This shows you the differences between two versions of the page.
wiki:policies:infosec [2023/05/10 16:07] katcow |
wiki:policies:infosec [2023/12/13 21:02] kholub |
Line 1: | Line 1: | ||
- | ====== Information Security | + | ====== Information Security |
===== Information Security Organization ===== | ===== Information Security Organization ===== | ||
Line 43: | Line 43: | ||
==== Data Protection Officer (DPO) ==== | ==== Data Protection Officer (DPO) ==== | ||
- | The DPO, responsible for approving data processing projects, | + | The DPO, responsible for reviewing and approving data processing projects, |
+ | |||
+ | In brief, the DPO: | ||
+ | |||
+ | * Is made available for all product & support teams, for reporting & planning any changes to data processing | ||
+ | * Monitors for changes that are of consequence to our data processing policies, including: | ||
+ | * Code changes and releases | ||
+ | * Third party vendors & subprocessor additions | ||
+ | * Internal tooling & workflow changes | ||
+ | * Maintains records of compliance, associated directly with the issue tracker, processor record | ||
+ | * Reports to the CEO on activities and compliance on a regular basis | ||
+ | |||
+ | **DPO Email: | ||
==== Data Protection Impact Analysis Plan ==== | ==== Data Protection Impact Analysis Plan ==== | ||
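Review bot: in the added DPO responsibilities, "Reports to the CEO on activities and compliance on a regular basis" leaves the reporting cadence undefined, and "Maintains records of compliance, associated directly with the issue tracker, processor record" does not say where the processor record is kept; state a reporting interval and name the system of record so the obligation can be audited rather than inferred.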
Line 57: | Line 69: | ||
- **Scope of the processing: | - **Scope of the processing: | ||
- **Context of the processing: | - **Context of the processing: | ||
- | - **Purpose of the processing: | + | - **Purpose of the processing: |
- **Consultation Process** | - **Consultation Process** | ||
- describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organization? | - describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organization? | ||
Line 84: | Line 96: | ||
Employee training requirements are based on the [[https:// | Employee training requirements are based on the [[https:// | ||
+ | |||
+ | ==== Communicating Updates ==== | ||
+ | |||
+ | As [[: | ||
====== Backup Plan ====== | ====== Backup Plan ====== | ||
Line 103: | Line 119: | ||
Remote workers are responsible for ensuring that their remote systems are backed up on a periodic basis. | Remote workers are responsible for ensuring that their remote systems are backed up on a periodic basis. | ||
- | * It is recommended that all personal computers be backed up. Copies of the personal computer files should be uploaded to the Nested Knowledge | + | * It is recommended that all personal computers be backed up. Copies of the personal computer files should be uploaded to the Nested Knowledge |
=== Backup Strategies === | === Backup Strategies === | ||
Line 110: | Line 126: | ||
* Automated backup functions within software packages should be used where applicable. | * Automated backup functions within software packages should be used where applicable. | ||
* When a computer equipment is changed, consideration should be given to the backup media and data formats to ensure that they can still be restored. | * When a computer equipment is changed, consideration should be given to the backup media and data formats to ensure that they can still be restored. | ||
- | * The database backing the AutoLit application is backed up twice daily. The resulting image is copied to a separate data center for redundancy. Backups are retained for 60 days. | ||
- | === Database Back Ups=== | + | === Database Back Ups === |
- | Backups are generated as database snapshots, and the snapshotting process is subject | + | Backups are generated as database snapshots |
+ | |||
+ | In addition to backups on our main cloud provider (AWS), we generate & store backups on a separate cloud provider (GCP) as a redundancy. These backups are generated every other day, retained 60 days, and exercised quarterly. Failure in the backup process results in email alert to the technical lead. | ||
=== Restoration === | === Restoration === | ||
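Review bot: the removed bullet in this hunk was the visible statement of the primary database's backup frequency (twice daily) and retention (60 days); the added Database Back Ups text gives the schedule for the GCP copies (every other day, 60 days retention, exercised quarterly), so confirm that the AWS snapshot frequency and retention are still stated in the same section, and if not, restate them alongside the GCP schedule so both providers' cadences are documented in one place. Separately, "Failure in the backup process results in email alert to the technical lead" names a single recipient; a shared alias or secondary recipient would avoid a missed alert becoming a single point of failure in backup monitoring.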
Line 123: | Line 140: | ||
* Backups are manually compared for validity against existing projects | * Backups are manually compared for validity against existing projects | ||
* Evidence of success backup is maintained internally, including time of test, verifiers, screenshots of successful staging deployment, and notes on any issues & remediations. | * Evidence of success backup is maintained internally, including time of test, verifiers, screenshots of successful staging deployment, and notes on any issues & remediations. | ||
+ | |||
+ | **Testing** | ||
+ | |||
+ | Backup and restore procedures must be tested at least annually. Issues with backups identified should be documented and remediated. | ||
===== Revision History ===== | ===== Revision History ===== | ||
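Review bot: the added Testing paragraph sets an annual minimum for backup and restore tests while the Database Back Ups section states the GCP backups are exercised quarterly; make clear whether the quarterly exercise is the restore test that satisfies this requirement or the annual test is a separate full restoration, and tie the "documented and remediated" clause to the evidence record described in the bullet above so issues are tracked in one place.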
Line 128: | Line 149: | ||
^Author^Date of Revision/ | ^Author^Date of Revision/ | ||
|K. Cowie|11/ | |K. Cowie|11/ | ||
- | |K. Holub|02/09/2023|Tracking restoration history| | + | |K. Holub|12/13/2023|Better defining DPO role| |
|K. Kallmes|11/ | |K. Kallmes|11/ | ||
|P. Olaniran|11/ | |P. Olaniran|11/ |