This shows you the differences between two versions of the page.
wiki:policies:infosec [2022/01/25 17:01] katcow |
wiki:policies:infosec [2023/12/13 21:15] (current) kholub |
Line 1: | Line 1: | ||
- | ====== Information Security | + | ====== Information Security |
===== Information Security Organization ===== | ===== Information Security Organization ===== | ||
Line 11: | Line 11: | ||
* An external cybersecurity consultant, who has already been vetted and interviewed by Nested Knowledge, will be hired as an independent contractor if the needs of our information security organization expand. | * An external cybersecurity consultant, who has already been vetted and interviewed by Nested Knowledge, will be hired as an independent contractor if the needs of our information security organization expand. | ||
- | **Review:** All policies will be reviewed on an annual basis or earlier, should a major system changed occur. | + | ==== Review: |
+ | |||
+ | All policies will be reviewed on an annual basis or earlier, should a major system changed occur. | ||
+ | |||
+ | ==== Personnel changes ==== | ||
+ | |||
+ | In the event of a change in role, a departure, or a new hire, oversight of the affected security policies will be transferred to the new information security personnel. Management of information technology systems will be transferred to the appropriate engineer. Barring no sudden change, the transition will take place over two to eight weeks and will include training, knowledge checks, and progressively increasing responsibility over policies. | ||
====== Data Protection Plan ====== | ====== Data Protection Plan ====== | ||
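Review bot: the new "Personnel changes" paragraph covers handing over policy oversight and system management but never says that a departing person's accounts, credentials and keys are revoked; add a sentence to that effect (for example, "access held by departing personnel is revoked on their last day and any shared secrets they held are rotated"), since the two-to-eight-week handover described here otherwise leaves their access in place. Two wording fixes in the same hunk: "should a major system changed occur" should read "should a major system change occur", and "Barring no sudden change" is a double negative; "Barring a sudden change" says what is meant.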
Line 37: | Line 43: | ||
==== Data Protection Officer (DPO) ==== | ==== Data Protection Officer (DPO) ==== | ||
- | The DPO, responsible for approving data processing projects, | + | The DPO, responsible for reviewing and approving data processing projects, |
+ | |||
+ | In brief, the DPO: | ||
+ | |||
+ | * Is made available for all product & support teams, for reporting & planning any changes to data processing | ||
+ | * Monitors for changes that are of consequence to our data processing policies, including: | ||
+ | * Code changes and releases | ||
+ | * Third party vendors & subprocessor additions | ||
+ | * Internal tooling & workflow changes | ||
+ | * Monitors subprocessor communications for terms and conditions and subprocessor updates | ||
+ | * Maintains records of compliance, associated directly with the issue tracker, processor record | ||
+ | * Reports to the CEO on activities and compliance on a regular basis | ||
+ | |||
+ | **DPO Email: | ||
==== Data Protection Impact Analysis Plan ==== | ==== Data Protection Impact Analysis Plan ==== | ||
- | Nested Knowledge will fill out a data protection impact analysis before processing any high-risk personal data. | + | Nested Knowledge will fill out a data protection impact analysis before processing any high-risk personal data. |
=== We will take the following steps: === | === We will take the following steps: === | ||
+ | |||
- **Identify the need for a DPIA** | - **Identify the need for a DPIA** | ||
- Explain broadly what project aims to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal. Summarize why you identified the need for a DPIA. | - Explain broadly what project aims to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal. Summarize why you identified the need for a DPIA. | ||
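Review bot: the DPO list says the DPO "Reports to the CEO on activities and compliance on a regular basis" but gives no cadence, unlike the annual policy review elsewhere on this page; state one (quarterly, or at each release) so the obligation can be audited. The bullet "Maintains records of compliance, associated directly with the issue tracker, processor record" reads as a fragment; consider "Maintains records of compliance, linked to the relevant issue-tracker entries and to the processor record". In the unchanged DPIA context line, "what project aims to achieve" should be "what the project aims to achieve".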
Line 50: | Line 70: | ||
- **Scope of the processing: | - **Scope of the processing: | ||
- **Context of the processing: | - **Context of the processing: | ||
- | - *Purpose of the processing: | + | - **Purpose of the processing: |
- **Consultation Process** | - **Consultation Process** | ||
- describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organization? | - describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organization? | ||
Line 75: | Line 95: | ||
===== Training ===== | ===== Training ===== | ||
+ | |||
Employee training requirements are based on the [[https:// | Employee training requirements are based on the [[https:// | ||
+ | |||
+ | ==== Communicating Updates ==== | ||
+ | |||
+ | As [[: | ||
====== Backup Plan ====== | ====== Backup Plan ====== | ||
Line 95: | Line 120: | ||
Remote workers are responsible for ensuring that their remote systems are backed up on a periodic basis. | Remote workers are responsible for ensuring that their remote systems are backed up on a periodic basis. | ||
- | * It is recommended that all personal computers be backed up. Copies of the personal computer files should be uploaded to the Nested Knowledge | + | * It is recommended that all personal computers be backed up. Copies of the personal computer files should be uploaded to the Nested Knowledge |
=== Backup Strategies === | === Backup Strategies === | ||
Line 102: | Line 127: | ||
* Automated backup functions within software packages should be used where applicable. | * Automated backup functions within software packages should be used where applicable. | ||
* When a computer equipment is changed, consideration should be given to the backup media and data formats to ensure that they can still be restored. | * When a computer equipment is changed, consideration should be given to the backup media and data formats to ensure that they can still be restored. | ||
- | * The database | + | |
+ | === Database Back Ups === | ||
+ | |||
+ | Backups are generated as database | ||
+ | |||
+ | In addition to backups on our main cloud provider (AWS), we generate & store backups on a separate | ||
=== Restoration === | === Restoration === | ||
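Review bot: the new "Database Back Ups" section states where backups are kept (AWS plus a separate provider) but not how they are protected or for how long; add whether backups are encrypted at rest, who can read or delete them, and the retention period, because a second provider that is reachable with the same credentials as production does not protect against a compromised account or a deliberate deletion. Minor: "Back Ups" should be "Backups" to match the "Backup Plan" and "Backup Strategies" headings on this page.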
Line 108: | Line 138: | ||
* Authorization to restore data from backup media that would overwrite existing production data must be obtained from Data Owners. | * Authorization to restore data from backup media that would overwrite existing production data must be obtained from Data Owners. | ||
* Restoration of the current configuration must be within agreed recovery timescales | * Restoration of the current configuration must be within agreed recovery timescales | ||
- | * Restoration of the AutoLit database is tested with regularity | + | * Restoration of the AutoLit database is tested with quarterly |
+ | * Backups | ||
+ | * Evidence | ||
+ | |||
+ | **Testing** | ||
+ | |||
+ | Backup and restore procedures must be tested at least annually. Issues with backups identified should be documented and remediated. | ||
===== Revision History ===== | ===== Revision History ===== | ||
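Review bot: the quarterly figure in "Restoration of the AutoLit database is tested with quarterly" reads as conflicting with the "Testing" paragraph added below it, which requires backup and restore procedures to be tested "at least annually"; state explicitly that annual is the floor for all backups and that the AutoLit database is additionally tested quarterly, so the two cannot be read as contradicting each other. "Issues with backups identified should be documented and remediated" reads better as "Issues identified with backups should be documented and remediated", ideally with a remediation deadline.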
Line 114: | Line 150: | ||
^Author^Date of Revision/ | ^Author^Date of Revision/ | ||
|K. Cowie|11/ | |K. Cowie|11/ | ||
- | |K. Holub|11/17/2021|Review Completed| | + | |K. Holub|12/13/2023|Better defining DPO role| |
|K. Kallmes|11/ | |K. Kallmes|11/ | ||
+ | |P. Olaniran|11/ | ||
[[: | [[: | ||
+ | |||
+ |
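Review bot: this hunk replaces the 2021 row "K. Holub|11/17/2021|Review Completed" with the 2023 row instead of appending a new one, so the revision history loses the record that the 2021 review was completed; restore the old row and add the 12/13/2023 "Better defining DPO role" row beneath it.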