Data Security Policy

{Company name as you’d like it to appear in your policy:6} Data Security Policy

You can view the most up-to-date version of this policy at this secure share link.

Last Updated:

Created By:


What is This Policy?

This Data Security Policy outlines behaviors expected of employees when dealing with data and provides a classification of the types of data with which you should be concerned.

Key Takeaways

  • System Owners, Data Owners, and their designated custodians are responsible for properly classifying and protecting data (Public/Internal/Restricted).
  • Data in use at {Company name as you’d like it to appear in your policy:6} is to be used only for its intended, management-approved purpose.
  • Physical security measures, including access control for employees and visitors, must be implemented and enforced.
  • Encrypt data as outlined in this policy to protect its confidentiality and integrity.
  • Mobile devices present additional risk to {Company name as you’d like it to appear in your policy:6}; as such, they require additional protections.

Overview, Purpose, and Scope

Effective security is a team effort, which means everybody at {Company name as you’d like it to appear in your policy:6} has a crucial role to play. This policy sets out the behaviors expected of employees when handling data, and the classification scheme that determines how each type of data must be protected.

This Data Security Policy applies to everyone who works for {Company name as you’d like it to appear in your policy:6}, including our employees, contractors, and third parties who have access to any {Company name as you’d like it to appear in your policy:6} data.

Roles & Responsibilities

It is the responsibility of every employee to know these guidelines and to conduct their activities accordingly. {Company name as you’d like it to appear in your policy:6} management reviews and approves this policy; if you identify an issue with it, bring it to the attention of your manager.

Requirements

Data Classification

At {Company name as you’d like it to appear in your policy:6} we have access to different types of information. Some of it is more sensitive and needs special protection; this may be required by law or industry regulation, or the information may have business value.

We use the levels of data classification in the table below to determine how sensitive information is and what protection mechanisms are required. It is the responsibility of the system owner, data owner, and any custodians to ensure any data and systems are properly classified.

Level: Public
Definition: Information may be shared with anyone.
Examples: Information on the company website, such as the HQ address, published financial statements, and marketing materials.
Do: Share it.
Don’t: Assume information is public unless you can verify that it has been published.

Level: Internal
Definition: Information may be shared only internally, or with external parties under an NDA; a valid need to know may be required.
Examples: Company directory, company policies, unpublished financial statements, business plans.
Do: Verify a user’s need to know (e.g. job function) before sharing; check with your manager if you are unsure. Use secure sharing methods, e.g. encrypted cloud storage.
Don’t: Share outside the company without verifying that an NDA is signed. Send without encrypting.

Level: Restricted
Definition: Access is tightly restricted; only users with a verified need to know are allowed access.
Examples: HR data, customer-provided data, Personally Identifiable Information (PII), PCI (payment card) data.
Do: Implement tight access controls and encryption. Apply extra diligence, such as formal access requests and approvals.
Don’t: Share this information with anyone who does not have a verified need to know.

Data Handling

{Company name as you’d like it to appear in your policy:6} data requires protection in accordance with its classification label. Once data has been classified, the owner and/or custodian must ensure that appropriate safeguards are in place.

Minimum Standards for Protection

The table below details appropriate protection required for data, based on classification:

Classification: Public
Minimum protection required:
– adequate backup and restoration capability
– measures to prevent unauthorized changes to data after it is published by {Company name as you’d like it to appear in your policy:6}
Primary focus: Availability, Integrity

Classification: Internal
Minimum protection required:
– encryption applied by the person handling the data (manual encryption)
– manual measures to prevent unauthorized changes (e.g. user-applied public key cryptography, auditing)
Primary focus: Confidentiality, Integrity

Classification: Restricted
Minimum protection required:
– systematic (automatically enforced) encryption
– systematic enforcement of measures to prevent unauthorized changes
Primary focus: Confidentiality, Integrity

Appropriate Use for Intended Purpose

Data in use at {Company name as you’d like it to appear in your policy:6} may be highly sensitive and is only to be used for its intended, management-approved purpose. All data collected must have a defined purpose (e.g. to support the service we provide to our customers, or for regulatory compliance). Any use of this data must be in support of that defined purpose. Any other use, including personal snooping or unauthorized sharing with business partners, is prohibited.

Asset End of Life and Disposal

Data present on any assets must be handled appropriately when the asset reaches the end of its useful life. Data destruction must follow an approved method (see Backup & Retention Policy, Destruction Procedures), based on the classification of the data and the type of asset being disposed of.

Assets which require special handling include, but are not limited to: removable optical media (CDs/DVDs), USB thumb drives, smartphones, tablets, and cloud storage services. Any device containing a hard disk drive (HDD) or solid state drive (SSD) must also be handled appropriately, including servers, workstations, laptops, printers, and network devices; data held in cloud applications must likewise be destroyed by an approved method when the service is retired.

Physical Security

All {Company name as you’d like it to appear in your policy:6}-owned resources must have identified Resource Custodians, who are responsible for securing their resources from unauthorized physical access. Resources can include facilities, computing systems, or devices such as laptops or tablets. The following physical security requirements must be met for all resources:

  • Need to know: Physical access must be allowed only for personnel who need to maintain devices and/or media, including restrictions on physical access to restricted areas and facilities containing {Company name as you’d like it to appear in your policy:6}-owned resources.
  • Physical access control devices: Physical access control devices such as key card readers, door controllers, and cabinet locks must produce audit trails. Such devices should be tested prior to use and on a periodic basis (e.g. annually). The audit logs must contain sufficient detail (who, where, when, and whether access was granted) to support security incident investigation. An inventory/review of physical access control devices and permissions should be conducted regularly, and any inappropriate access promptly removed.
  • Marking restricted areas: Restricted areas should display signs designating that access is for authorized personnel only. Facilities containing {Company name as you’d like it to appear in your policy:6}-owned resources should give minimum indication of their purpose, with no obvious signs identifying the presence of covered data or related functions.
  • Unauthorized removal: Resources such as server hardware, desktop computers, and storage media should be secured with physical restraints that prevent unauthorized removal from restricted areas.
  • Visitors: Visitors to {Company name as you’d like it to appear in your policy:6} must be escorted by an authorized employee at all times. The employee is responsible for restricting the visitor’s access to appropriate areas only. If you identify an unknown, unescorted, or otherwise unauthorized individual in {Company name as you’d like it to appear in your policy:6} facilities, immediately notify the appropriate personnel.
  • Clean desk/Clear screen: Ensure that hardcopy materials and data storage devices are not left unattended at your workstation. When leaving your workstation, lock the screen or put the device to sleep, even inside {Company name as you’d like it to appear in your policy:6} facilities.
  • Device loss or theft: You must immediately notify {Company name as you’d like it to appear in your policy:6} if a device containing in-scope data (e.g. a smartphone, laptop, or tablet) is lost or stolen.
  • Surveillance: Physical facilities in use by {Company name as you’d like it to appear in your policy:6} must be under surveillance appropriate to the type of data they process or store. This might include a routine guard presence, surveillance sweeps by guards or law enforcement, Closed Circuit Television (CCTV) monitoring, etc.

Encryption

{Company name as you’d like it to appear in your policy:6} information requires protection to ensure both confidentiality and integrity when data is stored or transmitted. Appropriate encryption should be used to protect all data classified Internal or Restricted; additional protection methods should also be used to provide layered security.

Encryption at Rest

Wherever feasible, data must be encrypted whenever it is stored on any medium. This includes removable storage such as USB drives, portable devices including laptops and tablets, and production environments such as servers or cloud hosting.

Encryption in Transit

All data in transit across untrusted networks (e.g. the internet) must be encrypted. Data in transit across trusted networks should be encrypted. Data in transit may be protected by one or both of the following methods:

  • Encryption of the data itself prior to transmission, so that the payload remains protected whatever channel it crosses.
  • Encryption of the communication channel (e.g. TLS, or a {Company name as you’d like it to appear in your policy:6}-managed VPN).

Acceptable Algorithms and Key Management

When encryption is used, it must follow industry best practices as well as any applicable laws and regulations. Guidance on acceptable encryption algorithms can be found in FIPS 140-2 (and its successor, FIPS 140-3) and ISO/IEC 19790:2012; if there is any doubt regarding requirements, seek guidance from {Company name as you’d like it to appear in your policy:6} management.

Acceptable Encryption Technologies

{Acceptable Encryption and Key Management Technologies:12}

Cryptographic keys are considered Restricted data under {Company name as you’d like it to appear in your policy:6}’s data classification scheme, and therefore require additional protection. They should ideally be generated, stored, managed, and destroyed using a key management system; if manual procedures are used, they should be documented and audited regularly.

Mobile Devices

{Company name as you’d like it to appear in your policy:6}’s mobile devices are at increased risk due to their portability: it is much easier for them to be lost or stolen. Such devices therefore need particular attention when protections are implemented.

A mobile device is any inherently portable computing device capable of storing {Company name as you’d like it to appear in your policy:6} data. Examples include laptops, smartphones, tablets, USB drives, portable hard drives, and smartwatches.

Minimum Security Capabilities

Portable devices must meet the following security capabilities in order to be used for storing, processing, or transmitting {Company name as you’d like it to appear in your policy:6} data:

  • Inventoried: all devices storing or accessing data must be tracked. This inventory should ideally be automatic, e.g. the device is registered when a user authenticates from it. If no automated method is available, a routine process for reconciling the inventory must be implemented.
  • Encrypted: any mobile device storing {Company name as you’d like it to appear in your policy:6} data must support encryption methods that meet or exceed the encryption requirements in this policy. If encryption is not available, compensating controls must be present, such as additional physical security measures.
  • Mobile Device Management (MDM): any device capable of storing and processing data must support some form of MDM. This may include device authentication requirements (password/biometrics), the ability to revoke access to {Company name as you’d like it to appear in your policy:6} data or services, remote wipe/deletion, and remote lock.
  • Additional physical security: Due to their inherent portability, mobile devices should be given additional physical protection. This could include a locking cable, an inconspicuously marked bag/carrier, or procedural requirements such as use of a hotel safe when traveling.

Use of Untrusted Networks

Mobile devices which support network connectivity must support encryption in line with the Encryption in Transit requirements of this policy, especially when connecting to untrusted or public networks. Acceptable security on untrusted networks includes secure protocols such as HTTPS and TLS, a {Company name as you’d like it to appear in your policy:6}-managed VPN, or an equivalent control.
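As an added illustration of the two transit-protection methods listed under Encryption in Transit above, and of the secure-protocol requirement for untrusted networks in this section, the following Go program (written for this page; it is not the company's own code and is not part of the original policy) shows both: the payload is sealed with AES-256-GCM before it leaves the device, and the channel is a TLS configuration with an explicit TLS 1.2 floor and certificate verification kept on. A deliberately weak configuration of the kind that "makes it work" on a hotel network is shown beside it, with a check that a build or deploy step could run to reject it. The key is generated locally from the OS random source as a stand-in for the key management system the policy calls for; the record text and the classification label used as associated data are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
)

// GenerateKey returns a fresh 256-bit AES key from the OS CSPRNG.
// Assumption for this example: in production the key would be issued and
// held by a key management system, not generated on the endpoint.
func GenerateKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptPayload protects the data itself before transmission (method 1).
// AES-256-GCM provides confidentiality and integrity in one primitive; aad
// binds unencrypted context (here a classification label) so it cannot be
// swapped without detection. Output layout: nonce || ciphertext || tag.
func EncryptPayload(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptPayload reverses EncryptPayload. Any change to the nonce, the
// ciphertext, the tag, or the aad makes Open return an error.
func DecryptPayload(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed payload too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// ChannelTLSConfig protects the communication channel (method 2): an
// explicit TLS 1.2 floor, with certificate verification left enabled.
func ChannelTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// WeakTLSConfig is the shortcut to avoid: it accepts any certificate, so the
// channel is encrypted but the server is never authenticated, and it allows
// TLS 1.0.
func WeakTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS10, InsecureSkipVerify: true}
}

// CheckChannelConfig is a policy gate for TLS configurations. A zero
// MinVersion is rejected too: it means "library default", which differs
// between Go versions and between client and server use, and the policy
// wants an explicit floor.
func CheckChannelConfig(cfg *tls.Config) error {
	if cfg.InsecureSkipVerify {
		return errors.New("InsecureSkipVerify is set: server not authenticated")
	}
	if cfg.MinVersion < tls.VersionTLS12 {
		return errors.New("MinVersion is below TLS 1.2 or not set explicitly")
	}
	return nil
}

func main() {
	key, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	label := []byte("classification=Restricted") // constructed sample aad
	sealed, err := EncryptPayload(key, []byte("customer record"), label)
	if err != nil {
		panic(err)
	}
	// Relabelling the payload as Public must fail the integrity check.
	if _, err := DecryptPayload(key, sealed, []byte("classification=Public")); err != nil {
		fmt.Println("relabelled payload rejected:", err)
	}
	fmt.Println("weak config:", CheckChannelConfig(WeakTLSConfig()))
	fmt.Println("hardened config:", CheckChannelConfig(ChannelTLSConfig()))
}
```

The two halves are independent on purpose: a file sealed with EncryptPayload stays protected if it is later copied over a channel nobody hardened, and the TLS floor protects traffic that was never encrypted at the application layer, which is why the policy allows either method and recommends both.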

Enforcement

Any user found to have violated this policy will be subject to disciplinary action, up to and including termination of employment. Exceptions to this policy are handled as described in the Exceptions section below.

Exceptions

Any exception to this policy must be approved in writing by senior management. Such exceptions will only be granted when there is a legitimate business need and adequate compensating controls exist to reduce the risk introduced by the exception.

 

 
