Data Protection Policy - Risk Management 

Encryption is the process of transforming readable data (plaintext) into an unreadable form (ciphertext) using a cryptographic algorithm and a key. The key is a secret value, normally a random string of bits generated by the system; where a person must supply it, a password or passphrase is used to derive the key rather than serving as the key itself. Encryption protects confidentiality: data that is stolen or intercepted cannot be read by anyone who does not hold the key. It does not on its own prevent the loss or destruction of data, so it complements backups and access controls rather than replacing them.

Data Protection

Responsibility – Business Management shall formally appoint a person who is responsible for establishing and maintaining the privacy of confidential information.

Management Consent – Certain types of confidential information require express consent from Management, a Supervisor, or the Security Officer before disclosure to an outside entity. Consent must be received before the information is emailed, faxed, communicated by telephone, or sent by any other transmission method.

Encryption Keys – Encryption keys for all systems shall be securely managed and stored by the Security Officer. Keys shall not be stored in the cloud (i.e. at the cloud provider in question) but maintained by the Business or a trusted key management provider.

Confidential Data Protection – Any confidential data being stored by the Business shall be protected from threats to confidentiality and integrity using an encryption method appropriate to the storage medium. If Management opts to store confidential data un-encrypted, a business justification shall be documented, approved, and maintained by the Security Officer or their designee.

Transmission of Confidential Data – Confidential data being transmitted across public networks to any outside entity must be securely protected during transfer. The Security Officer shall ensure the methods are in place for the secure transfer of data to outside entities lawfully collecting data.

Removal of Confidential Data – Documents and media containing confidential information shall not be removed from Business premises without express permission from a supervisor, the Security Officer, or their designee. Confidential information requiring transport shall be packaged securely and tracked to help protect against the unauthorized use or disclosure of the documents or media being sent. Management shall maintain a listing of where confidential information can be stored.

Data Storage/Encryption

Any data stored, while at rest, shall be stored using an encryption method appropriate for the medium of storage. The following encryption methods are in place for stored confidential data:

  • Require Encryption on All Amazon S3 Buckets in an AWS Account

  • Amazon Elasticsearch Encrypted at Rest

  • EBS Encrypted Volumes Check

  • Amazon EFS Encrypted Check

  • CloudTrail Encryption Enabled Check

  • KMS Encryption Customer Master Key (CMK) with Automatic Key Rotation

  • KMS Encryption Customer Master Key (CMK)

  • DynamoDB Encryption Enabled Check

  • Require SSL (encryption in transit) to access the S3 Bucket

  • Enable S3 Bucket Encryption If Not Configured

  • EBS Volume Default Encryption (Account-Level)

  • CloudWatch Log Groups Encryption Enabled Check

  • S3 Bucket Server Side Encryption Enabled Check

  • RDS Storage Encrypted Check
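The items above are the names of AWS Config-style rules; they say what is checked but not how. The following is an added example, not part of this policy and not code from AWS or any AWS tool, that evaluates three of the listed checks (S3 bucket server-side encryption, require SSL to access the S3 bucket, and KMS CMK automatic key rotation) offline. It takes as arguments the response dicts that boto3 returns from get_bucket_encryption, get_bucket_policy, describe_key and get_key_rotation_status, so it runs without AWS access. The bucket name `example-bucket`, the key ARN and all sample responses are constructed for illustration.

```python
"""Offline evaluators for three of the checks listed above.

Inputs are the dict shapes boto3 returns; the samples at the bottom are
constructed (no AWS calls are made, ARNs and IDs are made up).
"""
import json

BUCKET = "example-bucket"  # hypothetical bucket name used by the samples


def s3_default_encryption(enc_config):
    """S3 Bucket Server Side Encryption Enabled Check.

    enc_config: the 'ServerSideEncryptionConfiguration' value returned by
    s3.get_bucket_encryption(), or None when that call raises
    ServerSideEncryptionConfigurationNotFoundError (no default encryption).
    """
    if not enc_config:
        return False, "no default encryption configured"
    for rule in enc_config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if algo in ("AES256", "aws:kms", "aws:kms:dsse"):
            key = default.get("KMSMasterKeyID", "S3-managed key")
            return True, f"default SSE {algo} with {key}"
    return False, "encryption configuration present but no default SSE rule"


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def s3_requires_tls(bucket, policy_json):
    """Require SSL (encryption in transit) to access the S3 bucket.

    Compliant when the bucket policy denies every principal all S3 actions
    while aws:SecureTransport is false, and the Deny covers both the bucket
    ARN and the object ARNs. A Deny on 'arn:aws:s3:::bucket/*' alone still
    lets plaintext ListBucket through, because that action is evaluated
    against the bucket ARN, not the object ARN.
    """
    if not policy_json:
        return False, "no bucket policy"
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    covered = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() != "false":
            continue
        if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        if principal != "*" and not (isinstance(principal, dict) and principal.get("AWS") == "*"):
            continue
        covered |= set(_as_list(stmt.get("Resource")))
    if "*" in covered or needed <= covered:
        return True, "Deny on all S3 actions over plaintext transport"
    if covered:
        return False, f"TLS Deny does not cover: {sorted(needed - covered)}"
    return False, "no Deny statement conditioned on aws:SecureTransport=false"


def kms_rotation_enabled(key_metadata, rotation_status):
    """KMS Encryption CMK with Automatic Key Rotation.

    key_metadata: the 'KeyMetadata' dict from kms.describe_key();
    rotation_status: the dict from kms.get_key_rotation_status().
    AWS-managed keys rotate on AWS's schedule and cannot be configured, so
    they pass; only symmetric customer-managed keys support automatic rotation.
    """
    if key_metadata.get("KeyManager") != "CUSTOMER":
        return True, "AWS-managed key, rotation not configurable"
    if key_metadata.get("KeySpec", "SYMMETRIC_DEFAULT") != "SYMMETRIC_DEFAULT":
        return False, "asymmetric/HMAC key: automatic rotation unsupported, rotate manually"
    if rotation_status.get("KeyRotationEnabled"):
        return True, "automatic rotation enabled"
    return False, "customer-managed symmetric key without automatic rotation"


# Constructed samples (shapes follow boto3; values are made up)
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
COMPLIANT_ENC = {"Rules": [{"ApplyServerSideEncryptionByDefault":
                            {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_ARN},
                            "BucketKeyEnabled": True}]}


def tls_policy(resources):
    """Build the usual 'deny non-TLS' bucket policy for the given Resource value."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": resources,
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})


GOOD_POLICY = tls_policy([f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"])
OBJECTS_ONLY_POLICY = tls_policy(f"arn:aws:s3:::{BUCKET}/*")  # common mistake
CUSTOMER_KEY = {"KeyId": KEY_ARN.rsplit("/", 1)[1], "KeyManager": "CUSTOMER",
                "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled"}

if __name__ == "__main__":
    print("SSE compliant bucket:", s3_default_encryption(COMPLIANT_ENC))
    print("SSE missing:         ", s3_default_encryption(None))
    print("TLS good policy:     ", s3_requires_tls(BUCKET, GOOD_POLICY))
    print("TLS objects-only:    ", s3_requires_tls(BUCKET, OBJECTS_ONLY_POLICY))
    print("KMS rotation on:     ", kms_rotation_enabled(CUSTOMER_KEY, {"KeyRotationEnabled": True}))
    print("KMS rotation off:    ", kms_rotation_enabled(CUSTOMER_KEY, {"KeyRotationEnabled": False}))
```

Each function returns a pass/fail flag plus the reason, which is what you want to land in a findings report. The objects-only policy sample is included deliberately: it is the most common way the "require SSL" control is mis-implemented, and a check that only looks for the Condition without examining Resource will report it as compliant.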

Consent for Disclosure

Consent must be obtained from Management, a Supervisor, or a Security Officer before the disclosure of the following types of confidential information via email, telephone, fax, or other communication methods:

Disclosures of information shall be logged on the Business Disclosure Log.

Mailing of Confidential Information

Confidential information being removed from facilities requires express permission from a supervisor or Security Officer or their designee.

Documents or media being mailed shall be packed in secure envelopes or other secure packaging material so that no covered information is readable or obtainable by unauthorized parties.

Documents or media being mailed should be sent via certified US Postal Service (USPS) mail and a tracking mechanism should be obtained to ensure delivery to the correct party.

Data Transmission/Transfer

Any data being transferred to an outside entity must be securely protected during transfer. A secure email service is provided to all employees and is enabled by default for each user’s Exchange mailbox. Additional encrypted file transfer methods, such as SFTP, can be put in place with approval from the Security Officer or their designee.

Third-Party Vendors/Service Providers

The Business shall obtain confidentiality agreements from vendors and other third-party service providers whose products and services are part of Business systems. Compliance with Business confidentiality commitments shall be assessed on a periodic and as-needed basis, with corrective actions taken as determined necessary.

Changes to Confidentiality Policy

Changes made to internal or external confidentiality policies shall be approved by Management in accordance with documented policies and procedures. Affected parties (including third parties whose products and services are part of the system and have access to confidential information) shall be notified of relevant changes within two weeks of approval.