I am very pleased to introduce the Bupa Global Information Security Policy, which
has been developed in accordance with the international security standard and
code of practice ISO/IEC 27001:2005.
• All Bupa employees must comply with the policy at all times.
• It is the responsibility of each CEO / Managing Director / Group Director to
ensure that the requirements of this Bupa Global Information Security Policy
and associated Standards are incorporated into business-specific operating
procedures. These should also incorporate appropriate local legal and
regulatory requirements as well as any local policies and guidelines set by
medical governing bodies, and should include as a minimum local data
protection laws and regulations and, where applicable, the Payment Card
Industry Data Security Standard (PCI DSS).
• Management is expected to take an active role in promoting the policy as well
as ensuring that employees and others comply with it. Management must also
ensure that any breaches of the policy are acted upon promptly.
If you have any queries regarding this policy or security issues in general, please
contact your local information security team.
Ray King
Chief Executive
January 2011
INTRODUCTION, p. 7
Company Responsibility, p. 10
Compliance, p. 19
Business Continuity, p. 25
03.01 Recruitment, p. 55
09.02 Compliance with Information Security Policy and Standards, p. 143
INTRODUCTION
Objective
As a global health and care company, Bupa deals with the personal details,
medical data and financial records of millions of people around the world.
Protecting that information for ethical, legal, regulatory and commercial reasons is
essential and is a key responsibility for us all.
All our customers – members, residents, patients, corporate clients, third parties
and business partners – expect us to treat their information with the utmost care.
This means using correct information for the intended purpose and making sure
that it doesn’t fall into the wrong hands.
The Global Information Security Policy has been established to protect Bupa’s
group of companies, our employees and our customers. It should be read in
conjunction with Bupa Global Information Security Standards (GISS) and other
relevant Bupa Group Corporate Policies.
Policy Structure
The GISP consists of 14 individual Policy Statements, divided into sections as
follows:
Section / Description
Introduction
GISP 01 Company Responsibility
GISP 02 Employee Responsibility
GISP 03 Human Resources Responsibility
GISP 04 Information Classification
GISP 05 Incident Management
GISP 06 Access to Bupa Information and Information Systems
GISP 07 Electronic Communication Services
Variations
Should the GISP or a GISS conflict with local legislation the local Information
Security manager or Information Governance representative must be informed at
once.
Contact:
You should contact your local Information Security manager or Information
Governance representative in the first instance.
In the event of difficulty, some key contacts are listed below:
Bupa Australia Group (inc Asia Pacific)
Security Manager: Marcel Sorouni
L1 50 Bridge St, Sydney NSW 2000
+61 2 9323 9690
marcel.sorouni@bupa.com.au
Sanitas Group (Spain)
Security Manager: Enrique Martín Menéndez
Sanitas Seguros, S.A., C/ Ribera del Loira, 52, 28042 Madrid
+34 913244949
emartin@sanitas.es
Company Responsibility
Objective
Bupa has a corporate responsibility to safeguard both customer and employee
information and ensure that appropriate & effective governance arrangements are
in place to achieve this.
This policy will help to reduce exposure to the following risks:
• Loss of confidence amongst employees, customers, partners and advisors
• Legal action, censure and financial penalties due to failure to comply with
legislative, regulatory or contractual requirements
• Failure of security policies & standards due to poor governance & lack of
clear responsibility & ownership
• Disruption to business activities due to misuse of information.
• Failure to respond to emerging threats.
• Damage to Bupa’s image, reputation and brand
Policy Statement
Employee Responsibility
Objective
Bupa has a responsibility to ensure its employees, including contractors, third
party personnel, partners and advisors are aware of their responsibilities for
safeguarding Bupa information & information systems and Bupa facilities.
This policy will help to reduce exposure to the following risks:
• Misplaced trust in individuals
• Disclosure of sensitive information
• Poor security awareness
• Loss of information assets
• Unauthorised access
Policy Statement
Information Classification
Objective
Bupa has a responsibility to account for and safeguard customer, employee and
commercial information in accordance with its classification derived from its value
and risk.
This policy will help to reduce exposure to the following risks:
• Business Units being unaware of the value of information
• Controls being applied which are inadequate or inappropriate to protect
customer, employee and commercial information
• Financial and/or reputational loss following the deliberate or accidental
disclosure of personal or patient/member data, or corporate data.
• Inaccurate prioritisation for recovering from disaster due to poorly classified
and protected information.
• Inefficient business operations due to poorly classified and protected
information.
• Loss or damage to reputation resulting from inaccuracies in information
content.
Policy Statement
Incident Management
Objective
Bupa has a responsibility to manage information security incidents, which occur
whenever the confidentiality, integrity or availability of information or information
systems is suspected to be, or actually is, affected by an adverse event.
To minimise the risks of compromise to our information and information processing
systems, robust incident management is required in order to contain, investigate
and learn from the incidents that may affect the Group’s information.
This policy will help to reduce exposure to the following risks:
• Failure to detect disclosure or theft of information.
• Repeat incidents due to failure to learn from prior occurrences.
• Disruption to business activity due to poorly managed incidents.
Policy Statement
Compliance
Objective
Bupa has a duty and responsibility to comply with all legal, statutory, regulatory
and contractual requirements.
These requirements will differ according to a number of factors, including country of
applicability, applicable regulatory bodies, local business unit activities, specific
contractual obligations and many more.
Bupa employees, including contractors, third party personnel, partners and
advisors must comply with applicable Bupa policy. Failure to do so may result in
disciplinary action including dismissal, as well as civil and/or criminal legal
proceedings.
This policy will help to reduce exposure to the following risks:
• Legal action, censure and financial penalties due to failure to comply with
legislative, regulatory or contractual requirements
• Disruption to business activities due to misuse of information
• Financial loss
• Damage to Bupa reputation
Policy Statement
GISP 09 Compliance
Policy Statement
Business Continuity
Objective
Information security requirements must be included and incorporated in all
business continuity programmes in order to safeguard information and data during
times of adverse operating conditions.
This policy will help to reduce exposure to the following risks:
• Loss or theft of information due to poor planning
• Disruption to business activities due to poor prioritisation of asset recovery
• Disruption of business activity due to poor or non-existent testing
Policy Statement
Scope
This standard applies to all Bupa Companies (hereafter referred to as Company).
Each Business Division & Business Unit including Group functions are to ensure the
requirements of this standard are met.
Target Audience
This standard is to be read and implemented by Senior Management and
Information Security Management across the Company.
Standards
Global Structure
requirements of the GISP and GISS. This will include the establishment of a
local Information Security and Governance Framework which is approved and
authorised by the IG Executive Committee.
a. is responsible for ensuring all requirements of the GISP & GISS are
implemented as a minimum, and for reporting compliance, variations,
exceptions and incidents
b. ensures that all relevant GISP & GISS and any local supporting
policies & procedures are published & communicated to all Authorised
Users within their defined scope
Guidance
The role of maintaining information security locally could be designated to one
person or a team of people.
Further detail regarding the requirements of this standard is contained within the
GISS library.
Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored internally
via compliance programs and security incident reports. Failure to comply with any
Policy or Standard may result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.5.1.2, A.6.1.2, A.6.1.3, A.6.1.4, A.6.1.6,
A.6.1.7, A.6.1.8, A.15.2.1
Document Control
GISS Ref: 01-01
Version: V1.1 (Reviewed)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
• GISP 01
Target Audience
This standard is to be read by all local business management.
Standards
General
01.02.01 Authorised Users should have a good working knowledge of the standards
that have a direct impact on their day-to-day responsibilities, and a general
awareness of all other Global Information Security Policies and Standards.
Variations
01.02.04 Where a local unit cannot meet a requirement of the Global Information
Security Policy or Standard for any reason, a local variation to that Policy or
Standard must be identified.
01.02.07 The GISP and GISS are delivered and enforced locally by local Information
Security Councils; are owned by the Information Governance Council and
are endorsed and authorised by the Information Governance Executive
Committee.
© 2010 BUPA Company Internal 32
Global Information Security Policy & Standards
01.02.08 Local Information Security Policy and Local Information Security Standards
where variations to the Global versions are necessary are owned, delivered
and enforced locally by local Information Security Councils; are endorsed
and authorised by the Information Governance Council. The Information
Governance Executive Committee is informed of local variances.
Guidance
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.5.1.1
Document Control
GISS Ref: 01-02
Version: V1.1 (Corrected description of IG Council)
Release date: 22/11/11
Approval by: IG Exec Committee
This standard defines the Company requirements for Authorised Users when using
Company supplied information and information systems, such as email, internet,
laptops and mobile devices.
• GISP 02
Target Audience
Standards
General Principles
02.01.03 The Company may monitor use of Company provided equipment and
services, and/or non-Company provided equipment that is connected to
its corporate network, for security, policy and legal and regulatory
compliance purposes without notification.
02.01.04 The main purpose of providing email is for business activities; as such,
it is considered a privilege and should be used responsibly.
02.01.10 Authorised Users shall not activate any features, with the exception of
Out of Office Replies, included in an E-Mail software application that
automatically sends, copies, or forwards messages outside the
Company Network. Consistent with this Policy, Authorised Users may
selectively send, copy, or forward electronic messages in the ordinary
course of business. Authorised Users should recognise that some
information is intended for specific individuals and may not be
appropriate for general distribution.
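Checking rule 02.01.10 in practice: the following is an added example, not part of the Bupa standard or any Bupa tooling, that audits an exported list of mailbox rules and flags enabled rules which automatically forward or redirect mail to an address outside the Company's own mail domains. Auto-replies (Out of Office) are left alone, as the rule permits. The domain list, the rule record format and the sample rules are all constructed for this example; a real audit would take the rule export from the mail platform in use.

```python
"""Audit of mailbox auto-forwarding rules against a policy like GISS 02.01.10.

Constructed example: the company domains, rule records and sample export below
are made up for illustration; they are not Bupa data.
"""
from dataclasses import dataclass
from typing import List

# Assumed: domains that count as "inside the Company Network" for this example.
COMPANY_DOMAINS = {"example-company.test", "mail.example-company.test"}

# Rule actions that send mail onward automatically. Auto-replies (Out of Office)
# are the explicit exception in the policy text and are never flagged.
FORWARDING_ACTIONS = {"forward", "redirect", "forward_as_attachment"}


@dataclass(frozen=True)
class MailboxRule:
    mailbox: str          # owner of the rule
    name: str             # rule name as shown in the mail client
    action: str           # e.g. "forward", "redirect", "auto_reply", "move"
    target: str           # destination address (empty for non-forwarding actions)
    enabled: bool = True


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if malformed)."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.strip().lower().rstrip(".")


def is_external(address: str, company_domains=COMPANY_DOMAINS) -> bool:
    """True when the address lies outside the Company's own mail domains.

    A malformed or empty target is treated as external (fail closed): the auditor
    cannot show that such a rule keeps mail inside the network.
    """
    dom = domain_of(address)
    if not dom:
        return True
    # Accept exact matches and subdomains of a company domain.
    return not any(dom == cd or dom.endswith("." + cd) for cd in company_domains)


def find_policy_violations(rules: List[MailboxRule],
                           company_domains=COMPANY_DOMAINS) -> List[MailboxRule]:
    """Return enabled rules that automatically send mail to an external address."""
    return [
        r for r in rules
        if r.enabled
        and r.action in FORWARDING_ACTIONS
        and is_external(r.target, company_domains)
    ]


# Constructed sample export, shaped like a mail-platform rule dump.
SAMPLE_RULES = [
    MailboxRule("a.smith@example-company.test", "Out of office", "auto_reply", ""),
    MailboxRule("a.smith@example-company.test", "Copy to home", "forward", "asmith@webmail.test"),
    MailboxRule("b.jones@example-company.test", "Team archive", "forward",
                "archive@mail.example-company.test"),
    MailboxRule("c.lee@example-company.test", "Old redirect", "redirect", "c.lee@other.test",
                enabled=False),
    MailboxRule("d.khan@example-company.test", "File invoices", "move", ""),
    MailboxRule("e.wong@example-company.test", "Broken target", "forward", "not-an-address"),
]

if __name__ == "__main__":
    for rule in find_policy_violations(SAMPLE_RULES):
        print(f"VIOLATION {rule.mailbox}: rule '{rule.name}' ({rule.action}) "
              f"sends mail to {rule.target or '<empty>'}")
```

Run against the sample export, the audit reports the forward to an external webmail address and the rule with an unparseable target, while the Out of Office reply, the internal archive forward, the disabled redirect and the move rule pass. Treating a malformed target as external is deliberate: an auditor should not assume mail stays inside the network when the destination cannot be read.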
Internet
02.01.11 The Internet provides business opportunities and shall be used for
legitimate purposes and to further the company’s interests.
Social Networking
02.01.17 Access to social networking sites may be granted for selected users
and groups based upon the business requirement. Access to these
privileges must be authorised.
02.01.19 When using social networking sites, Authorised Users must not post,
publish or otherwise disclose company information, material,
comments and/or opinions that could bring the Company into
disrepute.
02.01.22 Authorised Users shall not log in another member of staff or an external
party using their own login and password credentials.
02.01.29 Authorised Users are prohibited from using any hacking tools without
prior written approval from the local Information Security Function. Use
of such tools without prior written approval could result in disciplinary
and/or criminal proceedings.
Viruses
02.01.31 Authorised users have a responsibility to check from time to time that
Company installed security software including anti-virus software on a
Company workstation is functioning properly and is up to date.
02.01.33 Authorised users shall take all reasonable steps and are responsible to
protect company provided mobile computing equipment and the
information used and held on it whilst in their care.
02.01.40 Level 2 and Level 3 information shall not be stored on PDAs or mobile
phones unless suitably protected with encryption software.
Wireless Networks
02.01.42 Wireless access points providing access to the corporate network shall
be restricted to company approved and provided computing equipment.
Incident Reporting
02.01.46 All users are required to report any irregular or adverse events (also
known as security incidents) immediately, in accordance with local
practices. Security incidents include, but are not limited to:
Guidance
Cyber criminals use sophisticated tools that can rapidly decipher passwords.
• Personal information: your name, birthday, driver's licence, passport number, or
similar information.
• E-mail messages should only be sent to those employees for whom they are
particularly relevant.
Viruses
• Viruses are often written into .exe files, so be particularly vigilant. Never
download an .exe from the Internet.
• Viruses can be found in any file type including in image files, such as .jpg or
.bmp.
Internet
• You should be aware of phishing sites. Rather than using links in emails you
should use the full URL to access websites where you are entering personal
details or making online transactions.
Software
• Hacking tools include but are not limited to password guessing or cracking
software, sniffers, data capture software, and security testing software.
Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored and
audited internally via compliance programs and security incident reports. Failure to
comply with any Policy or Standard may result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local
legal, regulatory or contractual requirements require modification or variation to this
standard, then the variation must be documented and reported to the IGEC Group
for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.5.1.2, A.6.1.2, A.6.1.3, A.6.1.4, A.6.1.6,
A.6.1.7, A.6.1.8, A.15.2.1
Document Control
GISS Ref: 2.01
Version: V1.1 (Added reference to Bupa Employee Handbook)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
Overview
This standard outlines the requirements of all Authorised Users regarding their
responsibilities for safeguarding Company information & information systems. It is
the responsibility of everyone within the Company to maintain the confidentiality,
integrity and availability of information.
GISP 02
Target Audience
This standard is to be read by all Authorised Users.
Requirements
02.02.01 All Authorised Users must comply with Company Global Information
Security Policy (GISP) and Global Information Security Standards
(GISS); failure to do so could result in disciplinary action.
Guidance
Authorised Users are required to attend information security training and awareness
sessions.
Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored internally
via compliance programs and security incident reports. Failure to comply with any
Policy or Standard may result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local
legal, regulatory or contractual requirements require modification or variation to this
standard, then the variation must be documented and reported to the IGEC Group
for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.6.1.1, A.8.1.1, A.8.2.1, A.8.2.3
Document Control
GISS Ref: 2-02
Version: V1.1 (Clarification of content and frequency of training; unnecessary
Scope statement removed)
Overview
This standard defines the Company requirements when engaging and managing
services provided to the Company by external service providers. This may include
hosting companies, cloud services, software as a service, externally hosted sites and
systems, internal & external contractors with physical and / or logical access to
Company systems and information.
• GISP 02
Target Audience
This standard applies to all Managers and Authorised Users responsible for the
engagement and management of external parties.
Standards
Due Diligence/Risk Assessment
b) The type of access the external service will have to the information
and information processing facilities, e.g.:
iii) Integrity.
02.03.05 The Company shall also satisfy itself as to the indemnity of the external
service provider.
02.03.06 Monitoring and review of external service providers shall ensure that
the information security terms and conditions of the agreement are
being adhered to, and that information security incidents and problems
are managed properly. This involves a service management
relationship and process between the company and the external
service provider to:
02.03.08 In addition, the Company shall ensure that the external service provider
assigns responsibilities for checking for compliance and enforcing the
requirements of the agreements.
02.03.10 The Company shall maintain sufficient overall control and visibility into
all security aspects where Level 2 and Level 3 information or
information processing facilities are accessed, processed or managed
by the external service provider
02.03.11 The Company shall ensure that it retains visibility into security activities such
as change management, identification of vulnerabilities and information
security incident reporting/response through a clearly defined reporting
process, format and structure.
Guidance
Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored and
audited internally via compliance programs and security incident reports. Failure to
comply with any Policy or Standard may result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local
legal, regulatory or contractual requirements require modification or variation to this
standard, then the variation must be documented and reported to the IGEC Group
for approval.
References
Document Control
GISS Ref: 02.03
Version: V1.1 (Re-ordered paragraphs and numbering)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
03.01 Recruitment
Overview
This document outlines the requirements to be implemented during the recruitment
process of any employees and / or temporary staff. This standard may also be applied to
external parties for additional security.
• GISP 03
Target Audience
This standard applies to the recruitment process and is to be read by Human Resources
and Management functions.
Standards
03.03.01 Potential hires shall be required to provide references in accordance with local
business and legislative requirements (e.g. right to work, employment
references etc.) prior to employment within the Company.
03.03.02 Confidentiality agreements shall be in place for all employees within terms
and conditions of employment.
03.03.03 Information security roles and responsibilities shall be written in to the terms
and conditions of employment for all employees.
Guidance
Employees who are to have a role with higher levels of access, or potential access to
large amounts of sensitive information (e.g. IT administrators, financial controllers,
application developers, database administrators), may benefit from additional security
checks such as police and credit checks, in accordance with HR best practice.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards including those involved in recruitment. Compliance with this standard shall
be monitored internally via compliance programs and security incident reports. Failure to
comply with any Policy or Standard may result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.6.1.5, A.8.1.2, A.8.1.3
Document Control
GISS Ref: 03-01
Version: V1.1 (Corrected error in Overview and guidelines improved)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
Overview
This document outlines the responsibilities of the Company and those of
Authorised Users during employment with the Company.
• GISP 03
Target Audience
This standard applies to Managers and Authorised Users.
Standards
Management
03.02.02 All Authorised Users shall have access to the Global Information Security
Policy and Standards.
Authorised Users
03.02.03 All Authorised Users must comply with the Global Information Security Policy
and Standards and will be made aware that disciplinary action may be taken
in the event of non-compliance.
Guidance
This standard should be read in conjunction with the Information Security Framework,
where roles and responsibilities are clearly defined.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.8.1.1, A.8.2.3
Document Control
GISS Ref: 03-02
Version: V1.1 (Minor correction to 03.02.04)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
Overview
This standard outlines the Company training and awareness requirements to be provided
to all Authorised Users.
• GISP 03
Target Audience
This standard is to be read by Human Resources and Managers.
Standards
03.03.02 Specific training legally required for certain job roles (e.g. legal and privacy
requirements within call centres) shall be undertaken and records
maintained.
03.03.04 It is the responsibility of each business unit management team to ensure that
a Training and Awareness Programme is implemented in line with the Global
Information Security Policy. The design and content of programmes should
be verified by the Information Governance Council or its agent to ensure
consistency and alignment.
Records
03.03.05 Records for all training and awareness activities delivered shall be
maintained.
Guidance
Methods of training and awareness could include:
o Workshops
o Quiz
o Emails
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.8.2.1, A.8.2.2
Document Control
GISS Ref: 03-03
Version: V1.1 (Additional clarity in 03.03.04)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
Overview
This standard outlines the requirements regarding employees and contractors leaving or
changing roles within the Company.
• GISP 03
Target Audience
This standard is to be read by Human Resources and Managers.
Standards
03.04.01 A formal ‘Starters, Movers and Leavers’ process must be in place to include
the following:
Guidance
The IT Department is the part of the organisation responsible and accountable for
the provision of Information Technology services.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.8.3.1, A.8.3.2, A.8.3.3
Document Control
GISS Ref: 03-04
Version: V1.1 (Improved clarity in 03.04.02; improved definition of IT Department,
IT equipment and Keys)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
Overview
This standard outlines the Company requirements regarding protecting and
maintaining the privacy of information.
• GISP 03
Target Audience
This standard applies to all Company information. It is to be read by all Authorised Users.
Standards
03.05.01 Prevailing data privacy legislation and law in each country, state, area or
region must be applied.
Guidance
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.15.1.3, A.15.1.4
Document Control
GISS Ref: 03-05
Version: V1.1 (03.05.02: improved clarity regarding responsibility)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
Overview
This standard provides the requirements for the classification of information.
This standard supports the Global Information Security Policy:
• GISP 04
Target Audience
This standard is to be read by all Authorised Users.
Standards
General
04.01.01 All Company information will fall into one of four categories of information
classification based upon its confidentiality, integrity and availability.
Confidentiality
04.01.05 Access to, and use of, Level 2 (Confidential) and Level 3 (Restricted
Confidential) information is restricted to those Authorised Users with an
immediate need and then only for so long as that need exists and only to the
extent of that need.
Level 2: CONFIDENTIAL
Level 3: RESTRICTED - CONFIDENTIAL
04.01.08 When exchanging classified and labelled data with other business units or
third parties, recipients should ensure that conflicts or variances between
classification systems are resolved. Data imported onto Company systems
should be annotated with the approved Company classification scheme and
any conflicting labelling by the originator should be erased.
Integrity
Availability
04.01.10 The ‘availability’ value of information in systems should be based upon the
impact of any period of partial or full unavailability:
Guidance
The value of data and information services has traditionally been based upon an
assessment of three characteristics: Confidentiality, Integrity and Availability.
These three characteristics are often referred to as the ‘CIA’ of information security.
The table below lists a number of impact areas and data/service traits which should be
considered when conducting an assessment against the three ‘CIA’ values. This list,
whilst not exhaustive, will help set the value assessment in context with the operational
environment.
• Electronic data
o Email communications
o website content
o Printed documents
o Presentations
o Telephone conversations
o Meetings
o Conference Calls
Further information regarding the rules for handling information can be found in the
following Global Information Security Standards:
• GISS 4-02 Information Asset Identification and Ownership
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards: 4-02, 4-03, 4-04
ISO 27001 Control Ref(s): A.7.1.2
Document Control
GISS Ref: 04-01
Version: V1.1
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This standard outlines the requirements for the identification and ownership of all
Company information and information assets to ensure that correct classification and
security controls are applied.
• GISP 04
Scope
This standard applies to all data and information processed or generated by the
organisation, referred to as Company information. It also applies to information
assets, that is, information that has a tangible value to the Company.
Target Audience
Standards
General
04.02.02 The inventory must record the value of an information asset according
to its confidentiality, integrity and availability.
Management
Data Owners
04.02.04 Data Owners are responsible for correctly classifying any information
under their control, based upon its value.
04.02.05 Data Owners should ensure that there are periodic, at least annual,
reviews of the information classification.
04.02.06 Data Owners are responsible for ensuring that user access and
privileges to the data are defined and controlled and ensuring
appropriate segregation of duties.
04.02.07 Data Owners are responsible for approving access to the information
assets by internal business individuals/groups, other business units
and third parties.
04.02.08 Data Owners are responsible for confirming the Recovery Point
Objective (RPO) and Recovery Time Objective (RTO) in a formal
Disaster Recovery. These are normally calculated according to the
data value determined by the Data Owner.
04.02.09 Data Owners may appoint a Data Custodian for the data. The Data
Custodian would typically be the manager of the unit that provides
information management services for the data or who maintains the
physical custody of the data.
04.02.10 The Data Custodian should provide the physical and procedural
safeguards necessary to achieve the level of control and availability
specified by the Data Owner.
Guidance
Information Assets
Information assets can take many forms (paper, electronic files, databases, emails,
applications, etc.) and can be used for many different business functions and
processes. This standard applies to those information assets that have a high value
to Bupa in terms of their confidentiality, integrity and availability.
Data Custodians
Normally, the operational requirements of the Data Owner are enacted by a Data
Custodian which may be a role or function. The Data Custodian provides the
physical and procedural safeguards necessary to achieve the level of control and
availability specified by the Data Owner. For example the Data Custodian is
responsible for ensuring that any back-up regime is undertaken in an appropriate
manner and at the frequency specified by the Data Owner.
The organisation of Information Systems and Services within Bupa will often provide
environments where the responsibility for the management of data and information
services is shared across business units and IS functions. In such instances,
consideration should be given to the identification of both an Application Data
Custodian and an Infrastructure Data Custodian. In these circumstances the allocation
of responsibilities should be formally agreed by each business unit/function and
documented by the Data Owner.
Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored internally
via compliance programs and security incident reports. Failure to comply with any
Policy or Standard may result in disciplinary action.
Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.
References
Document Control
Overview
This standard sets out the Company requirements for Authorised Users when
processing, transmitting and storing electronic information.
• GISP 04
Scope
Target Audience
Standards
04.03.03 All information must be treated in accordance with its classification and
appropriate controls applied to maintain security. This includes
information on display, information storage, access to information and
its disposal or destruction when no longer needed.
Guidance
Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.
References
Document Control
Overview
This standard sets out the Company requirements for Authorised Users when
processing, transmitting and storing physical information.
• GISP 04
Scope
This standard applies to all physical media and paper within the Company. This
includes:
• Records
• Files
• Removable media
o Memory sticks
o CDs/DVDs
o Hard disks
Target Audience
This standard is to be read by all Authorised Users.
Standards
04.04.01 Where practical and appropriate, paper information and physical media
should be labelled according to its classification.
04.04.03 All information must be treated in accordance with its classification and
appropriate controls applied to maintain security. This includes
information on display, information storage, access to information and
its disposal or destruction when no longer needed.
04.04.04 Only approved secure courier services will be used to transport media
containing Level 2 (Confidential) or above.
04.04.05 In the event of information becoming lost or stolen, the loss or theft
must be reported using the Incident Reporting process.
Guidance
Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.
Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.7.2.2
Document Control
GISS Ref: 4-04
Version: V1.1 Corrected typographical errors. Improved wording in 04.04.03
Overview
This standard provides the requirements for the secondary use of information.
This standard supports the Global Information Security Policy:
• GISP 04
Target Audience
This standard is to be read by all Authorised Users and applies to anyone developing
applications or analysing data.
Standards
04.05.01 Data and information may only be used for the purpose for which it was
supplied and as defined by the Data Owner.
04.05.02 Production and/or live data shall not be used for testing purposes unless
approved by Information Security, the Data Owner, and Legal/Privacy.
Guidance
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards: Data Protection Act 1988 (UK)
ISO 27001 Control Ref(s): A.12.4.2
Document Control
GISS Ref: 04-05
Version: V1.1 Improved wording in 04.05.03 and 04.05.04
Overview
This standard details the requirements for the reporting of information security incidents.
This standard supports the Global Information Security Policy:
• GISP 05
Target Audience
This standard is to be read by all Authorised Users.
Standards
Incident Reporting
05.01.01 It is the responsibility of each Business Division & Business Unit, including
Group functions, to establish local operating procedures to ensure that any
event, or potential event, which adversely affects the confidentiality, integrity
and/or availability of Company information and/or information systems is
reported immediately.
05.01.02 All Authorised Users are required to report events or incidents affecting
information security or compliance to information security policy in
accordance with local operating procedures.
Guidance
This standard applies to all potential or actual information security incidents, which may
include:
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.13.1.1, A.13.1.2
Document Control
GISS Ref: 05-01
Version: V1.1 Improved wording in 05.01.01 and 05.01.02 to clarify Information
Security incidents
Overview
This standard outlines the requirements for local information security teams when
managing potential or actual information security incidents.
Target Audience
This standard is to be read by all central and local information security management.
Standards
Incident Management
05.02.01 It is the responsibility of each Business Division & Business Unit, including
Group functions, to establish local operating procedures for managing
security incidents in accordance with the requirements of the Global
Information Security Policy and Standards.
Incident Reporting
05.02.02 All reported information security incidents must be recorded and an audit trail
maintained of relevant materials.
Incident Investigation
05.02.04 Only trained employees may carry out investigations.
g. Impact assessment.
05.02.09 All investigations will be treated in confidence and disclosure only made with
authorisation from Information Security. Security investigations must
address the following:
Evidence
05.02.10 Any paper evidence must be kept securely with a record of the individual
who found or generated the document, where the document was found,
when it was found or generated and who witnessed the discovery. This
information must be recorded within an evidence or investigation log.
05.02.12 Where possible, electronic evidence (hard disks and in memory) shall be
forensically secured to preserve evidence. This may require the assistance
of specialist third party contractors.
Non-Retaliation
05.02.14 Retaliation, discrimination, or intimidation shall not be permitted against an
individual, an Authorised User, a business partner, a client member, or any
other person or organization, for reporting a Privacy or Security Incident; for
filing a report or complaint with government authorities; or for participating in
any investigation, legal proceeding or review.
Guidance
This standard applies to all potential or actual information security incidents, which may
include:
• Any kind of damage to the system initiated inside or outside of the Company
• Any activities that violate information security policy are considered an incident.
• Report Produced
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.13.2.1, A.13.2.3
Document Control
GISS Ref: 05-02
Version: V1.1 Improved wording in 05.02.02; 05.02.03 d and 05.02.09 e
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This standard details the requirements for the management of improvements to
information security following strategic change or information security incidents.
• GISP 05
Target Audience
This standard is to be read by all Managers.
Standards
05.03.01 Information security incidents must be identified, responded to, recovered
from, followed up and closed.
05.03.04 Any actions that cannot be implemented immediately shall be added to the
Company Risk Register, which is managed by Information Governance.
05.03.05 Action plans shall be reviewed at regular intervals to ensure they are
implemented in a timely manner.
05.03.07 Local Information Security will produce reports on trends or patterns and
submit them to the appropriate Information Governance meetings for
analysis.
Guidance
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.13.2.2
Document Control
GISS Ref: 05-03
Version: V1.1 Improved wording in 05.03.04 and 05.03.07
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the Company standard for the technical identification and
registration of Authorised Users.
• GISP 06
Target Audience
This standard applies to all Company systems. It is to be read by all IT & Technical functions
within the Company.
Standards
Authorised Users
06.01.01 It is the responsibility of the Data Owner to define the rules for granting
access and permissions requirements to systems under their control.
06.01.02 All users once authorised to access systems and applications will be
provided a unique User Identification.
06.01.03 Each user is individually accountable for their actions within systems and
applications by virtue of their unique User Identification.
06.01.04 Access privileges and rights shall be set to the least privilege required for the
job role.
Shared Accounts
06.01.06 Shared accounts may only be authorised for use by Information Security in
exceptional circumstances where individual accountability is not required or
is controlled by other means, such as student accounts in a classroom
setting.
Guidance
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.11.2.1, A.11.2.2
Document Control
GISS Ref: 06-01
Version: V1.1
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the Company standard for the technical management of access to
systems and electronic information, including audit and logging data.
• GISP 06
Target Audience
This standard is to be read by all IT & Technical functions within the Company.
Standards
Clock Synchronisation
06.02.01 System clocks shall be synchronised to a consistent and accurate time
source.
06.02.04 Audit logs must be archived / retained / disposed of in line with relevant
statutory or regulatory requirements.
06.02.05 System administrator and system operator activities shall be logged. Logs
shall include:
b. Information about the event (e.g. files handled) or failure (e.g. error
occurred and corrective action taken).
06.02.06 System administrator and operator logs shall be reviewed on a regular basis.
06.02.07 Outside of the legal and regulatory requirements for data retention, audit
logs recording user activities, exceptions, and information security incidents
shall be collected and kept for at least 3 months to assist in future
investigations and access control monitoring.
Important Systems
06.02.08 Important Systems must be housed in a secure computing environment.
Guidance
Clocks should be synchronised using NTP (Network Time Protocol).
o The user ID
o Access policy violations and notifications for network gateways and firewalls.
o System exceptions.
• How often the results of monitoring activities are reviewed should depend on the risks
involved. Risk factors that should be considered include the:
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.10.10.1, A.10.10.2, A.10.10.6, A.11.6.1,
A.11.6.2
Document Control
GISS Ref: 06-02
Version: V1.1 Corrected error in Target Audience.
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the requirements for the physical access to physical media and
paper information, and ensures that it is securely stored and locked away when not in use.
• GISP 06
Target Audience
This standard applies to all Company information and is to be read by all Authorised
Users.
Standards
06.03.01 All paper documents must be stored appropriately according to their
classification.
06.03.04 Paper documents or portable electronic media must not be left in meeting
rooms and whiteboards should be cleared upon leaving the room.
06.03.05 Laptops, memory sticks, CDs, DVDs and disks containing company
Information shall be locked away securely when not in use.
Guidance
Portable electronic media is used to describe any medium on any device which can easily
be carried and which can store data or information. These include laptops; notebooks;
tablets; memory sticks; thumb drives; external hard drives; CDs; DVDs; cameras; SD
cards; XD cards; and smartphones.
The data held on hard discs and portable media should be encrypted.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.11.3.2, A.11.3.3
Document Control
GISS Ref: 06-03
Version: V1.1 Replaced “removable media” with “portable media” in 06.03.02-05
Added additional guidance about portable media
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This standard provides the requirements for the use of electronic communication systems
(e-mail, voice, video, social networking, etc.) with regard to enterprise-based services.
• GISP 07
Target Audience
This standard is to be read by all Authorised Users.
Standards
General
07.01.04 The Company reserves the right to store and review any communications
composed, sent or received through its electronic communication systems in
accordance with any regulations and law enforceable in the hosting nation.
Voice
07.01.08 Systems and protocols used to communicate, process, and store Level 2
and Level 3 voice information must meet the same level of security and
protection as the systems used to protect Level 2 and Level 3 electronic
information.
07.01.09 All users shall take reasonable care to maintain the confidentiality of Level 2
and Level 3 information when communicated over internal and external
electronic communication networks.
Video
07.01.10 Level 2 and Level 3 video data shall not be communicated unencrypted over
unsecured private or public networks i.e. the internet.
Faxes
07.01.12 Unless required as part of a job role, access to the public internet and public
social networking services is a privilege authorised by the line manager,
and only then in business units where such activities are permitted.
File Transfer
Guidance
SSL/TLS and SSH (secure transport protocols) and RSA, 3DES and AES (cryptographic
algorithms) are examples of encryption technologies. FTPS (FTP over SSL/TLS), SFTP (file
transfer over SSH) and PGP are some examples of secure file transfer mechanisms.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or variation to this standard,
then the variation must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.10.8.5, A.11.6.2
Document Control
GISS Ref: 07-01
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the requirements for the protection of Company provided mobile
devices.
• GISP 07
Target Audience
This standard should be read by all Authorised Users and applies to Company provided
mobile devices, including:
• Laptops
• PDAs
• Blackberry / iPhone
Standards
07.02.01 The Company provides mobile devices for Company business purposes.
Whilst not prohibited, any personal use must be limited and reasonable and
must not in any way interfere with Company business use.
07.02.02 Mobile electronic devices such as laptops, cameras, tablets etc. must be
locked away securely and, if possible, out of sight when not in use.
07.02.03 When in use and in transit, mobile devices must remain under the direct
control of the owner at all times.
07.02.04 Unauthorised Users must not be allowed to use Company mobile devices.
07.02.05 Device timeout and holster lockout features which require a PIN code or
password to unlock should be considered to prevent unauthorised use.
Guidance
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.11.7.1, A.11.4.2
Document Control
GISS Ref: 07-02
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the Company standards for the protection of multifunctional
devices. Multifunctional devices present a number of risks to the organisation through
diverse storage and network capabilities that have the potential to undermine
• GISP 07
Target Audience
This standard applies to all multifunctional devices including printers, photocopiers,
scanners and fax machines. It is to be read by all Authorised Users.
Standards
07.03.01 A local risk assessment must be carried out to assess the capabilities of
each device, the environment within which it is to be used and the controls
required to mitigate the risks.
07.03.04 Local access to the device should be controlled. This could include swipe
cards, PINs or passwords.
07.03.05 All fax and e-mail communication directly from the device should be
attributable to an individual Authorised User or sender.
07.03.06 All e-mail communication directly from the device to external addresses
outside of the Company must be attributable to an individual Authorised User
or sender.
07.03.07 The use of device generic e-mail accounts should be avoided unless
mitigating controls are in place.
07.03.10 When replaced or disposed of, all non-volatile storage, in particular hard
drives, is to be disposed of in an approved secure manner.
07.03.11 Support and maintenance contracts must make provision for the secure
procurement, maintenance and disposal of multifunctional devices.
07.03.12 Documents must not be left unattended on printers, photocopiers and fax
machines.
Guidance
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.7.2.2
Document Control
GISS Ref: 07-03
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the Company standard for the connection of non-company
equipment to Company systems.
• GISP 07
Target Audience
This standard applies to all Company Infrastructure and equipment. It is to be read by all
Authorised Users.
Standards
07.04.01 A risk assessment must be conducted and regularly reviewed by the local
Information Security Council for each Company private network to determine
local controls needed to protect it from un-trusted devices connecting to that
network.
Guidance
See also Removable Storage Device Standards.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards: 08-04 Removable Storage Device Standard
ISO 27001 Control Ref(s): A.10.8.5, A.11.6.2
Document Control
GISS Ref: 07-04
Version: V1.1 Clarification of risk assessment needs in 07.04.01
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the Company standard for the installation and use of wireless
networks. This standard supports the Global Information Security Policy:
• GISP 07
Target Audience
This standard applies to all Company wireless networks, including the corporate and guest
networks. It is to be read by all IT & Technical functions within the Company.
Standards
Approved Technology
07.05.01 All Company wireless networks must be approved and implemented by the
Company’s respective local Information Security and IT divisions.
07.05.02 All wireless access points (WAP) and base stations connected to the
company network shall be documented and subject to periodic penetration
tests and audits.
Physical Security
07.05.03 All wireless devices shall be protected against theft, unauthorised use, or
damage.
07.05.04 Access points (AP) and related equipment supporting wireless networks
shall be physically located within secured areas where access is restricted to
authorised personnel.
07.05.05 The reset function on access points shall only be accessible to approved and
authorised personnel.
Network Security
07.05.06 Company wireless network access points shall be logically segmented from
the internal wired Local Area Network (LAN) by a gateway device.
07.05.07 Where feasible, Company provided guest or hotel wireless access points
shall be physically and/or logically segregated from the company’s internal
wired LAN/WAN.
07.05.08 The service set identifier (SSID), administrator user ID, password and Wi-Fi
Protected Access (WPA2 – 802.11i) keys shall be changed from the default
values.
07.05.09 The SSID shall be configured such that it does not contain any identifying
information about the Company. In addition, the SSID shall not contain
characters that indicate the location of the wireless LAN access point or any
other identifying name.
07.05.10 The SSID broadcast function should be disabled to ensure the client SSID
matches that of the access point. The hotel wireless network SSID can be
broadcast.
07.05.11 Devices shall only connect to the wireless LAN when a valid SSID has been
provided. In addition, devices connecting to the company corporate wireless
network shall have anti-virus and/or personal firewalls installed.
07.05.12 The AP “beacon frame” interval shall be set to the highest supported value so that
the AP announces and identifies itself as infrequently as possible.
07.05.13 Access Points shall be configured with complex passwords to access the
administrative features.
Authentication
07.05.14 Wireless access for company employed personnel to the company’s
corporate network shall be authenticated using the company’s local
network authentication services (i.e. Active Directory).
Encryption
07.05.17 802.11i (WPA2) compliant encryption shall be enabled using the AES
encryption standard or better, with a key length of no less than 128 bits.
07.05.18 WPA2 (802.11i) encryption must use Counter Mode with Cipher
Block Chaining Message Authentication Code Protocol (CCMP) or
other IEEE approved key exchange mechanisms.
07.05.24 IEEE 802.11 wireless devices shall not be used to manage other
systems on the network unless otherwise authorised to do so.
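Checking an access-point inventory against the configuration clauses of this standard (07.05.08 to 07.05.18), as an added example that is not part of the Bupa standard or any vendor's tooling. The ApConfig fields, the vendor-default lists, the identifying-term list, the beacon-interval maximum and the "complex password" rule are constructed assumptions.

```python
"""Audit wireless access point configurations against GISS 07-05 (added example)."""
import re
from dataclasses import dataclass

# Constructed sets of vendor defaults; a real check would load the documented
# defaults for each AP model in use (07.05.08).
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}
DEFAULT_ADMIN_USERS = {"admin", "root"}
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", "1234", ""}

# Constructed: words that would reveal the Company or a site in an SSID (07.05.09).
IDENTIFYING_TERMS = ("bupa", "hq", "floor", "london", "office", "datacentre")

MIN_KEY_BITS = 128           # 07.05.17: AES with at least a 128-bit key
APPROVED_CIPHERS = {"CCMP"}  # 07.05.18: CCMP (AES); TKIP is not approved
MAX_BEACON_INTERVAL = 1024   # constructed assumption: highest value this AP model accepts (07.05.12)
MIN_ADMIN_PW_LEN = 12        # constructed interpretation of "complex" (07.05.13)


@dataclass
class ApConfig:
    """One access point's settings, as exported from its console (constructed shape)."""
    name: str
    ssid: str
    ssid_broadcast: bool
    security: str          # "WPA2", "WPA", "WEP" or "OPEN"
    cipher: str            # "CCMP" or "TKIP"
    key_bits: int
    psk_is_default: bool   # True if the WPA2 pre-shared key is still the vendor default
    admin_user: str
    admin_password: str
    beacon_interval: int   # beacon interval as set on the AP (time units)
    guest: bool = False    # guest/hotel network: 07.05.10 allows its SSID to be broadcast


def password_is_complex(pw: str) -> bool:
    """Minimum length plus at least three of four character classes (constructed rule)."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= MIN_ADMIN_PW_LEN and sum(bool(re.search(c, pw)) for c in classes) >= 3


def audit_ap(ap: ApConfig) -> list[str]:
    """Return the GISS 07-05 clause numbers that this configuration breaches."""
    findings = []

    # 07.05.08: SSID, admin user ID, admin password and WPA2 key changed from defaults.
    if (ap.ssid.lower() in DEFAULT_SSIDS or ap.admin_user.lower() in DEFAULT_ADMIN_USERS
            or ap.admin_password in DEFAULT_ADMIN_PASSWORDS or ap.psk_is_default):
        findings.append("07.05.08")

    # 07.05.09: SSID must not identify the Company or the AP's location.
    if any(term in ap.ssid.lower() for term in IDENTIFYING_TERMS):
        findings.append("07.05.09")

    # 07.05.10: corporate SSIDs are not broadcast; guest/hotel SSIDs may be.
    if ap.ssid_broadcast and not ap.guest:
        findings.append("07.05.10")

    # 07.05.12: beacon interval set to the highest supported value.
    if ap.beacon_interval < MAX_BEACON_INTERVAL:
        findings.append("07.05.12")

    # 07.05.13: complex password on the administrative interface.
    if not password_is_complex(ap.admin_password):
        findings.append("07.05.13")

    # 07.05.17: WPA2 (802.11i) with a key of at least 128 bits.
    if ap.security != "WPA2" or ap.key_bits < MIN_KEY_BITS:
        findings.append("07.05.17")

    # 07.05.18: CCMP rather than TKIP or another non-approved cipher.
    if ap.cipher not in APPROVED_CIPHERS:
        findings.append("07.05.18")

    return findings


def audit_all(aps: list[ApConfig]) -> dict[str, list[str]]:
    """Map each AP name to its findings; an empty list means compliant."""
    return {ap.name: audit_ap(ap) for ap in aps}


# Constructed sample inventory: one AP left near factory state, one compliant
# corporate AP, and one guest AP that is allowed to broadcast its SSID.
SAMPLE_APS = [
    ApConfig(name="ap-01", ssid="Bupa-HQ-Floor3", ssid_broadcast=True, security="WPA",
             cipher="TKIP", key_bits=128, psk_is_default=True, admin_user="admin",
             admin_password="admin", beacon_interval=100),
    ApConfig(name="ap-02", ssid="X7Q2-N", ssid_broadcast=False, security="WPA2",
             cipher="CCMP", key_bits=256, psk_is_default=False, admin_user="wlan-ops",
             admin_password="Vq8#tL2m!zR4p", beacon_interval=1024),
    ApConfig(name="ap-guest", ssid="Guest-WiFi", ssid_broadcast=True, security="WPA2",
             cipher="CCMP", key_bits=128, psk_is_default=False, admin_user="wlan-ops",
             admin_password="Vq8#tL2m!zR4p", beacon_interval=1024, guest=True),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_APS).items():
        print(name, "compliant" if not findings else "breaches " + ", ".join(findings))
```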
Guidance
Prior to granting access to visitors using the guest wireless network, a prompt screen
could be in place for the acceptance of the Company terms and conditions, e.g. “I have
read and accept Company terms and conditions when using this wireless network”.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.10.6.1
Document Control
GISS Ref: 07-05
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This standard outlines the Company requirements for the protection of Company Laptops.
This standard supports the Global Information Security Policy:
• GISP 08
Target Audience
This standard applies to all Company laptop computers. It is to be read by all Authorised
Users.
Standards
08.01.01 Only Company provided laptops are automatically authorised for use on
Company networks.
08.01.03 Laptops must remain under the direct control of the owner at all times.
08.01.04 It is the responsibility of the laptop keeper to safeguard its physical security
at all times, particularly when off Company premises.
08.01.05 The keeper of the laptop must take all reasonable steps to ensure that
security software as provided by the Company is up to date and operating
correctly. This includes anti-virus and encryption software.
Guidance
• A lost, stolen or missing laptop must be reported straight away in accordance with
Security Incident procedures.
• Wherever possible, you should not leave Company laptops in cars.
• Laptops should be stored out of sight if being left unattended in cars or employee
homes.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.9.2.1, A.11.7.1
Document Control
GISS Ref: 08-01
Version: V1.1 Additional guidance about lost, stolen and missing laptops
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the Company requirements for the authorised use of digital
cameras and recording devices.
• GISP 08
Target Audience
This standard applies to Company digital cameras and recording devices. It should be
read by all Authorised Users.
Standards
08.02.01 Only Authorised Users with approval from Business Managers shall be
permitted to use digital cameras and recording devices within the Company.
08.02.02 Digital cameras and recording devices should not be used in a manner
which may cause offense or in a manner inconsistent with Information
Classification standards.
08.02.03 Digital cameras and recording devices must be used within the constraints of
any legal and regulatory requirements. These may differ locally.
08.02.04 All Company owned devices shall be stored securely when not in use.
Guidance
A lost, stolen or missing Company provided device must be reported straight away in
accordance with Security Incident procedures.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.8.1.3
Document Control
GISS Ref: 08-02
Version: V1.1 Additional guidance about lost, stolen and missing devices
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This standard outlines the Company requirements for the protection of mobile
devices.
• GISP 08
Target Audience
This standard applies to mobile devices within the Company and is to be read by all
Authorised Users.
Standards
08.03.01 Company phones, laptops, and other mobile devices containing Company
information shall be secured when not in use.
08.03.03 Mobile devices must be kept under the direct control of the owner at all
times.
08.03.04 Devices such as PDAs/Blackberry/iPhone etc. shall have PIN codes enabled.
08.03.06 The use of wireless hotspots is permitted; however, access to Company data,
systems and resources must be via the Company approved VPN.
Guidance
A lost, stolen or missing Company provided device must be reported straight away in
accordance with Security Incident procedures.
When using public transport, ensure that any Company devices and equipment are within
sight at all times.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.7.1.3, A.11.5.6
Document Control
GISS Ref: 08-03
Version: V1.1 Additional guidance about lost, stolen and missing devices
Release date: 22 Nov 2011
Next review: Dec 2012
Overview
This document outlines the Company requirements for the use of Company provided and
non-Company removable storage devices, such as memory sticks, USB drives, flash
memory cards, CDs/DVDs and SIM cards.
• GISP 08
Target Audience
This standard applies to Company removable storage devices. It should be read by all
Authorised Users.
Standards
General
08.04.02 Company provided removable storage devices shall not contain logos or
other insignia identifying them as belonging to the Company.
Responsibilities
08.04.05 The Company will provide removable storage devices that incorporate
appropriate security functionality, such as encryption and password
protection, to adequately secure the information contained within them.
08.04.08 Users of Company provided removable storage devices are responsible for
the information they store on the device and for the safekeeping of the
device.
Protection
Monitoring
08.04.16 The Company shall maintain systems that monitor the movement of
information to and from the Company’s computing Systems.
08.04.19 Audit trail history shall only be used and retained in accordance with local
regulatory requirements and law.
Guidance
A lost, stolen or missing Company provided device must be reported straight away in
accordance with Security Incident procedures.
Best practice for encryption includes solutions meeting the FIPS 140 or AES 256 standards
or higher.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variation
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or variation to this standard,
then the variation must be documented and reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.7.1.3, A.10.7.1, A.10.7.2, A.10.8.3
Document Control
GISS Ref: 08-04
Version: V1.1 Additional guidance about lost, stolen and missing devices
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the Company standard for the use of screensavers on Company
owned equipment.
• GISP 08
Target Audience
This standard applies to all Authorised Users.
Standards
08.05.01 Only standard or Company approved screensavers are permitted for use on
Company equipment.
08.05.02 Upon leaving a workstation, the screensaver must be activated using Ctrl +
Alt + Del or Windows + L.
08.05.03 If local administration rights have been permitted, the user shall not change
the settings of the automatic screensaver activation.
Guidance
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.11.3.3, A.11.5.5
Document Control
GISS Ref: 08-05
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the Company standard for the use of screensavers and the
requirement for session time-out to be configured for Company equipment and systems.
• GISP 08
Target Audience
This standard applies to all IT and Technical functions.
Standards
Screensavers
08.06.01 Screen savers with password lockout must be set to activate after a
maximum of 15 minutes idle time for Company desktops and laptops.
08.06.02 Screen saver activation time settings must not be changed by individual
users without authorisation from local Information Security.
Session Time-out
08.06.04 Systems and applications shall be protected by a time-out and password
lockout facility which activates automatically after a maximum period of
inactivity. The permissible period of inactivity will be specified by the Data
Owner and may vary according to technical circumstances and
requirements.
Guidance
Screensaver settings should be controlled by IT, with the ability to change them disabled
for Authorised Users who are not technical staff.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.11.3.3, A.11.5.5
Document Control
GISS Ref: 08-06
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This standard outlines the requirement that all relevant legal and regulatory
obligations in each Company business be identified and properly managed.
• GISP 09
Scope
This applies to all relevant legal, regulatory and industry standards which impact the
Company information and information assets. These may differ dependent upon
location and country.
Target Audience
This standard is to be read by all Authorised Users.
Requirements
09.01.01 Business Divisions, Business Units and Group Functions shall identify,
and incorporate, all applicable legislative, statutory and regulatory
requirements into local policies and standards.
09.01.04 All Business Units shall identify all relevant local laws and regulations
and inform the Information Governance Committee of any contradiction
to existing Company policy.
09.01.07 Managers must ensure that policies and standards are available to all
Authorised Users and that they are complied with.
Guidance
© 2010 BUPA Company Internal 140
Global Information Security Policy & Standards
Local managers should draw up a list of relevant legislation and regulations. The list
should contain the local person responsible for maintenance of, and reporting on, each
requirement, details of audits and certification if applicable, and the date of the next
compliance review, which should take place at least annually for each requirement.
Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored internally
via compliance programs and security incident reports. Failure to comply with any
Policy or Standard may result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.6.1.1, A.8.1.1, A.8.2.1, A.8.2.3
Document Control
GISS Ref: 9-01
Version: V1.1 Correction of IG Council in 09.01.04; improved wording in 09.01.05 and 09.05.06
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
Compliance with the Company’s Information Security Policy and Standards is
mandatory. This standard outlines the responsibilities of management to ensure
compliance with the information security policy and standards across the Company.
• GISP 09
Scope
This standard applies to all Global Information Security policies and standards.
Target Audience
This standard is to be read by Managers across the Company.
Requirements
09.02.01 Managers shall ensure that all Authorised Users have access to, and
comply with, the Company global Information Security Policy and
Standards.
09.02.02 Managers must ensure that all Authorised Users are aware that failure
to comply with Company policy could result in disciplinary action.
09.02.03 Managers shall ensure that all Authorised Users have access to
Company Information Security policies and standards.
09.02.04 For all Authorised Users, information security roles and responsibilities
shall be addressed within job descriptions.
09.02.05 All Authorised Users must receive regular awareness and training on
information security, as well as the Bupa Information Security
Employee Handbook.
Guidance
• Further guidance can be sought from the GIGC regarding management
information security responsibilities.
Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored internally
via compliance programs and security incident reports. Failure to comply with any
Policy or Standard may result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.8.2.1
Document Control
GISS Ref: 9-02
Version: V1.1 Improved wording – managers and Business Units
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the Company requirements for the physical protection of the
Company perimeter in order to prevent unauthorised access.
• GISP 10
Target Audience
This standard applies to all Company premises. It is to be read by IT and Facilities
Management.
Standards
10.01.01 The security perimeters of all Company premises must be clearly defined.
10.01.02 The entry and exit points within perimeters of buildings or sites containing
Company information processing facilities shall be adequately protected
from unauthorised access.
10.01.03 The external walls of Company premises shall be of a solid construction and
all external doors shall be suitably protected against unauthorised access
with control mechanisms, e.g. bars, alarms, locks etc.
10.01.04 Doors and windows must be locked when unattended and external
protection e.g. shutters/ barriers will be considered via risk assessment for
windows, particularly at ground level.
10.01.05 A manned reception area or other means to control physical access to the
site or building shall be implemented with access to sites and buildings
restricted to authorised persons only.
10.01.07 Emergency exits on the security perimeter shall be adequately secured and
tested regularly.
10.01.08 Facilities managed by third parties will have the minimum physical security
requirements documented in contracts and regularly monitored for
compliance.
10.01.09 Physical security controls must comply with local legal and regulatory
requirements.
Guidance
Perimeters may be protected with the use of fences, walls, CCTV and signage.
Suitable intruder detection systems should be installed and regularly tested to cover all
external doors and accessible windows.
Information processing facilities managed by the organisation should be physically
separated from those managed by third parties.
Unoccupied areas should be locked and where appropriate, alarmed at all times; e.g.
computer room or communications rooms.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.9.1.1
Document Control
GISS Ref: 10-01
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the Company standard for controlling physical entry to Company
premises.
• GISP 10
Target Audience
This standard applies to all Company premises. It is to be read by all IT and Technical
functions as well as Facilities Management.
Standards
10.02.01 All entry and exit points on Company premises shall be controlled.
General
10.02.02 A formal process to control physical entry into buildings must be established,
documented and include:
Visitors
10.02.03 A formal process for Visitors must be established, documented and include:
Secure Areas
10.02.04 Secure areas shall be protected by appropriate entry controls to limit access
to authorised persons only.
d. Limitations of access
Guidance
Appropriate physical entry controls may include:
• Locks
• Swipe card access
• Keypads
Secure areas include communications and server rooms, loading and delivery areas.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.9.1.2
Document Control
GISS Ref: 10-02
Version: V1.1 Correction in 10.02.01 to cover exit points too
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the Company requirements for the physical security of
Company offices, rooms and facilities.
• GISP 10
Target Audience
This standard applies to all Company premises and facilities. It should be read
by all Authorised Users.
Standards
10.03.01 Offices, rooms and facilities shall have appropriate entry
controls to prevent unauthorised access.
Guidance
Enforcement
All employees, managers and contractors are required to comply with
Company Policies and Standards. Compliance with this standard shall be
monitored internally via compliance programs and security incident reports.
Failure to comply with any Policy or Standard may result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if
local legal, regulatory or contractual requirements require modification or
exception to this standard, then the exception must be documented and
reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.9.1.3
Document Control
GISS Ref: 10-03
Version: V1.1 Correction to typographical error in 10.3.05
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the Company standard for Authorised Users working in secure
areas.
• GISP 10
Target Audience
This standard applies to all Company premises. It is to be read by all Authorised Users.
Standards
Secure Areas
10.04.01 Secure areas such as data centres, communications rooms and any other
areas deemed necessary shall have appropriate entry controls for approved
personnel.
10.04.02 CCTV, where applicable shall be used and images retained for a minimum
period of 4 weeks or in compliance with local retention standards.
10.04.03 Access Control Lists shall be maintained for secure areas and shall be
reviewed regularly.
10.04.04 Where applicable, door keypads / alarm codes must be changed regularly.
10.04.07 Authorised Users must only be aware of the existence of, or activities within,
a secure area on a need to know basis.
10.04.08 Vacant secure areas should be physically locked and periodically checked
by authorised employees.
10.04.11 Only authorised persons shall be granted access to Company data centres.
10.04.12 All external parties including visitors must sign in via a visitor process which
records the date and time of the visit.
10.04.14 Racks within the data centre must be locked if in a shared location such as a
non-dedicated co-location facility.
10.04.16 Keys and alarm codes must be changed at regular intervals and a record of
keyholders shall be maintained and reviewed.
10.04.17 Data centres must be included within the Business Continuity Plan.
10.04.18 Air conditioning and fire suppression must be in place and regularly checked
and maintained.
10.04.19 Any changes to the data centre, including updates to servers/ systems, must
be subject to a formal change control process.
10.04.20 The data centre shall not be easily identifiable or advertised as a data centre
to the public.
Guidance
Secure areas may include communications/ server rooms, delivery and loading areas and
post rooms.
Unsupervised working in secure areas should be avoided both for safety reasons and to
prevent opportunities for malicious activities.
CCTV must be used in line with applicable legal and regulatory requirements.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Exceptions
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.9.1.4, A.9.1.5
Document Control
GISS Ref: 10-04
Version: V1.1 Additional wording to 10.04.06 to clarify authorisation
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the Company standard regarding receipt and delivery within
loading areas.
• GISP 10
Target Audience
This standard applies to all delivery and loading areas. It is to be read by all Authorised
Users.
Standards
10.05.01 Delivery and loading areas and other points where unauthorised persons
may enter the premises shall be controlled, monitored and, if possible,
isolated to prevent unauthorised access to information processing facilities.
10.05.02 Access to a delivery and loading area from outside the building shall be
restricted to identified and authorised personnel.
10.05.03 Within isolated delivery areas, the external doors must be locked when the
internal doors are open.
10.05.04 Inbound and outbound goods shall be recorded and records kept.
Guidance
Delivery and loading areas should be designed so that supplies can be unloaded without
external delivery persons gaining access to other parts of the building.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.9.1.5
Document Control
GISS Ref: 10-05
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the Company standard for the protection and location of Company
equipment.
• GISP 10
Target Audience
This standard applies to specialist static IT equipment such as Servers and their
peripherals. It is to be read by all IT and Technical functions as well as Facilities
Management.
Standards
10.06.02 Information processing facilities handling Level 3 data will be positioned and
the viewing angle restricted to reduce the risk of information being viewed by
unauthorised persons.
Environmental protection
10.06.03 Controls will be established to minimise the risk of potential physical threats,
e.g. theft, fire, explosives, smoke, water (or water supply failure), dust,
vibration, chemical effects, electrical supply interference, communications
interference, electromagnetic radiation, and vandalism.
10.06.06 Conditions that may adversely affect the operation of information processing
facilities will be reported immediately.
Removal of Property
10.06.07 Company computing equipment sited within offices, rooms and facilities must
not be removed from Company premises without formal authorisation.
10.06.08 For specific requests to remove equipment from Company premises, e.g. to
an external training site or for short-term loan, a formal request and approval
process must be followed.
10.06.09 The Asset register must be updated to reflect the location and/or owner of
Company equipment.
Guidance
Conditions that may affect the operation of equipment include:
• Untidy cabling
• Faulty air conditioning
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.9.1.5
Document Control
GISS Ref: 10-06
Version: V1.1 Minor wording changes to Target audience and Guidance
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the Company standard for the supply and maintenance of power
to the Company in support of the confidentiality, integrity and availability of Company
information and information assets.
• GISP 10
Target Audience
This standard applies to all Company premises. It is to be read by all IT and Technical
functions and Facilities Management.
Standards
10.07.01 Electricity supplies shall be monitored to ensure adequacy for the premises,
equipment and systems being supported.
10.07.02 Utilities will be regularly inspected and as appropriate tested to ensure their
proper functioning and to reduce any risk from their malfunction or failure.
Guidance
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.9.1.4, A.9.2.2, A.10.3.1
Document Control
GISS Ref: 10-07
Version: V1.1 (Reviewed)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
Overview
This document outlines the Company standard for the installation and
maintenance of cabling supporting IT Infrastructure within the Company.
This standard supports the Global Information Security Policy:
• GISP 10
Target Audience
This standard is to be read by all IT and Technical functions and Facilities
Management.
Standards
10.08.01 All cabling must be installed in a manner which will prevent trip
hazards in line with the Company Health and Safety Policy.
10.08.03 Only authorised technical users shall install cabling within the
Company.
Guidance
Enforcement
All employees, managers and contractors are required to comply with
Company Policies and Standards. Compliance with this standard shall be
monitored internally via compliance programs and security incident reports.
Failure to comply with any Policy or Standard may result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if
local legal, regulatory or contractual requirements require modification or
exception to this standard, then the exception must be documented and
reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.9.2.3
Document Control
GISS Ref: 10-08
Version: V1.1 (Reviewed)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
Overview
This document outlines the requirements for the maintenance of equipment supporting the
Company information systems.
This standard supports the Global Information Security Policy:
• GISP 10
Target Audience
This standard applies to all Company computing equipment. It is to be read by all IT and
Technical Functions and Facilities Management.
Standards
10.09.01 Computing equipment such as servers, PCs and mobile devices shall be
periodically checked to ensure that they are in working order.
10.09.02 Contracts shall be in place to ensure that all critical equipment and
supporting infrastructure such as cabling is adequately maintained.
10.09.03 All supporting utilities, such as electricity, water supply, heating, and air
conditioning will be managed to ensure they are adequate for the equipment
and services they are supporting.
10.09.04 Utilities will be regularly inspected and as appropriate tested to ensure their
proper functioning and to reduce any risk from malfunction or failure.
10.09.05 Maintenance records shall be retained in line with legal and regulatory
requirements.
Guidance
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.9.2.2, A.9.2.4
Document Control
GISS Ref: 10-09
Version: V1.1 (Improved wording in 10.9.2 and 10.9.3)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
Overview
This document outlines the requirements for maintaining the security of Company
equipment when removed from, or located off, Company premises, such as a third-party
co-location site.
This standard supports the Global Information Security Policy:
• GISP 10
Target Audience
This standard applies to all Company equipment. It is to be read by all IT and Technical
Functions, Facilities Management and Authorised Users.
Standards
10.10.01 Equipment stored within external party premises must be protected from
unauthorised access.
10.10.02 The location of equipment stored off Company premises must be recorded
within the Asset Inventory.
10.10.03 Equipment must be locked away securely when not in use and must not be
left unattended off-site.
Guidance
Laptops should be encrypted to prevent unauthorised access to information in the event of
loss or theft.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.9.2.5
Document Control
GISS Ref: 10-10
Version: V1.1 (Review)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
Overview
This document outlines the Company requirements for the disposal or re-use of equipment
within the Company.
This standard supports the Global Information Security Policy:
• GISP 10
Target Audience
This standard is to be read by all Authorised Users.
Standards
Removal of Data
10.11.03 Low cost and low value damaged devices must be physically destroyed
rather than sent for repair or discarded, unless documented approval is given
by Information Security.
10.11.04 Memory sticks, SD cards, magnetic tape and other low cost media must be
physically destroyed or degaussed when no longer required, to ensure that
information is non-retrievable.
10.11.05 Media which attracts a commercial re-use or re-sale value (such as server
discs) may only be released after all information or data held has been
certifiably irretrievably destroyed and purged.
Audit Trail
10.11.07 In the event that a third party is used for the removal of data prior to reuse,
or the disposal of equipment, reputable companies must be chosen and
certificates issued following disposal / destruction.
10.11.08 The asset inventory shall be updated with details of disposal or re-allocation
of equipment.
Guidance
Table 1: Media and Data Destruction Methods
Media Type         | Data Storage Mechanism | Suggested Removal Methods
Hard Disk Drives   | Non-volatile magnetic  | Pattern wiping, Physical destruction, Degaussing
CDROM/DVD-R        | Write-once optical     | Abrasion, Incineration
CD-RW/DVD-RW       | Write-many optical     | Abrasion, Incineration
Magnetic Tape      | Non-volatile magnetic  | Degaussing, Incineration
Flash Disk Drives  | Solid state            | Pattern wiping, Physical destruction
Paper Based        | -                      | Shredding, Incineration
Removal of Data
Clearing
All media should be treated the same regardless of data classification.
Typical clearing programs use sequential writes of patterned data, ensuring that data is
not easily recovered using standard techniques and programs. The overwrite should
involve at least three passes. A typical example is the following: the first pass writes a
fixed pattern and the second pass writes its complement (the 'mirror' of the first), thus
'blanking' the previous data on the disk; a final pass of random data then fills all
available space with meaningless information. Each fixed-pattern pass should be read
back to confirm that it reached the whole of the media.
Note that on solid-state (flash) media, wear levelling and spare blocks mean that a
software overwrite cannot be guaranteed to reach every cell; for flash devices holding
sensitive data, prefer the device's own secure erase function or physical destruction.
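The three-pass scheme described above, as an added example that is not part of the standard and is not any Company tool: it overwrites a target with a fixed pattern, then the complement of that pattern, then random bytes, reading the two fixed passes back to verify they covered the whole target. The target (a temporary file holding a constructed record marker), the 0x55 pattern byte and the chunk size are assumptions for illustration. Against real media you would open the block device node rather than a file, and on flash media this overwrite is not a substitute for the device's secure erase or destruction.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 16  # overwrite in 64 KiB pieces so large targets need little memory


def _write_pass(fd, size, make_chunk):
    """Overwrite bytes 0..size-1 of fd with data from make_chunk(n), then flush to media."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        buf = make_chunk(min(CHUNK, remaining))
        remaining -= len(buf)
        while buf:                       # os.write may write fewer bytes than asked
            written = os.write(fd, buf)
            buf = buf[written:]
    os.fsync(fd)                         # do not trust the page cache: force it out


def _verify_pass(fd, size, byte):
    """Read the target back and confirm every byte now equals the pattern byte."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        chunk = os.read(fd, min(CHUNK, remaining))
        if not chunk or chunk != bytes([byte]) * len(chunk):
            return False
        remaining -= len(chunk)
    return True


def clear_three_pass(path, pattern=0x55):
    """Pass 1: fixed pattern; pass 2: its bitwise complement (the 'mirror');
    pass 3: random data. Returns the verification result of the two fixed passes.
    Assumption: path is a regular file. For a block device, obtain size with
    os.lseek(fd, 0, os.SEEK_END) instead of os.path.getsize."""
    mirror = (~pattern) & 0xFF           # 0x55 (01010101) -> 0xAA (10101010)
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR)
    try:
        _write_pass(fd, size, lambda n: bytes([pattern]) * n)
        pass1_ok = _verify_pass(fd, size, pattern)
        _write_pass(fd, size, lambda n: bytes([mirror]) * n)
        pass2_ok = _verify_pass(fd, size, mirror)
        _write_pass(fd, size, secrets.token_bytes)   # final random fill
    finally:
        os.close(fd)
    return {"bytes": size, "pass1_verified": pass1_ok, "pass2_verified": pass2_ok}


def demo():
    """Constructed target: a temporary file holding a recognisable record marker."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"PATIENT RECORD 0001 " * 5000)   # 100,000 bytes of 'sensitive' data
        path = f.name
    try:
        result = clear_three_pass(path)
        with open(path, "rb") as f:
            result["marker_recoverable"] = b"PATIENT RECORD" in f.read()
        return result
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The read-back after each fixed pass is the check a practitioner wants: a pass that silently stopped short (a write error, a device that ignored the write) shows up as a verification failure rather than as a disk that merely looks wiped.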
Purging
After removal of media from its current security context there must be sufficient care taken
to ensure that data is irretrievable, even if specialised methods are used (e.g. platter
scanning or the use of electron microscopes).
Purging involves the use of more sophisticated tools and therefore requires specialist
personnel working within a controlled environment. Advise contractors that purging of the
media is required.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.9.2.6
Document Control
GISS Ref: 10-11
Version: V1.1
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
Overview
This standard sets out the Company requirements for requesting and granting of
Authorised User access to Company information and information systems.
This standard supports the Global Information Security Policy:
• GISP 11
Scope
This standard applies to all Company information and information systems.
Target Audience
This standard is to be read by all IT System Administration staff, IT Development
staff, HR Departments and all Information Asset Owners.
Requirements
Access Control
11.01.01 The Data Owner shall, in cooperation with Legal, Privacy, and Security
representatives, determine a formal procedure for all prospective Users
to follow to gain authorisation.
11.01.02 It is the Data Owner via his/her agents who provides authorisation for
access. The Data Owner’s decision is final.
11.01.06 The default access rights to information and systems must be “deny”
unless authorised.
11.01.07 Access Control Lists shall be developed and maintained on all systems
as appropriate and as determined by the Data Owner, in cooperation
with Legal, Privacy, and Security representatives.
Registration of Users
11.01.14 Any change to User access rights must be formally requested and
authorised. Changes to access rights must be recorded using the
Access Control List.
De-Registration of Users
11.01.18 When an Authorised User leaves the employment of the Company the
Authorised User’s line manager, acting as the agent for Data Owners,
must take all reasonable steps to ensure that:
c. the Authorised User and their new line manager are kept informed so
that new or adjusted access and privileges can be arranged and
authorised in a timely fashion.
Guidance
Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.
Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.11.1.1
Document Control
GISS Ref: 11-01
Version: V1.1 (Reviewed)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
Overview
This document outlines the Company requirements for the segregation of duties.
This standard supports the Global Information Security Policy:
• GISP 11
Target Audience
This standard applies to Company information and information systems and is to be read
by Authorised Users.
Standards
Responsibilities
11.02.01 Heads of Business units shall establish and put into place both physical and
logical structures that will reduce the possibilities of fraud, sabotage, misuse
of information, theft and other security compromises.
Management
11.02.02 Controls shall be implemented to ensure that individuals acting alone cannot
compromise the integrity of processing systems.
11.02.03 Job roles, associated functions and responsibilities shall be clearly defined,
separated, implemented and regularly reviewed.
Processes
11.02.05 High-risk activities shall be distributed across more than a single role to
reduce the risk of intentional or unintentional mistakes and/or manipulation
which could result in fraud, sabotage or misuse of information, e.g. a single
user must not be able to input, amend and authorise transactions.
Environments
11.02.06 There shall be clear distinction and segmentation between working
environments such as Development, User Acceptance Testing and
Production.
11.02.09 Where support personnel require access to live data or software libraries for
diagnosis purposes, only read access is permitted. Their activities must be
logged, preferably automatically, and full records kept for later perusal by
operations management and the Group Audit.
11.02.10 Where, in exceptional circumstances, read and update access to live data
and/or software is provided to support personnel under the direct control of
an authorised individual, the authorised individual is responsible for ensuring
that any actions taken by the support personnel via the sign-on are:
a) bona-fide,
b) appropriately logged,
Guidance
Whilst the standards above focus predominantly on IT systems and information,
segregation and/or separation of duties should be incorporated into all working
environments that could be susceptible to similar risks.
Development and Support personnel may not have access to live data and software,
current or historical, except under exceptional circumstances and with the written consent
of the Data Custodian or delegate. Procedures for retrospective authorisation not later
than the next working day are permitted. Such accesses should be recorded with full
details of the circumstances and the action taken. Where ‘read’ access is required on a
permanent basis, approval must be obtained from the Data Owner.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variation
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or variation to this standard,
then the variation must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.7.1.3, A.10.7.1, A.10.7.2, A.10.8.3
Document Control
GISS Ref: 11-02
Version: V1.1 (Minor changes to 11.02.10 to show immediate action is required)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
Overview
This standard sets out the Company requirements for the management of user
access to Company information and information systems.
This standard supports the Global Information Security Policy:
• GISP 11
Target Audience
This standard applies to Company information and information systems and is to be
read by Authorised Users.
Standards
Identification
11.03.01 All Authorised Users shall be issued with unique User Identifiers to
access systems and applications as authorised by Data Owners and
their agents.
11.03.03 Unique Identifiers are provided for use only by the named Authorised
User during their contracted term of employment and are used as a
mechanism to attribute actions and activities to an individual.
11.03.04 System administrators, technical staff and other ‘power users’ shall be
issued with and use unique User identifiers in order to attribute actions
and activities to the individual.
11.03.05 It is permissible for Authorised Users to have more than one unique
User Identifier assigned to them. This is useful in circumstances where
‘power’ privileges are not permanently required.
Authentication
11.03.08 Authentication mechanisms may include but shall not be limited to:
a. Passwords
b. Biometrics
c. Tokens
Authorisation
11.03.16 Authorised Users shall be granted access rights and privileges based
on their job role and on a need to know basis.
Management
Password Allocation
11.03.19 When allocating new User accounts, System administrators must not
set the initial password to an easily guessable word and must not set
the initial password to a known or easily guessable formula (such as
the unique User Identifier).
Password Protection
11.03.23 Passwords should not be written down, emailed, or stored in files, scripts
or code. Where this is unavoidable, suitable measures must be taken
to ensure that passwords remain secret and are not associated with
the User account.
11.03.25 Passwords must be suitably masked and must not appear in clear text
on logon screens.
11.03.27 The Authorised User is responsible for keeping their passwords safe. If
a User suspects that their password has been compromised, the
password should be reset.
Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.
Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or variation to this
standard, then the variation must be documented and reported to the IGEC Group
for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.11.2.3, A.11.2.4, A.11.5.2
Document Control
GISS Ref: 11-03
Version: V1.1 (Reviewed)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
Overview
This standard sets out the Company requirements for the management of network
access to the Company network.
This standard supports the Global Information Security Policy:
• GISP 11
Scope
This standard applies to all Company networks.
Target Audience
This standard is to be read by all technical staff responsible for the development and
maintenance of Company network infrastructure.
Requirements
Network Configuration and Firewalls
11.04.01 Company private networks must not connect directly to the Public
internet.
11.04.02 All Company private network connections to the Public internet must be
adequately protected by firewalls and other appropriate security
controls.
11.04.03 Web servers, file transfer systems, email gateways and other services
which need to be exposed to the Public internet must be adequately
protected in a DMZ area.
11.04.06 Changes to firewalls and network devices must follow a formal change
management process to ensure that changes are assessed for risk and
impact and are authorised before implementation.
11.04.09 ‘Power User’ access to all firewalls and network devices shall be
restricted to qualified and authorised personnel only.
Firewall Configuration
11.04.14 Firewalls must be configured to deny all traffic by default and then only
allow agreed and approved protocols to and from given IP addresses or
address ranges, or for specific services.
11.04.19 Firewalls must be configured to enable the auditing of allowed and
blocked traffic.
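An added example, not part of the standard and not any Company firewall configuration, of what "deny all, then allow" together with decision auditing means in practice: a small first-match rule evaluator whose implicit final action is deny, with every allow and deny decision appended to an audit log. The rule set, networks, ports and comments are constructed for illustration. The same first-match, default-deny evaluation is what 11.01.06 asks of access control lists generally.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source network, CIDR notation
    dst: str               # destination network, CIDR notation
    dport: Optional[int]   # destination port, None means any port
    comment: str = ""      # the approved business reason for the rule


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when protocol, source, destination and port all agree."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, audit: List[str]) -> str:
    """First-match evaluation. Traffic that no rule explicitly allows falls through
    to the default and is denied; both outcomes are written to the audit log."""
    flow = f"{pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}"
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            audit.append(f"{rule.action.upper()} rule#{index} {flow} ({rule.comment})")
            return rule.action
    audit.append(f"DENY default-policy {flow}")
    return "deny"


# Constructed rule set: only the agreed services are listed and there is deliberately
# no trailing 'allow any', so everything else hits the default deny. The explicit
# deny sits first because ordering decides which rule wins.
RULES = [
    Rule("deny",  "any", "10.0.99.0/24", "0.0.0.0/0",     None, "quarantined VLAN"),
    Rule("allow", "tcp", "10.0.0.0/8",   "192.0.2.10/32", 443,  "intranet users to web portal"),
    Rule("allow", "udp", "10.0.0.0/8",   "10.0.53.0/24",  53,   "internal DNS"),
]

# Constructed sample traffic covering allow, explicit deny and default deny.
SAMPLE_PACKETS = [
    Packet("tcp", "10.1.2.3",     "192.0.2.10", 443),  # approved: portal over HTTPS
    Packet("tcp", "10.1.2.3",     "192.0.2.10", 22),   # same hosts, unapproved port
    Packet("udp", "10.0.99.7",    "10.0.53.5",  53),   # quarantined host: deny rule wins
    Packet("tcp", "198.51.100.4", "10.1.2.3",   445),  # internet into the private network
]


def run_sample() -> Tuple[List[str], List[str]]:
    """Evaluate the sample traffic; returns (decisions, audit log lines)."""
    audit: List[str] = []
    decisions = [evaluate(RULES, pkt, audit) for pkt in SAMPLE_PACKETS]
    return decisions, audit


if __name__ == "__main__":
    for line in run_sample()[1]:
        print(line)
```

The point to check on a real device is the same as in this model: the last thing the evaluator does must be deny, not allow, and the default-deny path must log, since unlogged drops are exactly the traffic an investigation later needs to see.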
Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.
Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.11.4.1, A.11.4.6, A.11.4.7
Document Control
GISS Ref: 11-04
Version: V1.1 (Reviewed)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
Overview
This standard outlines the Company requirements for operating system access controls.
This standard supports the Global Information Security Policy:
• GISP 11
Target Audience
This standard applies to all Company applications and information systems. It is to be read
by all IT & Technical functions within the Company.
Standards
11.05.01 System Administrator access shall be limited to least privilege necessary.
11.05.02 System Administrator and system operator activities shall be logged and
include:
b. Information about the event (e.g. files handled) or failure (e.g. error
occurred and corrective action taken)
11.05.04 Access to systems and information must not be possible after an Authorised
User has left the business.
Guidance
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.10.6.4, A.11.6.1
Document Control
GISS Ref: 11-05
Version: V1.1 (Minor change to 11.05.01 to improve clarity)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
Overview
This standard outlines the Company requirements for access to applications and
information systems.
This standard supports the Global Information Security Policy:
• GISP 11
Target Audience
This standard applies to all Company applications and information systems. It is to be read
by all IT & Technical functions within the Company.
Standards
11.06.01 Access to applications and Information systems shall be restricted to
Authorised Users only, based on business need.
11.06.02 All servers and computers shall have a defined standard build based upon
role with relevant applications installed.
11.06.03 Access to applications and information systems further to the standard build
must be formally requested and authorised.
11.06.04 Access rights to applications and information systems and information must
be reviewed on a regular basis.
11.06.05 Information & system owners shall be responsible for defining the access
controls within their local applications.
11.06.06 Access to systems and information must not be possible after an Authorised
User has left the Company.
Guidance
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.11.5.1, A.11.5.3, A.11.6.1
Document Control
GISS Ref: 11-06
Version: V1.1 (Reviewed)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
Overview
This standard sets out the Company requirements for remote access to company
systems.
This standard supports the Global Information Security Policy:
• GISP 11
Scope
This standard applies to all Company networks which may be accessed from off-site.
Target Audience
This standard is to be read by all technical staff responsible for the development and
maintenance of Company network infrastructure and all users authorised to access
the Company network from off-site.
Standards
Remote Access
11.07.02 Remote access to a Company private network shall only be utilised for
authorised business purposes.
11.07.03 Remote access to a Company private network must only use secure
and encrypted VPN technologies; dial-up access is not permitted.
11.07.06 All users authorised for remote access must be configured to use VPN
access; dial-up access must not be used.
11.07.08 Remote access sessions must not exceed 5 hours in any one session.
Access must be configured to disconnect after this time.
11.07.10 Two-factor authentication is required for remote access via the public
internet to Company private networks and/or Company internal
applications where the information is classified as Level 2
(Confidential) or above. Remote access must also be authenticated in
accordance with Access Control Standards
11.07.11 Authorised Remote Access Users shall be issued with unique User
Identifiers to access systems and applications as authorised by Data
Owners and their agents.
Guidance
It is recommended that all remote access to the Company network use two-factor
authentication, i.e. that it be configured to require a token and/or a unique
certificate as the second factor.
Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.
Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.
References
Associated policies/procedures/standards: GISS 2-01
ISO 27001 Control Ref(s): A.11.7.1, A.11.7.2, A.11.5.6
Document Control
GISS Ref: 11-07
Version: V1.1 (Reviewed)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
Overview
This standard outlines the Company requirements for having defined operating
procedures to ensure security controls and processes are agreed and documented.
This standard supports the Global Information Security Policy:
• GISP 12
Scope
This standard applies to all Company technical systems, applications, networks,
hardware and software.
Target Audience
This standard is to be read by all IT Infrastructure, network, & application
development management functions.
Requirements
12.01.01 Standard operating procedures must meet the stated objectives in
Global Information Security Policy and meet Global Information
Security Standards
12.01.02 Operating procedures for all critical technical functions and processes
must be documented.
g. System backup
i. Overnight procedures
12.01.05 Procedures for all Systems and Application Support functions must be
documented. Procedures must include as a minimum provision for:
Guidance
Documented procedures are not meant to define step-by-step functions, but rely on
some measure of technical knowledge and expertise.
Processes should clearly define the steps involved and the roles and responsibilities.
Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.
Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.10.1.1, A.10.10.5, A.11.5.3, A.11.5.4, A.12.6.1
Document Control
GISS Ref: 12-01
Version: V1.1 (Reviewed)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
Overview
This document outlines the Company requirements for systems planning and acceptance.
This standard supports the Global Information Security Policy:
• GISP 12
Target Audience
This standard applies to IT and Technical functions.
Standards
Capacity Management
12.02.01 The use of resources must be monitored and projections made of future
capacity requirements to ensure the required system performance.
System Acceptance
12.02.04 All new systems and upgrades are to be controlled by the change control
process. No upgrade or system is to be implemented without prior approval.
12.02.07 Testing must be carried out to confirm that all acceptance criteria are fully
satisfied.
Guidance
Alerting should be enabled for capacity management to enable the IT function to
proactively manage disk space.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.10.3.1, A.12.2.2
Document Control
GISS Ref: 12-02
Version: V1.1 (Reviewed)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
Overview
This standard sets out the Company requirements for the protection of Company
information and information systems from malicious and mobile code. For the
purposes of this Standard, the term computer virus also includes worms and Trojans.
This standard supports the Global Information Security Policy:
• GISP 12
Scope
This standard applies to all Company information systems.
Target Audience
This standard is to be read by all technical employees and Authorised Users.
Standards
12.03.01 The Company shall implement measures designed to protect systems
from malicious and mobile code.
12.03.07 Company email servers and email gateways shall have suitable anti-
virus and anti-malware software installed and functioning correctly to
help ensure that all inbound and outbound email traffic is scanned and
that malicious software is prevented from continuing or executing.
12.03.08 Internet proxy servers shall have suitable anti-virus and anti-malware
software installed and functioning correctly to help protect the
Company private network.
12.03.10 Files loaded from an external source (e.g., e-mail, internet, CD, DVD,
USB drive) must be scanned for viruses.
12.03.12 Where users are authorised to use removable media, suitable anti-
virus controls and tools shall be installed and functioning correctly.
Guidance
Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.
Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.
References
Associated policies/procedures/standards:
ISO 27001 Control Ref(s): A.11.1.1
Document Control
GISS Ref: 12-03
Version: V1.1 (Reviewed)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012
12-04 Back-up
Overview
This standard sets out the Company requirements for the Back-up of Company
information.
This standard supports the Global Information Security Policy:
• GISP 12
Scope
This standard applies to all Company information to be backed up.
Target Audience
This standard is to be read by all technical staff responsible for the Back-up of
Company information.
Standards
12.04.01 All critical systems and data shall be backed up to provide recovery of
such systems in the event of a system or site failure. The Recovery
Point Objective (RPO) and Recovery Time Objective (RTO) are
normally calculated according to the Data Value determined by the
Data Owner. As a minimum, critical information should be backed up at
least daily.
12.04.02 The back-up, restore and recovery processes and procedures shall be
documented. Copies of documentation shall be stored off-site to allow
for access in the event of a site failure or lack of access.
12.04.06 Robust controls must be in place to ensure that Back-up data is not
misplaced, stolen, damaged or otherwise compromised at any time,
including in transit. These controls must be reviewed regularly.
12.04.07 All physical and logical security controls applied to information and data
at the primary site must be extended to cover information and data at
any Back-up or Disaster Recovery site.
12.04.08 Authorised Users are responsible for copying and backing up their own
unstructured Company data securely both when on-site and travelling
off-site.
Guidance
Clear guidance should be given to Authorised Users to ensure they understand the
requirements for Back-up of information they may have on laptops or other
removable media / devices.
Restore tests of Back-up media should be performed on a random sample of backups
to ensure that the backups are valid and can actually be restored.
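As an added illustration of the restore test described above (this is example code added here, not part of the Bupa standard or any Company tool), the following Python script records a size and SHA-256 manifest at backup time, compares a restored file set against it, picks a random sample of files for a spot check, and checks the age of the newest good backup against the one-day minimum of 12.04.01. The file contents, paths and dates are constructed for the example.

```python
import hashlib
import random
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample data standing in for the files captured by a nightly
# backup job; a real run would read the backup set and the restore target.
BACKED_UP_FILES = {
    "db/claims.sql": b"INSERT INTO claims VALUES (1, 'policy-1001', 250.00);\n",
    "docs/procedures.pdf": b"%PDF-1.4 constructed placeholder content\n",
    "config/app.ini": b"[app]\nmode = production\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Record size and SHA-256 of every file at backup time.

    The manifest is what a later restore test is checked against, so it is
    stored with the backup (and off-site, per 12.04.02), never recomputed
    from the restored data.
    """
    return {name: (len(data), sha256_hex(data)) for name, data in files.items()}


def verify_restore(manifest: Dict[str, Tuple[int, str]],
                   restored: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare a restored file set against the manifest.

    Returns one (path, problem) pair per discrepancy; an empty list means the
    restore reproduced every file byte for byte.
    """
    problems = []
    for name, (size, digest) in manifest.items():
        if name not in restored:
            problems.append((name, "missing from restore"))
            continue
        data = restored[name]
        if len(data) != size:
            problems.append((name, f"size {len(data)} != expected {size}"))
        elif sha256_hex(data) != digest:
            problems.append((name, "checksum mismatch"))
    for name in restored:
        if name not in manifest:
            problems.append((name, "not in manifest"))
    return problems


def pick_random_sample(manifest: Dict[str, Tuple[int, str]], k: int,
                       seed: int = None) -> List[str]:
    """Choose which backed-up files to restore for a spot check.

    The guidance asks for random tests; the seed is only for reproducible runs.
    """
    names = sorted(manifest)
    return random.Random(seed).sample(names, min(k, len(names)))


def rpo_met(last_successful_backup: datetime, now: datetime,
            rpo: timedelta = timedelta(days=1)) -> Tuple[bool, timedelta]:
    """Check the age of the newest good backup against the RPO.

    12.04.01 sets a daily minimum for critical information, so the default
    RPO is one day; Data Owners may set a tighter value.
    """
    age = now - last_successful_backup
    return age <= rpo, age


if __name__ == "__main__":
    manifest = build_manifest(BACKED_UP_FILES)
    # Simulate a restore in which one file came back silently altered.
    restored = dict(BACKED_UP_FILES)
    restored["db/claims.sql"] = restored["db/claims.sql"].replace(b"250.00", b"520.00")
    print("spot-check sample:", pick_random_sample(manifest, 2, seed=1))
    for path, problem in verify_restore(manifest, restored):
        print(f"RESTORE FAIL {path}: {problem}")
    ok, age = rpo_met(datetime(2011, 11, 20, 2, 0), datetime(2011, 11, 22, 9, 0))
    print("RPO met" if ok else f"RPO breached: newest good backup is {age} old")
```

The size check is kept separate from the checksum so that a truncated tape and a corrupted one are reported differently; the altered sample file keeps its length, so it is only the SHA-256 that catches it.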
Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.
© 2010 BUPA Company Internal 215
Global Information Security Policy & Standards
Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.10.5.1
Document Control
GISS Ref: 12-04
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This standard sets out the minimum security requirements for any company network
to ensure all networks are appropriately protected and secured.
• GISP 12
Scope
This standard applies to all Company internal and external networks, and external
party network connections.
Target Audience
This standard is to be read by all IT Administration, network & technical staff.
Standards
Network Configuration
12.05.02 Web servers, file transfer systems and email gateways that are
exposed to external access shall be secured in a DMZ, so that a
compromise of those systems does not give direct access to the
Company corporate network.
12.05.03 Direct routes from the internet to the internal network must not be
allowed. Network address translation must be implemented on all
inbound & outbound connections.
12.05.06 Changes to Firewalls and network devices shall follow a formal change
management process to ensure changes are detailed, assessed for
risk and impact, and authorised before implementation.
12.05.07 Administrator passwords for firewalls and network devices shall follow
the complexity requirements for Administrator / Privilege passwords.
Network Documentation
12.05.10 All firewall rules and ports in use must be documented and authorised
by the IT Manager. The documentation must include the system and
business reason for the rule.
12.05.11 External firewall rule sets must be reviewed every 6 months to ensure
all rules are still valid and acceptable.
12.05.14 Modems, access points or other network connectivity devices shall not
be connected directly to the network, unless authorised, or as part of
an approved and managed project, and approved by Information
Security.
12.05.18 All VPN connections must utilise strong passwords in line with the
Acceptable Use standard.
12.05.21 Split-tunnelling must be disabled on remote users’ laptops when the
VPN is in use, so that internet-based attacks on the laptop cannot be
routed back down the VPN into the Company network.
12.05.23 All network devices such as routers, firewalls etc. must be housed in
server rooms or data centres where physical access is recorded and
logged, so that they are protected from unauthorised access.
Guidance
• Firewalls should be configured:
o to deny all, and then only allow agreed and approved protocols to and
from given IP addresses or address ranges, or for specific services,
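As an added example of how 12.05.10, 12.05.11 and the deny-all guidance above can be checked mechanically against a documented rule set (example code added here, not Bupa tooling), the following Python script flags a missing final deny-all, allow rules that are not scoped to addresses and a single service, rules without a business reason or approver, deny-all rules that shadow later rules, and rules not reviewed within six months. The Rule fields, the sample rule set and the addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass
class Rule:
    rule_id: str
    action: str          # "allow" or "deny"
    src: str             # CIDR, single address or "any"
    dst: str             # CIDR, single address or "any"
    proto: str           # "tcp", "udp", "icmp" or "any"
    port: str            # destination port, range "a-b" or "any"
    reason: str          # business reason for the rule (12.05.10)
    authorised_by: str   # who approved it (12.05.10)
    last_reviewed: date  # last review date (12.05.11)


REVIEW_INTERVAL = timedelta(days=182)  # "every 6 months"


def _is_any(value: str) -> bool:
    return value.strip().lower() == "any"


def _is_deny_all(rule: Rule) -> bool:
    return (rule.action == "deny" and _is_any(rule.src) and _is_any(rule.dst)
            and _is_any(rule.proto) and _is_any(rule.port))


def review_ruleset(rules: List[Rule], today: date) -> List[Tuple[str, str]]:
    """Return (rule_id, finding) pairs for a rule set, in rule order.

    The rule set is assumed to be listed in the order the firewall evaluates
    it, so the deny-all must be last and any earlier deny-all hides the rest.
    """
    findings = []
    if not rules or not _is_deny_all(rules[-1]):
        findings.append(("RULESET", "no explicit deny-all rule at the end of the set"))
    for i, r in enumerate(rules):
        if r.action == "allow":
            if _is_any(r.src) and _is_any(r.dst):
                findings.append((r.rule_id, "allow rule with any source and any destination"))
            if _is_any(r.proto) or _is_any(r.port):
                findings.append((r.rule_id, "allow rule not limited to a specific service"))
            for label, value in (("src", r.src), ("dst", r.dst)):
                if not _is_any(value):
                    try:
                        ipaddress.ip_network(value, strict=False)
                    except ValueError:
                        findings.append((r.rule_id, f"{label} {value!r} is not an address or range"))
        if _is_deny_all(r) and i != len(rules) - 1:
            findings.append((r.rule_id, "deny-all rule shadows every later rule"))
        if not r.reason.strip():
            findings.append((r.rule_id, "no documented business reason"))
        if not r.authorised_by.strip():
            findings.append((r.rule_id, "no recorded authorisation"))
        overdue = (today - r.last_reviewed) - REVIEW_INTERVAL
        if overdue > timedelta(0):
            findings.append((r.rule_id, f"review overdue by {overdue.days} days"))
    return findings


# Constructed sample rule set in firewall evaluation order (addresses are
# documentation ranges, not Company hosts).
SAMPLE_RULES = [
    Rule("FW-001", "allow", "any", "203.0.113.10/32", "tcp", "443",
         "Public web server in DMZ", "IT Manager", date(2011, 9, 1)),
    Rule("FW-002", "allow", "198.51.100.0/24", "203.0.113.20/32", "tcp", "22",
         "", "", date(2011, 2, 1)),
    Rule("FW-003", "allow", "any", "any", "any", "any",
         "Temporary troubleshooting", "IT Manager", date(2011, 10, 15)),
    Rule("FW-999", "deny", "any", "any", "any", "any",
         "Default deny", "IT Manager", date(2011, 9, 1)),
]

if __name__ == "__main__":
    for rule_id, finding in review_ruleset(SAMPLE_RULES, date(2011, 11, 22)):
        print(f"{rule_id}: {finding}")
```

Run against the sample on 22 Nov 2011 it reports FW-002 three times (no reason, no approver, review overdue) and FW-003 twice (any-to-any, no service); FW-001 is an ordinary inbound web rule and passes. Dropping FW-999 from the list produces the RULESET finding, which is the condition the deny-all guidance above is meant to rule out.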
Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.
Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.10.6.2, A.11.4.3, A.11.4.4, A.11.4.5, A.11.5.6
Document Control
GISS Ref: 12-05
Version: V1.1 Corrected error in 12.05.19
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This standard outlines the Company requirements for Authorised Users when
exchanging Company information with external parties.
• GISP 12
Scope
• This standard applies to all information exchanged with external parties
Target Audience
This standard is to be read by all Authorised Users exchanging information with
external parties.
Standards
12.06.01 Exchange agreements shall be in place with all external parties where
there is a requirement to exchange information on a regular basis.
12.06.03 For any process involving the regular or automated exchange of level 2
and level 3 information with external parties, a formal exchange
agreement must be in place, stating the following as a minimum:
12.06.05 Retention requirements and policies must be specified for any level 3
information sent to external parties, to ensure information is only
retained for as long as is required and is then disposed of securely.
Guidance
Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.
Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or variation to this
standard, then the variation must be documented and reported to the IGEC Group
for approval.
References
Associated policies/ procedures/ standards: NHS IG Toolkit (UK)
ISO 27001 Control Ref(s): A.10.8.1, A.10.8.2
Document Control
GISS Ref: 12-06
Version: V1.1
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This standard sets out the requirements for the monitoring of technical compliance within
the company.
• GISP 12
Target Audience
This standard applies to Company computer systems. It is to be read by all IT &
Technical functions within the Company.
Standards
a. Success of backups.
b. System, server and domain log checks for errors, failures and suspicious
activity.
12.07.05 Critical system logs for serious errors and suspicious activities must be
reviewed on a regular basis. If a suspected breach or major problem is
detected, the incident reporting process must be followed immediately.
12.07.06 Event logs will be configured to ensure sufficient records are maintained.
12.07.07 Access to event logs will be restricted to those IT staff who are responsible
for monitoring systems.
Software Licensing
12.07.08 Without prior approval, Authorised Users must not:
b. Share any software with any external party or colleague (for example
consultants or customers).
12.07.09 Formal license inventories for all software shall be maintained by the IT
department.
12.07.10 During the procurement process, all software licenses will be recorded in the
software inventory.
Guidance
Ideally all systems and applications should record the following activities:
• All individual accesses to data
• All actions taken by any individual with root or administrative privileges
• Access to all audit trails
• Invalid logical access attempts
• Use of identification and authentication mechanisms
• Initialization of the audit logs
• Creation and deletion of system-level objects
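As an added example of the log review called for in 12.07.05 over the kinds of activity listed above (example code added here, not Bupa tooling), the following Python script runs three simple detections over constructed Linux auth-log lines: repeated invalid access attempts from one source, use of root privileges through sudo, and privileged commands that touch the audit trail. The hostname, addresses, user names and the five-attempt threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import List, Tuple

# Constructed sample auth-log lines (documentation addresses, made-up users).
SAMPLE_LOG = """\
Nov 22 09:01:12 srv01 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Nov 22 09:01:15 srv01 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Nov 22 09:01:19 srv01 sshd[2212]: Failed password for invalid user test from 198.51.100.7 port 51025 ssh2
Nov 22 09:01:22 srv01 sshd[2214]: Failed password for root from 198.51.100.7 port 51027 ssh2
Nov 22 09:01:26 srv01 sshd[2216]: Failed password for root from 198.51.100.7 port 51030 ssh2
Nov 22 09:02:40 srv01 sshd[2231]: Accepted publickey for jsmith from 10.0.5.12 port 40110 ssh2
Nov 22 09:03:02 srv01 sudo: jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/rm -f /var/log/audit/audit.log
Nov 22 09:05:00 srv01 sshd[2250]: Failed password for oracle from 10.0.5.13 port 40200 ssh2
"""

# Patterns for the OpenSSH and sudo message formats used in the sample.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")

# Anything a privileged command does to these is worth a human look
# (guidance: "access to all audit trails", "initialization of the audit logs").
AUDIT_TRAIL_MARKERS = ("/var/log", "/var/audit", "auditctl")


def analyse(lines: List[str], threshold: int = 5) -> List[Tuple[str, str]]:
    """Return (severity, message) alerts for a batch of log lines.

    Successful logins and sudo use are recorded as "info" so the reviewer sees
    who did what as root; brute-force patterns and audit-trail tampering are
    raised as "high" for the incident reporting process.
    """
    alerts = []
    failed_by_src = defaultdict(list)  # source address -> user names tried
    for line in lines:
        line = line.rstrip()
        m = FAILED_RE.search(line)
        if m:
            failed_by_src[m.group(2)].append(m.group(1))
            continue
        m = SUDO_RE.search(line)
        if m:
            user, target, cmd = m.groups()
            alerts.append(("info", f"privileged command by {user} as {target}: {cmd}"))
            if any(marker in cmd for marker in AUDIT_TRAIL_MARKERS):
                alerts.append(("high", f"possible audit-trail tampering by {user}: {cmd}"))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            alerts.append(("info", f"login by {m.group(2)} from {m.group(3)} using {m.group(1)}"))
    for src, users in failed_by_src.items():
        if len(users) >= threshold:
            alerts.append(("high", f"{len(users)} failed logins from {src} against {sorted(set(users))}"))
    return alerts


if __name__ == "__main__":
    for severity, message in analyse(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {message}")
```

Counting failures per source rather than per account is what makes the password-guessing pattern visible: the five attempts in the sample are spread over three user names, so a per-account threshold would never fire. The single failed login for "oracle" from an internal address is below the threshold and produces nothing, which is the intended trade-off between noise and coverage.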
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.6.1.8, A.10.10.1, A.10.10.2, A.15.1.2, A.15.2.2
Document Control
GISS Ref: 12-07
Version: V1.1 Reworded 12.07.02 to give better clarity
Release date: 22 Nov 2011
Next review: Dec 2012
Overview
This standard outlines the Company requirements and processes for managing changes
to systems, applications and information.
• GISP 12
Target Audience
This standard applies to all functions, and covers any changes which impact Company
information systems. It is to be read by all Authorised Users.
Standards
12.08.01 All changes, updates and modifications to hardware, software, networks,
systems, and applications shall be subject to formal change control
procedures.
12.08.02 Minor changes which are exempt from change control processes must be
formally documented and approved.
12.08.03 All major changes must be authorised and tested before being implemented.
a. Description of change.
b. Proposed timescales.
e. Test plans.
12.08.05 All new systems and changes shall be subject to formal testing in a test
environment (separate to the live environment) before being released to the
live / production environment.
12.08.06 Testing procedures shall include recording of bugs and issues which must
be recorded and resolved prior to the change being released into the live/
production environment.
12.08.09 Whenever there are changes to the operating system on critical systems –
e.g. upgrade to a new version of OS - the system will be tested and reviewed
to ensure:
e) Update the information asset list with relevant details of any new
information asset.
12.08.10 All changes to operating systems for critical systems must be subject to
formal approval prior to implementation.
Guidance
Change control processes may be relatively simple – a single sheet detailing the change,
risks, impact, test procedures & approval may suffice. It is important to define the relevant
persons responsible for approval of changes, to make sure all changes are acceptable
and have been thought through.
Minor / emergency changes such as a server re-boot, replacing a hard disk in a RAID set
etc. may not require the formal change process; please consult your local Information
Security Department. However, every change should either go through the formal change
process or be on the pre-approved list.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.10.1.2, A.12.5.1, A.12.5.2
Document Control
GISS Ref: 12-08
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This standard outlines the Company requirements for the management of technical
vulnerabilities, including patching and the need for regular technical security testing of
Company infrastructure and systems.
• GISP 12
Target Audience
This standard applies to all Company infrastructure and systems, including PCs and
servers. It is to be read by all IT & Technical functions within the Company.
Standards
Patch Management
12.09.01 The Data Custodian is responsible for ensuring that systems are kept up to
date with all appropriate vendor security-relevant upgrades and patches.
12.09.03 Critical security patches must be applied within one month of release.
12.09.06 A risk assessment of all new systems and those undergoing change is to be
undertaken to identify the requirements for security testing.
12.09.07 Systems and applications that are designed to use or interface with the
public internet require security testing.
12.09.08 Systems subject to PCI DSS must be subject to regular security testing and
vulnerability scanning at the frequency specified in the Standard.
12.09.09 All new applications processing sensitive data must, as a minimum, undergo
functional security testing to verify appropriate access controls have been
implemented.
12.09.10 Security testing must be carried out in a manner that does not in itself
introduce more significant vulnerabilities than those it seeks to mitigate.
12.09.12 Data Owners must formally accept all residual risk identified through security
testing prior to the promotion of systems to the live environment.
12.09.13 Security testing must only be carried out by qualified and authorised
personnel.
12.09.14 Vendors engaged in security testing activity must undergo thorough due
diligence activity and be subject to strict NDAs.
Guidance
Upgrades and patches that may adversely affect live functionality, or that offer no practical
solution benefit, should not be implemented on live systems.
Security testing can include functional security testing, application security penetration
testing, vulnerability scanning, server build reviews and database configuration reviews.
Priority should be given to externally facing systems; however, some critical internal and
highly sensitive systems might also attract specialist security testing routines.
It is recommended that vulnerability testing be conducted for all new systems and
applications that process sensitive data.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the variation must be documented and reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.6.1.8, A.12.6.1, A.15.2.2, A.15.3.1, A.15.3.2
Document Control
GISS Ref: 12-09
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the requirements for the protection of Company Information
Systems.
• GISP 13
Target Audience
This standard applies to all Company Information Systems. It is to be read by IT and all
Technical Functions.
Standards
13.01.01 Information Security requirements and specifications shall be addressed at
the planning stages of Information System projects.
13.01.03 The project manager is accountable to the Data Owner for ensuring that
appropriate and adequate Security has been applied.
Guidance
Considerations when looking at the security of development and maintenance must
include:
• Access control to data and applications
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.10.1.4, A.11.6.2, A.12.1.1, A.12.4.3
Document Control
GISS Ref: 13-01
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the requirements for the processing and development of
applications.
• GISP 13
Target Audience
This standard is to be read by IT and Technical Functions, particularly Development
functions.
Standards
13.02.01 Input and output data in applications shall, where appropriate, be subject to
validation tests.
13.02.02 User screens designed for user input shall have input fields validated to
ensure data is accurate, for example date fields, title, numerical, etc.
Out-of-range values.
Unauthorised file types.
Invalid characters in data fields.
Missing or incomplete data.
Exceeding upper and lower data volume limits.
Unauthorised or inconsistent control data.
b. Periodic review of the content of key fields or data files to confirm their
validity and integrity.
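As an added example of the input and control-data checks listed under 13.02.02 (example code added here, not Bupa code), the following Python validator applies those checks to a constructed batch of claim records: missing data, invalid characters, out-of-range dates and amounts, unauthorised attachment file types, a per-batch volume limit, and a batch header whose record count and total must agree with the records it controls. Field names, limits, allowed titles and file types are assumptions for the example.

```python
import re
from datetime import date
from typing import Dict, List

# Validation rules assumed for the example; a real system takes these from
# its data dictionary.
ALLOWED_TITLES = {"Mr", "Mrs", "Ms", "Miss", "Dr"}
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z '\-]{0,49}$")  # letters, space, apostrophe, hyphen
ALLOWED_ATTACHMENT_TYPES = {".pdf", ".jpg", ".png"}
AMOUNT_MAX = 50000.00
MAX_RECORDS_PER_BATCH = 1000
REQUIRED = ("title", "surname", "date_of_birth", "amount", "attachment")


def validate_record(rec: Dict[str, str], today: date) -> List[str]:
    """Return the validation errors for one input record (empty list = valid)."""
    errors = []
    for field in REQUIRED:
        if not str(rec.get(field, "")).strip():
            errors.append(f"{field}: missing")
    if errors:
        return errors  # nothing further can be checked reliably

    if rec["title"] not in ALLOWED_TITLES:
        errors.append("title: not an allowed value")
    if not NAME_RE.match(rec["surname"]):
        errors.append("surname: invalid characters or length")

    try:
        dob = date.fromisoformat(rec["date_of_birth"])
        if not (date(1900, 1, 1) <= dob <= today):
            errors.append("date_of_birth: out of range")
    except ValueError:
        errors.append("date_of_birth: not a valid ISO date")

    try:
        amount = float(rec["amount"])
        if not (0 < amount <= AMOUNT_MAX):
            errors.append("amount: out of range")
    except ValueError:
        errors.append("amount: not numeric")

    name = rec["attachment"]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if "/" in name or "\\" in name or ".." in name:
        errors.append("attachment: path components not allowed")
    elif ext not in ALLOWED_ATTACHMENT_TYPES:
        errors.append("attachment: unauthorised file type")
    return errors


def validate_batch(header: Dict[str, str], records: List[Dict[str, str]],
                   today: date) -> Dict[str, object]:
    """Validate a batch: volume limit, header control data, then each record."""
    result = {"batch": [], "records": {}}
    if len(records) > MAX_RECORDS_PER_BATCH:
        result["batch"].append(f"record count {len(records)} exceeds limit {MAX_RECORDS_PER_BATCH}")
    if int(header.get("record_count", -1)) != len(records):
        result["batch"].append("header record_count does not match number of records")
    total = 0.0
    for r in records:
        try:
            total += float(r.get("amount", 0))
        except ValueError:
            pass  # reported per record below
    if abs(float(header.get("total_amount", 0)) - total) > 0.005:
        result["batch"].append("header total_amount does not match sum of record amounts")
    for i, rec in enumerate(records):
        errs = validate_record(rec, today)
        if errs:
            result["records"][i] = errs
    return result


# Constructed sample batch: one clean record, one with hostile input, one
# with out-of-range values, and a header total that no longer matches.
SAMPLE_HEADER = {"record_count": "3", "total_amount": "1450.00"}
SAMPLE_RECORDS = [
    {"title": "Mrs", "surname": "O'Neill", "date_of_birth": "1975-04-12",
     "amount": "250.00", "attachment": "receipt.pdf"},
    {"title": "Mr", "surname": "Smith<script>", "date_of_birth": "1980-01-01",
     "amount": "1200.00", "attachment": "invoice.exe"},
    {"title": "Dr", "surname": "Khan", "date_of_birth": "2030-05-05",
     "amount": "75000", "attachment": "../scan.pdf"},
]

if __name__ == "__main__":
    report = validate_batch(SAMPLE_HEADER, SAMPLE_RECORDS, date(2011, 11, 22))
    for problem in report["batch"]:
        print("BATCH:", problem)
    for index, errs in report["records"].items():
        print(f"record {index}: {'; '.join(errs)}")
```

The attachment check rejects path separators before it looks at the extension, so "../scan.pdf" is refused even though it ends in an allowed type; the header total is compared with a small tolerance because amounts are parsed as floating point.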
13.02.08 Specific areas that will be considered, developed and tested, as appropriate,
include:
d. Checks to ensure that programs run in the correct order and terminate
in case of failure, and that further processing is halted until the
problem is resolved.
13.02.10 Data output from an application system should be validated to ensure that
the processing of stored information is correct and appropriate to the
circumstances. Typically, systems are constructed on the premise that,
having undertaken appropriate validation, verification and testing, the
output will always be correct. This is not always the case.
13.02.11 The following controls for output validation will be considered, developed and
tested as appropriate:
Guidance
Data Validation checks should include:
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.12.2.1, A.12.2.2, A.12.2.3, A.12.2.4
Document Control
GISS Ref: 13-02
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the Company standard for encryption which may be required to
protect sensitive information that is vulnerable to unauthorised access, either in
transmission or storage.
This standard supports the Global Information Security Policy:
• GISP 13
Target Audience
This standard applies to IT and Technical functions.
Standards
Data Encryption
13.03.01 Level 3 information shall be encrypted when stored or sent externally.
13.03.02 Nominated individuals must be assigned within the Company for the
implementation of the encryption policy, including the generation and
management of cryptographic keys.
13.03.03 Where cryptographic controls are deployed they will be obtained from
commercially available sources and comply with any local legal and
regulatory requirements.
Key Management
13.03.05 Key management shall be in place to support the Company’s use of
cryptographic techniques.
13.03.06 Cryptographic keys used must be protected against modification, loss and
destruction.
j. Destroying keys.
Guidance
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.12.3.1, A.12.3.2, A.15.1.6
Document Control
GISS Ref: 13-03
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the requirements for the protection of system files.
This standard supports the Global Information Security Policy:
• GISP 13
Target Audience
This standard applies to all Company system files and is to be read by IT and Technical
Functions.
Standards
13.04.01 Access to system files shall be restricted to authorised persons only.
13.04.03 Copies of system documentation and backups of files shall be stored off site
where possible for recovery purposes and in accordance with the Company
Business Continuity Plan.
Guidance
System files include:
• Log information
• Source code
• System documentation
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.10.7.4, A.10.10.3, A.12.4.3, A.12.5.3
Document Control
GISS Ref: 13-04
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Overview
This document outlines the requirements for Business Continuity planning throughout the
Company.
• GISP 14
Target Audience
This standard applies to all critical processes and systems and should be read by
Management.
Standards
14.01.03 Events that can cause interruptions to business processes and the
probability and impact of such interruptions and their consequences for
information security shall be identified and documented.
14.01.06 Business continuity plans shall be tested and updated regularly to ensure
that they are up to date and effective.
Guidance
Testing of Business Continuity Plans can take the form of telephone cascades, tabletop
scenarios and full physical tests.
Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.
Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.
References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.14.1.1, A.14.1.2, A.14.1.3, A.14.1.4, A.14.1.5
Document Control
GISS Ref: 14-01
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
Glossary
The glossary is to provide clarification of the terms within the Global Information Security Policy
and Global Information Security Standards.
Access Control List – A list detailing the access rights of all Authorised Users to information and
information systems and applications/ databases.
Alternate Work Location - Approved work sites other than the Authorised User’s designated
primary office location where Company business is performed. Such locations may include, but are
not necessarily limited to employees’ homes and other Company offices.
Authorised User - refers to an individual expressly authorised by the Company to access Company
information and/or information systems.
Authentication Controls -
Business Owner – the person or persons in the Company Workforce who is/are ultimately
responsible for the Company’s relationship with an external party.
Business Unit – A subgroup (department or organisation) within the Company that manages or
performs a particular function.
CIO, COO, CSO, SO, PO – Chief Information Officer; Chief Operating Officer; Chief Security
Officer; Security Officer; Privacy Officer.
CISO- Corporate Information Security Office. Organization responsible for security practices and
policies at the Company.
Company- All companies which operate under the Bupa, Health Dialog, Sanitas brands.
Company Equipment/ Devices – Hardware devices issued by the Company including but not
limited to desktop computers, laptops, and hand-held communication devices (e.g., mobile
phones, PDAs, pagers, and hand held PCs).
Company Location – Any physical site the Company provides to its employees and/or independent
contractors where the Company controls and/or enforces physical security and technology
standards. This includes, but is not limited to, headquarters buildings, regional offices and
coaching centers, whether owned or leased.
Company Network – Any network equipment provided by the Company to facilitate the
transmission of electronic information and communications within and between Company
Locations. This includes local area networks within Company Locations, wide area networks
connecting Company Locations and all associated hardware, software and transmission
components. When the Company provides connections to non-Company locations or public
networks (e.g., business partner locations, the Internet, employees’ homes), the Company
Network ends at the properly secured gateway (e.g., firewall, router, access server) device.
Components – Any device, peripheral or component part such as a diskette, external hard
drive, battery, etc.
Confidential Information – Refer to the Data Classification Schemes Standard for more details on
definitions of Confidential Information.
Computer Security Incident Response Team (“CSIRT”) – The CSIRT is comprised of Security and
IT Operations leaders. This group is responsible for the detection and containment of computer
security breaches. It follows normal investigative procedures, which include: Detection and
Containment, Reporting, Criminal Determination, Determination of Disclosures, and Proper
Courses of Action. This group reports to the Crisis Management Team in a crisis situation.
Contractor – An external party that the Company hires to perform a particular job or assignment.
Corrective Action Plan (“CAP”) – A document prepared by the Company, a Client or a Vendor to
address non-compliance issues through planning actions, timeframes and penalties to correct the
deficiencies.
Data Access Administrator – Individuals authorised by a Data Owner to provide operational access
to the data.
Data Centre – A secure Company Location that houses computer systems and associated
components such as telecommunications and storage.
Data Owner – The Data Owner is responsible for the classification of data under their control. The
Data Owner may be the creator, recipient, or primary user of the data. The Data Owner may
authorise access and use levels of the data. There shall be only one Data Owner for any specific
data.
Data Processor – Individuals authorised by the Data Owner and enabled by the Data Access
Administrator to enter, modify, or delete data. The Data Processor has all the powers of the Data
User.
Data User – Anyone in the Company authorised by the Data Owner to access data but is not
authorised to enter, modify, or delete it.
Disclosure - The release, transfer, provision of, access to, or divulging in any other manner of
Confidential Information outside the Company.
E
E-Mail – An electronic message sent from one person to another through the Systems and/or over
the Internet, including, without limitation, any header information, notes, documents, files and other
attachments, transferred or stored electronically by computer system. “E-Mail” includes messages
transferred using the mail transfer features of an application, such as Microsoft® Word or Excel.
Electronic Communication – Any method used to convey a message that has been transmitted via
electronic means such as E-Mail, video conferencing, etc.
Exception- An exception may occur when a standard cannot be complied with due to exceptional
circumstances. All exceptions must be documented and submitted to the IGEC for approval.
External Party - Any person, group of persons, company not related to the group. An external
party includes business associates, contractors and consultants who have entered into an external
party agreement with the Company to exchange confidential data in any format.
Help Desk – A function within IT that provides support for the Company’s Systems.
Information Security- the process the Company uses to protect Systems and Data from
unauthorised access, use, disclosure, disruption, modification, or destruction.
Information System – Any software or electronic system the Company owns, operates, maintains,
or provides and authorises for use in storing, accessing, analysing and manipulating business
information. This includes, but is not limited to, business application systems, databases, Internet
and intranet web sites, file servers and document management systems.
Information Technology Operations – Any Company-managed organisation that has been properly
authorised to provide specific business support services, network and other electronic systems to
or on behalf of Company business operations and organisations.
Incident Log- A record of all reported information security incidents, e.g. spreadsheet, database.
M
Mobile Devices- Mobile devices include laptops, mobile phones, Blackberry and iPhones.
Monitoring- the processes the Company uses to ensure compliance with its policies, procedures
and expectations including legal responsibilities. Monitoring may be in the form of reviewing,
reading, accessing, disclosing or taking any other means necessary to protect and safeguard
Company systems or information.
Non-Company Equipment- Equipment not owned or authorised by the Company to be used for
Company business.
Operating System – The system utilised by the Company as a platform to run software
applications.
P
Policy – A formal statement of Company rules governing acceptable use, security practices, and
operational procedures.
Privacy - An individual's interest in limiting who has access to individually identifiable information.
Public System(s) – These Systems contain information which can be made available to
anyone without exception.
R
Remote Access – Authorised access to the Company network from a Remote Location (a site that is
not under Company control).
Remote Location – Any site at which Company employees, contractors and other workers may
conduct business, but where the Company does not have direct control over physical security and
technology configurations. This includes, but is not limited to, business partner locations,
employees’ homes, hotels and office space shared with non-Company organisations.
Remote User – An Authorised User who has permission from the Company to access the
Company network from a Remote Location (hotel, client office, home, other).
Security Incident – Any potential or actual event which affects the confidentiality, integrity and/or
availability of Company information and/or information systems.
Security Officer – The individual responsible for managing and administering information
security policies and practices for the Company.
Sensitive System(s) – These Systems contain information which may be made available to
individuals who are not Authorised Users (e.g. customers and partners), but only subject to
limitations on access.
Service Desk – A function within IT that provides support for the Company’s Systems.
System(s) Owner – The custodian of the system, responsible for determining its classification.
System(s) Administrator – Person responsible for technical administration of information/
technical systems.
System(s) Operator – A person authorised to use the system.
T
Third Party - A third party includes business associates, contractors and consultants who have
entered into a third party agreement with the Company to exchange confidential data in any
format. A Third Party may also be referred to as an External Party.
Third Party Vendor - A business organisation that provides goods or services to or on behalf of the
Company.
U
Unauthorised User – A person who is not authorised by the Company to access information and/or
information systems. This includes, for example, family members and external parties.
V
Visitor – A party other than an Employee or Authorised User who enters Company premises for
business purposes.
W
X
Y
Z
References
Associated policies/procedures/standards: All Global Information Security Policies and Standards
ISO 27001 Control Ref(s):
Document Control
GISS Ref:
Version:
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012