1. Objective
To define the measures to be taken for protecting the information/data of Integra’s various business partners and individuals.
2. Scope
This policy applies to all employees, business partners, vendors, employees of third parties and consultants who share business data and/or personal information with Integra.
3. Reference
Standards: ISO 27001:2022 Information Security Management System
Controls: A5.12, A5.14, A8.3, A5.33, A5.34, A8.30, A8.10, A8.11, A8.12
4. Definition
The data protection and privacy policy guides all employees, contractors and visitors of the organization on the importance of protecting Integra’s information/data, which may be the organization’s own data and/or its customers’ data.
5. Glossary
Abbreviation / Term | Full Form / Description
CISO | Chief Information Security Officer
Individual Users / Employees | Employees / Users in Integra
Department Heads | Heads of various departments within Integra
ISMG | Core group of people responsible for implementing and maintaining the ISMS
Policy Statement
5.1 Principle of Data Protection
However, there will be certain circumstances where Integra will have to disclose the data.
Unless otherwise directed by a specific non-disclosure agreement, customer data is treated as per this policy.
5.2 Roles and Responsibilities
Roles | Responsibility
Department Head (HR, Admin, Project/Operations) | Protection of data, obligation to protect data, determining right to access
Project Manager / Department Head | Identifying and defining the confidentiality of data / assets; protection of data, determining right to access, disclosure of data
IT Support Team | Protection of data, implementing appropriate controls
Individual Employees | Protection of data and complying with this procedure
5.3 Identification of Classified Data
Any data received from clients or business partners that has already been classified by them at the Integra equivalent of “RESTRICTED” is treated as Classified/Confidential Data. This data is handled as per the data protection and privacy policy defined in this document.
5.4 Protection of Data
The Project Manager is responsible for the protection of the customer’s data in his/her project.
The Project Manager should identify the confidentiality levels of the data.
Based on the level of confidentiality required, the Project Manager should define the access matrix for the data and should also define the protection level in coordination with the Department Head-IT or the CISO.
Integra reserves the right to use any technology or measures it considers required, adequate or feasible for protecting the data in its custody, wherever necessary.
Any breach of customer data should be notified immediately to the senior management of Integra, including the CISO.
If there are any legal or client-specific requirements, Integra will implement the appropriate technology or measures.
5.5 Obligation to Protect Data
The Management of Integra is obliged to ensure the protection of data collected, taken or received during its normal course of business engagements with various data subjects, in order to fulfil the principles of data protection. However, this is limited to Classified/Confidential Data, which is equivalent to “SENSITIVE” or “RESTRICTED”.
The necessary technical, procedural and organizational measures will be implemented across all activities of Integra to ensure that due care is always exercised in protecting the data.
5.6 Data Masking Policy
The use of data masking techniques must at all times take account of Integra’s compliance obligations under relevant privacy legislation.
This policy applies in two main sets of circumstances:
Note: This policy does not apply to the preparation of PII for release to the general public; in this case, specific guidance from top management must be sought as the requirements for effective data masking (such as anonymization) are typically more stringent, with a higher risk of re-identification.
The approach to data masking that will be taken in a particular instance will be tailored to the specific requirements and will be in line with best practice.
Techniques that may be used include:
The use of each of these techniques (and other techniques where available) in a specific case will depend upon a firm understanding of how the data will be used, and not all of them will be appropriate in every case.
A risk-based approach will be used with regard to possible re-identification of PII, taking into account the sensitivity of the data and potential harm to the PII principal.
The involvement of a subject matter expert will be required in most cases to assess the risk of re-identification, for example by inferring someone’s identity from other available data.
Data masking techniques must be used in combination with supporting technical controls where possible. These may include restricting online access, allowing only query access to the data and limiting the number of recipients of the data.
The process used for data masking must be documented in each instance and kept securely, for audit purposes and in order to avoid its use in later re-identification.
Where techniques for pseudonymization are used, the associated mapping tables (which show the real data against the pseudonym) must be secured effectively as they provide the key to re-identification.
Records must be kept of PII that has been provided to third parties, with written agreements covering how the data may be used and the controls that are expected to be applied to it.
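The pseudonymization described above, as an added illustration rather than part of Integra’s policy text: direct identifiers are replaced by keyed tokens (HMAC-SHA256) so records can still be linked for analysis, while the mapping table that reverses the tokens is produced separately and must be secured as the re-identification key. The records, the masking key and the field names are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample records and key; not real customer data.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "order_total": 120.50},
    {"customer_id": "C-1002", "email": "bob@example.com", "order_total": 75.00},
    {"customer_id": "C-1001", "email": "alice@example.com", "order_total": 42.10},
]
MASKING_KEY = b"constructed-masking-key-keep-out-of-the-dataset"

# Fields that directly identify the PII principal; other fields stay as they are.
DIRECT_IDENTIFIERS = ("customer_id", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic token: the same input always gives the same token,
    so records stay linkable, but the token cannot be reversed or re-derived
    from guessed inputs without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, str]]:
    """Return (masked_records, mapping_table).  The mapping table (token -> real
    value) is the re-identification key and must be stored apart from the
    masked data, with access restricted as the policy requires."""
    mapping: Dict[str, str] = {}
    masked: List[Dict] = []
    for rec in records:
        out = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                token = pseudonym(out[field], key)
                mapping[token] = out[field]
                out[field] = token
        masked.append(out)
    return masked, mapping


def reidentify(masked_record: Dict, mapping: Dict[str, str]) -> Dict:
    """Reverse the masking; only possible for whoever holds the mapping table."""
    out = dict(masked_record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = mapping[out[field]]
    return out
```

The masked records and the mapping table are returned as two separate objects deliberately: the masked set can be handed to a recipient, while the mapping stays with the data owner.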
5.7 Data Leakage Prevention Policy
It is Integra’s policy to monitor systems, networks and endpoint devices to detect and prevent the unauthorised extraction of sensitive information by individuals or systems.
Monitoring will be carried out in accordance with applicable legislation and solely for the legitimate interest of Integra in protecting its sensitive information.
Unauthorised extraction will be interpreted as the copying or moving or otherwise exporting of sensitive data without the asset owner’s permission to a location or medium that falls outside the organization’s boundaries, such as a cloud service, mailbox or removable storage device.
Where technically possible, steps must be taken to restrict user access to extract sensitive data by design, such as limiting the user’s ability to copy and paste within an application or preventing the connection of removable storage devices.
Technical controls must be supplemented by regular user awareness training activities which inform users about the nature of data loss and how to avoid it.
Where possible, appropriate data leakage software tools will be used to detect the disclosure of information classified as sensitive and prevent the identified action (such as file copying or sending an email) from taking place.
Unauthorised physical actions such as photographing or taking screenshots of sensitive data are not permitted and all employees of Integra have a responsibility to report such instances to management.
Personnel found to be responsible for unauthorised extraction of information falling under the remit of this policy may be subject to disciplinary action. In some circumstances a targeted programme of awareness training may also be appropriate for those found to have breached this policy.
5.8 Information Deletion Policy
It is Integra’s policy to delete information that is no longer required for operational, legislative or other, justifiable reasons.
Information deletion must be carried out in compliance with Integra retention policies which define how long various types of records must be kept for.
Consideration must also be given as to whether information may be useful to the organization in anonymized form, as defined in the Data Masking Policy.
Methods of information deletion may vary according to the way in which the information is stored and may include:
Care must be taken to ensure that the most appropriate method of information deletion is used according to the circumstances, including consideration of the sensitivity of the information involved.
Where possible, evidence of the deletion of information (for example audit logs) must be recorded and retained for a specified period of time.
In cases where deletion is carried out by a third party, a relevant certificate or similar attestation of completion must be obtained.
The use of information deletion techniques must at all times take account of Integra’s compliance obligations under relevant privacy legislation.
Where information is to be deleted as a result of a legal request by a PII principal under relevant privacy law, care must be taken to ensure that the information involved is deleted from all locations in which it is held, including those of processors and sub-processors.
For information held in third party cloud services, due diligence must be carried out prior to contract signing to confirm that information deletion methods meet Integra requirements.
For information that is classified as very sensitive, periodic audits must be carried out to confirm that procedures have been followed correctly and that deleted information cannot be recovered. It may be appropriate to use a third-party supplier which has specific expertise in this field for this purpose.
5.9 Information Transfer
This procedure describes the steps involved in performing the following information transfer:
Information To Be Transferred | Customer order information, including names and addresses
Information Classification | Restricted
Sender | [Name of Transferor organization]
Receiver | [Name of Recipient organization]
Purpose Of Transfer | Allow outsourced picking and dispatching of customer orders
Frequency Of Transfer | Weekly
Main Transfer Method | Electronic file transfer
Transfer Agreement Number | ABC-1234
In describing the steps to be taken, the roles of Information Producer, Sender, Receiver and Information Consumer will be used.
Triggering the Procedure
This procedure will begin upon the Sender being informed via email by the Information Producer that a file needs to be transferred. The file will be placed by the Information Producer on the internal server [specify server name] at the following location:
[Specify location of file]
File Preparation and Transmission
Due to the sensitive nature of the information, the file will be encrypted by the Sender using standard encryption methods specified by the organization. This will involve the use of a pre-shared key between the Sender and the Receiver which must be securely stored by both parties.
The encrypted file will be placed into a folder within the agreed third-party filesharing service [for example Box, Dropbox, ShareFile] to which both parties (Sender and Receiver) have appropriate access.
Notifying Transmission, Dispatch and Receipt
When a file is ready to be retrieved from the file sharing service, the Sender will inform the Receiver via email at the following address [this notification may be automated]:
a.receiver@recipient.com
Once the file has been retrieved by the Receiver, a confirmation email will be sent to the Sender [this notification may be automated]. Access to the information within the Receiver organization must be strictly controlled in accordance with the relevant transfer agreement. Only employees with sufficient clearance may be allowed to process the file.
Decryption and Processing
Once received, the file will be decrypted by the Receiver using the pre-shared key and passed to the Information Consumer for processing.
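Added example (not part of the procedure above, and independent of whichever standard encryption tool the organization uses): the Sender attaches a small manifest to the notification email and the Receiver checks the retrieved file against it before decrypting, using the same pre-shared key. A truncated, corrupted or altered file, or a manifest that was altered in transit, fails the check and becomes an incident for the Receiver to report. The key and the ciphertext bytes are constructed placeholders; the agreement number is the one from the transfer record.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed values: the real pre-shared key is the one agreed between Sender
# and Receiver, and the payload is the file already encrypted by the
# organization's standard tool (this code does not perform the encryption).
PRE_SHARED_KEY = b"constructed-pre-shared-key"
ENCRYPTED_PAYLOAD = b"\x8f\x12 opaque ciphertext bytes from the encryption tool\x00\xff"
TRANSFER_AGREEMENT = "ABC-1234"  # transfer agreement number from the record above


def _tag(key: bytes, transfer_ref: str, size: int, digest: str) -> str:
    """HMAC over the manifest fields, so the manifest cannot be forged or
    altered without the pre-shared key."""
    message = f"{transfer_ref}:{size}:{digest}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def build_manifest(payload: bytes, key: bytes, transfer_ref: str) -> Dict:
    """Sender side: describe the dispatched file for the notification email."""
    digest = hashlib.sha256(payload).hexdigest()
    return {
        "transfer_ref": transfer_ref,
        "size": len(payload),
        "sha256": digest,
        "tag": _tag(key, transfer_ref, len(payload), digest),
    }


def verify_received(payload: bytes, manifest: Dict, key: bytes) -> Tuple[bool, str]:
    """Receiver side: returns (ok, reason).  Any False result means the file
    must not be decrypted or processed and the Sender must be informed."""
    expected = _tag(key, manifest["transfer_ref"], manifest["size"], manifest["sha256"])
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, "manifest tag invalid: manifest altered or wrong pre-shared key"
    if len(payload) != manifest["size"]:
        return False, "size mismatch: file truncated or replaced"
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest["sha256"]):
        return False, "digest mismatch: file corrupted or modified after dispatch"
    return True, "file matches manifest; safe to decrypt"
```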
Incident Management Procedures
If the file is corrupted or has been subject to unauthorised access in any way, the Sender must be informed by the Receiver immediately. The circumstances of the incident must be recorded, and the Information Security Manager within both organizations informed.
Appropriate action will then be taken to address the situation. This may include:
5.9 Implementation of the Controls
5.9.1 Storage of Customer’s Data
Customer’s data should be stored on physically separate folders or servers if required. Access to these folders / servers should be limited and given to only those users who are working for that specific customer and have a specific “need to use”.
5.9.2 Backup of Customer’s Data
Backup of customer data should be done as per the regular backup schedule and should have the same level of access restrictions as the primary data. Wherever necessary, the backup media should be stored separately.
5.9.3 Retention & Disposal of Customer’s Data
All data collected or received from various sources as part of business engagements should not be retained in the custody of Integra beyond the period agreed or required under the contract.
If the client has not declared a data retention period, then by default all the data will be retained for one year as per the backup and retention policy of Integra.
On completion of the contract or term, the data should be removed from the work area. However, Integra is entitled to take a backup of the data for its own reference, which should be preserved at onsite and offsite locations with the highest classification possible, such as “SENSITIVE” or “RESTRICTED”. The physical and logical access afforded to this copy of the data should always be commensurate with its classification.
5.10 Right to Access
Clients, partners and other individuals (within the scope of this policy) may audit Integra to ascertain the level of protection accorded to their own data with prior permission and due notice to the management of Integra.