Nested Knowledge

Bringing Systematic Review to Life

wiki:policies:infosec

Differences

This shows you the differences between two versions of the page.

wiki:policies:infosec [2023/02/03 17:21]
kholub
wiki:policies:infosec [2023/12/13 21:15] (current)
kholub
Line 1: Line 1:
-====== Information Security Policies ======+====== Information Security Policy ======
  
 ===== Information Security Organization ===== ===== Information Security Organization =====
Line 43: Line 43:
 ==== Data Protection Officer (DPO) ==== ==== Data Protection Officer (DPO) ====
  
-The DPO, responsible for approving data processing projects, will be Kevin Kallmes.+The DPO, responsible for reviewing and approving data processing projects, is Karl Holub. 
 + 
 +In brief, the DPO: 
 + 
 +  * Is made available for all product & support teams, for reporting & planning any changes to data processing 
 +  * Monitors for changes that are of consequence to our data processing policies, including: 
 +      * Code changes and releases 
 +      * Third party vendors & subprocessor additions 
 +      * Internal tooling & workflow changes 
 +  * Monitors subprocessor communications for terms and conditions and subprocessor updates 
 +  * Maintains records of compliance, associated directly with the issue tracker, processor record 
 +  * Reports to the CEO on activities and compliance on a regular basis 
 + 
 +**DPO Email:**  [[karl.holub@nested-knowledge.com?subject=Data Protection Inquiry|karl.holub@nested-knowledge.com]]
  
 ==== Data Protection Impact Analysis Plan ==== ==== Data Protection Impact Analysis Plan ====
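Review bot: two of the new DPO bullets cannot be measured as written. "Reports to the CEO on activities and compliance on a regular basis" gives no interval, and "Maintains records of compliance, associated directly with the issue tracker, processor record" does not say what is recorded or where it lives. Suggest stating a reporting cadence and naming the record locations. The "DPO Email" line also points at a named individual's mailbox, so it has to be edited every time the DPO changes, as it did in this revision (Kevin Kallmes to Karl Holub); a role address would avoid that.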
Line 57: Line 70:
       - **Scope of the processing:**what is the nature of the data, and does it include special category or criminal offense data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?       - **Scope of the processing:**what is the nature of the data, and does it include special category or criminal offense data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?
       - **Context of the processing:**  what is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?       - **Context of the processing:**  what is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?
-      - *Purpose of the processing:* what do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing – for you, and more broadly?+      - **Purpose of the processing:**  what do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing – for you, and more broadly?
   - **Consultation Process**   - **Consultation Process**
       - describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organization? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts?       - describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organization? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts?
Line 84: Line 97:
  
 Employee training requirements are based on the [[https://wiki.nested-knowledge.com/doku.php?id=wiki:policies:data|data classification system]]. All employees and contractors will be provided with our data protection policy. Those who deal with confidential data, restricted use data, or high-risk personal data will be required to demonstrate understanding of our data protection procedures. Employee training requirements are based on the [[https://wiki.nested-knowledge.com/doku.php?id=wiki:policies:data|data classification system]]. All employees and contractors will be provided with our data protection policy. Those who deal with confidential data, restricted use data, or high-risk personal data will be required to demonstrate understanding of our data protection procedures.
 +
 +==== Communicating Updates ====
 +
 +As [[:wiki:policies:third_party#communicating_updates|described in our Third Party Policy]], we will notify users of changes to how their data is processed at least 7 days in advance.
  
 ====== Backup Plan ====== ====== Backup Plan ======
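Review bot: the added "Communicating Updates" paragraph repeats the notice period ("at least 7 days in advance") that it attributes to the Third Party Policy, so the figure now lives in two documents and can drift apart. Suggest linking to the Third Party Policy section without restating the number, or saying which page is authoritative.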
Line 103: Line 120:
 Remote workers are responsible for ensuring that their remote systems are backed up on a periodic basis. Remote workers are responsible for ensuring that their remote systems are backed up on a periodic basis.
  
-  * It is recommended that all personal computers be backed up. Copies of the personal computer files should be uploaded to the Nested Knowledge Google Drive. This provides for a more secure backup of personal computer-related systems where a local area disaster could wipe out important personal computer systems.+  * It is recommended that all personal computers be backed up. Copies of the personal computer files should be uploaded to the Nested Knowledge shared drive. This provides for a more secure backup of personal computer-related systems where a local area disaster could wipe out important personal computer systems.
  
 === Backup Strategies === === Backup Strategies ===
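Review bot: replacing "Nested Knowledge Google Drive" with "Nested Knowledge shared drive" in the changed bullet removes the only identification of the backup destination, so a remote worker cannot tell which storage is approved. Suggest naming the approved location or linking to the page that defines it.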
Line 110: Line 127:
   * Automated backup functions within software packages should be used where applicable.   * Automated backup functions within software packages should be used where applicable.
   * When a computer equipment is changed, consideration should be given to the backup media and data formats to ensure that they can still be restored.   * When a computer equipment is changed, consideration should be given to the backup media and data formats to ensure that they can still be restored.
-  * The database backing the AutoLit application is backed up twice daily. The resulting image is copied to a separate data center for redundancy. Backups are retained for 60 days.+ 
 +=== Database Back Ups === 
 + 
 +Backups are generated as database snapshots daily; transaction logs are streamed to storage and stored for 14 days (providing moment in time restoration within that window)Failure in either of these processes generates email alert to the technical lead. Database backups are fully exercised no more than every 3 months. Backups are retained 60 days. A failure in restoring a backup results in highest priority escalation with the development team on our product management software. 
 + 
 +In addition to backups on our main cloud provider (AWS), we generate & store backups on a separate cloud provider (GCP) as a redundancy. These backups are generated every other day, retained 60 days, and exercised quarterly. Failure in the backup process results in email alert to the technical lead.
  
 === Restoration === === Restoration ===
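Review bot: in the new "Database Back Ups" section, "Database backups are fully exercised no more than every 3 months" reads as a ceiling on how often restores are tested, while the next paragraph says the GCP backups are "exercised quarterly". If a minimum is intended, write "at least every 3 months". The first paragraph also runs two sentences together at "within that window)Failure", and the removed line's twice-daily schedule becomes daily snapshots without the change being called out. The heading would match the rest of the page as "Database Backups".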
Line 116: Line 138:
   * Authorization to restore data from backup media that would overwrite existing production data must be obtained from Data Owners.   * Authorization to restore data from backup media that would overwrite existing production data must be obtained from Data Owners.
   * Restoration of the current configuration must be within agreed recovery timescales   * Restoration of the current configuration must be within agreed recovery timescales
-  * Restoration of the AutoLit database is tested with regularity by the development team, corresponding the to the release schedule where changes are tested against a copy of the production database.+  * Restoration of the AutoLit database is tested with quarterly by the development team. A successful restore requires taking a backup from stationary to deployed in our staging environment. 
 +      * Backups are manually compared for validity against existing projects 
 +      * Evidence of success backup is maintained internally, including time of test, verifiers, screenshots of successful staging deployment, and notes on any issues & remediations. 
 + 
 +**Testing** 
 + 
 +Backup and restore procedures must be tested at least annually. Issues with backups identified should be documented and remediated.
  
 ===== Revision History ===== ===== Revision History =====
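Review bot: the added "Testing" paragraph requires backup and restore tests "at least annually", which conflicts with the quarterly restore test introduced in the bullet just above it and with the quarterly exercise stated under "Database Back Ups". Suggest a single frequency, or state which backups the annual floor applies to. The changed bullet also needs a wording pass ("tested with quarterly", "Evidence of success backup"), and "taking a backup from stationary to deployed" should define what "stationary" means so the pass criterion is unambiguous.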
Line 122: Line 150:
 ^Author^Date of Revision/Review^Comments/Description| ^Author^Date of Revision/Review^Comments/Description|
 |K. Cowie|11/17/2021|Initial Draft Completed| |K. Cowie|11/17/2021|Initial Draft Completed|
-|K. Holub|11/17/2021|Review Completed|+|K. Holub|12/13/2023|Better defining DPO role|
 |K. Kallmes|11/19/2021|Draft approved| |K. Kallmes|11/19/2021|Draft approved|
 |P. Olaniran|11/7/2022| | |P. Olaniran|11/7/2022| |
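Review bot: the changed row overwrites K. Holub's 11/17/2021 "Review Completed" entry instead of adding a new one, so the history loses the original review record and the table is no longer in date order (12/13/2023 now sits above 11/19/2021 and 11/7/2022). Suggest restoring the old row and appending a new row for 12/13/2023. The comment "Better defining DPO role" also leaves out the other changes in this revision, including the change of DPO and the new backup schedule and testing requirements.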
wiki/policies/infosec.1675444866.txt.gz · Last modified: 2023/02/03 17:21 by kholub