Data Protection Policy - Risk Management
Encryption is the process of transforming readable data (plaintext) into an unreadable form (ciphertext) using a cryptographic key. The key is a secret value that the encryption algorithm uses to encrypt and, for symmetric encryption, to decrypt the data; it is normally a random value, and where a password or passphrase is used instead, a key is derived from it with a key derivation function. Encryption protects the confidentiality of data, not its availability: if encrypted data is stolen, the thief cannot make sense of it without the key, but encrypted data must still be backed up, and loss of the key makes the data unrecoverable.
Data Protection
Responsibility – Business Management shall formally appoint a person who is responsible for establishing and maintaining the privacy of confidential information.
Management Consent – Certain types of confidential information require express consent from Management, a Supervisor, or the Security Officer before disclosure to an outside entity. Consent must be received before the information is emailed, faxed, communicated by telephone, or transmitted by any other method.
Encryption Keys – Encryption keys for all systems shall be securely managed and stored under the control of the Security Officer. Keys shall not be left in the custody of the cloud provider that stores the data they protect; they shall be maintained by the Business or by a trusted key management provider.
Confidential Data Protection – Any confidential data stored by the Business shall be protected from threats to confidentiality and integrity using an encryption method appropriate to the storage medium. If Management opts to store confidential data unencrypted, a business justification shall be documented, approved, and maintained by the Security Officer or their designee.
Transmission of Confidential Data – Confidential data transmitted across public networks to any outside entity must be securely protected during transfer. The Security Officer shall ensure that methods are in place for the secure transfer of data to outside entities that are lawfully entitled to receive it.
Removal of Confidential Data – Documents and media containing confidential information shall not be removed from Business premises without express permission from a supervisor, the Security Officer, or their designee. Confidential information requiring transport shall be packaged securely and tracked to help protect against unauthorized use or disclosure of the documents or media being sent. Management shall maintain a listing of the locations where confidential information may be stored.
Data Storage/Encryption
Any data at rest shall be stored using an encryption method appropriate to the storage medium. The following controls are in place to enforce and verify encryption of stored confidential data:
Require Encryption on All Amazon S3 Buckets in an AWS Account
Amazon Elasticsearch Encrypted at Rest
EBS Encrypted Volumes Check
Amazon EFS Encrypted Check
CloudTrail Encryption Enabled Check
KMS Encryption Customer Master Key (CMK) with Automatic Key Rotation
KMS Encryption Customer Master Key (CMK)
DynamoDB Encryption Enabled Check
Require SSL (encryption in transit) to access the S3 Bucket
Enable S3 Bucket Encryption If Not Configured
EBS Volume Default Encryption (Account-Level)
CloudWatch Log Groups Encryption Enabled Check
S3 Bucket Server Side Encryption Enabled Check
RDS Storage Encrypted Check
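The "Require SSL (encryption in transit) to access the S3 Bucket" control in the list above is implemented in AWS with a bucket policy that denies every S3 action when the request did not arrive over TLS (the aws:SecureTransport condition key is "false"). The following checker is an added example, not code from the page or from AWS tooling: it evaluates a bucket policy document for such a statement and shows a common weak form beside the correct one. The bucket name "example-bucket" and both sample policies are constructed for illustration.

```python
import json

# Constructed sample bucket policies for illustration (not taken from the page).
# The first denies every S3 action over plaintext HTTP for the bucket and its
# objects; the second looks similar but names only the bucket ARN, so object
# reads and writes remain reachable without TLS.
TLS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::example-bucket",
            "arn:aws:s3:::example-bucket/*",
        ],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

INCOMPLETE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket",  # objects are not covered
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_denies_plaintext(stmt, bucket):
    """True if one statement denies all S3 actions for every principal when the
    request did not use TLS, and covers both the bucket and its objects."""
    if stmt.get("Effect") != "Deny":
        return False
    if stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    if not any(a in ("s3:*", "*") for a in _as_list(stmt.get("Action"))):
        return False
    bool_cond = stmt.get("Condition", {}).get("Bool", {})
    if str(bool_cond.get("aws:SecureTransport", "")).lower() != "false":
        return False
    resources = set(_as_list(stmt.get("Resource")))
    if "*" in resources:
        return True
    required = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    return required <= resources


def enforces_tls(policy_json, bucket):
    """Evaluate a bucket policy document: does any statement enforce TLS-only access?"""
    policy = json.loads(policy_json)
    return any(statement_denies_plaintext(s, bucket)
               for s in _as_list(policy.get("Statement")))


def tls_only_policy(bucket):
    """Remediation: the bucket policy to apply when enforces_tls() returns False."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


if __name__ == "__main__":
    for name, doc in (("tls-only", TLS_ONLY_POLICY), ("incomplete", INCOMPLETE_POLICY)):
        print(name, "enforces TLS:", enforces_tls(doc, "example-bucket"))
```

The checker is deliberately strict: it accepts only a Deny on s3:* (or *) for all principals that names both the bucket ARN and the bucket/* object ARN, because a statement that covers only the bucket still allows object downloads over HTTP. Note that a bucket policy protects data in transit only; the server-side encryption controls listed above are what protect the stored objects.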
Consent for Disclosure
Consent must be obtained from Management, a Supervisor, or a Security Officer before the disclosure of the following types of confidential information via email, telephone, fax, or other communication methods:
Disclosures of information shall be logged on the Business Disclosure Log.
Mailing of Confidential Information
Confidential information being removed from facilities requires express permission from a supervisor or Security Officer or their designee.
Documents or media being mailed shall be packed in secure envelopes or other secure packaging material so that no covered information is readable or obtainable by unauthorized parties.
Documents or media being mailed should be sent via certified US Postal Service (USPS) mail and a tracking mechanism should be obtained to ensure delivery to the correct party.
Data Transmission/Transfer
Any data being transferred to an outside entity must be securely protected during transfer. A secure email service is provided to all employees and is enabled by default for each user’s Exchange mailbox. Additional encrypted file transfer methods, such as SFTP, can be put in place with approval from the Security Officer or their designee.
Third-Party Vendors/Service Providers
Business shall obtain confidentiality agreements from vendors and other third-party service providers whose products and services are part of Business systems. Compliance with Business confidentiality commitments shall be assessed on a periodic and as-needed basis, with corrective actions taken as determined necessary.
Changes to Confidentiality Policy
Changes made to internal or external confidentiality policies shall be approved by Management in accordance with documented policies and procedures. Affected parties (including third parties whose products and services are part of the system and have access to confidential information) shall be notified of relevant changes within two weeks of approval.