INFORMATION AND DATA SECURITY POLICY
CHAPTER 1 – INTRODUCTION
The Employer is committed to ensuring that access to and use of confidential information is carried out in a secure manner and is committed to following a policy that minimizes the risk of unauthorized, accidental or intentional disclosure of confidential data. To comply with relevant legislation, confidential information must be collected and used appropriately, stored securely and not unlawfully disclosed to any other person.
The purpose of this Information and Data Security Policy is to define the security controls necessary to ensure the confidentiality and integrity of the Employer's information and data. This policy provides a framework within which threats to the security of the Employer's information systems can be identified and managed on a risk-based basis and sets out the terms of reference that ensure the uniform application of data security controls across the Employer's business.
This Information and Data Security Policy applies to all Associates and Employees and to anyone else authorized to access Employer Data (as defined in Chapter 2). Failure to comply with this policy may result in loss of data access privileges and possible disciplinary and legal action.
CHAPTER 2 – DEFINITIONS
For the purposes of this policy, the following terms are defined as follows:
Access Administrator: A person or department with primary responsibility for managing access rights for users to one or more data systems, including granting new access rights, modifying existing user access rights, and reducing or eliminating user access rights. A list of Access Administrators and the systems they manage is maintained by the Employer's IT Department.
Employer: the Region of Eastern Macedonia and Thrace.
Employer Data: Data collected, maintained or used by the Employer for the purpose of carrying out its institutional activities.
Employer Network: The system of personal computers, servers, storage devices, printers, telecommunications devices and other related equipment owned by the Employer and used for the processing, transmission, reception, storage and management of the Employer's electronic data.
Data: Factual material or information.
Data Steward: An individual or department with primary responsibility for determining the purpose and operation of a data resource. One becomes a Data Steward either by designation or by acquiring, developing or creating information resources for which no one else has responsibility. A list of Data Stewards is maintained by the Employer's IT Department.
Internal Data: Employer Data that is considered neither “Public Data” nor “Restricted Data.” This includes information that has not been restricted, as well as statistical, procedural and other information collected for internal reporting and planning that is considered proprietary but whose disclosure would not result in significant loss to the Employer, violation of law, significant negative publicity or other serious consequences.
Managers: Managing Employees of the Employer who have administrative or supervisory responsibility.
Mobile device: Any computer, personal digital assistant, telephone, or other device that is designed to be portable and can store data or connect to a computer network or the Internet.
Portable digital media: Any digital media designed to be portable, such as CDs, DVDs, cassettes, flash drives, floppy disks, memory sticks, and portable hard drives.
Public Data: Data that is readily accessible to the general public and does not require further permission for release. This includes information that is not generally considered harmful or an invasion of privacy if disclosed.
Restricted Data: Employer Data that is accessible only for specific uses by specific authorized individuals and is available for release to other persons in limited circumstances requiring formal approval.
Confidential Data and Information: Data that is either Restricted Data or Internal Data.
Confidential Data Security Incident: An incident in which it can reasonably be assumed that Confidential Data has been compromised.
Third Party: Any person who is not an associate or employee of the Employer.
User: Anyone who has access to Employer Data.
CHAPTER 3 – GENERAL ROLES AND RESPONSIBILITIES
Purpose.
This chapter sets out the general responsibilities of the Employer community for protecting confidential information.
Policy.
1. Users. Users are responsible for protecting the confidential data to which they have access. Their responsibilities cover both electronic and non-electronic records and any computing and information technology devices in their possession. Users are expected to learn and comply with all Employer policies regarding the protection of confidential data.
2. Data Stewards. Data Stewards have the responsibilities of Users and are additionally responsible for the following:
– Establishing security policies and procedures. Data Stewards should establish specific policies and procedures for data security where appropriate. Data Stewards are responsible for the processes related to the creation, retention, distribution and disposal of information. These must be consistent with this policy and applicable record retention policies, as well as other Employer policies, contractual agreements and laws. Data Stewards may impose additional requirements that enhance security.
– Assigning security classifications. Data Stewards are responsible for assigning each category of their data a sensitivity classification in accordance with Chapter 4.
– Defining permissions. Data Stewards determine who is authorized to access their information. They ensure that those who have access have a legitimate need to know the information and understand the security requirements for that information.
3. Managers. Managers have all the responsibilities of Users and in some cases may also serve as Data Stewards. In addition, they are responsible for the security of the data handled by the users they manage and supervise.
4. Access Administrators. Access Administrators are responsible for controlling access to data systems, granting access rights under the direction of Data Stewards and the IT Department.
5. IT Department (Information Systems Department). The IT Department is responsible for:
– Securing the Employer's Network infrastructure and protecting the Employer's Network from external threats.
– Establishing security standards and protocols for users, including encryption techniques and procedures for the secure disposal of digital media.
– Identifying secure methods of remote and third-party access to the Employer's Network.
– Collaborating with Data Stewards to manage data access rights.
– Maintaining master lists of access rights and Access Administrators.
– Posting this policy on the Employer's website.
6. Directors and designated Access Administrators. Directors and designated Access Administrators are responsible for distributing this policy to all associates, coordinating periodic training on data security and ensuring that associates complete the training.
7. Legal Counsel. The Employer's legal counsel is responsible for interpreting the terms and provisions applicable to this policy and for ensuring compliance of this policy with such laws and other Employer policies.
CHAPTER 4 – CLASSIFICATION AND CONTROL OF CONFIDENTIAL DATA
Purpose.
The purpose of this chapter is to establish classifications of confidential information and to provide for the identification and management of confidential information.
Policy.
1. All Employer Data will have a designated Data Steward.
2. Data Stewards are responsible for assigning each category of their designated Data to one of the following sensitivity classifications:
a) Restricted Data,
b) Internal Data or
c) Public Data.
3. Data that are combined or aggregated are classified at the most restrictive classification level of any individual element.
4. Data Stewards will implement security policies and measures, as necessary, to safeguard the Confidential Data for which they are responsible.
CHAPTER 5 – DATA ACCESS CONTROL
Purpose.
The purpose of this chapter is to ensure that appropriate controls are in place to establish and maintain appropriate access rights for all internal or external data systems used in the Employer's business.
Policy.
1. No User may access Confidential/Restricted Data unless there is a legitimate business purpose for such access, and the level of access provided to a User must be the minimum required for that User to accomplish that business purpose.
2. Each Data Steward is responsible for determining the appropriate level of access rights to the Confidential/Restricted Data for which the Data Steward is responsible.
3. Each Data Steward is responsible for designating Access Administrators who manage access to the data system for which the Data Steward is responsible. Each data system should have at least two Access Administrators (one primary and one or more secondary).
4. An Access Administrator must not grant a User new access rights, modify a User's existing access rights or restrict a User's access rights unless the change has been approved in advance by the relevant Data Steward or by the IT Department in accordance with this chapter.
5. Managers are responsible for ensuring that the associates/employees they supervise have the appropriate access rights to perform their duties and comply with this Security Policy. If an associate/employee requires new access rights, modification of existing access rights or reduction of access rights, the Manager must immediately submit a change request to the appropriate Data Steward. Once approved by the Data Steward, the change request will be forwarded to the appropriate Access Administrator for implementation.
6. The IT Department may approve new access rights on behalf of the Data Steward where such access rights are included in approved job descriptions. When time is of the essence, the IT Department may authorize Access Administrators to reduce or eliminate an associate/employee's access rights.
7. The IT Department maintains an updated master list of Access Administrators. Any new Access Administrator, or any change to or departure of an existing Access Administrator, must be reported immediately to the IT Department by the Access Administrator's Manager.
8. The IT Department maintains an updated master list of access rights.
9. The IT Department is responsible for assigning and maintaining access to the Employer's Network infrastructure.
10. Appropriate audit trail capabilities must be enabled in each data system, as determined by the Data Steward in consultation with the IT Department.
11. The IT Department, at regular intervals, no less than once a week, deletes files and folders that are classified as temp and are located in shared points/locations on the network.
CHAPTER 6 – PASSWORD CONTROLS
Purpose.
The purpose of this chapter is to ensure that appropriate password controls are in place to protect confidential information.
Policy.
1. Strong passwords are required for any system that provides access to Restricted Data.
2. Strong passwords are recommended for any system that provides access to Internal Data.
3. Users must not share passwords with anyone, including Managers and members of the IT Department.
4. If a User knows or has reason to believe that a password has been disclosed or altered, the password must be changed or deactivated immediately.
5. If passwords are written on paper, that paper must be stored in a secure, locked location. Passwords stored electronically must be password protected or encrypted.
CHAPTER 7 – STORAGE OF CONFIDENTIAL DATA
Purpose.
The purpose of this chapter is to ensure the secure storage of confidential data.
Policy.
1. Restricted Data. Restricted Data must be stored securely at all times to prevent access by unauthorized individuals.
– Restricted Data in electronic form that is not stored on the Employer Network or another secure network approved by the Employer must be encrypted or password protected.
– Any portable digital media or mobile device containing Restricted Data must never be left unattended and, when not in use, must either be stored securely, remain locked with password protection or be turned off completely.
– Paper containing Restricted Data must never be left unattended and must be stored in a locked cabinet when not in use.
2. Internal Data. Internal Data should be stored in a manner that provides a reasonable level of protection from unauthorized access. The same standards used for storing Restricted Data should be applied to Internal Data whenever possible.
CHAPTER 8 – DISTRIBUTION AND TRANSMISSION OF CONFIDENTIAL DATA
Purpose.
The purpose of this chapter is to ensure the secure distribution and transmission of confidential data.
Policy.
1. Restricted Data. Restricted Data should not be distributed or made available to persons who are not authorized to access the information. Restricted Data transmitted electronically, transported by physical delivery or discussed orally should be appropriately protected from unauthorized interception.
– Restricted Data in electronic form that is transmitted by any means other than the Employer Network or another secure network approved by the Employer must be encrypted or password protected.
– Distribution of Restricted Data in printed form should be avoided unless there is a valid business reason.
– Restricted Data that is distributed from one person to another in printed form or stored on portable digital media must either be marked “RESTRICTED” or be enclosed in a sealed envelope marked “CONFIDENTIAL”.
– Restricted Data should be distributed using a reliable delivery method, such as by hand or by the Employer's internal electronic mail. Restricted Data that must be delivered by courier service should be sent by certified mail or by a commercially recognized courier that provides delivery and receipt tracking.
– When Restricted Data is distributed from one person to another, it is the sender's obligation to confirm receipt by the recipient.
– Telephone or in-person conversations involving Restricted Data should take place in an area where they cannot be overheard by unauthorized persons.
2. Internal Data. Internal Data should not be distributed or made available to persons who do not have a legal, business or other legitimate reason to access the information. The same standards for the distribution and transmission of Restricted Data should be applied to Internal Data whenever possible.
CHAPTER 9 – NETWORK SECURITY
Purpose.
The purpose of this chapter is to define the roles and responsibilities for ensuring the security and integrity of the Employer's Network.
Policy.
1. The IT Department is responsible for protecting the Employer's Network from external threats such as intrusions, viruses, spyware and similar threats.
2. The IT Department has the authority to assess the severity and immediacy of any threat to the Employer's Network and to take action to mitigate that threat.
3. The IT Department is responsible for maintaining procedures to protect confidential data located on network servers.
4. Users are responsible for complying with all rules, regulations and policies established to protect the security and integrity of the Employer's Network.
CHAPTER 10 – MOBILE DEVICE SECURITY
Purpose.
The purpose of this chapter is to protect confidential information accessible from mobile devices.
Policy.
1. Mobile devices that allow access to systems containing confidential data must be password protected in accordance with Chapter 6.
2. Once a user is logged into a mobile device, the device should not be left unattended. When use of a Mobile Device is complete, the User should log out and the device should remain in the User's possession until it can be safely stored.
3. Confidential Data should not be stored on a Mobile Device unless there is a legal, administrative or business reason to do so.
4. When a mobile device is permanently transferred from one user to another, any confidential data on the device must be securely erased before the transfer.
CHAPTER 11 – REMOTE ACCESS
Purpose.
The purpose of this chapter is to establish standards for securely connecting to the Employer's Network from a computer or other device located outside the Employer's Network.
Policy.
1. A User may have remote access to the Employer's Network only for lawful, administrative or business purposes and only after prior approval by the relevant Employer Manager.
2. The Employer's Network may be accessed remotely only using connection methods approved by the IT Department.
3. Users are responsible for safeguarding the remote access credentials granted to them under this policy. These credentials may consist of username and password combinations, digital certificates, or other software or hardware.
4. All computers or other devices used for remote access to the Employer's Network must meet the standards established by the IT Department and must be made available for inspection upon request by the IT Department in order to verify compliance with this policy.
5. After accessing confidential data remotely from a public device, the User must clear the cache and delete all temporary files to remove any confidential data stored on the device.
CHAPTER 12 – PHYSICAL SECURITY
Purpose.
The purpose of this chapter is to ensure that appropriate physical access controls are in place to protect confidential information.
Policy.
1. Physical access controls. Areas containing Confidential Data in any form or access to any element of the Employer's Network must be protected by appropriate physical access controls to ensure that only authorized personnel are permitted access. Visitors to secure areas must be supervised by authorized personnel.
2. Server rooms. The Employer's server rooms must be locked at all times. The Employer's personnel must be able to monitor and record access to these rooms. Visitors to server rooms must be accompanied by authorized personnel.
3. Individual offices and work areas. Individual offices and work areas used by users with access to confidential data must be secure.
– Doors should be locked when users are not present.
– Confidential data should not be visible to passersby or unauthorized visitors.
– Computer screens must be carefully positioned so that viewing is limited to the authorized User.
– When leaving a computer unattended where it may be accessed by unauthorized persons, the User must either log out of all networks and applications or use a password-protected screen saver.
– Documents containing Restricted Data must be covered or removed when unauthorized persons are present.
– Any media containing Restricted Data, whether electronic or not, must be kept in a locked drawer, cabinet or storage area when not in use.
4. Equipment Security. Equipment components of the Employer's Network, including individual computers, should be secured with a locking mechanism where feasible.
5. Secure disposal of equipment. All equipment that may contain media or removable storage devices must be checked to ensure that Confidential Data has been securely erased before disposal.
CHAPTER 13 – THIRD PARTY ACCESS
Purpose.
The purpose of this chapter is to set standards for third parties seeking to gain access to the Employer's Network, in order to minimize the Employer's potential exposure to risks associated with third-party access.
Policy.
1. Third party access to the Employer's Network may be granted only for legal, administrative or business purposes.
2. Requests for third party access to the Employer's Network must be approved by the IT Department and the responsible person(s).
3. The Applicant is responsible for ensuring that the third party agrees in writing to comply with all of the Employer's data security policies and the Applicant remains responsible for the Third Party's actions while accessing the Employer's Network.
4. To ensure individual responsibility for the integrity of the Employer Network, each third party granted access must have a unique user ID and password. The Third Party will be held responsible at all times for any activities that occur on the Employer Network using that unique user ID.
CHAPTER 14 – DISPOSAL OF CONFIDENTIAL DATA
Purpose.
The purpose of this chapter is to provide standards for the safe disposal of any media containing sensitive information.
Policy.
1. Disposal of Restricted Data. When there is no legal, business or other legitimate reason to retain Restricted Data, such Restricted Data must be disposed of as follows:
– Paper containing Restricted Data must be shredded.
– Any media or storage devices containing Restricted Data in electronic form must be securely erased or physically destroyed.
2. Disposal of Internal Data. When there is no legal, business or other legitimate reason to retain Internal Data, such Internal Data should be disposed of as follows:
– Paper containing Internal Data should be shredded if possible; otherwise it should be recycled.
– Any media or storage devices containing Internal Data in electronic form should be securely erased or physically destroyed if feasible; otherwise the data should be deleted.
3. Transfer of computers and other devices. Whenever a computer, mobile device or other equipment capable of storing data is transferred from one user to another, all data stored on the device must be securely erased.
4. Responsibilities.
– Data Stewards are responsible for establishing timeframes and guidelines for when Data must be disposed of in accordance with this policy.
– Each Manager is responsible for maintaining document shredding and/or recycling facilities at the Employer's premises.
– The IT Department is responsible for establishing procedures for the secure deletion of data as required by this policy.
CHAPTER 15 – CONFIDENTIAL DATA SECURITY INCIDENTS
Purpose.
The purpose of this chapter is to provide the steps to take when sensitive information may have been compromised.
Policy.
1. All observed or suspected Confidential Data Security Incidents must be promptly reported to the IT Department, which will inform the Employer's Management and the Manager of the associate/employee who reported the incident. Users should not attempt to investigate or resolve an incident on their own.
2. The Employer's Management will investigate the incident and, where appropriate, take measures to limit any data loss and remedy the cause of the incident under investigation.
3. If, after investigation, it is determined that there is a reasonable possibility that Restricted Data may have been disclosed to unauthorized persons, the Employer will take all necessary and mandatory measures to protect the Employer and any affected party, such as informing the authorities and taking other legal and criminal measures.
CHAPTER 16 – AWARENESS OF THE IMPORTANCE OF DATA PROTECTION
Purpose.
The purpose of this chapter is to ensure that all executives, associates and employees of the Employer are informed and aware of the importance of, and the legal obligation to, protect confidential information.
Policy.
1. All associates/employees are responsible for reviewing this Information and Data Security Policy and must affirmatively agree to comply with it. Managers and Access Administrators are responsible for distributing this policy to all associates, coordinating periodic data security training and ensuring that associates complete the training.
2. During any probationary or training period, all new associates, full-time and part-time employees, temporary employees and volunteers should be informed about the importance of information security and their role in protecting confidential data.
3. Classes (online or in person) will be held periodically to continue to educate associates and employees about this policy and the importance of sensitive data security. Successful completion of these classes is monitored by the respective Access Administrators.
4. Managers must ensure that associates under their supervision are aware of this Information and Data Security Policy and other relevant policies, procedures and guidelines regarding information security and have access to current versions. If policy amendments are distributed, Managers must inform their subordinates within seven days, unless otherwise stated.
5. Directors will organize annual informational and educational meetings to review information security fundamentals and current information security policies with associates and employees under their supervision.
6. Third parties authorized to access confidential data must be informed of their responsibilities under this data security policy. Information security awareness and training materials are available for use by authorized third parties.
CHAPTER 17 – PERIODIC POLICY REVIEW
Purpose.
The purpose of this chapter is to establish the process for the periodic review and amendment of this Information and Data Security Policy.
Policy.
1. A Data Security Policy Review Group consisting of the Head of IT and the Directors meets annually each spring to review this policy and recommend any changes.
2. The chair of the Data Security Policy Review Group is the Head of the IT Department.
3. The recommendations of the Data Security Policy Review Group are submitted to the Employer's Management for approval.