Information Security Policy
| Document Details | |
|---|---|
| Version | 3.0 |
| Effective Date | November 2013 |
| Contact | Lee Albin Albin |
| | lee.albin@virginwines.co.uk |
| Telephone | 01603 88 6644 |
Preamble
Introduction
This policy defines the rules and other requirements necessary for the secure and reliable operation of the Virgin Wines information systems infrastructure.
Critical business function - Information and information systems are necessary for the performance of many essential activities at Virgin Wines. If there were to be a serious security problem with this information or these information systems, Virgin Wines could suffer serious consequences including lost customers, reduced revenues, and degraded reputation. This is why information security is a key part of the Virgin Wines business environment.
Supporting business objectives - This information security document has been prepared to ensure that Virgin Wines is able to support further growth of the business, and ensure a high level of customer, supplier, employee, and business-partner service. The prevention of security problems is considerably less expensive than correction and recovery.
Consistent compliance - A single unauthorised exception to security measures can jeopardise other workers, the organisation, and even business partners. The interconnected nature of information systems requires that all workers observe a minimum level of security. This document defines that minimum level of due care. All workers, employees, contractors, consultants, and temporaries, must observe the requirements set forth in this document.
Team effort - The tools available in the information security field are relatively unsophisticated. This means that all staff at Virgin Wines must step in and play an important role in the information security area. Information systems are distributed to the office desktop so it is very much a team effort to maintain security.
Responsibilities
Information owners - Certain users within Virgin Wines are information owners. These exist at all levels of the organisation’s structure. Information owners do not legally own the information, but they are members of the Virgin Wines team who make decisions about it on behalf of the company. The responsibility for maintaining information is noted in the job descriptions and training of information owners.
Business users - These are broadly defined as any worker with access to internal information or internal information systems. Business users are required to follow all security requirements defined by owners and implemented by custodians. Business users must request access from their line manager, and report all suspicious activity and security problems.
Line managers - Line managers approve requests from their staff for system access. This access is based on job roles. When staff leave the company, it is the responsibility of line managers to promptly inform the IT dept that access must be revoked where appropriate.
Information custodians - Custodians are in physical or logical possession of information and information systems. The custodians at Virgin Wines are primarily the IT department. Custodians follow the instructions of information owners and operate systems on behalf of information owners, but also serve the business users. Custodians are responsible for defining and maintaining the IT infrastructure and all aspects of information security.
Workers - for the sake of document simplicity, all the above are also “workers”.
Changes from version 1 of this policy
Customer Data – In order to make explicit the requirement of all staff to comply with the Data Protection Act and to treat all customer data, including email addresses, as private, section 3 has been introduced.
BYOD (Bring your own device) – With the proliferation of smaller portable devices such as smartphones and tablet computers, the boundaries of security and responsibility have become more complex. This policy has been updated in respect of this; see section 6.
Email – because of BYODs it is now much easier to send and receive both work and personal emails with blurred boundaries. This is reflected in sections 9 and 10.
Changes from version 2 of this policy
Access Control - Group IDs are allowed by exception. Changed Facilities Department to Office Manager.
Privacy - BYODs may also be tracked if using the guest network
Acceptable Use Of The Internet - Encryption can be used in cases where secured connections cannot be established
Network Connections - BYODs can be connected to the corporate network by exception, but data on them remains property of Virgin Wines and may be deleted. Removed clause about dial-up connections
Company Email - loosened restrictions on forwarding to only include sensitive and confidential information. Added explicit statement saying any personal information must be encrypted.
Viruses - Added clause allowing Whitehat software development.
The Policies
1. Access Control
Access philosophy - Access to information is granted when a legitimate business need has been demonstrated and access has been approved by line managers or information owners. Access to special hardware and software is restricted based on business need.
Access approval process - A worker’s line manager must initiate the access control approval process, and the privileges granted remain in effect until the worker’s job changes or the worker leaves Virgin Wines. If either of these two events does occur, the line manager must notify the IT dept immediately. All non-employees, contractors, consultants, temporaries, and outsourcing organisations must also go through a similar access control request and authorisation process.
Default facilities - By default all workers are granted basic information systems services such as email and word processing facilities. All system capabilities must be provided through job profiles or by special request by line managers.
Workers leaving Virgin Wines - When a worker with information systems access leaves Virgin Wines, all system privileges and access must cease immediately unless otherwise specified by the line manager. At this point, all Virgin Wines’ information disclosed to the departing user must be returned or destroyed. All work done by workers for Virgin Wines is Virgin Wines’ property.
Unique user IDs - Each worker must be assigned their own unique user ID. This user ID follows a worker as they move through the organisation. It must be permanently decommissioned when a worker leaves Virgin Wines. Every Virgin Wines user ID and related password is intended for the exclusive use of a specific individual. While user IDs can be shared in email messages and in other places, passwords must never be shared with anyone. User IDs are linked to specific people, and must not be associated with computer terminals, departments, or job titles. With the exception of internet pages, intranet pages, and other places where anonymous interaction is both generally understood and expected, anonymous, guest and shared user IDs are not permitted unless approved in advance by the IT dept.
Privilege deactivation - After a period of no workstation activity, online sessions must be locked automatically. Workers must be sure to log off from their applications and devices at the end of the working period. Dormant user IDs that have no activity for a period defined in weeks by the IT dept must have their privileges automatically revoked. Workers who return from an extended vacation or a leave of absence must have their manager contact the IT dept to re-establish their privileges.
User authentication - All production information system user IDs must have complex passwords, e.g. alpha-numeric. Workers are responsible for all activity that takes place with their user ID and password or other authentication mechanism they own. A worker must change their password immediately if they suspect that it has been discovered or used by another person. Workers must notify the IT dept if other access control mechanisms are broken or if they suspect that these mechanisms have been compromised.
Choosing passwords - Workers must choose difficult-to-guess passwords. Passwords must not be found in the dictionary and must not be a reflection of the worker’s personal life. All passwords must be at least 8 characters, and this minimum length must be enforced automatically where systems support it. Workers must choose passwords that include both alphabetic and numeric characters; a minimum of 1 non-alphabetic character is mandatory on those systems that support this enforcement.
Changing passwords - User-chosen passwords must not be reused or recycled. Where systems support it passwords must be required to change every 60 days and passwords must be changed the first time they are used. If a worker suspects that somebody else may know his or her password, the password must be changed immediately. The IT dept will not reset user passwords unless a user is identified via the user identity procedure.
Protecting passwords - Workers must not share a password with anyone including managers and co-workers. Workers must not store fixed passwords in any computer files, such as logon scripts or computer programs, unless the passwords have been encrypted with authorised encryption software. Passwords must not be written down unless a transformation process has concealed them or they are physically secured, such as placed in a locked file cabinet. All initial passwords must be changed before the involved system can be used for Virgin Wines business activities.
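As an added example, not part of the policy document, the following Python sketch encodes the rules from the choosing, changing and protecting paragraphs above: minimum length, letter and digit mix, dictionary rejection, no reuse (checked against salted hashes so that no plaintext password is ever stored), and the 60-day expiry. The word list, PBKDF2 work factor and sample dates are constructed stand-ins, not values from the policy.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 8          # "at least 8 characters"
MAX_AGE_DAYS = 60       # "change every 60 days"
PBKDF2_ROUNDS = 50_000  # assumed work factor for the history hashes

# Constructed stand-in for a dictionary word list; a real check would load a
# full word list plus company-specific terms (assumption, not from the policy).
DICTIONARY = {"password", "welcome", "summer", "virginwines", "letmein"}


def policy_violations(password, dictionary=DICTIONARY):
    """Return the policy rules a candidate password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in password):
        problems.append("contains no alphabetic character")
    if not any(c.isdigit() for c in password):
        # A digit also satisfies the "at least one non-alphabetic character" rule.
        problems.append("contains no numeric character")
    # Reject dictionary words even with a trailing digit run appended ("Password1"),
    # the usual way a dictionary word is made to satisfy the numeric rule.
    stem = password.lower().rstrip("0123456789")
    if password.lower() in dictionary or stem in dictionary:
        problems.append("is a dictionary word")
    return problems


class PasswordRecord:
    """Per-user state: salted PBKDF2 hashes of every password ever set (newest last)
    and the date of the last change. No plaintext is kept, so the stored history
    cannot itself leak passwords (cf. the rule against storing fixed passwords)."""

    def __init__(self):
        self.history = []       # list of (salt, digest)
        self.changed_on = None  # date of last successful change


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def used_before(record, password):
    """True if the candidate matches any password previously set on this record."""
    return any(hmac.compare_digest(_digest(password, salt), digest)
               for salt, digest in record.history)


def change_password(record, new_password, today, dictionary=DICTIONARY):
    """Apply the policy to a change request. Returns [] and updates the record on
    success, otherwise the list of reasons the request was refused."""
    problems = policy_violations(new_password, dictionary)
    if used_before(record, new_password):
        problems.append("reuses a previous password")
    if problems:
        return problems
    salt = os.urandom(16)
    record.history.append((salt, _digest(new_password, salt)))
    record.changed_on = today
    return []


def must_change(record, today, max_age_days=MAX_AGE_DAYS):
    """True if the password has never been set (an initial password must be changed
    before use) or is older than the permitted age."""
    return record.changed_on is None or (today - record.changed_on).days >= max_age_days


if __name__ == "__main__":
    rec = PasswordRecord()
    start = date(2013, 11, 1)  # constructed date
    print(change_password(rec, "Password1", start))          # refused: dictionary word
    print(change_password(rec, "Gr8pesAndCorks42", start))   # accepted: []
    print(change_password(rec, "Gr8pesAndCorks42", start))   # refused: reuse
    print(must_change(rec, start + timedelta(days=60)))      # True
```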
Special access logins - Where special logins with a fixed password are utilised, these logins should have read-only access only to customer data and zero access to data deemed sensitive, e.g. credit card numbers.
Generic logons - These can only be used as short-term solutions; as such they must be invalidated after a known (short) period of time has passed, for example a few days. Only authorised and documented use of generic logins is allowed.
Appropriate data storage - Workers have access to authorised applications. This access mandates that workers use the applications for their intended use only and not for other uses. Workers must not store sensitive data in inappropriate applications or file system locations, including, but not limited to, cloud storage locations. For example, credit card numbers must only be recorded in dedicated fields in applications where the underlying storage is known to be encrypted. Sensitive data must not be stored in free-format text fields in any application, nor in word processing files or text files in insecure locations. Handwritten and computer-printed sensitive data must be disposed of via the Virgin Wines process of secure disposal, managed by the Office Manager.
PDQ Machine - The PDQ machine is used only on rare occasions. In order to process a sale or refund on the terminal, the following process is in place:
- The machine is locked in a manager’s drawer.
- The agent fills out a Manual Payment request form with the customer’s details, card number (NOT the CVV) and order details.
- The Manual Payment form is handed to Sarah G, who has access to the PDQ machine and a supervisor’s swipe card for the terminal.
- The transaction is processed on the terminal, which is then unplugged and locked away again.
- The PDQ form is handed to the Office Manager (if she is not there it is locked away).
- The Office Manager reconciles the machine and records data from the PDQ form on a spreadsheet in a shared drive to which Finance have access.
- The Office Manager scans the PDQ form and keeps it in a folder on the network to which only she has access; after 2 months these are deleted.
- The PDQ form is then put in the secure disposal bin and sent away to be shredded.
2. Privacy
Expectations of privacy - Workers must have no expectation of privacy when using information systems at Virgin Wines, including systems used by BYODs. To manage systems and enforce security, Virgin Wines may log, review, and otherwise utilise any information stored on or passing through its systems. Virgin Wines may capture user activity such as telephone numbers dialed and web sites visited. Physical access to Virgin Wines’ premises and environs may be recorded by CCTV.
Collecting information - Virgin Wines does not collect information that is unnecessary for business purposes. Virgin Wines does not collect information from third parties such as customers unless these parties are notified about the collection activities before they occur.
Third party information privacy - A wide variety of third parties have entrusted their information to Virgin Wines for business purposes, and all workers at Virgin Wines must do their best to safeguard the privacy and security of this information. Customer account data is confidential and access must be strictly limited based on business need for such access. Customer account information must not be distributed to third parties for commercial reasons without advance authorisation by the customer. Customer account information must not be distributed to third parties for non-commercial reasons, e.g. systems development, without advance authorisation by information owners and without the existence of non-disclosure agreements (NDAs).
Data protection - Virgin Wines is bound by the Data Protection Act. Virgin Wines is a member of the Direct Marketing Association and as such adheres to its requirement to closely follow the principles of the Data Protection Act. Workers must not contravene any of the principles laid down in the Data Protection Act in the performance of their job. Virgin Wines and its staff are also bound by similar acts that exist in the other countries in which it and its staff operate. Where the situation arises, Virgin Wines will freely supply data to parties that request it, such as customers. Further details on data protection can be found in workers’ standard contracts of employment.
Data retention - A wide variety of data types are stored within Virgin Wines’ information systems and in physical archives. This data comprises customer data and all the data required to function as a business, for example financial data. Sensitive customer data such as payment data is purposefully retained for the minimum period possible whereas data for marketing purposes is retained for as long as possible and protected accordingly. For details see Appendix 1.
3. Data Protection
Customer Data - All workers who access customer data must take all necessary steps to ensure that the data is only used for the purposes for which it is intended and that it is not disclosed to any third parties. Customer data (including name, address, email address, etc.) must not be shared with other customers. Any breach of this is a breach of the Data Protection Act and may lead to disciplinary action.
Any systems or processes used within Virgin Wines that are liable to cause customer information to be shared through a failure of that process must be notified to your line manager and raised so that the process can be changed to prevent such failures.
4. Third-Party Disclosures
Pre-authorisation for public statements - All workers who will be delivering speeches, writing papers, or otherwise disclosing information about Virgin Wines or its business must obtain pre-authorisation from the Public Relations department. Only designated individuals are authorised to be spokespersons for Virgin Wines. Unless a worker is one of these designated spokespersons, all enquiries from the media must be directed to public relations staff at Virgin Wines.
Virgin Wines non-disclosure agreements - Whenever communications with third parties necessitate the release of sensitive Virgin Wines information, a standard non-disclosure agreement (NDA) must be signed by the third party. Information released to these third parties must be limited to the topics directly related to the involved project or business relationship, and the disclosure must be approved in advance by the involved information owner.
Third party non-disclosure agreements - In some instances, before discussions can be commenced, third parties may require that workers at Virgin Wines sign their non-disclosure agreements (NDAs). Recipients of third-party NDAs must forward these agreements to the legal department. Third-party NDAs must be signed only by members of the Virgin Wines legal department or by managers after consultation with the legal department.
5. Acceptable Use Of The Internet
Availability and content - Internet access is controlled and managed by the IT dept and is readily available where required. If a worker needs additional access to internet facilities, a request must be directed by line management to the IT dept. Workers must not visit sites containing undesirable material; this includes material that may be considered embarrassing, sexually explicit, obscene, intimidating, defamatory, violent, adult or fraudulent in nature. Display of such material on a user’s screen may lead to claims of inappropriate behaviour from colleagues, which may in turn lead to disciplinary action against the originator.
Information reliability - All information acquired from the internet must be considered suspect until confirmed by separate information from another source. Workers must not rely on the alleged identity of a correspondent through the internet unless the identity of this person is confirmed through methods approved by the IT dept such as digital certificates or digital signatures.
Posting information to public discussion groups - Workers must not use their Virgin Wines’ email address or the company name when posting to public discussion groups, blogs, chat rooms, or other public forums on the internet unless it is work related or they have received line management approval. Management reserves the right to remove any internet posting by a worker at Virgin Wines that it deems inappropriate and potentially damaging to the organisation’s reputation. For related items please see the Virgin Wines’ Social Media Policy.
Downloading software - Workers must not download software from the internet unless authorised to do so by the IT dept as an exception.
Sending security parameters - Workers must not send any sensitive parameters such as credit card numbers, passwords, or customer account numbers through the internet unless the connection and/or content is encrypted. It is the responsibility of the user to understand the transfer medium they are using.
International transfer of data - The movement of private information such as human resources records across international borders into some countries is illegal. Before transferring any private information across a border, workers must check with the HR dept to ensure that laws are not violated.
Laws in other countries may be more relaxed or tighter with regard to the content of emails. The rules with regard to illegal content still apply as laid down in this policy, but extra advice should be sought from the IT dept if the sender of a potentially dubious international email is in doubt.
User anonymity - Workers must not misrepresent, obscure, suppress, or replace their own or another user’s identity on the internet or on any other Virgin Wines information system. In all instances the user name, email address, organisational affiliation, and related contact information must reflect the actual originator of a message or posting. The use of anonymous re-mailers or other identity-hiding mechanisms is forbidden. The use of web browsers, anonymous FTP logons, and other methods established with the expectation that workers do not need to identify themselves is permissible.
False security reports - All workers in receipt of information about system vulnerabilities must forward this information to the IT dept which will determine what action is appropriate. If there is doubt then the IT dept should be told, rather than assume the information is unreliable. Workers must not redistribute system vulnerability information.
6. Network Connections
Connection approval - Virgin Wines computers or networks may be connected to third-party computers or networks only after the IT dept has determined that the combined systems will be in compliance with Virgin Wines security requirements. Real-time connections between two or more in-house Virgin Wines computer systems must not be established unless the IT dept has determined that such connections will not jeopardise information security. Connections of internal Virgin Wines computers to the Virgin Wines internal network do not require such permissions unless the involved systems store sensitive information. Connections to the internet through Virgin Wines firewalls do not require such permissions.
BYOD – Bring your own device - Workers may use their own personally owned devices such as laptops, smartphones, iPads and tablets in the workplace without seeking prior approval. Such BYODs may be connected to guest wireless facilities only. BYODs must not be connected to the corporate network via any mechanism (wireless or wired) without express permission from IT. Virgin Wines reserves the right to monitor and manage the usage of guest wireless by BYODs. The use of BYODs during work hours for personal reasons must be kept to a minimum so as not to affect the performance of individuals.
Workers may access company email from BYODs, but no corporate data is to be stored or processed on BYODs. It is the responsibility of the worker receiving emails to determine whether emails are downloaded to their BYOD and whether they contain corporate data; it is not the responsibility of the email sender or Virgin Wines. Virgin Wines reserves the right to manage access to company email from BYODs, e.g. via webmail.
Virgin Wines reserves the right to inspect BYODs brought onto company premises by workers; this includes devices such as USB keys and portable/desktop hard drives as well as smartphones, iPads, tablets, etc.
Virgin Wines reserves the right to remove any corporate data that has been stored on BYODs.
Firewalls required - All connections between Virgin Wines internal networks and the internet or any other publicly-accessible computer network must include an approved firewall or related access control system. The privileges permitted through this firewall or related access control system must be based on business needs and must be justified with documented reasons.
Dial-up access - The use of modems directly attached to office PCs is prohibited unless authorised by the IT dept; exceptions do exist, for example some financial processing. Any modems that do exist must be set to outgoing calls only.
7. Third-Party Access
Approval required - Before third-party users are permitted to reach Virgin Wines internal systems through real-time computer connections, approval from the IT department must be obtained. These third parties include information providers such as outsourcing organisations, business partners, contractors, and consultants working on special projects. Evidence of approval via project documentation and/or emails may be required.
Access restrictions - Third-party information system vendors must be given only in-bound connection privileges when the applicable system manager determines that they have a legitimate business need. These privileges must be enabled only for the time period required to accomplish previously-defined and approved tasks. Third-party vendor access that will last longer than one day must be approved by the IT dept.
Only public information posted - Unless the relevant information owner has approved in advance, workers must not place anything other than Virgin Wines public information in a directory, on a server, or in any other location where unknown parties could readily access it.
Third party security requirements - As a condition of gaining access to the Virgin Wines computer network, every third party must secure its own connected systems in a manner consistent with Virgin Wines requirements. Virgin Wines reserves the right to audit the security measures in effect on third party-connected systems without prior warning. Virgin Wines also reserves the right to immediately terminate network connections with all third-party systems not meeting such requirements.
8. Encryption
Default protection not provided - Virgin Wines networks and the internet and other public networks are not protected from wiretapping by default. In all but a few rare instances, if information is to be protected, then the user must take specific action to enable encryption facilities and must take advice from the IT dept.
When to use encryption - Whenever confidential information is sent over a public computer network like the internet, encryption methods authorised by the IT department must be used to protect it. Whenever customer confidential information, for example financial details, is stored in a computer, this storage must be achieved with similar authorised encryption methods.
Stored data encryption - If stored, customer data containing sensitive items such as credit card numbers must be encrypted to the standard laid down in the Payment Card Industry’s Data Security Standard. Management of encryption keys must adhere to PCI’s DSS as well. See https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.
9. Company Email
General - Virgin Wines will treat all users’ company email messages as business messages and thus users have no right of privacy with them. Reasonable personal use of the company email system is permitted. Emails may be monitored if there is reason to do so, e.g. to ensure proper use of the company email system. Some attachments may result in emails being blocked, both incoming and outgoing. Users will have to contact the IT Service Desk to process these emails.
Sharing and forwarding - Company email accounts, like user IDs, are for specific individuals and must not be shared. If a user goes on vacation or is otherwise unable to check their mail for extended periods, mail can be forwarded to another Virgin Wines worker. Notices can be established that will automatically inform correspondents that the recipient will not be responding for a certain period of time. Upon departure from Virgin Wines, access to a user’s email account must be restricted and may be terminated. No forwarding of company email containing sensitive or confidential information to addresses outside Virgin Wines is permitted. If a company email message contains sensitive information, workers must not forward it to another recipient unless the other recipient is known to be authorised to view the information, or the originator approves the forwarding. Broadcast email message facilities must not be employed unless line management approval is obtained, but the use of selected distribution lists is both advisable and permissible without such approval.
Incoming emails - If you belong to, or subscribe to any groups that send out emails not specifically related to your business role then these must not be sent to Virgin Wines. If you receive unsolicited emails from such groups or any sort of chain email you should not forward it to anyone within Virgin Wines and permanently delete it from your system.
Default protection - workers must be careful about the inclusion of sensitive information in email messages that are not protected by encryption.
Message recording - Workers must save the content of important company email messages that might be needed at a future date.
Contents of messages - Users must not use profanity, obscenities, or derogatory remarks in any company email messages discussing employees, customers, competitors, or others involved with Virgin Wines business. Such remarks may create legal problems such as trade libel and defamation of character. Special caution is warranted because backup and archival copies of email made by third parties may actually be more permanent and more readily accessible than traditional paper communications. Workers must not transmit any confidential customer information unencrypted in emails, for example credit card numbers or bank account details, either internally or externally.
Harassing or offensive messages - Virgin Wines information systems must not be used for the exercise of a user’s right to free speech. Sexual, ethnic, and racial harassment, including unwanted telephone calls, electronic mail, and internal mail, is strictly prohibited. Recipients must not respond directly to the originator of offensive email messages, telephone calls, or other communications. If the originator does not promptly stop sending offensive messages, workers must report the communications to their line manager.
10. Personal Email
General - It is acceptable for workers to periodically manage personal email during the working day, whether from Virgin Wines’ equipment or from BYODs.
11. Printing, Copying and Fax Transmission
Destruction of waste copies - If a printer, copier, or fax machine jams or malfunctions when printing confidential information, the involved worker must not leave the machine until all copies of the sensitive information are removed or are no longer legible. All paper copies of sensitive information must be disposed of by shredding or other methods approved by the IT department.
Faxing precautions - Sensitive materials must not be faxed unless an authorised staff member is on hand at the time of transmission to properly handle the materials at the receiving site in a secure manner. Sensitive information must not be faxed through untrusted intermediaries such as hotel staff or rented mailbox service staff. Confidential information may be faxed only if the connection is protected with encryption systems approved by the IT department. The receipt of sensitive information by fax must be confirmed promptly.
Printer precautions - When printing sensitive information, the user must be present at the printer at the time of printing to prevent the information from being revealed to unauthorised parties, or direct the output to a printer inside an area where only authorised workers are permitted to go.
Copy machine precautions - Unless permission from the copyright owner is obtained, making multiple copies of material from magazines, journals, newsletters, and other publications is forbidden unless this is both reasonable and customary.
12. Mobile Computing And Work At Home
Approval for remote access - Remote access to Virgin Wines systems must be granted only to those workers who have a demonstrable business need for such access. Virgin Wines reserves the right to conduct surprise audits of workers with remote access privileges.
Location independence - Office based security requirements apply at remote locations although they may be implemented in different ways. For example paper-based confidential information must be locked up when not in active use. In offices a filing cabinet might be used, but on the road, a locking briefcase should be employed as a minimum.
Handling of sensitive information - Sensitive information must not leave Virgin Wines’ offices unless authorised by line management. If it is necessary to remove computer-readable sensitive information from Virgin Wines’ offices this information must be protected by security facilities approved by the IT department. If sensitive information is transmitted over public computer networks such as the internet this transmission must take place with encryption facilities.
Authentication of remote users - Remote access to Virgin Wines computers and networks requires that all users be definitively authenticated. All remote users must connect to Virgin Wines computers and internal networks through authorised routes via firewalls and portals. Inbound connection to Virgin Wines computers or networks through an office desktop modem is prohibited unless specific approval has been obtained from IT dept.
Theft of equipment - All equipment used to handle Virgin Wines information must be stored in a locked area, e.g. a private dwelling with normal domestic security arrangements. Remote users must not store passwords, user IDs, PIN numbers or any other access information in portable or remote systems.
Home PCs - Where personal equipment is in use to gain remote access, all of the above security controls still apply. Additionally, personal firewalls must be used on home PCs and laptops.
Hotels and cyber-cafes - It is the responsibility of the worker to not leave any Virgin Wines data on publicly accessible systems.
Travel considerations - Travelling workers must be careful not to discuss, view or handle sensitive information when in public places. Laptops should never be left unattended unless stored securely.
13. Viruses, Malicious Software, And Changes To Desktop Systems
Virus checking - Virus-checking systems approved by the IT department must be in place on all personal computers with operating systems susceptible to viruses, e.g. desktops & laptops. All files coming from external sources must be virus checked.
If a virus is detected - If workers obtain virus alerts they must immediately disconnect their equipment from all networks, cease further use of the affected computer and call the IT helpdesk for technical assistance. Workers must not attempt to remove viruses on their own. If workers believe they may have been the victim of other malicious software, they must immediately call the IT helpdesk to minimise the damage. Possession or development of viruses or other malicious software by any Virgin Wines worker is prohibited unless that software has been explicitly commissioned by the IT department to test the security of the system.
Changes to Virgin Wines’ computing equipment - Workers must not install or upgrade operating systems or application software on the Virgin Wines computing equipment that they use unless authorised to do so by the IT department. Systems used to process Virgin Wines information are owned by Virgin Wines and have been specifically recognised as systems used for regular business activities. This approach permits Virgin Wines to perform automatic software distribution, automatic software licence management, automated remote backup and related functions on a centralised and coordinated basis without the user’s knowledge.
Laptops - Laptops are managed differently to desktops and may have fewer of the desktop restrictions, but they still fall within the security controls of the IT department.
14. Personal Use Of Company Information Systems
Personal use - All workers’ activities are subject to logging and subsequent analysis. Workers must not perform any activity on Virgin Wines information systems that could damage the reputation of Virgin Wines. Unbecoming conduct could lead to disciplinary action including revocation of access privileges. Incidental personal use of Virgin Wines information systems, including the telephone, is permissible as long as the usage does not interfere with job performance, does not deny other users access to the system resources and does not incur significant costs. Use of software licensed to Virgin Wines but installed on a personal computer owned by a worker is not authorised.
Testing the prohibition mechanisms - Workers must not test or attempt to compromise any information security mechanism unless specifically authorised to do so by the IT dept. Workers must not possess software or other tools that are designed to compromise information security.
15. Intellectual Property Rights
Legal ownership - With the exception of material clearly owned by third parties, Virgin Wines is the legal owner of all business information stored on or passing through its own systems. All business-related information developed while a worker is employed by Virgin Wines is Virgin Wines property.
Making copies of software - Workers must not make copies of or use software unless they know that the copies are in keeping with the vendor’s licence to Virgin Wines. If a system that is used to process Virgin Wines information has been set up by the IT department, workers can rely on the fact that all software on this system is licensed and authorised. The IT dept will remove all software that is not authorised on systems that are used to process Virgin Wines information.
Labelling - Workers must maintain information about source, date, and usage restrictions for all information provided by third parties. These labels will be important for management decision-making purposes, and will demonstrate that Virgin Wines observed appropriate copyright and other intellectual property laws. Workers must assume that all materials on the Internet are copyrighted unless specific notice states otherwise.
16. Systems Development
Production systems - Information systems that have been designated production systems have special security requirements. A production system is a system that is regularly used to process information critical to Virgin Wines business.
Systems development - All software developed in-house that runs on production systems must be developed according to the IT department’s standard systems methodology. This methodology must ensure sufficient measures are taken with regard to documentation, testing, access limitations, security and configuration management.
Separation between production, development, and test systems - Where resources permit, there must be a separation between the production, development, and test environments and the existence of a sanitised change management system to manage migrations.
17. Reporting Of Problems
What to report - All workers must promptly report to the IT department any loss of, or severe damage to, their hardware or software. Workers must report all suspected compromises to Virgin Wines information systems. All serious information security vulnerabilities known to exist must be reported. All instances of suspected disclosure of sensitive information also must be reported.
How to report - All workers should contact the IT dept via the normal methods. Line managers should be made aware of all suspected compromises.
18. Non-Compliance Situations
Risk acceptance - Non-compliance with these and other information security requirements can result in disciplinary action up to and including termination. In rare cases, a business case for non-compliance can be established. In all such cases, the non-compliance situation must be approved in advance via the user’s manager and the IT dept.
Further information - Questions about this document should be directed to the author.
Appendix
Document History
Version | Date | Description | Author | Status |
---|---|---|---|---|
1.0 | 25/06/2009 | Initial release | David Seaton, IT Governance | Published |
2.0 | 22/11/2012 | Revision #1 | David Seaton, IT Governance | Published |
2.1 | 19/12/2013 | Virgin Wines Revision | John Marsh | Published |
3.0 | 22/12/2013 | Virgin Wines, Post MBO Revision | Dom Davis | Draft |
Appendix 1: Data Retention
Sensitive customer data - Sensitive customer data is stored securely across a number of different information systems but primarily within the BlueMartini database. BlueMartini is the destination of all customers’ transactional data from all channels.
Sensitive data is retained for short, specific periods, whilst non-sensitive marketing data is stored for longer periods. The following list shows the specific data retention periods for different data types deemed sensitive, by system. These periods are accurate at the time of publication of this document.
System | Data Type | Retention Period | Comment |
---|---|---|---|
Blue Martini | Customer orders, products, quantities, prices in database. | Permanent | Used by marketing |
Blue Martini | Customer details in database (name, address, etc.) | Permanent | Customer base, used by marketing |
Blue Martini | Credit card numbers in normal transactions in database | Permanent | All retained PANs are encrypted |
Blue Martini | CVV2 numbers in database | Not Retained | CVV2 exists whilst being processed then deleted, existing only for seconds |
Telecoms | Call recording service | Permanent | Third-party service whose procedures are PCI compliant |
WorldPay | Credit Card Billing Service | Permanent | PANs are not visible on the reporting interface. WorldPay internal procedures are PCI compliant |