Information Security Policy
Last updated December 12, 2023
1. Introduction
1.1 Purpose
This policy forms part of a complete set of Information and Communications Technologies Security Policies for the organisation. Their primary purpose is to protect the organisation’s data and information systems and the investments made by the organisation in technologies that help the business operate on a day-to-day basis.
1.2 Scope
This document is intended to set out the policies as they relate to the general use of Information and Communications Technologies within the organisation.
The content of this document must be observed by all persons or organisations referred to in section 1.3.
1.3 Audience and Responsibilities
This document forms part of the organisation’s Information and Communications Technologies services policies, standards, procedures and guidelines. The content of this document must be made available to and be known by all staff both permanent and temporary.
The relevant content of this document must also be made known and made available to suppliers, contractors and sub-contractors who supply services in support of any computer device or computing resource, where their access level may result in them being able to view the organisation’s data.
Key responsibilities include:
- Persons responsible for ICT
  - Monitoring for breaches of these policies
  - Enforcement of these policies
  - Denying access to a computer device or computing resource following a breach of these policies
  - Ceasing contractual arrangements with any third party supplying ICT services to the organisation following a breach of these policies by their staff
  - Recording details of any breach in an Issue Tracking (ServiceDesk) system
  - Notifying the Human Resources department of any breach of these policies involving staff, either permanent or temporary
- Human Resources Department
  - Taking disciplinary action against any staff found in breach of these policies
- Permanent and temporary staff
  - Observing the policies as set out in this document
  - Reporting breaches observed to the Persons responsible for ICT
- Directors and senior management
  - Reviewing, approving and signing off these policies
1.4 Updating and Distribution
The document should be reviewed at a minimum annually.
Proposed revisions to this document must be agreed by the following:
- Caroline Dunlea
- David Brett
A revision history must be maintained on the front page.
Revised and updated versions of this document must be distributed to the following:
- All permanent and temporary staff
- Other third parties as required
Distribution of this document will be done using an internal Intranet site.
1.5 Non-Compliance
Any failure to observe the policies contained in this document will be subject to the organisation’s disciplinary procedures, the ceasing of any support agreement with a supplier or any legal or regulatory enforcement requirement.
Within the appropriate boundaries of any Law, Act or Regulation, the organisation reserves the right to monitor the use of any Information and Communications Technologies computer device or computing resource to ensure compliance with this and all Information and Communications Technologies Security policies.
1.6 Definitions
A computer device includes, but is not limited to, any mainframe computer, server, personal computer (PC), laptop, tablet devices, terminal devices, mobile phones including smartphones and any device running an embedded or full operating system.
A tablet device, also known as a tablet PC or tablet and including a phablet, is defined as any handheld-capable device that runs an operating system such as Android, Apple IOS, Microsoft Windows, Chrome OS, Linux or others. A Phablet is defined as a 2-in-1 hybrid device that has the functionality of a laptop, i.e., has a screen and keyboard, but where the screen can be disconnected to allow it to be used as a tablet device.
A computing resource includes any system or component that forms part of the overall Information and Communications Technologies infrastructure of the organisation. Computing resources include, but are not limited to, removable media, any telecommunication resource, any network environment, fax machines, printing and copy machines, scanners, multifunction machines, applications, data and information, data and information storage devices, electronic transmission systems, security systems, cabling systems, and recording machines, both voice and video.
Data and information storage areas include, but are not limited to, USB keys and sticks, USB hard drives, smartphones, cameras, smart watches, media players or CDs/DVDs, network attached storage or any online or cloud storage system. This definition also includes any database technology.
A Database is a structured collection of related data and information that is stored and organised in an easy to access and retrieve format.
An Operating System is software that manages computer devices and installed software.
Data is raw unstructured information.
Information is structured data, giving meaning to raw data in a way that advances knowledge.
Least Privilege Access is defined as a security concept and practice in which a user is given the minimum levels of access or permissions needed to perform their job.
Limited personal use is defined as using an organisation provided computer device or computing resource for limited personal use providing that use does not interfere with the normal business use of the device or resource, is performed during non-working times and does not violate Acceptable Use Policies or standard ethical use.
Social Media or Networking is a variety of applications, primarily web based, which allows a user to share content, interact with others and develop groups with similar interests. Social Media and networking applications and web sites include Facebook, Twitter, LinkedIn and various other similar sites.
Account Management refers to any local or network account capable of logging into a computer device or computing resource including, but not limited to, user accounts, device accounts, computer accounts, system accounts, service accounts or special access accounts.
Critical equipment is defined as any device that supports the normal operations of the organisation’s business systems and services and whose loss would impact the business either financially or in its reputation.
Personal data is defined as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The term Personally Identifiable Information (PII) is also used here.
Passphrase, an alternative to a password, is defined as a memorable phrase or sentence used to access a system.
Call conferencing is defined as any service capable of hosting one-to-many voice callers on the same call. One to many is defined as having more than two persons on the call.
Meeting conferencing is defined as any hosted (internal or external), cloud or online system capable of supporting voice, video or collaborative tools such as file sharing, document sharing, desktop sharing, chat or messaging.
Note: Additional terms and definitions are included within a policy area.
2 Policy Statements – Information Security
2.1 Asset Management
- Assets are classified as either hardware, software or a data / information storage area. Hardware is defined as either a physical or virtual device used to support a service, system or application and includes data storage devices and services. Software includes any system or application that supports the business, such as a line of business application, any desktop application, or other critical applications such as a payroll system. Data / information storage areas include any file storage devices such as an internal hard disk, a network attached disk storage device, cloud storage or any other device capable of storing data. Data / information storage areas also include any databases in use
- An asset register must be maintained and updated as changes occur by the Persons responsible for ICT or an assigned staff member
- All asset adds, moves and changes must be updated as they occur
- The asset register must contain hardware, software and central data / information storage areas
- All assets must be classified as either critical or non-critical to the organisation’s activities within the asset register
- Any asset that can be described as an accessory or consumable, or has a value of less than €200 and is not classified as critical, can be excluded from the asset register
- All hardware must include sufficient details to allow for easy assessment and reporting and must include the following at a minimum:
  - Asset tag ID
  - Device type, e.g., Desktop PC, laptop, printer etc.
  - Make and model
  - Operating system, where applicable
  - Serial number (warranty identification)
  - Date purchased or when built / installed
  - Assigned user or owner
  - Whether it is critical or non-critical
- All software must include sufficient details to allow for easy assessment and reporting and must include the following at a minimum:
  - Vendor
  - Product
  - Version (current)
  - Licence key, where applicable
  - Licence expiry, where applicable
  - Licence type
  - Device installed on or who assigned to
  - Whether it is critical or non-critical
- All data / information storage areas must identify the type of storage, the location, the business criticality of the data / information and the type of data, including whether any personal information is being stored that comes under any data protection regulations
- The asset register must identify critical assets that include but are not limited to:
  - Critical business applications
  - Critical data / information
  - Critical servers required to support a critical system or service. This includes physical hypervisor hosts and virtual machines
  - Critical network services that support access from within the main office, outlying offices, and remote working services
  - Critical workstations running a critical application, for example a payroll application
  - Critical network security services such as a next generation firewall (NGFW) or an Advanced Threat Protection (ATP) system used to secure the network
- The asset register must be reviewed annually and the review must include the following:
  - Identifying and developing a plan around any asset due for replacement or upgrading
  - Identifying any software where the licence is expiring within the next 12 months and developing a plan on renewing or replacing
  - Identifying any unrecorded adds, moves, or changes to the assets and correcting them
  - Reviewing capacity and performance of critical hardware devices and developing a plan to address any findings
  - Reviewing asset criticality
  - Performing a random audit of the assets
- All hardware assets must be replaced at least every 5 years
- All assets being retired must be updated as they occur by marking the asset as retired and by adding a comment on its retirement in the comments field
- Where the asset is capable of storing data or information it must be ensured that the data storage device is securely wiped and disposed of by a certified agency and a certificate of disposal must be received from the agency and kept for reference
- A high-level report of assets must be maintained and where required presented to the board of directors on demand or at agreed times
2.2 Account Management
- Requests for a new account must be submitted to the Persons responsible for ICT on the approved form or via the approved process
- The new account details and access granted must be recorded within a Change Management system
- All accounts must be unique and associated with a person
- Generic accounts other than special system accounts must not be used
- User accounts must not be shared
- An initial user password must be temporary and set to change immediately on first logon, where available
- A user password must never be set as permanent. Exceptions, where required, must be documented and every attempt must be made to restrict access using this user account by other means, e.g., restricting the use of the user account to a single or limited number of devices
- Password properties must be set in accordance with those policies set out in the Acceptable Use policies; see section 2.2 of this document
- Access rights must be based on the principle of least privilege access, that is, users must only be given access to systems and information based on what they need to perform their duties
- The account of a leaver must be disabled on the day of their departure and removed once it is safe to do so. An appropriate backup of user data should be taken before the removal of any user account
- A staff member’s manager is responsible for notifying the HR Department of a leaver; the HR Department will in turn liaise with the Persons responsible for ICT
- Temporary staff or access accounts must have their account set to expire on the last day of their contract
2.3 Admin and Special Access
- All admin or special access accounts must be made known to the Persons responsible for ICT along with the reason for the account existing. This access must be recorded within a Change Management system
- All users of these accounts must have signed a confidentiality and non-disclosure agreement. This may form part of a contract for service or contract of service
- All users of these accounts must observe the relevant Information Security and Acceptable Use policies of the organisation
- All users of these accounts must understand their obligation under the Data Protection Act 2018 and General Data Protection Regulation (GDPR) 2018
- Admin or special access accounts, where practical, must only have the level of access they need to perform a task or tasks
- Where possible, logon by these accounts must be restricted to applicable computing devices
- The password for these accounts must be strictly controlled
2.4 Data Management
- All corporate data is owned by the organisation and all persons provided access to data must respect and protect this vital asset
- For the organisation to manage and safeguard data assets, procedures must be in place to secure and protect the source data and any information processed from this data
- The organisation reserves the right to audit and monitor data usage across the network including data entering and leaving the internal private network
- All data must be stored within agreed data storage locations documented within agreed data storage standards and procedures
- Data classified as confidential as defined in the Data Classification and Retention section of these policies must only be used and processed in line with other policies relating to data and information
- Access to data must be on a proven need for access and final approval must be by the identified data owner for example the HR Manager / Director for all HR data
- A register of data owners must be maintained by the Persons responsible for ICT and approved by the CEO. Changes to this register must be approved by the CEO
- Access must follow the guiding principle of least privilege, i.e., access must only be for a legitimate and specific purpose
- These policies and other policies within this document apply to all data regardless of where it is stored, and include data archives and backups
- All changes to data access or storage locations must be supported by a change management request, approval and log. This includes any data extracts and transformation of data either done manually or automatically using an ETL (Extract, Transform and Load) process or system
- Data extracted from a centralised and secure system must follow the same or higher security levels in terms of access and encryption as exist in the primary storage system
- Personal Data as defined in the Data Protection Act 2018 and General Data Protection Regulation (GDPR) 2018, when extracted from the primary storage system, must be pseudonymised where possible and practical. Pseudonymisation of data (defined in Article 4(5) GDPR) means replacing any information which could be used to identify an individual with a pseudonym, or, in other words, a value which does not allow the individual to be directly identified
2.5 Data Classification and Retention
2.5.1 Scope
The policy in this section covers all data collected by Core Optimisation and stored on Core Optimisation owned or leased systems and media, regardless of location. It applies to both data collected and held electronically (including photographs, video and audio recordings) and data that is collected and held as hard copy or paper files. The need to retain certain information may be mandated by federal or local law, federal regulations and legitimate business purposes, as well as the EU General Data Protection Regulation (GDPR).
2.5.2 Data Classification
- Data is classified as one of the following:
  - Confidential is classified as any sensitive information and any data that is defined under the Data Protection Act 2018 and General Data Protection Regulation (GDPR) 2018 and includes but is not limited to:
    - Customer or other person’s personal data / Personally Identifiable Information (PII) as defined in the Data Protection Act 2018 and General Data Protection Regulation (GDPR) 2018
    - Customer account data or information including financial data
    - Personal Public Service Numbers (PPSN)
    - Accounting and Financial data
    - Payroll data
    - HR data
    - Credit Card data
    - Data or information that is considered copyright or Intellectual Property
    - Medical records or information
    - General accounting and financial data
    - Any document including electronic documents and emails marked confidential, sensitive or for Internal Use Only
    - IP network addressing details assigned to an individual’s computing device
  - Standard is classified as any data not included under Confidential above, but it must only be distributed either internally or to a customer with a right to the data or information
  - Public is classified as data or information for public release
2.5.3 Data Retention
2.5.3.1 Reasons for Data Retention
Core Optimisation retains only that data that is necessary to effectively conduct its program activities, fulfill its mission and comply with applicable laws and regulations.
Reasons for data retention include:
- Providing an ongoing service to the data subject (e.g., sending a newsletter, publication or ongoing program update to an individual, ongoing training or participation in Core Optimisation’s programs, processing of employee payroll and other benefits)
- Compliance with applicable laws and regulations associated with financial and programmatic reporting by Core Optimisation to its funding agencies and other donors
- Compliance with applicable labor, tax and immigration laws
- Other regulatory requirements
- Security incident or other investigation
- Intellectual property preservation
- Litigation
2.5.3.2 Duplication
Core Optimisation seeks to avoid duplication in data storage whenever possible, though there may be instances in which for programmatic or other business reasons it is necessary for data to be held in more than one place. This policy applies to all data in Core Optimisation’s possession, including duplicate copies of data.
2.5.3.3 Retention Requirements
Core Optimisation has set the following guidelines for retaining all personal data as defined in the Institute’s data privacy policy.
- Website visitor data will be retained as long as necessary to provide the service requested/initiated through the Core Optimisation website
- Contributor data will be retained for the year in which the individual has contributed and then for [Duration] after the date of the last contribution. Financial information will not be retained longer than is necessary to process a single transaction
- Event participant data will be retained for the period of the event, including any follow up activities, such as the distribution of reports, plus a period of [Duration]
- Program participant data (including sign in sheets) will be retained for the duration of the grant agreement that financed the program plus any additional time required under the terms of the grant agreement.
- Personal data of subgrantees, subcontractors and vendors will be kept for the duration of the contract or agreement.
- Employee data will be held for the duration of employment and then [Duration] after the last day of employment.
- Data associated with employee wages, leave and pension shall be held for the period of employment plus [Duration], with the exception of pension eligibility and retirement beneficiary data which shall be kept for [Duration].
- Recruitment data, including interview notes of unsuccessful applicants, will be held for [Duration] after the closing of the position recruitment
- Consultant (both paid and pro bono) data will be held for the duration of the consulting contract plus [Duration] after the end of the consultancy.
- Board member data will be held for the duration of service on the Board plus for [Duration] after the end of the member’s term
- Data associated with tax payments (including payroll, corporate and VAT) will be held for [Duration]
- Operational data related to program proposals, reporting and program management will be held for the period required by the Core Optimisation donor, but not more than [Duration]
2.5.3.4 Data Destruction
Data destruction ensures that Core Optimisation manages the data it controls and processes it in an efficient and responsible manner. When the retention period for the data as outlined above expires, Core Optimisation will actively destroy the data covered by this policy. If an individual believes that there exists a legitimate business reason why certain data should not be destroyed at the end of a retention period, he or she should identify this data to his/her supervisor and provide information as to why the data should not be destroyed. Any exceptions to this data retention policy must be approved by Core Optimisation’s data protection officer in consultation with legal counsel. In rare circumstances, a litigation hold may be issued by legal counsel prohibiting the destruction of certain documents. A litigation hold remains in effect until released by legal counsel and prohibits the destruction of data subject to the hold.
2.6 Data Protection and Data Privacy
- All persons with access to data within the organisation must observe privacy laws including the Data Protection Act 2018 and General Data Protection Regulation (GDPR) 2018
- Data classified as personal data must adhere to the six principles under the General Data Protection Regulation (GDPR) 2018:
  - It must be processed lawfully, fairly, and transparently
  - It must be collected only for specified, explicit and legitimate purposes and not processed in a manner that is not compatible with those purposes
  - It must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
  - It must be accurate and, where necessary, kept up to date
  - It must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  - It must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
- A Data Subject’s right of access to personal data is often referred to as a ‘data subject access request’ or ‘DSAR’:
  - Training must be provided to all staff on how to identify a data subject access request. There is no requirement on the data subject to use this term or similar when making a request. Also, there is no requirement to make the request in a formal manner, other than that the request is sufficiently clear to act upon and that the identity of the requester is sufficiently clear
  - Where a request is not made to the designated data protection contact point, they must be immediately notified by the receiver of the request, including where the receiver is unsure if it is a DSAR
  - Where the identity of the requester is not sufficiently clear, the identity of the person making the request must be verified using the following:
    - Staff
      - In person to the data protection officer or Human Resources
      - By email using their own organisation-supplied email address to the data protection officer or Human Resources
    - Former staff, by providing or seeking
      - Employee number and
      - Work email address and
      - Employment start and end date
    - Client, by providing or seeking
      - Client number or
      - Account number or
      - Billing information
    - Others, by providing or seeking
      - Photo ID such as a driver’s licence or passport and
      - Full name and address supported by documentary evidence, for example a utility bill
  - Once a valid DSAR is received, the request must be dealt with without undue delay and within one month of receiving the request. A request can be extended by a further two months if the request is complex or we have received a number of requests from the same individual, but we must still let the individual know within one month of receiving their access request and explain to them why the extension is necessary
  - The output from the data search must be exchanged with / sent to the data subject in a secure manner. Where exchanged using electronic means it must be encrypted and comply with the encryption policies of the organisation and the requirements within the Data Protection Act 2018 and General Data Protection Regulation (GDPR) 2018
2.7 Backups and Disaster Recovery
- Backups of all key data and systems must be taken at least once every working day
- Two copies of all backups must be taken
- A copy of the backup must be stored off site for disaster recovery purposes along with a recovery box containing any key information including a copy of the Business Continuity and Disaster Recovery Plans required to complete a recovery
- At least one backup must have protection in place to protect the backup from active or dormant malware likely to infect the backup including the risks associated with Ransomware
- Backups must be tested at a minimum every six months
- A full disaster recovery test must be completed every twelve months or within 2 months after any major change to a critical system or service
2.8 Encryption
- All data that is transported either physically or electronically (commonly known as Data in Transit or Data in Motion) using any of the methods below, and that is classified as Confidential (see the section titled ‘Data Classification and Retention’ for details) or is subject to the Data Protection Act 2018 and General Data Protection Regulation (GDPR) 2018 or any other Legislation, Law or Act, must be encrypted. Transport methods include but are not limited to:
  - Data stored on removable media including:
    - USB keys
    - Data storage capable devices such as mobile phones, media players, cameras, camcorders
    - Portable hard drives
    - Removable hard drives
    - Laptops and Notebooks
    - Tablet PCs
  - Data emailed outside the organisation
  - Data files transferred or uploaded to an external storage location or web site
- Password protection must be used where available
- The uploading of data must only be done to sites approved by the Persons responsible for ICT and the director responsible for your area
- The uploading of data must only be done using encrypted secure networks
- All data stored on data storage capable devices that is classified as Confidential (see the section titled ‘Data Classification and Retention’ for details) or is subject to the Data Protection Act 2018 and General Data Protection Regulation (GDPR) 2018 or any other Legislation, Law or Act must be encrypted. This is commonly known as Data at Rest
2.9 Security Incident Management
- A documented Incident Response Plan must be in place. This plan must be tested and reviewed at a minimum annually
- All security concerns and breaches must be reported to the Persons responsible for ICT immediately
- An assessment of the risk must be immediately carried out by the organisation and any supporting ICT supplier
- Immediate action must include either the immediate power down of equipment, e.g., desktops and laptops, or the device(s) being disconnected from the network where practical
- The Persons responsible for ICT will record the event and report this to the appropriate authority, which may include but is not limited to:
  - The Board of Directors
  - The person responsible for the business unit area
  - The Gardaí where a breach of any law is committed
  - The Data Protection Commissioner’s office for data breaches, once agreed at senior level. Such reports must be made within 72 hours
  - The relevant IT vendor responsible for managing and supporting the IT system affected
- A log of the incident must be maintained to include:
  - The incident details and initial date and time of discovery
  - Immediate actions to mitigate the risks
  - Long term actions to mitigate or close off the risk
  - Date and time the risk was closed off
2.10 Network Security
- All network equipment including but not limited to routers, firewalls, switches and cabling patch panels must be secured in a locked room or at a minimum in a locked computer cabinet
- Where required, the use of demilitarised zones (DMZ) and/or virtual LANs (vLAN) must be used to secure critical systems and data from devices such as CCTV, IP telephony, Internet of Things devices (IoT) or any device that cannot be centrally managed, monitored or updated including the updating of operating systems, applications and firmware / embedded code
- Access to the room and/or cabinets must be restricted to only those needing access
- Changes to any network equipment must only be performed by the preferred ICT support vendor or an internal ICT staff member
- All cabling work must be carried out by persons or organisations capable of certifying that the work complies to regulations and must be installed in a manner that meets these requirements
2.11 Wireless Network Security
- The use of internal wireless or Wi-Fi networks is prohibited except for those approved, configured and installed by the Persons responsible for ICT or by an approved ICT installer
- Visitors, staff personal devices and staff corporate smartphones must only use the guest wireless or Wi-Fi access point
- Wireless network access must be segmented and restricted to help improve the overall security of the wired network
- An encryption level of WPA2 (Wi-Fi Protected Access version 2) or higher must be used. You must not connect to any access point using a lower standard such as WEP (Wired Equivalent Privacy) or WPA (Wi-Fi Protected Access)
2.12 Endpoint Protection
- An endpoint protection system must be installed on all computing devices capable of running an operating system. An Endpoint Protection system is an evolution from traditional antivirus software
- The tool installed must be configured to:
  - Update on a regular basis, preferably using a central management tool
  - Run a scheduled full scan of all system areas and data drives at least once a week
- Regular reporting and monitoring of these reports must be completed to ensure a high rate of compliance
- Any computing device found not to be capable of running an anti-virus and malware tool must be segmented and secured from the main network
2.13 Advance Threat Protection and Intrusion Detection
- Any firewall used to secure the network must include Advanced Threat Protection (ATP) services that are constantly updated and monitored
- Any other service, such as an email service, capable of Advanced Threat Protection services must have this enabled, updated and monitored
- Any firewall used to secure the network must also use Intrusion Prevention (IPS) / Intrusion Detection (IDS) as part of an ATP service
- These services must be kept licenced and renewed, where required
2.14 Physical Security – General Building Areas
- All possible external entry points into the building must be alarmed
- A register of all key holders must be maintained
- Lost or stolen keys must be reported
- Where an access card or identity card includes identifiable information e.g., name and/or facial picture it must not be visible in public areas
- Access to sensitive areas of the building must be controlled by locked doors using a key or an access control system. Doors must only be unlocked while occupied.
- Copies of these keys must be secured and only accessible by agreed senior staff members or a security service provider
- Appropriate fire, smoke and water monitoring systems must be in place including suitable fire extinguishers at strategic locations
- CCTV monitoring within the building must consider requirements under data protection legislation and privacy laws
- All security and building protection systems and services must be maintained and tested under a service agreement with an approved supplier
2.15 Physical Security – Server and Comms Room
- The door to the secure network and server area must be kept closed and locked at all times
- Access to and from the room or cabinet(s) must be logged
- The room area and computer cabinets must be kept clear of obstacles
- The storage of combustible material is prohibited in the computer room area unless stored in a fireproof cabinet
- The room area must be kept tidy and free from trip hazards
- Wiring cabinets must be kept tidy, including cabling leads
- The room must be protected from water ingress where practical
2.16 Power Management
- All critical equipment must be protected by at least one Uninterruptable Power Supply (UPS) capable of supplying power to the equipment for a duration that allows for an orderly shutdown or power off of the equipment
- The comms / computer room must be supplied using two dedicated clean circuits
- Surge protection must be used for any equipment that is not classified as critical but is essential in supporting a business system or service
- Diverse mains power must be used where practical
2.17 Software Licensing
- All software applications installed must observe the licensing requirements of the software provider. This includes software and applications known as freeware, shareware and open source
- Copying and distributing licensed software is prohibited
- All software must be installed by or with the agreement of the Persons responsible for ICT
2.18 System Development
- All system and software development must follow best practices using the Software Development Life Cycle (SDLC) and those processes defined by ITIL. This includes but is not limited to:
  - Preliminary analysis including requirements gathering, both business and technical
  - Feasibility studies
  - Design
  - Technical specification write-up
  - Risk analysis including the risk of not implementing the solution
  - Development techniques and processes
  - System testing including quality assurance
  - User testing including user acceptance
  - User training
  - Live migration or implementation
  - Post-implementation reviews
  - Documentation of the solution
  - On-going support and maintenance
  - Continual service improvement reviews
- All testing must be performed on a test and/or quality assurance system prior to live implementation
- Access levels on any development or quality assurance system must replicate those of the live system unless dummy customer data is being used
- All development must follow the change management policy of this organisation
2.19 Security Awareness Training
- All staff, directors and managers must undergo Information Security Awareness Training on an agreed scheduled basis
- This training must include the core areas of:
  - An understanding of the current threat landscape and Internet of Things (IoT) risks
  - Username and password usage
  - Viruses explained
  - Email risks and safe usage
  - Web browsing risks and safe usage
  - Social media usage
  - Your mobile device including laptops – risks and safe usage
  - Screen savers – purpose and use
  - Positioning your workstation – confidential, legal and regulatory requirements
  - Social engineering – what it is, how to identify it and how to avoid it
2.20 Vendor Access
- Remote access to systems must be tightly controlled
- Remote access must be done using a single solution that can log, track and report on activity
- Remote access must use two-factor authentication
- Remote access must only be granted to known and approved vendors
- All access, whether on site or remotely by a third party, must receive prior approval and agreement with the Persons responsible for ICT
- A confidentiality and non-disclosure agreement must be in place prior to granting remote access
- Secure and encrypted communication technologies must be used when accessing systems remotely
- Vendors must always observe the password policy of the organisation
2.21 Risk Management
- A recognised risk management approach must always be followed within ICT and should include areas such as:
  - Information security policies
  - Organisation of information security
  - Human resource security
  - Asset management
  - Access control
  - Cryptography
  - Physical and environmental security
  - Operations security
  - Communications security
  - System acquisition, development and maintenance
  - Supplier relationships
  - Information security incident management
  - Information security aspects of business continuity management
  - Compliance
- The risk management standards used must consider the processes of:
  - Establishing a risk management process including a risk register, monitoring and review
  - Risk identification
  - Risk rating using either a quantitative or qualitative method to determine the priority rating for the risk identified
  - Setting impact tolerances for critical or important services with at least one time-based tolerance per service
  - Evaluating the risk and agreeing how the risk will be treated
  - Actioning the agreed mitigation for the risk, which includes actions such as:
    - Prevention and/or
    - Contingency
- The risk management process crosses all areas of ICT and any associated or touching area, which includes the following:
  - Developing an IT strategy
  - Converting these strategies to plans and projects, e.g., a solution or service design
  - The development and / or rollout of the solution or service
  - The operation of the solution or service and ancillary resources
  - Continual reviews of the solution or service using the agreed approach
2.22 Payment Card Services
- All payment card systems and payment service providers must be vetted to ensure they meet the requirements of these policies
- All staff processing or having access to payment card information must be vetted
- Payment card details taken must not be written down or recorded outside the approved payment service provider’s system
- All payment card systems used must use strong encryption that covers the data while in transit across networks or at rest within a data storage system
- All backups containing payment card information must be encrypted
- The Payment Card Number (PAN) must not be recorded or stored in clear text
- The PAN must meet PCI DSS (Payment Card Industry Data Security Standards) requirements by masking the PAN when displayed on a computer screen, payment card receipts, faxes, or paper reports
- Where payment information is taken over the phone and voice recording is in use, the recording must be paused while taking the card details. If this is not possible the recording function must not be used
- Generic or shared logons to systems storing payment card information must not be used when entering or viewing card information
- Access to payment card information must be restricted to only those requiring or needing access to this information
- Email and any other electronic messaging or collaboration tool must not be used to transmit payment card information. If an exception is made, it must be ensured that the service is using strong encryption
- Where payment card data is extracted or stored outside of a secure encrypted system, it must continue to be protected using the same level of encryption
- Payment card information must meet requirements under the General Data Protection Regulation (GDPR) and be treated as personal data
- Where payment card information is transmitted across the organisation’s own local and wide area networks, the firewall must be set up and configured to protect cardholder information
- Monitoring and alerting must be in place to detect any security risks that potentially place the card information at risk
- Regular auditing of systems that store payment card information must be undertaken
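The clear-text PAN and masking requirements above can be checked mechanically. The following Python is an added example written for this page; it is not part of the policy or of any payment provider's software. It assumes the common PCI DSS display rule that at most the first six and last four digits of a PAN may be shown (it shows only the last four by default), uses the Luhn check digit to separate real card numbers from other long digit strings such as order numbers, and runs over a few constructed log lines.

```python
"""Detect and mask clear-text primary account numbers (PANs) in text.

Added example for the payment card section of this policy, not part of
the policy itself. Assumption: at most the first 6 and last 4 digits of a
PAN may be displayed (PCI DSS masking rule); by default only the last 4.
"""
import re
from typing import Dict, List

# A candidate PAN is 13 to 19 digits, optionally separated by single
# spaces or hyphens, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not from any real system). Line 1 carries
# a 16-digit order number that is NOT a valid card number; line 2 leaks a
# Luhn-valid test PAN in clear text; line 3 is already masked.
SAMPLE_LOG = """\
2023-12-12T10:01:07 INFO  order=1234567890123456 status=created
2023-12-12T10:01:09 DEBUG gateway request card=4111 1111 1111 1111 exp=12/26
2023-12-12T10:01:10 INFO  order=1234567890123456 auth=approved ref=************1111
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, visible_prefix: int = 0, visible_suffix: int = 4) -> str:
    """Mask a PAN for display, keeping at most 6 leading and 4 trailing digits."""
    digits = re.sub(r"\D", "", pan)
    if visible_prefix > 6 or visible_suffix > 4:
        raise ValueError("at most the first 6 and last 4 digits may be shown")
    hidden = len(digits) - visible_prefix - visible_suffix
    if hidden < 1:
        raise ValueError("PAN too short to mask")
    return digits[:visible_prefix] + "*" * hidden + digits[len(digits) - visible_suffix:]


def find_cleartext_pans(text: str) -> List[Dict[str, object]]:
    """Report each Luhn-valid PAN candidate with its line number, masked."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append({"line": line_no, "length": len(digits), "masked": mask_pan(digits)})
    return hits


def redact_text(text: str) -> str:
    """Replace every Luhn-valid PAN candidate in text with its masked form."""
    def _mask(m: "re.Match[str]") -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    for hit in find_cleartext_pans(SAMPLE_LOG):
        print(f"clear-text PAN on line {hit['line']}: {hit['masked']}")
    print(redact_text(SAMPLE_LOG))
```

Run against the sample, only line 2 is flagged: the order number on lines 1 and 3 fails the Luhn check and is left alone, and the already-masked reference on line 3 is too short to match. The same functions can be pointed at log exports, ticket text or report files as part of the regular auditing this section requires.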