Data Security Policy

Issue Date: 02-Feb-15 Classification: PUBLIC Version: 1.6 Page: 2

Contents

1. Introduction
2. Purpose
3. Data Protection
4. Customer Authentication
5. Physical Security
6. Access Control
7. Network Security
8. Software Security
9. Disposing of Removable Media
10. Destruction of Data
11. Auditing and Monitoring
12. Contingency Planning
13. Recruitment and Training

1. Introduction

Outsourcery understands the importance of data security and makes every effort to ensure that customer data held on its systems and within its data centres is fully protected.

The company recognises that the confidentiality, integrity and availability of information and data created, maintained and hosted by Outsourcery and its customers is vital to the success of the business.

The management of Outsourcery views these as primary responsibilities and fundamental to best business practice, and as such has adopted the Information Security Management System standard BS ISO/IEC 27001:2005 as its means to manage and meet the following objectives:

1.1. Comply with all applicable laws, regulations and contractual obligations, including the Data Protection Act 1998.

1.2. Implement continual improvement initiatives, including risk assessment and treatment strategies, while making the best use of its management resources to meet and improve the information security management system's requirements.

1.3. Communicate its Information Security objectives and its performance in achieving these objectives, throughout the Company and to interested parties.

1.4. Adopt an Information Security Management System (ISMS), comprising a security manual and procedures, that provides direction and guidance on information security matters relating to employees, customers, suppliers and interested parties who come into contact with the Company's work.

1.5. Work closely with their customers, business partners and suppliers in seeking to establish Information Security Standards.

1.6. Adopt a forward-looking view on future business decisions, including the continual review of risk evaluation criteria, which may have an impact on Information Security.

1.7. Train all members of staff in their needs and responsibilities for Information Security Management.

1.8. Constantly strive to meet, and where possible exceed, the expectations of its customers and staff.

1.9. Information Security shall be considered in job descriptions and when setting staff objectives where applicable.

2. Purpose

The purpose of this document is to provide information about the procedures Outsourcery implements to ensure the security of its customers’ data, software and systems.

This document will cover the following areas:

· Customer Authentication
· Physical Security
· Access Control
· Network Security
· Software Security
· Disposal of Removable Media
· Auditing and Monitoring
· Contingency Planning
· Recruitment and Training

This policy applies to all Outsourcery employees or any other individual or supplier working for Outsourcery.

The Outsourcery management team are responsible for ensuring full compliance with this policy.

3. Data Protection

Data Protection relates to obtaining, disclosing, recording, holding, using, erasing or destroying personal information, and ensures a business recognises what level of information an individual can be provided with.

Outsourcery PLC and/or individuals can be liable to prosecution or an individual may seek compensation through the courts for any damage suffered as a result of disclosing sensitive information.

Using inaccurate or out-of-date data annoys customers and can waste time and money.

4. Customer Authentication

Any requests to Outsourcery from Customers, for information about their service, must be validated to ensure they are who they say they are. This will reduce the risk of loss of confidentiality, and breaches of the Data Protection Act 1998.

Outsourcery employees must follow the process below to authenticate a customer prior to discussing a service or divulging any information.

· Obtain a mobile phone number, account number or domain name (to access the account).
· Verify the business address (including postcode).
· Confirm the password.

If there is no password, or it cannot be confirmed, it is necessary to obtain two additional (therefore four in total) pieces of account-specific information from the following:

· Number of services
· Date of next/last change
· Payment method / bank details
· Tariff details, including the cost of bolt-ons
· Last billed amount

If an individual has been verified by following the above process, the identity-verification requirements of the Data Protection Act have been met.

Particular care must be taken with any requests for specific usage or financial data. Ensure such data is sent only to an address specific to the business and secured in line with the Information Classification Policy.

5. Physical Security

Outsourcery's data centre facilities are located at separate sites in London and Leicester and connected by secure, resilient, high-speed back-up links. Both of our data centres have the following physical security features in place to protect both equipment and customer data. All racks within the data centres are equipped with fully lockable doors to which only authorised engineers have access. Proximity door locks are fitted on all internal and external doors, and extensive CCTV monitoring systems are installed on all internal and external walls. The CCTV monitoring systems include motion detection that triggers recording in the event of any movement inside or outside the data centres (within the cameras' range). All windows are fitted with steel bars and anti-ram-raid bollards are in place outside the facility. There is also a third-party manned security presence in place twenty-four hours a day, seven days a week.

6. Access Control

Access to Outsourcery's internal systems, hosting platform and customer servers is permitted for authorised personnel only. All persons must be positively identified by providing a secure User ID and password before being given access to system resources.

All servers, routers, firewalls and network equipment are protected by password access controls. All passwords are randomly generated for optimum security to prevent intruders gaining unauthorised access to systems and data.

Only Outsourcery's 3rd Line Engineers have full access to the hosted platforms, each engineer having their own individual login for accountability. Authorised support staff have Admin access to hosted services in order to provide technical support to customers. Where 3rd Line Engineers require remote access to Outsourcery's network and systems via VPN, RSA two-factor authentication is enforced. Outsourcery only uses industry-leading HP enterprise-class servers for all hosting infrastructure requirements and customer dedicated server solutions. All servers include security management features as standard, consisting of 'power-on password', 'keyboard password', 'USB port control' and 'administrator password'.

7. Network Security

Outsourcery's data centre facilities are either wholly owned or fully enclosed dedicated areas, and are therefore not shared with any other providers or organisations. The sites all have secure back-up links to data centre facilities in both Manchester and London for network redundancy and security, and multiple internet breakouts across redundant, geographically disparate networks using BGP peering. This ensures that services are available to customers twenty-four hours a day, seven days a week.

Within our data centre facilities, fully layered networks are implemented with hardware load-balanced front-end servers, clustered back-end servers and a high-quality fibre channel storage network. Customer data is protected from outside access through a robust security and firewall solution. All managed services are protected by firewall installation, and systems are pro-actively monitored around the clock for performance and availability. RSA authentication is implemented to control remote access to Outsourcery's network and systems via secure VPN.

Outsourcery uses industry leading Radware security appliances for parts of its network security. Radware Load Balancers incorporate a built-in Intrusion Prevention System (IPS), Access Control Lists (ACL) and an SSL-secured web interface for access by 3rd Line Engineers.

The Outsourcery hosting network at both the primary and secondary sites is deployed behind a fully resilient Radware DefensePro solution, providing Intrusion Prevention System (IPS), Network Behavioural Analysis (NBA) and Denial-of-Service (DoS) protection against known and emerging network security threats. Resilient firewall pairs protect the hosted platforms from the outside world, and application load balancers manage failover between primary and secondary services at both sites.

Resilient edge firewalls are used for email security, consisting of an integrated hardware and software solution that provides complete email protection through twelve defence layers. These defence layers consist of the following:

· Network Denial of Service Protection
· Rate Control
· IP Reputation Analysis
· Sender Authentication
· Recipient Verification
· Virus Scanning
· Policy (user-specified rules)
· Spam Fingerprint Check
· Intent Analysis
· Image Analysis
· Bayesian Analysis
· Rule-based Scoring

Our firewalls, internet connections, and production networks are all pro-actively monitored 24*7 with the network designed without any single points of failure.

All customer dedicated server solutions hosted within Outsourcery's data centres are protected by dedicated firewalls. Customer data held within hosted SharePoint applications is protected by Microsoft Forefront anti-virus. For hosted Microsoft Dynamics CRM 4.0 services, all data exchanged with the system is protected in transit by 128-bit HTTPS encryption, and all communications between applications on the hosted platform, regardless of service type, are encrypted with 128-bit RC4 over HTTPS. Note that HTTPS protects data in transit only, not data at rest on the hosted servers, and that the RC4 cipher has since been prohibited for use in TLS by RFC 7465 (February 2015); AES-based cipher suites should be used instead.

8. Software Security

Outsourcery's 3rd Line Engineers are responsible for all software security updates on our hosting platforms. For customers with dedicated SharePoint solutions, 3rd Line Engineers manage the availability and control of security updates released to customers via Windows Server Update Services (WSUS).

In addition, Outsourcery operates a strict software security policy throughout the

9. Disposing of Removable Media

Where removable hardware or storage media requires disposal, all data is wiped from the device beforehand using a US Department of Defense (DoD) / UK Ministry of Defence (MOD) approved wiping programme. Where a hardware component within a customer's server becomes faulty and must be returned to a third-party supplier or manufacturer, Outsourcery retains the disk(s) containing data in order to maintain security and integrity.

10. Destruction of Data

Data overwriting occurs on termination of service. After 30 days in a decommissioned state, the virtual machine and its related data are removed via System Center and/or at the storage level.

Data destruction is carried out when a hardware device is being retired or has failed but is still operable. Blancco is used to securely remove data. Disks that are not accessible through normal disk mounting processes are securely destroyed or degaussed by an approved third party. Certificates of destruction are provided as evidence of secure and ethical destruction. Disks under warranty are replaced by the supplier only after the data removal process has been carried out.

11. Auditing and Monitoring

Outsourcery implements Border Gateway Protocol (BGP) for network routing based on path, network policies and rule sets.

All issues are logged by Service Requests and major faults or problems relating to the network are escalated to the Head of Infrastructure and the Operations Director where appropriate.

12. Contingency Planning

In line with our ISO 27001 certification, Outsourcery operates its own disaster recovery procedures.

In the event of any security issue being identified, an escalation process is in place whereby engineers are alerted by Service Request. Upon completion of the remedial work and resolution of the fault, the Service Request is closed. Where necessary, a Service Request will be escalated to the Head of IT Operations and, for major incidents, the Operations Director.

Outsourcery has a continued, ongoing commitment to data security and availability. A full disaster recovery plan is in place across multiple geographic locations for complete network redundancy and data security. This plan is built in line with guidelines and best practice derived from ISO standard 22301 – Business Continuity Management.

13. Recruitment and Training

All candidates employed by Outsourcery are subject to screening.

As part of this process, all references are followed up for new employees and security training is included within both the induction training programme and also ongoing.

Outsourcery implements an internal IT Code of Conduct that all employees must adhere to so as to ensure security and integrity of software, systems, hardware and data, in line with the requirements of ISO 27001.

All employees with operational responsibilities are subject to Baseline Personnel Security Standard checks.

14. Summary

Outsourcery is a Microsoft Gold Partner holding a number of Microsoft competencies for which engineers are trained. Outsourcery has achieved the following Microsoft competencies:

· Midmarket Solution Provider
· Hosting
· Content Management
· OEM Hardware
· Customer Relationship Management
· Portals & Collaboration
· Search

Outsourcery takes data security and data management very seriously. The security, availability and integrity of data held both within the data centre facility and on our hosted platforms are of utmost importance and a key priority of the business. Outsourcery therefore continues to review and develop its security policies, processes and procedures on an ongoing basis in order to both maintain and improve these levels, in line with Outsourcery’s ISO 27001 certification.

Any suspected breaches or incidents should be reported immediately via
