Information Security Policy
1. PURPOSE
The purpose of this Policy is to safeguard information belonging to CloudCard and its stakeholders (including third parties, clients or customers and the general public), within a secure environment.
...
Information will be protected against unauthorized access or misuse.
Confidentiality of information will be secured.
Integrity of information will be maintained.
Availability of information / information systems is maintained for service delivery.
Business continuity planning processes will be maintained.
Regulatory, contractual and legal requirements will be complied with.
Physical, logical, environmental and communications security will be maintained.
Infringement of this Policy may result in disciplinary action or criminal prosecution.
When information is no longer of use, it is disposed of in a suitable manner.
All information security incidents will be reported to the Managing Director and investigated through the appropriate management channel. These reports will be brought to the Product Owner in order to address the current problem and devise a new plan.
...
Electronic information systems (software, computers, and peripherals) owned by CloudCard, whether deployed or accessed on or off campus.
CloudCard’s computer network, both in the cloud and on campus.
Hardware, software and data owned by CloudCard.
Paper-based materials.
Electronic recording devices (i.e. camera systems).
Customer data obtained by CloudCard.
2. INFORMATION & SECURITY OBJECTIVES
CloudCard’s information security policy has a simple objective: keep our information and data secure. We will accomplish this through the use of the CIA Triad:
...
potential threats. Likewise, AWS has taken extensive measures to certify the information security of their environment.
In order for the information and security policy to be effective, CloudCard must determine who has the authority to decide what data can and cannot be shared. CloudCard requires all users to exercise a duty of care in relation to the operation and use of its information systems.
...
legal action to ensure that its information systems are not used by unauthorised persons.
In order to ensure sensitive data is handled with care and responsibility, CloudCard must determine how the different levels of data will be handled. The following components make up our comprehensive approach:
...
Photos and Supporting Documents are encrypted at rest using Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3); each object is encrypted with a unique key. As an additional safeguard, the key itself is encrypted with a master key that is regularly rotated. The server-side encryption uses 256-bit Advanced Encryption Standard (AES-256) to encrypt all data. For more information, see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).
All photo metadata stored at rest in the underlying storage is encrypted, as are all automated backups, read replicas, and snapshots, using the AES-256 encryption algorithm.
Photos, photo metadata, and supporting documents are encrypted in transit using HTTPS, and clients are required to support TLS 1.2 encryption or higher.
All data is securely deleted using the techniques detailed in or NIST 800-88 (“Guidelines for Media Sanitization”) as part of the decommissioning process. Refer to the AWS Overview of Security Processes Whitepaper for additional details, available at http://aws.amazon.com/security
CloudCard adheres to industry best practices with regard to data protection, following the recommendations set forth by Amazon Web Services (see AWS Security Best Practices).
All CloudCard servers enable automatic minor and patch updates during weekly update windows.
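The at-rest and in-transit controls stated above (SSE-S3 with AES-256, HTTPS only, TLS 1.2 or higher) can be checked mechanically against a bucket's configuration. The following is an added example, not CloudCard's own tooling: it audits a constructed bucket policy and default-encryption configuration (the bucket name `example-photos` is a placeholder) and, as a simplification, does not evaluate Resource scope or Deny statements that combine several conditions.

```python
# Constructed sample inputs; "example-photos" is a placeholder bucket name.
RES = ["arn:aws:s3:::example-photos", "arn:aws:s3:::example-photos/*"]
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyPlainHttp", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": RES, "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyOldTls", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": RES, "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}}},
]}
# Shape of ServerSideEncryptionConfiguration as returned by GetBucketEncryption.
ENCRYPTION = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _blanket_deny_conditions(policy):
    """Condition blocks of Deny statements covering every principal and S3 action."""
    for stmt in _as_list(policy.get("Statement", [])):
        if (stmt.get("Effect") == "Deny"
                and stmt.get("Principal") in ("*", {"AWS": "*"})
                and any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action", [])))):
            yield stmt.get("Condition", {})


def _tls_floor(cond):
    """TLS version below which this condition denies requests (0.0 if none)."""
    values = _as_list(cond.get("NumericLessThan", {}).get("s3:TlsVersion", "0"))
    return max(float(v) for v in values)  # multiple values are ORed by IAM


def audit(policy, encryption):
    """Return the policy controls that this bucket configuration does not enforce."""
    conds = list(_blanket_deny_conditions(policy))
    findings = []
    if not any("false" in [str(v).lower() for v in
                           _as_list(c.get("Bool", {}).get("aws:SecureTransport", []))]
               for c in conds):
        findings.append("requests over plain HTTP are not denied")
    if max((_tls_floor(c) for c in conds), default=0.0) < 1.2:
        findings.append("TLS versions below 1.2 are not denied")
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in encryption.get("Rules", [])}
    if "AES256" not in algos:
        findings.append("default encryption is not SSE-S3 (AES256)")
    return findings


print(audit(BUCKET_POLICY, ENCRYPTION))  # audit of the constructed inputs above
```

An empty list means all three controls are enforced; each string in a non-empty list names a control the configuration leaves open.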
...
CloudCard uses the premium database product from AWS, Amazon Aurora Database, which makes six copies of the data, distributes them across 3 different availability zones, and is continuously backed up to S3.
Real-time backups are available to customers upon request.
CloudCard is prepared to use a “pilot light” to keep a minimal version of an environment running in the cloud, should a disaster occur (see Business Continuity Plan).
Infrastructure elements for the pilot light itself include our Amazon RDS database servers, which are replicated to a different availability zone using a multi-AZ deployment, as well as our Amazon S3 files, which are replicated across availability zones to preserve data (see Business Continuity Plan).
5.3 Amazon Web Services complies with strict data protection best practices. The
...
Amazon Web Services compliance documents
The best security plan in the world is useless if no one follows it. Staff must understand exactly what is required of them in order to ensure the Information Security Policy is followed when working with customer data.
...
Basic understanding of the Information Security Policy training will be reviewed annually to support comprehension
The Product Owner will review this policy annually and the Managing Director will ensure all personnel are properly applying and adhering to it.
CloudCard has appointed the Product Owner to oversee the maintenance of the Information Security Policy. The Product Owner has direct responsibility for providing guidance and advice on its implementation. The Managing Director is responsible for the implementation of the Information Security Policy.
...
Participation in the annual review of the Information Security Policy
Participation in the annual review of the Business Continuity Plan
Participation in the annual review of the Disaster Recovery Plan
Participation in the annual review of the Data Breach Response Plan
Reporting all information vulnerabilities or threats to the Managing Director
...
Annual review of the Information Security Policy
Annual review of the Business Continuity Plan
Annual review of the Disaster Recovery Plan
Annual review of the Data Breach Response Plan
Employee correction and review when the policy is not followed.
...
Systems are adequately protected from unauthorised access.
Systems are secured against theft and damage to a level that is cost-effective.
Adequate steps are taken to ensure the availability of the information system, commensurate with its importance (Business Continuity).
Electronic data can be recovered in the event of loss of the primary source (i.e. failure or loss of a computer system). It is incumbent on all system owners to back up data and to be able to restore data to a level commensurate with its importance (see Disaster Recovery Plan).
Data is maintained with a high degree of accuracy.
Systems are used for their intended purpose, and procedures are in place to rectify discovered or notified misuse.
Any electronic access logs are only retained for a justifiable period to ensure compliance with the data protection, investigatory powers and freedom of information acts.
Any third parties entrusted with CloudCard data understand their responsibilities with respect to maintaining its security.
Perform and document risk assessments on an annual basis.
Web server access and error logs are reviewed for anomalies that could indicate a compromise.
...