This policy outlines the responsibilities of all parties in MicroWarehouse regarding how they interact with personal data within the company. It also extends to how this data is stored and accessed.
This policy applies to all MicroWarehouse employees.
Data Security Policy
This document also sets out guidelines in several specific areas where particular attention should be paid in order to help protect the confidentiality of personal data held in a Department. There are, however, several general procedures which Departments should follow: –
- Each department should know what data is held, where it is held and what the consequences would be should that data be lost or stolen. With that in mind, an audit should be conducted identifying the types of personal data held within the organisation and listing all information repositories holding personal data and their location. Risks associated with the storage, handling and protection of this data should be included in that document’s risk register. Departments can then establish whether the security measures in place are appropriate and proportionate to the data being held, while also taking on board the guidelines available in this document.
- Access to all data centres and server rooms used to host hardware and software on which personal data is stored should be restricted only to those staff members that have clearance to work there. This should, where possible, entail swipe card and/or PIN technology to the room(s) in question – such a system should record when, where and by whom the room was accessed. These access records and procedures should be reviewed by management regularly.
- Access to systems which are no longer in active use and which contain personal data should be removed where such access is no longer necessary or cannot be justified.
- Passwords used to access PCs, applications, databases, etc. should be of sufficient strength to deter password cracking or guessing attacks. A password should include numbers, symbols, and upper and lowercase letters. Where possible, passwords should be at least 12 characters long. Passwords based on repetition, dictionary words, letter or number sequences, usernames, or biographical information like names or dates must be avoided. Forced periodic password changes should be avoided unless the user’s password has been compromised.
- Departments should have procedures in place to properly evaluate requests from other organisations for access to personal data in their possession. Such procedures should assist Departments in assessing whether the release of personal data is fully justifiable under the Data Protection Acts. Departments should also ensure that access by staff to personal data for analysis or research purposes is fully justifiable and proportionate.
- Personnel who retire, transfer from the Department, resign etc. should be removed promptly from mailing lists and access control lists. Relevant changes should also occur when staff are transferred to other assignments internally. It is the responsibility of Departments to ensure that procedures are in place to support this, i.e. so that notification is provided to the relevant individual(s)/Unit in a timely fashion.
- Contractors, consultants and external service providers employed by MicroWarehouse should be subject to strict procedures with regard to accessing personal data by way of formal contract in line with the provisions of the Data Protection Acts. The terms of the contract and undertakings given should be subject to review and audit to ensure compliance. Use of an NDA should be considered.
- Departments should have in place an up-to-date Acceptable Usage Policy in relation to the use of Information and Communications Technology (e.g. telephone, mobile phone, fax, email, internet, intranet and remote access, etc.) by its staff. This policy should be understood and signed by each user of such technology in the Department.
- Procedures should be put in place in relation to disposal of files (both paper and electronic) containing personal data.
- New staff should be trained before being allowed to access confidential or personal files.
- Staff should ensure that callers to the office or other unauthorised persons are unable to view personal or sensitive information, whether held on paper documents or displayed on PC monitors, etc.
- All staff should ensure that PCs are logged off or ‘locked’ when left unattended (e.g. Windows key + L on Windows machines). Where possible, staff should be restricted from saving files to the local disk. Users should be instructed to only save files to their allocated network drive.
- Personal and sensitive information should be locked away when not in use or at end of day.
- Appropriate filing procedures (both paper and electronic) should be drawn up and followed.
- The Human Resources department should take security precautions in their use of the Personal Public Service Number (PPSN) in systems, on forms and documentation.
The Data Protection Acts apply equally to personal data held on ICT systems and on paper files. The following guidelines should be followed with regard to personal and sensitive data held on paper files: –
- Paper records and files containing personal data should be handled in such a way as to restrict access only to those persons with business reasons to access them;
- This should entail the operation of a policy whereby paper files containing such data are locked away when not required;
- Consideration should also be given to logging access to paper files containing such data and information items;
- Personal and sensitive information held on paper must be kept hidden from callers to offices;
- Secure disposal of confidential waste should be in place and properly used. If third parties are employed to carry out such disposal, they must contractually agree to MicroWarehouse’s data protection procedures and ensure that the confidentiality of all personal data is protected. Such contracts should contain clauses similar to those outlined in the section on ‘Data Transfers’ below;
- When paper files are transferred within a department, this usually entails hand delivery. Procedures must be in place for ensuring that the data is delivered only to the person to whom it is addressed, or another staff member clearly acting on their behalf, and not any other staff member. Consideration should also be given to the security of manual files when in transit internally;
- Facsimile technology (fax machines) should not be used for transmitting documents containing personal data.
- Employees are required to ensure that all sensitive/confidential information in hardcopy or electronic form is secure in their work area at the end of the day and when they are expected to be gone for an extended period.
- Computer workstations should be locked when workspace is unoccupied.
- Computer workstations should be shut completely down at the end of the work day if possible.
- Any Restricted or Sensitive information must be removed from the desk and locked in a drawer when the desk is unoccupied and at the end of the work day.
- File cabinets containing Restricted or Sensitive information must be kept closed and locked when not in use or when not attended.
- Keys used for access to Restricted or Sensitive information must not be left at an unattended desk.
- Laptops must be either locked with a locking cable or locked away in a drawer.
- Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location.
- Printouts containing Restricted or Sensitive information should be immediately removed from the printer.
- Upon disposal, Restricted and/or Sensitive documents should be shredded in the official shredder bins or placed in the locked confidential disposal bins.
- Whiteboards containing Restricted and/or Sensitive information should be erased.
- Treat mass storage devices such as CDROM, DVD or USB drives as sensitive and secure them in a locked drawer.
All printers and fax machines should be cleared of papers as soon as they are printed; this helps ensure that sensitive documents are not left in printer trays for the wrong person to pick up.
Email and Personal Productivity Software
Email and other personal productivity software such as word processing applications, spreadsheets, etc. are valuable business tools which are in use across every department. However, departments must take extreme care in using this software where personal and sensitive data is concerned. In particular: –
- Standard unencrypted email should never be used to transmit any data of a personal or sensitive nature. Departments that wish to use email to transfer such data must ensure that personal or sensitive information is encrypted, either through file encryption or through the use of a secure email facility which will encrypt the data (including any attachments) being sent. The strongest encryption methods available should be used. Departments should also ensure that such email is sent only to the intended recipient. In particular, attention should be paid to any central solutions put in place for this purpose;
- Departments should consider implementing solutions that scan outgoing emails and attachments for keywords that would indicate the presence of personal data and, if appropriate, prevent its transmission;
- Where personal or sensitive data is held on applications and databases with relevant security and access controls in place, additional controls should be considered that would prevent such data from being copied to other office software (such as word processing applications, spreadsheets, etc.) where no security or access controls are in place and/or can be bypassed.
There is an increasing business requirement for mobile working, with staff needing to remotely access the same systems that they can access from the office. This brings its own challenges in relation to data security which Departments must address. With regard to personal and sensitive data, the following guidelines should be followed: –
- In the first instance, all personal and sensitive data held electronically should be stored centrally (e.g. in a data centre or in a Department’s secure server room with documented security in place). Data that is readily available via remote access should not be copied to client PCs or to portable storage devices, such as laptops, memory sticks, etc. that may be stolen or lost;
- When accessing this data remotely, it must be done via a secure encrypted link (e.g. IPSEC or SSL VPN tunnel) with relevant access controls in place;
- Additional stringent security and access controls should be in place, e.g. the mandatory use of strong passwords and security token authentication (i.e. multi factor authentication);
- Data being accessed in this way should be prevented from being copied from the central location to the remote machine;
- Departments must utilise technologies that will provide for the automatic deletion of temporary files which may be stored on remote machines by their operating system;
- Departments should ensure that only known machines (whether desktop PC, laptop, mobile phone, PDA, etc.) configured appropriately to the Department’s standards (e.g. with up-to-date anti-virus and anti-spyware software, full encryption, etc.), are allowed to remotely access centrally held personal or sensitive data. The strongest encryption methods available should be used to encrypt data on these machines. In addition, ‘strong’ passwords/passphrases (see ‘General Procedures’) must be used to protect access to these machines and to encrypt/decrypt the data held on them;
- Staff should be aware that it is imperative that any wireless technologies/networks used when accessing the MicroWarehouse systems should be encrypted to the strongest standard available.
Laptops and Other Mobile Storage Devices (incl. Mobile Phones, PDAs, USB memory sticks, External Hard Drives, etc.)
The use of laptops, USB memory sticks and other portable or removable storage has increased substantially in the last number of years. Likewise, the use of personal communications and storage devices such as mobile phones, PDAs, etc. has also increased. These devices are useful tools to meet the business needs of staff. They are, however, highly susceptible to loss or theft. To protect the content held on these devices, the following recommendations should be followed:
- All portable devices must be encrypted in their entirety, so that no data held on the device is accessible without the correct access key.
- All portable devices should be password-protected to prevent unauthorised use of the device and unauthorised access to information held on the device. In the case of mobile phones, a PIN should be used. Manufacturer or operator-provided PIN codes must be changed from the default setting by the user on receipt of the device;
- Passwords used on these devices should be of sufficient strength to deter password cracking or guessing attacks. A password should include numbers, symbols, upper and lowercase letters. Password length should ideally be around 12+ characters. Passwords based on repetition, dictionary words, letter or number sequences, usernames, or biographical information like names or dates must be avoided.
- Personal, private, sensitive or confidential data should not be stored on portable devices. In cases where this is unavoidable, all devices containing this type of data must be encrypted. With regard to laptops, full disk encryption must be employed regardless of the type of data stored;
- With regard to mobile technologies, staff should be aware that when ‘roaming’ abroad, communications may not be as secure as they would be within Ireland;
- Data held on portable devices should be backed up regularly to MicroWarehouse’s servers;
- When portable computing devices are being used in public places, users must never connect to publicly provided Wi-Fi internet connections. Care must also be taken to avoid unwitting disclosure of information, e.g. through overlooking or overhearing by unauthorised persons;
- Portable devices must not contain unauthorised, unlicensed or personally licensed software. All software must be authorised and procured through MicroWarehouse’s IT department;
- Anti-virus/Anti-spyware/Personal Firewall software must be installed and kept up to date on portable devices. These devices should be subjected to regular virus checks using this software, and will be monitored by MicroWarehouse’s IT department;
- Departments should ensure that when providing portable devices for use by staff members, each device is authorised for use by a specific named individual. The responsibility for the physical safeguarding of the device will then rest with that individual;
- Laptops must be physically secured if left in the office overnight. When out of the office, the device should be kept secure at all times;
- Portable devices should never be left in an unattended vehicle;
- Portable storage media should only be used for data transfer where there is a business requirement to do so, should only be used on approved workstations and must be encrypted;
- In order to minimise incidents of unauthorised access and/or incidents of lost/stolen data, Departments should restrict the use of personal storage media and devices (e.g. floppy disks, CDs, DVDs, USB memory sticks, etc.) to staff who need to use these media/devices for business purposes;
- Only storage media provided by MicroWarehouse’s IT Unit should be permitted for use with that department’s computer equipment. Departments must put in place solutions which only allow officially sanctioned media to be used on MicroWarehouse’s computer equipment (i.e. on networks, USB ports, etc.);
- Staff owned devices such as portable media players (e.g. iPods, etc.), digital cameras, USB sticks, etc. must be technologically restricted from connecting to MicroWarehouse computers;
- Departments should consider implementing additional log-in controls on portable devices such as laptops;
- Departments should implement technologies that will allow the remote deletion of personal data from portable devices (such as mobile phones and PDAs) should such devices be lost or stolen. Mobile Device Management (MDM) is used to control this. A procedure for early notification of such loss should be put in place. This would allow for the disconnection of the missing device from a Department’s email, calendar and file systems;
- MicroWarehouse’s IT department should implement procedures that will ensure that personal data held on mobile storage devices is fully deleted when the data is no longer required (e.g. through fully formatting the devices’ hard drive).
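As an added illustration that is not part of the original policy, the following Python check implements the strong-password rules stated under the General Procedures and repeated above for portable devices: minimum length, mixed character classes, and rejection of repetition, letter or number sequences, dictionary words, usernames and biographical details. The word list and the sample passwords are constructed for the example; a real deployment would load a full dictionary file.

```python
"""Password policy check mirroring the strong-password rules in this policy."""
import re

MIN_LENGTH = 12

# Constructed sample word list for the example; load a full dictionary in practice.
DICTIONARY_WORDS = {"password", "welcome", "summer", "january", "microwarehouse"}


def has_repetition(pw: str) -> bool:
    """Three or more identical characters in a row, or a short group repeated three times."""
    return (re.search(r"(.)\1{2,}", pw) is not None
            or re.search(r"(.{2,4})\1{2,}", pw) is not None)


def has_sequence(pw: str, run: int = 4) -> bool:
    """Ascending or descending runs of `run` letters or digits, e.g. 'abcd' or '4321'."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def contains_known_word(pw: str, words, min_len: int = 4) -> bool:
    """Dictionary words, usernames or biographical details embedded anywhere in the password."""
    low = pw.lower()
    return any(w.lower() in low for w in words if len(w) >= min_len)


def contains_date(pw: str) -> bool:
    """Four-digit years (1900-2099) or six-to-eight-digit day/month/year style runs."""
    return re.search(r"(19|20)\d{2}|\d{6,8}", pw) is not None


def check_password(password: str, username: str = "", personal_details=()) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("no symbol")
    if has_repetition(password):
        problems.append("repeated characters or groups")
    if has_sequence(password):
        problems.append("letter or number sequence")
    if contains_known_word(password, DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if username and contains_known_word(password, [username], min_len=3):
        problems.append("contains the username")
    if contains_known_word(password, personal_details):
        problems.append("contains personal details (e.g. a name)")
    if contains_date(password):
        problems.append("contains a date or year")
    return problems


if __name__ == "__main__":
    # Constructed sample values: a random-style password passes, a seasonal one does not.
    print(check_password("xK7#pQ2!vN9&mR4$"))
    print(check_password("Summer2019!!"))
```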
Data Transfers
Data Transfers are a daily business requirement for most companies. With regard to personal and sensitive data, such transfers should take place only where absolutely necessary, using the most secure channel available. To support this, departments should adhere to the following: –
- Data transfers should, where possible, only take place via secure on-line channels where the data is encrypted rather than copying to media for transportation. Where this is not possible or appropriate at present, the safety of the data should be ensured before, during and after transit;
- Manual data transfers using removable physical media (e.g. memory sticks, CDs, tape, etc.) should cease where possible;
- In the meantime, where data is copied to removable media for transportation such data must be encrypted using the strongest possible encryption method available. Strong passwords/passphrases must be used to encrypt/decrypt the data;
- ‘Strong’ passwords must be used to protect any encrypted data. Such passwords must not be sent with the data they are intended to protect. Care should be taken to ensure that the password is sent securely to the intended recipient and that it is not disclosed to any other person;
- Standard email should never be used to transmit any data of a personal or sensitive nature. Departments that wish to use email to transfer such data must ensure that personal or sensitive information is encrypted either through file encryption or through the use of a secure email facility which will encrypt the data (including any attachments) being sent. Staff should ensure that such mail is sent only to the intended recipient. In order to ensure interoperability and to avoid significant key management costs, particular attention should be paid to any central solutions put in place for this purpose;
- When a data transfer with a third party is required (including to/from other Government Departments), a written agreement (Data Processing Agreement) should be put in place between both parties in advance of any data transfer. Such an agreement should define: –
  - The information that is required by the third party (the purposes for which the information can be used should also be defined if the recipient party is carrying out processing on behalf of the organisation);
  - Named contacts in each organisation responsible for the data;
  - The frequency of the proposed transfers;
  - An explanation of the requirement for the information/data transfer;
  - The transfer method that will be used (e.g. Secure FTP, Secure email, etc.);
  - The encryption method that will be used;
  - The acknowledgement procedures on receipt of the data;
  - The length of time the information will be retained by the third party;
  - Confirmation from the third party that the information will be handled to the same level of controls that the Department applies to that category of information;
  - Confirmation as to the point at which the third party will take over responsibility for protecting the data (e.g. on confirmed receipt of the data);
  - The method of secure disposal of the transfer media and the timeline for disposal;
  - The method for highlighting breaches in the transfer process;
- For data controller to data controller transfers (as opposed to a data controller to a data processor transfer), it needs to be clear that only necessary data is transferred to meet the purposes;
- Business procedures need to be in place to ensure that all such transfers are legal, justifiable and that only necessary data is transferred to meet the purposes;
- Particular attention should be focussed on data made available to third party data processors under contract for testing purposes. Live data should not be used for this purpose.
Appropriate Access and Audit Trail Monitoring
All organisations have an obligation to keep information ‘safe and secure’ and have appropriate measures in place to prevent “unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction” in compliance with sections 2(1)(d) and 2C of the Data Protection Acts 1988 & 2003.
It is imperative, therefore, that Departments have security in place to ensure that only those staff members with a business need to access a particular set of personal or sensitive data are allowed to access that data. In addition to this general requirement, the following guidelines should be followed: –
- The MicroWarehouse IT department should ensure that their ICT systems are protected by use of appropriate firewall technologies and that this technology is kept up-to-date and is sufficient to meet emerging threats;
- In order to capture instances of inappropriate access (whether internal or external), addition, deletion and editing of data, audit trails should be used where technically possible. In situations where systems containing personal data do not currently record ‘view’ or ‘read’ access, it should be investigated as a matter of urgency whether such functionality can be enabled. In carrying out such an investigation, Departments should take into account whether there would be any effect on system performance that may hinder the ability of the department to conduct its business. If the functionality cannot be enabled and the risk of inappropriate access is sufficiently high, such systems should be scheduled for removal from use and replaced by systems with appropriate auditing functionality;
- Access to files containing personal data should be monitored by supervisors on an ongoing basis. Staff should be made aware that this is being done. IT systems may need to be put in place to support this supervision.