Data Policy

1. Purpose

The company must restrict access to confidential and sensitive data to protect it from being lost or compromised in order to avoid adversely impacting our customers, incurring penalties for non-compliance and suffering damage to our reputation. At the same time, we must ensure users can access data as required for them to work effectively.

It is not anticipated that this policy can eliminate all malicious data theft. Rather, its primary objective is to increase user awareness and avoid accidental loss scenarios, so it outlines the requirements for data breach prevention.

2. Scope

2.1 In Scope

This data security policy applies to all customer data, personal data, or other company data defined as sensitive by the company’s data classification policy. Therefore, it applies to every server, database and IT system that handles such data, including any device that is regularly used for email, web access or other work-related tasks. Every user who interacts with company IT services is also subject to this policy.

2.2 Out of Scope

Information that is classified as Public is not subject to this policy. Other data can be excluded from the policy by company management based on specific business needs, such as when protecting the data is too costly or too complex.

3. Policy

3.1 Principles

The company shall provide all employees and contracted third parties with access to the information they need to carry out their responsibilities as effectively and efficiently as possible.

3.2 General
3.3 Access Control Authorization

Access to company IT resources and services will be given through the provision of a unique user account and complex password. Accounts are provided by the IT department based on records in the HR department.

Passwords are managed by the IT Service Desk. Requirements for password length, complexity and expiration are stated in the company password policy.

Role-based access control (RBAC) will be used to secure access to all file-based resources in Active Directory domains.

3.4 Network Access
3.5 User Responsibilities
3.6 Application and Information Access
3.7 Access to Confidential, Restricted information

4. Technical Guidelines

Access control methods to be used shall include:

    Auditing of attempts to log on to any device on the company network
    Windows NTFS permissions to files and folders
    Role-based access model
    Server access rights
    Firewall permissions
    Network zone and VLAN ACLs
    Web authentication rights
    Database access rights and ACLs
    Encryption at rest and in flight
    Network segregation

Access control applies to all networks, servers, workstations, laptops, mobile devices, web applications and websites, cloud storage, and services.

5. Reporting Requirements

6. Ownership and Responsibilities

Data owners are employees who have primary responsibility for maintaining information that they own, such as an executive, department manager or team leader.

The Information Security Administrator is an employee designated by the IT management who provides administrative support for the implementation, oversight and coordination of security procedures and systems with respect to specific information resources.

Users include everyone who has access to information resources, such as employees, trustees, contractors, consultants, temporary employees and volunteers.

The Incident Response Team shall be chaired by an executive and include employees from departments such as IT Infrastructure, IT Application Security, Legal, Financial Services and Human Resources.

7. Enforcement

Any user found in violation of this policy is subject to disciplinary action, up to and including termination of employment. Any third-party partner or contractor found in violation may have their network connection terminated.

8. Definitions

Access control list (ACL) — A list of access control entries (ACEs) or rules. Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied or audited for that trustee.

Database — An organized collection of data, generally stored and accessed electronically from a computer system.

Encryption — The process of encoding a message or other information so that only authorized parties can access it.

Firewall — A technology used for isolating one network from another. Firewalls can be standalone systems or can be included in other devices, such as routers or servers.

Network segregation — The separation of the network into logical or functional units called zones. For example, you might have a zone for sales, a zone for technical support and another zone for research, each of which has different technical needs.

Role-based access control (RBAC) — A policy-neutral access-control mechanism defined around roles and privileges.

Server — A computer program or a device that provides functionality for other programs or devices, called clients.

Virtual private network (VPN) — A secure private network connection across a public network.

VLAN (virtual LAN) — A logical grouping of devices in the same broadcast domain.

9. Related Documents

This section lists all documents related to the policy and provides links to them.

    Data Classification Policy (TBD)
    Password Policy (TBD)
    Data Loss Protection Policy (TBD)
    Encryption Policy (TBD)
    Incident Response Policy (TBD)
    Workstation Security Policy (TBD)
    Data Processing Agreement (TBD)