GLC Bowling Data Security Policy

This document provides data security policies that cover key areas of concern. It is not an exhaustive list but a generalized statement. Any additional areas that are identified as requiring policy, in accordance with their users, data, regulatory environment and other relevant factors, will be added on the next revision.

Data Security Policies

The three policies cover:

  1. Data security policy: Employee requirements
  2. Data security policy: Data Leakage Prevention – Data in Motion
  3. Data security policy: Data at Rest

Data security policy: Employee requirements

Using this policy

This policy outlines behaviors expected of employees when dealing with data and provides a classification of the types of data with which they should be concerned.

1.0 Purpose:

GLC Bowling must protect restricted, confidential or sensitive data from loss to avoid reputation damage and to avoid adversely impacting our customers. The protection of data in scope is a critical business requirement, yet flexibility to access data and work effectively is also critical. It is not anticipated that this technology control can effectively deal with the malicious theft scenario, or that it will reliably detect all data. Its primary objective is user awareness and to avoid accidental loss scenarios. This policy outlines the requirements for data leakage prevention, a focus for the policy and a rationale.

2.0 Scope:

Any employee, contractor or individual with access to GLC Bowling systems or data. Systems include all operational items that provide hosting, environment, access or storage for protected or private information. All data stored on systems provided by GLC Bowling is covered, including data considered Confidential, Protected, Restricted/Sensitive, IP, Financial, or other information that could be damaging to the end-user or client if not intended for release.

3.0 Policy - Employee Requirements:

  1. You need to complete GLC Bowling’s security awareness training and agree to uphold the acceptable use policy.
  2. If you identify an unknown, un-escorted or otherwise unauthorized individual in GLC Bowling you need to immediately notify management. Should an unknown or unauthorized individual be deemed an immediate threat, please contact emergency services.
  3. Visitors to GLC Bowling must be escorted by an authorized employee at all times. If you are responsible for escorting visitors you must restrict them to appropriate areas.
  4. You must not reference the subject or content of sensitive or confidential data publicly, or via systems or communication channels not controlled by GLC Bowling. For example, the use of external e-mail systems not hosted or provided by GLC Bowling to distribute data is not allowed.
  5. Please keep a clean desk. To maintain information security, you need to ensure that all printed in scope data is not left unattended at your workstation.
  6. You need to use a secure password on all GLC Bowling systems as per the password policy. These credentials must be unique and must not be used on other external systems or services. Your password must not be the same as, or similar to, one you use personally.
  7. Terminated employees will be required to return all records, in any format, containing personal information. This requirement is stated in the employee handbook.
  8. You must immediately notify CISO or Management in the event that a device containing in scope data is lost (e.g. mobiles, laptops etc).
  9. In the event that you find a system or process which you suspect is not compliant with this policy or the objective of information security you have a duty to inform Management so that they can take appropriate action.
  10. If you have been assigned the ability to work remotely you must take extra precaution to ensure that data is appropriately handled. Seek guidance from CISO if you are unsure as to your responsibilities. Furthermore, you may be requested to use a VPN or other tunneling service.
  11. Please ensure that assets holding data in scope are not left unduly exposed, for example visible in the back seat of your car.
  12. Data that must be moved within GLC Bowling is to be transferred only via business provided secure transfer mechanisms (e.g. encrypted USB keys, file shares, email etc). GLC Bowling will provide you with systems or devices that fit this purpose. You must not use other mechanisms to handle in scope data. If you have a query regarding use of a transfer mechanism, or it does not meet your business purpose you must raise this with CISO.
  13. Any information being transferred on a portable device (e.g. USB stick, laptop) must be encrypted in line with industry best practices and applicable law and regulations. If there is doubt regarding the requirements, seek guidance from Management.

Data security policy: Data Leakage Prevention – Data in Motion

Using this policy

This policy is intended to act as a guideline for implementation or update of GLC Bowling DLP controls. It is applied together with usability requirements and in accordance with the regulations or data you need to protect. It provides a framework for the classes of data that may need to be monitored.

Background to this policy

Data leakage prevention is designed to make users aware of data they are transferring which may be sensitive or restricted in nature.

1.0 Purpose

GLC Bowling must protect restricted, confidential or sensitive data from loss to avoid reputation damage and to avoid adversely impacting our customers. The protection of in scope data is a critical business requirement, yet flexibility to access data and work effectively is also critical.
It is not anticipated that this technology control can effectively deal with the malicious theft scenario, or that it will reliably detect all data. Its primary objective is user awareness and to avoid accidental loss scenarios. This policy outlines the requirements for data leakage prevention, a focus for the policy and a rationale.

2.0 Scope

  1. Any GLC Bowling device which handles customer data, sensitive data, personally identifiable information or company data. Any device which is regularly used for e-mail, web or other work-related tasks and is not specifically exempt for legitimate business or technology reasons.
  2. The GLC Bowling information security policy will define requirements for handling of information and user behavior requirements. This policy is to augment the information security policy with technology controls.
  3. Exemptions: Where there is a business need to be exempted from this policy (too costly, too complex, adversely impacting other business requirements) a risk assessment must be conducted and authorized by security management.

3.0 Policy

  1. GLC Bowling’s data leakage prevention (DLP) technology will scan for data in motion.
  2. The DLP technology will identify large volumes of in scope data, since bulk data is at high risk of being sensitive and is likely to have significant impact if handled inappropriately. What counts as a large number of records varies by the type of data and may trigger at as low as 10 records. In scope data is defined as:
     a. Passwords or user accounts
     b. Names, addresses and other combinations of personally identifiable information
     c. Documents that have been explicitly marked with the GLC Bowling confidential string.
  3. DLP will identify specific content, i.e.:
     a. Sales data, particularly forecasts, renewals lists and other customer listings.
  4. DLP will identify exports of personally identifiable information outside controlled systems, whether through a non-approved means or through unexpected release.
  5. DLP will be configured to alert the user in the event of a suspected transmission of sensitive data, and the user will be presented with a choice to authorize or reject the transfer. This allows the user to make a sensible decision to protect the data, without interrupting business functions. Changes to the DLP product configuration will be handled through the GLC Bowling IT change process and with security management approval, to identify requirements to adjust the information security policy or employee communications.
  6. Where there is an active concern of data breach, the IT incident management process is to be used with specific notification provided to Legal and Security Management.
  7. Access to DLP events will be restricted to a named group of individuals to protect the privacy of employees. A DLP event does not constitute evidence that an employee has intentionally or accidentally lost data, but it provides a sufficient basis for investigation to ensure data has been appropriately protected.
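A minimal illustration of the classification and event-handling logic that items 2, 5 and 7 above describe, written as an added example; it is not Proofpoint's rule set or GLC Bowling's configuration. The marker string, the regexes, the threshold value and the sample customer listing are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumed placeholders, not GLC Bowling's real configuration.
CONFIDENTIAL_MARKER = "GLC BOWLING CONFIDENTIAL"
RECORD_THRESHOLD = 10  # policy item 2: a trigger may fire at as low as 10 records

# Constructed detection rules for the in-scope classes of policy item 2:
# (a) passwords / user accounts, (b) name-plus-address PII records.
# Class (c), the confidential marker, is a plain substring check below.
CREDENTIAL_RE = re.compile(r"(?i)\b(?:password|passwd|user(?:name)?)\s*[:=]\s*\S+")
PII_RECORD_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+,\s*\d+ [A-Za-z ]+(?:St|Ave|Rd)\b")


@dataclass
class DlpVerdict:
    prompt_user: bool                     # True: present the authorize/reject choice
    reasons: list = field(default_factory=list)


def scan_outbound(text: str) -> DlpVerdict:
    """Classify one outbound message body as policy items 2 and 5 describe."""
    reasons = []
    if CONFIDENTIAL_MARKER.lower() in text.lower():
        reasons.append("confidential marker present")
    if CREDENTIAL_RE.search(text):
        reasons.append("credential material present")
    pii_hits = len(PII_RECORD_RE.findall(text))
    if pii_hits >= RECORD_THRESHOLD:      # a single record passes; a bulk export prompts
        reasons.append(f"{pii_hits} PII records (threshold {RECORD_THRESHOLD})")
    return DlpVerdict(prompt_user=bool(reasons), reasons=reasons)


def record_event(verdict: DlpVerdict, user_choice: str, sender_id: str) -> dict:
    """Audit event for the restricted DLP group (policy item 7): metadata only,
    never message content, since an event is a basis for investigation,
    not proof that data was lost."""
    if user_choice not in ("authorize", "reject"):
        raise ValueError("user_choice must be 'authorize' or 'reject'")
    return {"sender": sender_id, "reasons": list(verdict.reasons), "user_choice": user_choice}


def build_sample(n: int) -> str:
    """Constructed customer listing with n name-and-address records."""
    return "\n".join(f"Customer {i}: Alice Smith, {i + 1} Main St" for i in range(n))


if __name__ == "__main__":
    for body in (build_sample(2), build_sample(12), "password: ExampleOnly1"):
        v = scan_outbound(body)
        print(v.prompt_user, v.reasons)
```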

4.0 Technical Guidelines

Technical guidelines identify requirements for technical implementation and are typically technology specific.

  1. The technology of choice is Proofpoint.
  2. The product will be configured to identify data in motion to browsers and e-mail clients.

Data security policy: Data at Rest

This policy is intended to act as a guideline for implementation or update of the GLC Bowling full disk encryption control policy. It is adapted in line with usability requirements and in accordance with the regulations or data you need to protect.

Background to this policy

Full disk encryption is now a key privacy enhancing technology which is mandated by many regulatory guidelines.

1.0 Purpose

GLC Bowling must protect restricted, confidential or sensitive data from loss to avoid reputation damage and to avoid adversely impacting our customers. A collection of global regulations such as PCI, ISO 27001 and HIPAA also require the protection of a broad scope of data, which this policy supports by restricting access to data hosted on GLC Bowling devices.
As defined by numerous compliance standards and industry best practice, full disk encryption is required to protect against exposure in the event of loss of an asset. This policy defines requirements for full disk encryption protection as a control and associated processes.

2.0 Scope

  1. All GLC Bowling workstations (desktops and laptops, depending on the data held or accessed) will contain a storage device running OPAL 2.0 or similar hardware-based disk encryption.
  2. All GLC Bowling virtual machines will be stored on hardware which has underlying disk encryption via the same OPAL 2.0 or similar hardware-based disk encryption process.
  3. Exemptions: Where there is a business need to be exempted from this policy (too costly, too complex, adversely impacting other business requirements) a risk assessment must be conducted and authorized by security management.

3.0 Policy

  1. All devices in scope will have full disk encryption enabled.
  2. GLC Bowling Acceptable Use Policy (AUP) and security awareness training must require users to notify Management if they suspect they are not in compliance with this policy as per the AUP.
  3. The AUP and security awareness training must require users to notify Management of any device which is lost or stolen.
  4. Encryption policy must be managed and compliance validated by the CISO. Machines may need to report to the central management infrastructure so that audit records can be produced as the encryption software requires.
  5. Where management is not possible and a standalone encryption is configured, the device user must provide a copy of the active encryption key to IT.
  6. GLC Bowling has the right to access any encrypted device for the purposes of investigation, maintenance or the absence of an employee with primary file system access. This requirement will be further illustrated in the ownership of devices and information as stipulated in the AUP and Employee Handbook.
  7. The encryption technology must be configured in accordance with industry best practice to be hardened against attack.
  8. The GLC Bowling help desk will be permitted to issue an out-of-band challenge/response to allow access to a system in the event of failure, lost credentials or other business blocking requirements. This challenge/response will be provided only in the event that the identity of the user can be established using challenge and response attributes documented in the password policy.
  9. Configuration changes are to be conducted through the GLC Bowling change control process, identifying risks and noteworthy implementation changes to security management.

4.0 Technical Guidelines

Technical guidelines identify requirements for technical implementation and are typically technology specific.

  1. Proofpoint is the standard product.
  2. Strong, industry best practice defined cryptographic standards must be employed. AES-256 is an approved implementation.
  3. The BIOS will be configured with a secure password (as defined by the password policy) that is stored by IT. The boot order will be fixed to the encrypted HDD. If an override is required by a user for maintenance or emergency use, the helpdesk can authenticate the user and then provide the password for the BIOS. The objective is to prevent an attacker from cold booting the system and attacking it.
  4. Synchronization with Windows credentials will be configured so that the pre-boot environment is matched to the user’s credentials and only one logon is required.
  5. A pre-boot environment may be used for authentication. Credentials will be used to authenticate the user in compliance with the GLC Bowling password security policy.