This shows you the differences between two versions of the page.
wiki:policies:infosec [2021/11/22 00:50] katcow
wiki:policies:infosec [2023/08/30 15:12] katcow
Line 11: | Line 11: | ||
* An external cybersecurity consultant, who has already been vetted and interviewed by Nested Knowledge, will be hired as an independent contractor if the needs of our information security organization expand. | * An external cybersecurity consultant, who has already been vetted and interviewed by Nested Knowledge, will be hired as an independent contractor if the needs of our information security organization expand. | ||
- | **Review:** All policies will be reviewed on an annual basis or earlier, should a major system changed occur. | + | ==== Review: |
+ | |||
+ | All policies will be reviewed on an annual basis or earlier, should a major system changed occur. | ||
+ | |||
+ | ==== Personnel changes ==== | ||
+ | |||
+ | In the event of a change in role, a departure, or a new hire, oversight of the affected security policies will be transferred to the new information security personnel. Management of information technology systems will be transferred to the appropriate engineer. Barring no sudden change, the transition will take place over two to eight weeks and will include training, knowledge checks, and progressively increasing responsibility over policies. | ||
====== Data Protection Plan ====== | ====== Data Protection Plan ====== | ||
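Review bot: the new Personnel changes paragraph covers handover of policy oversight and system management but leaves out the revocation step; for a departure it should state when the leaving person's accounts, credentials and keys are disabled and who confirms that this was done. Two wording fixes in the same hunk: "should a major system changed occur" should read "should a major system change occur", and "Barring no sudden change" is a double negative, better as "Barring a sudden change".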
Line 21: | Line 27: | ||
===== II. Scope ===== | ===== II. Scope ===== | ||
- | This plan applies to all Nested Knowledge employees and contractors. | + | This plan applies to all Nested Knowledge employees, and all contractors, consultants, |
High-Risk personal data includes: | High-Risk personal data includes: | ||
Line 37: | Line 43: | ||
==== Data Protection Officer (DPO) ==== | ==== Data Protection Officer (DPO) ==== | ||
- | The DPO, responsible for approving data processing projects, | + | The DPO, responsible for approving data processing projects, |
+ | |||
+ | **DPO Email: | ||
==== Data Protection Impact Analysis Plan ==== | ==== Data Protection Impact Analysis Plan ==== | ||
- | Nested Knowledge will fill out a data protection impact analysis before processing any high-risk personal data. | + | Nested Knowledge will fill out a data protection impact analysis before processing any high-risk personal data. |
=== We will take the following steps: === | === We will take the following steps: === | ||
+ | |||
- **Identify the need for a DPIA** | - **Identify the need for a DPIA** | ||
- Explain broadly what project aims to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal. Summarize why you identified the need for a DPIA. | - Explain broadly what project aims to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal. Summarize why you identified the need for a DPIA. | ||
Line 50: | Line 59: | ||
- **Scope of the processing: | - **Scope of the processing: | ||
- **Context of the processing: | - **Context of the processing: | ||
- | - *Purpose of the processing: | + | - **Purpose of the processing: |
- **Consultation Process** | - **Consultation Process** | ||
- describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organization? | - describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organization? | ||
Line 75: | Line 84: | ||
===== Training ===== | ===== Training ===== | ||
- | Employee training requirements based on the [[https:// | + | |
+ | Employee training requirements | ||
====== Backup Plan ====== | ====== Backup Plan ====== | ||
Line 85: | Line 95: | ||
===== II. Scope ===== | ===== II. Scope ===== | ||
- | This policy affects all employees of this Nested Knowledge | + | This policy affects all employees |
This policy applies to all computer and communication systems owned or operated by Nested Knowledge and it’s subsidiaries. Systems include company shared drives, purchased software, as well as access to the Nested Knowledge AutoLit review platform. Similarly, this policy applies to all platforms (operating systems) and all application systems. Reviews developed in the AutoLit software by parties external to Nested Knowledge are not covered in this policy. | This policy applies to all computer and communication systems owned or operated by Nested Knowledge and it’s subsidiaries. Systems include company shared drives, purchased software, as well as access to the Nested Knowledge AutoLit review platform. Similarly, this policy applies to all platforms (operating systems) and all application systems. Reviews developed in the AutoLit software by parties external to Nested Knowledge are not covered in this policy. | ||
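Review bot: "owned or operated by Nested Knowledge and it's subsidiaries" should read "its subsidiaries" (possessive, no apostrophe). The exclusion "Reviews developed in the AutoLit software by parties external to Nested Knowledge are not covered in this policy" would be clearer if it said whether the database that stores those reviews is still in scope, since the restoration section later in this document tests restoration of the AutoLit database as a whole.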
Line 95: | Line 105: | ||
Remote workers are responsible for ensuring that their remote systems are backed up on a periodic basis. | Remote workers are responsible for ensuring that their remote systems are backed up on a periodic basis. | ||
- | * It is recommended that all personal computers be backed up. Copies of the personal computer files should be uploaded to the Nested Knowledge | + | * It is recommended that all personal computers be backed up. Copies of the personal computer files should be uploaded to the Nested Knowledge |
=== Backup Strategies === | === Backup Strategies === | ||
Line 102: | Line 112: | ||
* Automated backup functions within software packages should be used where applicable. | * Automated backup functions within software packages should be used where applicable. | ||
* When a computer equipment is changed, consideration should be given to the backup media and data formats to ensure that they can still be restored. | * When a computer equipment is changed, consideration should be given to the backup media and data formats to ensure that they can still be restored. | ||
- | * The database | + | |
+ | === Database Back Ups === | ||
+ | |||
+ | Backups are generated as database | ||
+ | |||
+ | In addition to backups on our main cloud provider (AWS), we generate & store backups on a separate | ||
=== Restoration === | === Restoration === | ||
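Review bot: the new Database Back Ups section says that backups are generated on the main cloud provider (AWS) and on a separate provider, but not how those copies are protected; it should state that the backup files are encrypted at rest, who holds access to the second provider's storage, and how long the copies are retained, since a second copy of the production database is a second place where the high-risk personal data covered by the Data Protection Plan lives. Minor: "When a computer equipment is changed" should read "When computer equipment is changed".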
Line 108: | Line 123: | ||
* Authorization to restore data from backup media that would overwrite existing production data must be obtained from Data Owners. | * Authorization to restore data from backup media that would overwrite existing production data must be obtained from Data Owners. | ||
* Restoration of the current configuration must be within agreed recovery timescales | * Restoration of the current configuration must be within agreed recovery timescales | ||
- | * Restoration of the AutoLit database is tested with regularity | + | * Restoration of the AutoLit database is tested with quarterly |
+ | * Backups | ||
+ | * Evidence | ||
+ | |||
+ | **Testing** | ||
+ | |||
+ | Backup and restore procedures must be tested at least annually. Issues with backups identified should be documented and remediated. | ||
===== Revision History ===== | ===== Revision History ===== | ||
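Review bot: the two test cadences in this hunk need reconciling: "Restoration of the AutoLit database is tested with quarterly" and, under Testing, "Backup and restore procedures must be tested at least annually". If quarterly applies only to the AutoLit database and annual is the floor for everything else, say so in the Testing paragraph; otherwise a reader cannot tell which governs. The new Evidence bullet should also name where test results are recorded so that "Issues with backups identified should be documented and remediated" is checkable.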
Line 114: | Line 135: | ||
^Author^Date of Revision/ | ^Author^Date of Revision/ | ||
|K. Cowie|11/ | |K. Cowie|11/ | ||
- | |K. Holub|11/17/2021|Review Completed| | + | |K. Holub|05/26/2023|Off provider database back ups| |
|K. Kallmes|11/ | |K. Kallmes|11/ | ||
+ | |P. Olaniran|11/ | ||
+ | |||
+ | [[: | ||
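Review bot: the revision history replaces the K. Holub row "11/17/2021 | Review Completed" with "05/26/2023 | Off provider database back ups" instead of appending a new row, so the record of the 2021 review is lost; add the 2023 entry as a new row and keep the old one, since a revision history should be append-only. Also "Off provider database back ups" should read "Off-provider database backups", matching the spelling of "Backup" used elsewhere in the document.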