of Media
A.10.7.3 Information Handling Procedures
A.11.6.2 Sensitive System Isolation
A.12.3.1 Policy on the use of cryptographic controls
A.12.5.4 Information Leakage
3. Remedial Actions
1. Classification of data to be undertaken by all research projects
2. Data to be handled in accordance with the guidelines provided in this policy
3. Server and end user equipment provided to make compliance possible
4. Encryption guidelines laid out for all classes of data
5. Retention and classification of data laid out for all classes of data
6. Isolated systems to be set up if requested for Confidential data
7. Media will be disposed of safely and securely