
Global Information Security

Policy & Standards


Version & Id: 1.7
Version Date: 11/10/11
Status: Final
Date Last Printed:
Owner: GTIS on behalf of Information Governance Executive Committee
Author: Information Governance Executive Council

© 2010 BUPA Company Internal 1


Preface from the Bupa Chief Executive

As an integrated healthcare company, Bupa maintains patient, customer and other
information, which must be protected for ethical, legal, regulatory and commercial
reasons.

I am very pleased to introduce the Bupa Global Information Security Policy, which
has been developed in accordance and compliance with the international security
standard and code of practice ISO/IEC 27001:2005.

The Global Information Security Policy informs us of our responsibilities and
behaviours and provides help and guidance on how Bupa’s information must be
treated and protected. Key responsibilities include the following:

• All Bupa employees must comply with the policy at all times.
• It is the responsibility of each CEO / Managing Director / Group Director to
ensure that the requirements of this Bupa Global Information Security Policy
and associated Standards are incorporated into business specific operating
procedures. These should also incorporate appropriate local legal &
regulatory requirements as well as any local policies and guidelines set by
medical governing bodies, and should include as a minimum local data
protection laws & regulations, and where applicable the Payment Card
Industry Data Security Standard (PCI DSS).
• Management is expected to take an active role in promoting the policy as well
as ensuring that employees and others comply with it. Management must also
ensure that any breaches of the policy are acted upon promptly.
If you have any queries regarding this policy or security issues in general, please
contact your local information security team.

Ray King
Chief Executive
January 2011



Table of Contents

INTRODUCTION .................................................................................................................................... 7

Company Responsibility.................................................................................................................... 10

Employee Responsibility ................................................................................................................... 11

Human Resources Responsibility .................................................................................................... 12

Information Classification ................................................................................................................. 13

Incident Management ......................................................................................................................... 14

Access to Bupa Information and Information Systems ................................................................. 15

Electronic Communication Services ................................................................................................ 16

Computing and Related Equipment ................................................................................................. 18

Compliance ......................................................................................................................................... 19

Physical and Environmental Security of Information and Technology ........................................ 20

Management of Access Control........................................................................................................ 22

Operations and Support .................................................................................................................... 23

Information Systems Acquisition, Development and Outsourcing............................................... 24

Business Continuity........................................................................................................................... 25

01.01 Company Information Governance Framework................................................................ 26

01.02 Information Security Policy and Standards Framework ...................................................... 32

02.01 Acceptable Use......................................................................................................................... 35

02.02 Authorised User Responsibility.............................................................................................. 45

02.03 Engagement and Management of External Service Providers ............................................ 48

03.01 Recruitment............................................................................................................................... 55

03.02 During Employment ................................................................................................................. 58

03.03 Training and Awareness .......................................................................................................... 60

03.04 Termination or Change of Employment ................................................................................. 63

03.05 Data Privacy .............................................................................................................................. 66

04.01 Information Classification Scheme ........................................................................................ 68



04.02 Information Asset Identification and Ownership .................................................................. 75

04.03 Electronic Data and Information Handling............................................................................. 79

04.04 Physical Media and Paper Handling....................................................................................... 82

04.05 Secondary Use of Information ................................................................................................ 85

05.01 Identifying and Reporting Information Security Incidents................................................... 87

05.02 Managing Information Security Incidents.............................................................................. 90

05.03 Managing Information Security Improvement ....................................................................... 95

06.01 User Identification and Registration....................................................................................... 98

06.02 System and Electronic Information Access Management ................................................. 101

06.03 Clear Desk ............................................................................................................................... 105

07.01 Electronic Communications – Enterprise Based Services and Systems......................... 108

07.02 Company Provided Mobile Device Security ........................................................................ 112

07.03 Multifunctional Devices ......................................................................................................... 115

07.04 Connecting Non-Company Equipment ................................................................................ 118

07.05 Wireless Connection .............................................................................................................. 120

08.01 Company Laptops .................................................................................................................. 124

08.02 Digital Cameras and Recording Devices ............................................................................. 127

08.03 Mobile Devices........................................................................................................................ 129

08.04 Removable Storage Devices ................................................................................................. 131

08.05 Screensavers (Authorised Users)......................................................................................... 135

08.06 Screensavers and Session Time-out.................................................................................... 137

09.01 Legal and Regulatory Requirements.................................................................................... 140

09.02 Compliance with Information Security Policy and Standards ........................................... 143

10.01 Physical Security Perimeters ................................................................................................ 146

10.02 Physical Entry Controls ......................................................................................................... 149

10.03 Securing Offices, Rooms and Facilities............................................................................... 152

10.04 Working in Secure Areas ....................................................................................................... 154



10.05 Delivery and Loading Areas .................................................................................................. 157

10.06 Equipment Location and Protection..................................................................................... 159

10.07 Power Supplies....................................................................................................................... 162

10.08 Cabling Security ..................................................................................................................... 164

10.09 Equipment Maintenance ........................................................................................................ 166

10.10 Security of Equipment Off-Premises.................................................................................... 168

10.11 Secure Disposal or Re-Use of Equipment ........................................................................... 170

11.01 Business Requirement for Access Control ......................................................................... 174

11.02 Segregation of Duties ............................................................................................................ 179

11.03 User Access Management ..................................................................................................... 182

11.04 Network Access Controls ...................................................................................................... 188

11.05 Operating System Access Controls ..................................................................................... 193

11.06 Application and Information System Access Controls ...................................................... 196

11.07 Mobile Computing and Remote Access............................................................................... 199

12.01 Operational Procedures and Responsibilities .................................................................... 203

12.02 System Planning and Acceptance........................................................................................ 207

12.03 Protection against Malicious Program and Mobile Code................................................... 210

12-04 Back-up ................................................................................................................................... 214

12.05 Network Security .................................................................................................................... 218

12.06 Exchange of Information ....................................................................................................... 224

12.07 Technical Compliance Monitoring ........................................................................................ 227

12-08 Change Control ...................................................................................................................... 231

12.09 Technical Vulnerability Management/Penetration Testing ................................................ 235

13.01 Security Requirements for Information Systems................................................................ 239

13.02 Correct Processing in Applications ..................................................................................... 242

13.03 Cryptographic Controls ......................................................................................................... 246

13-04 Security of System Files........................................................................................................ 249



14-01 Information Security Aspects of Business Continuity....................................................... 251

Glossary ............................................................................................................................................ 254



Global Information Security Policy & Standards

INTRODUCTION
Objective
As a global health and care company, Bupa deals with the personal details,
medical data and financial records of millions of people around the world.
Protecting that information for ethical, legal, regulatory and commercial reasons is
essential and is a key responsibility for us all.

All our customers – members, residents, patients, corporate clients, third parties
and business partners – expect us to treat their information with the utmost care.
This means using correct information for the intended purpose and making sure
that it doesn’t fall into the wrong hands.

The Global Information Security Policy has been established to protect Bupa’s
group of companies, our employees and our customers. It should be read in
conjunction with Bupa Global Information Security Standards (GISS) and other
relevant Bupa Group Corporate Policies.

The purpose of this document is to provide:

• Overall direction on Information Security
• Clear and concise Policy statements
• Reference to Standards which support Policy

Scope and Applicability

Global Information Security Policy (GISP) and its associated Global Information
Security Standards (GISS) apply to all business units and Group functions across
the Bupa Group world-wide and extend to all external parties providing outsourced
or managed services for any part of the Group.

Newly acquired business units or operations must become compliant within a
formally agreed timeframe and prior to any connectivity with systems managed by
Bupa.

Policy Structure
The GISP consists of 14 individual Policy Statements, divided into sections as
follows:

Section   Description
-         Introduction
GISP 01   Company Responsibility
GISP 02   Employee Responsibility
GISP 03   Human Resources Responsibility
GISP 04   Information Classification
GISP 05   Incident Management
GISP 06   Access to Bupa Information and Information Systems
GISP 07   Electronic Communication Services
GISP 08   Computing and related equipment
GISP 09   Compliance
GISP 10   Physical & Environmental Security of Information & Technology
GISP 11   Management of Access Control
GISP 12   Operations & Support
GISP 13   Information Systems Acquisition Development and Support
GISP 14   Business Continuity

Global Information Security Standards (GISS)

Global Information Security Standards (GISS) describe how to apply GISP policy
statements. These Standards complement the GISP and carry equal weight and
status.

All Authorised Users

All Authorised Users are required to have an understanding of the requirements
described in GISP and GISS. To help with this, the Bupa Information Security
Employee Handbook covers the main points.

Compliance with the GISP is mandatory, so Authorised Users are expected to
have:
• a good, working knowledge of directives that have a direct impact on their
day to day responsibilities;
• a general awareness of all other Global Information Security Policies and
Standards.

Variations
Should the GISP or a GISS conflict with local legislation, the local Information
Security manager or Information Governance representative must be informed at
once.

A formal variation applicable to the Division, Business Unit or geographical area
will be authorised and approved through the Information Governance framework
and included in the GISP library.

Governance, Custodianship & Contacts

Governance of GISP
Accountability and responsibility for Information Security has been formally
delegated by the Chief Executive Committee (CEC) to the Information Governance
Executive Committee.

Refer to GISS 01.01 Bupa Information Governance Framework

Custodianship

GTIS Security Management is accountable to the Information Governance
Executive Committee and is responsible for:

a. Ownership and management of Global Information Security Policy and
Global Standards Library
b. Custodianship of Global Information Security Policy and Global Information
Security Standards
c. Management of the Variation Process where there are variations to the
Global Information Security Policy and Global Information Standards

Contact:
You should contact your local Information Security manager or Information
Governance representative in the first instance.
In the event of difficulty, some key contacts are listed in the table below:

Location: Bupa Group
Contact details: Head of Information Governance
Stephen Hinde
Bupa, 15-19 Bloomsbury Way,
London WC1A 2BA
+44 207 656 2311
hindes@bupa.com

Location: Bupa UK and Bupa Group (inc Bupa International)
Contact details: Information Security Manager
Phil Hunt
Willow House West, Unit 4 Pinetrees,
Chertsey Lane,
Staines, TW18 3DZ
+44 1784 89 3105
phil.hunt@buoa.com

Location: Bupa Australia Group (inc Asia Pacific)
Contact details: Security Manager
Marcel Sorouni
L1 50 Bridge St, Sydney NSW 2000
+61 2 9323 9690
marcel.sorouni@bupa.com.au

Location: Sanitas Group (Spain)
Contact details: Security Manager
Enrique Martín Menéndez
Sanitas Seguros, S.A.
C/ Ribera del Loira, 52.
28042 Madrid
+34 913244949
emartin@sanitas.es

Location: Health Dialog (United States)
Contact details: Sr. Director, Information Security and Risk Management
James Livermore
2 Bedford Farms Dr.
Bedford, NH 03110
+1 603.222.5029
steve@healthdialog.com


Company Responsibility
Objective
Bupa has a corporate responsibility to safeguard both customer and employee
information and ensure that appropriate & effective governance arrangements are
in place to achieve this.
This policy will help to reduce exposure to the following risks:
• Loss of confidence amongst employees, customers, partners and advisors
• Legal action, censure and financial penalties due to failure to comply with
legislative, regulatory or contractual requirements
• Failure of security policies & standards due to poor governance & lack of
clear responsibility & ownership
• Disruption to business activities due to misuse of information.
• Failure to respond to emerging threats.
• Damage to Bupa’s image, reputation and brand

Policy Statement

GISP 01 Company Responsibility

It is the responsibility of each Business Division & Business Unit, including
Group Functions, to establish:
• Information Security Governance arrangements in line with the Bupa
Information Governance Framework
• Operating procedures that meet the requirements of the Bupa Global
Information Security Policy and Standards
Reference: ISO/IEC 27001:2005 A.6 Information Security within the Organisation

Global Information Security Standards

The following Global information security standards describe how to apply this
Bupa policy:

• GISS 01.01 Bupa Information Governance Framework
• GISS 01.02 Bupa Information Security Policy & Standard Framework


Employee Responsibility
Objective
Bupa has a responsibility to ensure its employees, including contractors, third
party personnel, partners and advisors are aware of their responsibilities for
safeguarding Bupa information & information systems and Bupa facilities.
This policy will help to reduce exposure to the following risks:
• Misplaced trust in individuals
• Disclosure of sensitive information
• Poor security awareness
• Loss of information assets
• Unauthorised access

Policy Statement

GISP 02 Employee Responsibility

All employees including contractors, third party personnel, partners and
advisors are expected to:
• Use Bupa provided facilities only for the purpose for which they are
intended
• Take all reasonable measures to safeguard Bupa information and
information systems
• Comply with the Global Information Security Policy and Standards
Failure to do so may result in disciplinary action including dismissal as well
as civil and or criminal legal proceedings.
Reference: ISO/IEC 27001:2005 A.7 Responsibility for Assets

Global Information Security Standards

The following Global information security standards describe how to apply this
Bupa policy:

• GISS 02.01 Acceptable Use
• GISS 02.02 Authorised User Responsibility
• GISS 02.03 Third Party Engagement & Management


Human Resources Responsibility

Objective
Bupa has a responsibility to ensure that its employees, including contractors, third
party personnel, partners and advisors are adequately protected as well as
capable and competent to safeguard Bupa information & information systems and
facilities.
This policy will help to reduce exposure to the following risks:
• Misplaced trust in individuals.
• Disclosure of sensitive information.
• Poor security awareness.
• Loss of information assets.

Policy Statement

GISP 03 Human Resources Responsibility

It is the responsibility of each Business Division & Business Unit including
Group Functions to establish operating procedures in accordance with their
HR Policy that ensure information security requirements are incorporated
throughout the employment lifecycle of all Bupa employees including
contractors, third party personnel, partners and advisors.
Reference: ISO/IEC 27001:2005 A.8 Human Resources

Global Information Security Standards

The following Global information security standards describe how to apply this
Bupa policy:

• GISS 03.01 Recruitment
• GISS 03.02 During Employment
• GISS 03.03 Training & Awareness
• GISS 03.04 Termination or Change of Employment
• GISS 03.05 Privacy


Information Classification
Objective
Bupa has a responsibility to account for and safeguard customer, employee and
commercial information in accordance with its classification derived from its value
and risk.
This policy will help to reduce exposure to the following risks:
• Business Units being unaware of the value of information
• Controls being applied which are inadequate or inappropriate to protect
customer, employee and commercial information
• Financial and or reputational loss following the deliberate or accidental
disclosure of personal or patient/member data, or corporate data.
• Inaccurate prioritisation for recovering from disaster due to poorly classified
and protected information.
• Inefficient business operations due to poorly classified and protected
information.
• Loss or damage to reputation resulting from inaccuracies in information
content.

Policy Statement

GISP 04 Information Classification

Information should be valued, classified and risk assessed in accordance with
its confidentiality, integrity and availability, regardless of the media on which
it is stored, the manual or automated systems that process it, or the
methods by which it is distributed.
Business Heads, Managing Directors and Group Function Directors are
responsible for identifying, recording and accounting for key information
assets in their domain and appointing data owners and data custodians who are
responsible for ensuring and maintaining appropriate protection of the
information assets.
Reference: ISO/IEC 27001:2005 A.7.2 Information Classification

Global Information Security Standards

The following Global information security standards describe how to apply this
Bupa policy:

• GISS 04.01 Information Classification Scheme
• GISS 04.02 Information Asset Identification, Classification & Ownership
• GISS 04.03 Electronic Data & Information Handling
• GISS 04.04 Physical Media & Paper Handling
• GISS 04.05 Secondary use of Information


Incident Management
Objective
Bupa has a responsibility to manage information security incidents, which occur
whenever the confidentiality, integrity or availability of information or information
systems is suspected to be, or is actually, affected by an adverse event.
To minimise the risks of compromise to our information and information processing
systems, robust incident management is required in order to contain, investigate
and learn from the incidents that may affect the Group’s information.
This policy will help to reduce exposure to the following risks:
• Failure to detect disclosure or theft of information.
• Repeat incidents due to failure to learn from prior occurrences.
• Disruption to business activity due to poorly managed incidents.

Policy Statement

GISP 05 Incident Management

Information security incidents must be identified, responded to, recovered
from and followed up.
It is the responsibility of each Business Division & Business Unit including
Group functions to establish local operating procedures for dealing with
security incidents in accordance with the requirements of the Bupa Global
Information Security Policy and Standards.
All Bupa employees including contractors, third party personnel, partners
and advisors are required to report events or incidents affecting security or
compliance to security policy in accordance with local operating
procedures.
Reference: ISO/IEC 27001:2005 A.13 Information Security Incident Management

Global Information Security Standards

The following Global information security standards describe how to apply this
Bupa policy:

• GISS 05.01 Identifying and Reporting Information Security Incidents
• GISS 05.02 Managing Information Security Incidents
• GISS 05.03 Managing Information Security Improvement


Access to Bupa Information and Information Systems

Objective
Bupa has a responsibility to ensure that access to customer, employee and
commercial information is protected in accordance with its classification and is
restricted to authorised individuals.
This policy will help to reduce exposure to the following risks:
• Loss of reputation following the deliberate or accidental disclosure of
personal or patient/customer data
• Financial loss following deliberate or accidental disclosure of corporate data
• Legal action, censure and financial penalties due to failure to comply with
legislative, regulatory or contractual requirements
• Disruption to business activities due to incorrectly processed information

Policy Statement

GISP 06 Access to Bupa Information and Information Systems

Bupa information and information systems should only be accessed by
Authorised Users in accordance with the terms specified by the appointed
data owner.
Users who are authorised to access Bupa information systems should be:
• uniquely identified
• held individually accountable for their actions
• provided with access privileges that are only specific to their role
Reference: ISO/IEC 27001:2005 A.11 Access Control

Global Information Security Standards

The following Global information security standards describe how to apply this
Bupa policy:

• GISS 06.01 User Identification and Registration
• GISS 06.02 System & Electronic Information Access Management
• GISS 06.03 Clear Desk


Electronic Communication Services

Objective
Bupa has a responsibility to ensure that electronic communication services are not
used in a way that could damage Bupa or cause harm or stress to any of its
employees.
For the purposes of this policy, electronic communication services include the
following service types, but this list is not exhaustive:
• Email (Corporate and Web mail)
• Instant messaging
• Information collaboration and blogging services (Bupa Live + Social
Networking)
• Telephone systems using internet protocols (VOIP)
• Voice and video communication systems (WebCam)
• Online meeting services (eg Webex)
• Desktop sharing and remote support services (eg Dameware)
• File transfer services (eg FTP servers)
• Internet based voice systems (eg Skype)
• Internet based desktop sharing and remote support services (eg
GoToMyPC)
• Internet based file transfer services (eg FTP downloaders and peer to peer
services)
• Services provisioned on Bupa supplied smartphones (eg. Blackberry)
including SMS, MMS, Bluetooth and Applications
• Services provisioned on multifunctional devices (eg scanner with email and
fax capability)
• Wireless connection services
This policy will help to reduce exposure to the following risks:
• The introduction of computer viruses and other malicious software leading
to the unavailability of Bupa systems and information
• Loss of reputation following the deliberate or accidental disclosure of
personal or patient or customer data
• Financial loss following deliberate or accidental disclosure of corporate data
• Legal action, censure and financial penalties due to failure to comply with
legislative, regulatory or contractual requirements


Policy Statement

GISP 07 Electronic Communications Services

Electronic communication systems and services which are accessed via
Bupa systems should only be used for Bupa approved purposes.
Electronic communication systems may be monitored, filtered and/or
restricted to safeguard Bupa interests, Bupa information and to protect
information systems from electronic attacks.
Reference: ISO/IEC 27001:2005 A.10 Communications & Operations

Global Information Security Standards

The following Global information security standards describe how to apply this
Bupa policy:

• GISS 07.01 Electronic Communications - Enterprise based services and
systems
• GISS 07.02 Company provided Mobile Device security
• GISS 07.03 Multifunctional Devices
• GISS 07.04 Connecting non-Company Equipment
• GISS 07.05 Wireless Connection


Computing and Related Equipment

Objective
Bupa has a responsibility to manage and protect its computing and associated
equipment. In addition to the market value of such equipment, the value and risk of
the information it may hold should also be considered.

This policy will help to reduce exposure to the following risks:

• Theft and loss of computing related equipment
• Unauthorised disclosure of sensitive information due to theft or loss
• Unauthorised access to sensitive information
• Damage to equipment or services due to lack of protection from
environmental factors.

Policy Statement

GISP 08 Computing and Related Equipment

Computing and associated equipment, including removable media,


storage and mobile devices must be:
• cared for, operated in a safe and secure manner and should only
be exposed to appropriate environments or situations in order to
minimise the risk of loss or theft of the equipment itself and the
unauthorised disclosure of information it may contain
• disposed of in a secure manner to minimise the risk of
unauthorised disclosure of information it may contain
An inventory of Bupa owned computing and associated equipment
should be maintained by the asset owner as appropriate.
Reference: ISO/IEC 27001:2005 A.7 Asset Management

Global Information Security Standards


The following Global information security standards describe how to apply this
Bupa policy:

• GISS 08.01 Company Laptops
• GISS 08.02 Digital cameras and recording devices
• GISS 08.03 Mobile Devices
• GISS 08.04 Removable Storage Devices (eg memory stick, USB drive, SIM
etc.)
• GISS 08.05 Screensaver and Session Timeouts (User)
• GISS 08.06 Screensaver and Session Timeouts (Technical)


Compliance
Objective
Bupa has a duty and responsibility to comply with all legal, statutory, regulatory
and contractual requirements.
These requirements will differ according to a number of factors including country of
applicability, applicable regulatory bodies, local business unit activities, specific
contractual obligations and many more.
Bupa employees, including contractors, third party personnel, partners and
advisors must comply with applicable Bupa policy. Failure to do so may result in
disciplinary action including dismissal as well as civil and or criminal legal
proceedings.
This policy will help to reduce exposure to the following risks:
• Legal action, censure and financial penalties due to failure to comply with
legislative, regulatory or contractual requirements
• Disruption to business activities due to misuse of information
• Financial loss
• Damage to Bupa reputation

Policy Statement

GISP 09 Compliance

It is the responsibility of each Business Division & Business Unit including Group
functions to identify all applicable legislative, statutory, regulatory, policy and
contractual requirements and define and document the specific controls and
responsibilities needed to meet these requirements.
Each Business Division & Business Unit must also ensure compliance.
Reference: ISO/IEC 27001:2005 A.15 Compliance

Global Information Security Standards


The following Global information security standards describe how to apply this
Bupa policy:

• GISS 09.01 Legal and Regulatory requirements
• GISS 09.02 Compliance with Information Security Policy and related Standards


Physical and Environmental Security of Information and Technology
Objective
Bupa has a responsibility to manage and protect information held and processed
on its computer assets and associated equipment in its Data Centres, in Computer
and or Communications Rooms and other designated secure areas, in general
offices and workplaces.

This policy will help to reduce exposure to the following risks:


• Unauthorised access to sensitive information held at major data processing
centres
• Disclosure or theft of sensitive information held at major data processing
centres
• Damage to equipment due to lack of protection from environmental factors
• Disruption of business activities due to lack of protection from
environmental factors
• Inadequate safety of employees

Policy Statement

GISP 10 Physical and Environmental Security of Information and Technology

Data Centres, Computer and/or Communications Rooms and other designated secure
areas should be afforded appropriate security measures commensurate with their risk
and value to protect these facilities, the equipment and information from external
risks including environmental factors as well as physical criminal attack.
Reference: ISO/IEC 27001:2005 A.7.2 Physical & Environmental Security

Global Information Security Standards


The following Global information security standards describe how to apply this
Bupa policy:

• GISS 10.01 Physical Security Perimeters
• GISS 10.02 Physical Entry Controls
• GISS 10.03 Securing Offices, Rooms and Facilities
• GISS 10.04 Working in Designated Secure Areas
• GISS 10.05 Isolated Delivery and Loading Areas
• GISS 10.06 Equipment Siting and Protection
• GISS 10.07 Power Supplies
• GISS 10.08 Cabling Security
• GISS 10.09 Equipment Maintenance
• GISS 10.10 Security of Equipment Off Premises
• GISS 10.11 Secure Disposal or Re-Use of Equipment


Management of Access Control
Objective
Bupa has a responsibility to manage and protect access to customer, employee
and commercial information in accordance with the classification of the information
and business requirements.
This policy will help to reduce exposure to the following risks:
• Inadequate segregation between user groups
• Inadequate segregation of duties between developers and live users
• Inadequate monitoring and auditing of special user accounts
• Amendments to data or systems which are uncontrolled
• Loss of reputation following the deliberate or accidental disclosure of
personal or patient/customer data
• Financial loss following deliberate or accidental disclosure of corporate data
• Legal action, censure and financial penalties due to failure to comply with
legislative, regulatory or contractual requirements
• Disruption to business activities due to incorrectly processed information

Policy Statement

GISP 11 Management of Access Control

It is the responsibility of Data Owners in each Business Division and Business Unit
including Group functions, together with designated Data Custodians, to ensure that
access to information and information systems is granted and maintained in
accordance with established standards for registration, maintenance and termination
of users’ access.
Reference: ISO/IEC 27001:2005 A.11 Access Control

Global Information Security Standards


The following Global information security standards describe how to apply this
Bupa policy:

• GISS 11.01 Business Requirement for Access Control
• GISS 11.02 Segregation of Duties
• GISS 11.03 User Access Management
• GISS 11.04 Network Access Controls
• GISS 11.05 Operating System Access Controls
• GISS 11.06 Application and Information System Access Controls
• GISS 11.07 Mobile Computing and Remote Access


Operations and Support
Objective
Bupa has a responsibility to ensure that computer services are sufficiently
protected, properly operated and that adequate measures are taken to safeguard
the confidentiality, availability and integrity of the data and information during
processing operations.
This policy will help to reduce exposure to the following risks:
• Backup data is incomplete or corrupt
• IT operations staff can compromise live systems
• Measures protecting data are not appropriate with respect to the value of
the data.
• Systems have inadequate or untested contingency.

Policy Statement

GISP 12 Operations and Support

Technology and Information Services functions should take all reasonable steps to
maintain and ensure that Bupa computer networks, computer systems, applications
and associated environments are operated and supported in a secure manner which
safeguards the confidentiality, availability and integrity of data and information
during processing operations and in accordance with information security standards.
Reference: ISO/IEC 27001:2005 A.10 Communications & Operations

Global Information Security Standards


The following Global information security standards describe how to apply this
Bupa policy:

• GISS 12.01 Operational Procedures and Responsibilities
• GISS 12.02 System Planning and Acceptance
• GISS 12.03 Protection Against Malicious Program and Mobile Code
• GISS 12.04 Back Up
• GISS 12.05 Network Security
• GISS 12.06 Exchange of Information
• GISS 12.07 Technical Compliance Monitoring (software licensing, activity
logs etc.)
• GISS 12.08 Change Control
• GISS 12.09 Technical Vulnerability Management & Penetration Testing


Information Systems Acquisition, Development and Outsourcing
Objective
Bupa has a responsibility to ensure that information systems and services,
computer applications and functions include adequate measures to safeguard the
confidentiality, availability and integrity of the data and information during the
development lifecycle and subsequent delivery lifecycle of these systems.
This policy will help to reduce exposure to the following risks:
• Disclosure or theft due to the exploitation of technical vulnerabilities.
• Information leakage due to poor application infrastructure network design.
• Disruption of business activity due to poorly managed changes.

Policy Statement

GISP 13 Information Systems Acquisition, Development and Outsourcing

Information Security requirements should be incorporated into the design of
Information systems, services and computer applications, as part of the development
lifecycle, whether internally developed, externally acquired or outsourced, to
safeguard the confidentiality, availability and integrity of information delivered
into the live operational environment.
Reference: ISO/IEC 27001:2005 A.10 Information Systems Acquisition, Development and Outsourcing

Global Information Security Standards


The following Global information security standards describe how to apply this
Bupa policy:

• GISS 13.01 Security Requirements for Information Systems
• GISS 13.02 Correct Processing in Applications
• GISS 13.03 Cryptographic Controls
• GISS 13.04 Security of System Files


Business Continuity
Objective
Information security requirements must be included and incorporated in all
business continuity programmes in order to safeguard information and data during
times of adverse operating conditions.
This policy will help to reduce exposure to the following risks:
• Loss or theft of information due to poor planning
• Disruption to business activities due to poor prioritisation of asset recovery
• Disruption of business activity due to poor or non-existent testing

Policy Statement

GISP 14 Business Continuity

The security of information and information assets should be included
and integrated in to every business continuity programme to maintain
the security of the controls established to protect Bupa’s information
and to reduce the risks of loss during times of adverse operating
conditions.
Reference: ISO/IEC 27001:2005 A.14 Business Continuity Management

Global Information Security Standards


The following Global information security standards describe how to apply this
Bupa policy:

• GISS 14.01 Information Security Aspects of Business Continuity Planning


01.01 Company Information Governance Framework

Overview
The objective of this standard is to ensure that business units within the Company
are aware of their responsibilities with regard to information security and their role
within the global information governance framework. This standard details the global
structure and the local requirements for compliance with the overall information
security programme.

Scope
This standard applies to all Bupa Companies (hereafter referred to as Company).
Each Business Division & Business Unit including Group functions is to ensure the
requirements of this standard are met.

Target Audience
This standard is to be read and implemented by Senior Management and
Information Security Management across the Company.

Standards
Global Structure

01.01.01 A Group Information Governance Structure has been established to
implement, manage, review, update and improve the Information Security
Management System (ISMS). The three tiered information governance
structure provides the framework for managing Information across the
Group. The three tiers are as follows:

a. Information Governance Executive Committee

b. Information Governance Executive Council

c. Business Information Security and IG Councils


These are described more fully in the figure below:

Information Governance Executive Committee (Chair: Company Secretary & Group
Strategy Director)
• responsibility for the oversight of IG across the Group.
• sets the IG strategy for the Bupa Group.
• directs achievement of IG across the Group.
• receives reportage of IG compliance, issues and incidents.
• approval body for the Global Information Security Policy & Standards (GISP &
GISS).
• provides IG updates to the CEC, Audit Committee and Divisional MDs.

Information Governance Executive Council (Chair: Head of Information Governance)
• accountable to the IG Executive Committee for Information Governance across the
Bupa Group.
• focus for the consideration of Information Governance issues which impact the
ability of Bupa businesses to ethically and securely handle personal data to comply
with both the Information Governance requirements of legislation and regulation, as
well as to comply with contractual obligations.
• approves Business Information Security requirements within the structure of Global
Information Security Policy & Standards (GISP & GISS).

Technical Security Forum
• considers Global IT Security concerns and issues. It also provides a “follow the
sun” process for the Group-Wide Technical Instant Incident Response to critical IT
incidents.

Business Information Security & Clinical IG Councils
Information Security Councils:
• Divisional / Local responsibility for ensuring security measures are co-ordinated,
properly applied and provide evidence of IG in line with Global Policies & Standards
and the International Security Management Systems Standard ISO 27001.
Clinical IG Steering Committee:
• provides a strategic lead for the implementation of the IG Toolkit (ISO 27002) and
associated continuous improvement and maintenance programmes with a particular
focus on Clinical Information Governance and Secondary Use Assurance initiatives.
• responsible in the UK for the NHS Statement of Compliance.

Business Senior Management Teams
The Group Information Governance structure also recognises and links with Business
Senior Management Teams and Business Information Governance Committees.

Figure 01.01.01 Global Structure Diagram


Standards

Roles and Responsibilities

01.01.02 Head of Information Governance

a. The Head of Information Governance is responsible for setting the Information
Governance strategy for the Bupa Group to protect it from disclosure, loss,
misuse or misappropriation of its confidential, proprietary, business and
customer data.

b. The Head of Information Governance supports the Information Governance
Executive Committee in the implementation of the Group IG strategy through:

1. ensuring that the levels of security, integrity and confidentiality of
the information assets within Bupa Group companies are set at
levels that are in the commercial interests of the Group, that comply
with regulation, legislation and industry standards, and are
adequate, commensurate with the risks to the Group and public
expectations;

2. promoting, lobbying and representing Bupa’s interest with respect
to legislative, regulatory and other developments affecting Data
Protection, Confidentiality of Data and Information Security.

01.01.03 GTIS Security Management

a. GTIS Security Management are accountable to the appropriate Information
Governance Committee/Council, and are responsible for:

1. Ownership and management of Global Information Security Policy and
Global Standards Library.
2. Custodianship of Global Information Security Policy and Global
Information Security Standards.
3. Management of the Variation Process where there are variations to the
Global Information Security Policy and Global Information Standards.

01.01.04 Heads of Business Units and Group Functions

a. It is the responsibility of the Managing Director or equivalent within each local
Business Unit or Group Function to provide sufficient resource and support to
implement the required procedures, processes and controls to meet the
requirements of the GISP and GISS. This will include the establishment of a
local Information Security and Governance Framework which is approved and
authorised by the IG Executive Committee.

b. The Managing Director or equivalent is responsible for appointing an
authoritative representative of their functional area, empowered to speak for
Information Governance and take overall responsibility for Information
Security including the implementation of the GISP & GISS. The Information
Governance Representative is responsible for ensuring that the successes
and issues of the local information security framework are measured and
reported to the relevant Information Governance group on a regular basis.

c. The Managing Director or equivalent is responsible for ensuring that a local
Information Security Organization is appointed to take responsibility for day-
to-day Information Security management as required within a defined area.

01.01.05 Information Security

Operating within a defined scope, Information Security:

a. is responsible for ensuring all requirements of the GISP & GISS are
implemented as a minimum, and for reporting compliance, variations,
exceptions and incidents

b. ensures that all relevant GISP & GISS and any local supporting
policies & procedures are published & communicated to all Authorised
Users within their defined scope

c. is responsible for requesting variations where the GISP or GISS
requirements do not meet local legal, regulatory or contractual
requirements. Variations must be authorised by the Information
Governance Executive Council.

d. is responsible for ensuring that local procedures and processes are
implemented to meet the requirements of the GISP & GISS and that all
relevant controls meet business objectives, industry standards
(ISO/IEC 27001:2005) and legal and regulatory requirements.

e. is responsible for implementing audit and review programmes and
processes to ensure that security processes and controls are
maintained and effective. Audit programmes shall include formal audit
reporting processes, and corrective action & resolution processes.

f. is responsible for implementing local risk management processes to
assess, manage and reduce local information security risks to an
acceptable level within the business unit and aligning this to the
company risk methodology.

g. is responsible for implementing a local Security Incident Response
process for all Authorised Users to be able to report a real or possible
security incident or event. This process shall include procedures for
investigation and resolution of security incidents, as well as reporting
procedures to notify management and Information Governance in a
timely manner.

h. is responsible for ensuring local training and awareness programmes
for information security are implemented and rolled out to all
Authorised Users. Training and awareness programmes shall include
initial training on start of employment or engagement, and regular
updates and training at least annually.

i. is responsible for communicating that all breaches of information
security, actual or suspected, must be reported immediately.

Guidance
The role of maintaining information security locally could be designated to one
person or a team of people.

Further detail regarding the requirements of this standard is contained within the
GISS library.

Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored internally
via compliance programs and security incident reports. Failure to comply with any
Policy or Standard may result in disciplinary action.


Variations
This Standard must be applied in all Company business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.

References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.5.1.2, A.6.1.2, A.6.1.3, A.6.1.4, A.6.1.6, A.6.1.7,
A.6.1.8, A.15.2.1

Document Control
GISS Ref: 01-01
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011


01.02 Information Security Policy and Standards Framework

Overview
This standard provides the requirements for the Global Information Security Policy and
Global Information Security Standard framework and the requirement for local supporting
policies & procedures.

This standard supports the Global Information Security Policy:

• GISP 01

Target Audience
This standard is to be read by all local business management.

Standards
General
01.02.01 Authorised Users should have a good, working knowledge of the standards
that have a direct impact on their day to day responsibilities; and a general
awareness of all other Global Information Security Policies and Standards.

01.02.02 It is the responsibility of local business unit management to implement local
procedures to support the Global Information Security Policy and Standards.

01.02.03 Authorised Users should have knowledge of how to refer to Global
Information Security Policies and Standards, local Standards and local
procedures.

Variations
01.02.04 Where a local unit cannot meet a requirement of the Global Information
Security Policy or Standard for any reason, a local variation to that Policy or
Standard must be identified.

01.02.05 Variations to Global Information Security Policies and Standards must be
formally documented and submitted to the appropriate Information
Governance body for approval and authorisation.

Authorisation and Approvals Framework

01.02.06 The GISP, GISS and Local Information Policy and Standards must be
approved and authorised by the appropriate Information Governance body.

01.02.07 The GISP and GISS are delivered and enforced locally by local Information
Security Councils; are owned by the Information Governance Council and
are endorsed and authorised by the Information Governance Executive
Committee.

01.02.08 Local Information Security Policy and Local Information Security Standards
where variations to the Global versions are necessary are owned, delivered
and enforced locally by local Information Security Councils; are endorsed
and authorised by the Information Governance Council. The Information
Governance Executive Committee is informed of local variances.

01.02.09 The figure below describes the framework.

Figure 01.02.09 Authorisations and Approval Framework


Guidance

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.5.1.1

Document Control
GISS Ref: 01-02
Version: V1.1 Corrected description of IG Council
Release date: 22/11/11
Approval by: IG Exec Committee
Next review:
Approval date:


02.01 Acceptable Use

Overview

This standard defines the Company requirements for Authorised Users when using
Company supplied information and information systems, such as email, internet,
laptops and mobile devices.

This standard supports the Global Information Security Policy:

• GISP 02

Target Audience

This standard applies to all Authorised Users.

Standards
General Principles

02.01.01 The Company provides computing equipment and services to help
employees, contractors and all other associated personnel work more
effectively. These shall not be misused. Amongst other things,
accessing and or obtaining or distributing intimidating, hostile, or
offensive material on the basis of race, colour, creed, religion, national
origin, age, sex, physical or mental disability, sexual orientation, or
other basis prohibited by law constitutes misuse.

02.01.02 Company provided computing equipment shall only be used to access
information and systems that have been authorised and for which there
is a genuine business need to know. Unauthorised access is
considered an offence, misuse, a breach of policy and could result in
disciplinary and or criminal proceedings.

02.01.03 The Company may monitor use of Company provided equipment and
services and or non-Company provided equipment that is connected to
its corporate network for security, policy compliance and legal and
regulatory purposes without notification.

Email

02.01.04 The main purpose for providing email is for business activities, as such,
it is considered a privilege and should be used responsibly.

02.01.05 Subject to line manager approval, responsible personal use of the
Company email services is permitted, provided that it is reasonable
and:

a) Does not contravene any of the company’s policies and guidelines.

b) Is not detrimental to the company’s brand/image.

c) Is not likely to cause the company loss.

d) Is not for personal gain.

e) Does not constitute solicitation or harassment.

f) Does not interfere with work.

02.01.06 Messages containing Level 2 (Confidential) and Level 3 (Restricted
Confidential) information, and in particular messages communicated
externally shall be suitably protected by encryption or password
protection methods that meet the Company’s requirements.

02.01.07 Company Email Systems shall not be used to represent personal or
non-company business interests.

02.01.08 Receipt of offensive or unsolicited material from known or unknown
internal or external sources shall not be communicated or redistributed
either internally or externally. Such messages should be forwarded to
the appropriate authorities (Line Management and local Information
Security) for investigation.


02.01.09 Company equipment may not be used to access external messaging
systems such as those provided on the internet eg: Hotmail, Yahoo
mail, etc., unless authorised by line management.

02.01.10 Authorised Users shall not activate any features, with the exception of
Out of Office Replies, included in an E-Mail software application that
automatically sends, copies, or forwards messages outside the
Company Network. Consistent with this Policy, Authorised Users may
selectively send, copy, or forward electronic messages in the ordinary
course of business. Authorised Users should recognise that some
information is intended for specific individuals and may not be
appropriate for general distribution.

Internet

02.01.11 The Internet provides business opportunities and shall be used for
legitimate purposes and to further the company’s interests.

02.01.12 Subject to line manager approval, responsible personal use of internet
is permitted.

02.01.13 Downloading and or installing software or applications from the Internet
must be approved and authorised by the local IT function.
Unauthorised downloading is forbidden.

02.01.14 Company information not classified as Level 0 (Public) shall not be
uploaded to external websites or systems unless appropriately
authorised by Management.

02.01.15 Internet surfing must not interfere with work commitments.

02.01.16 Company Internet configuration controls must not be reconfigured
and/or circumvented and anti-virus checking must not be disabled.

Social Networking


02.01.17 Access to social networking sites may be granted for selected users
and groups based upon the business requirement. Access to these
privileges must be authorised.

02.01.18 Social networking must not interfere with work commitments.

02.01.19 When using social networking sites, Authorised Users must not post,
publish or otherwise disclose company information, material,
comments and or opinions that could bring the Company into
disrepute.

Passwords and Access Control

02.01.20 Company’s computer systems and network resources are password
and/or PIN protected. These are personal and must not be shared or
disclosed.

02.01.21 If it is suspected that a password or PIN has been compromised, it
must be changed immediately and or reported to the local IT
Department and / or Information Security.

02.01.22 Authorised Users shall not log-in another member of staff or external
party using their own log-in and password credentials.

02.01.23 Authorised Users shall either log-off or invoke a password-protected
screen saver when leaving Company computer equipment unattended
for short or prolonged periods.

Hardware, Software and Programs

02.01.24 All Company provided computer hardware, software and programs
installed and used shall be properly purchased and licensed. The
installation or use of unauthorised or unlicensed hardware, software
and programs is forbidden.

02.01.25 Company provided computer system configurations must not be
altered, changed or re-configured unless authorised by the local IT
Department.

02.01.26 The use of unauthorised or non-Company equipment to connect to the
Company corporate network must be approved by the Local IT
Department.

02.01.27 Any Level 2 or 3 information must be deleted or removed as soon as it
is no longer required.

02.01.28 Using any software, tool, process, or method that intentionally
bypasses Company security controls is prohibited.

02.01.29 Authorised Users are prohibited from using any hacking tools without
prior written approval from the local Information Security Function. Use
of such tools without prior written approval could result in disciplinary
and or criminal proceedings.

02.01.30 The use of Peer-to-peer network software is prohibited unless
authorized.

Viruses

02.01.31 Authorised users have a responsibility to check from time to time that
Company installed security software including anti-virus software on a
Company workstation is functioning properly and is up to date.

02.01.32 If a virus infection is suspected, desktops / laptops must be
disconnected from the network immediately and reported to the local IT
Department.

Mobile Computing Equipment


02.01.33 Authorised users shall take all reasonable steps and are responsible to
protect company provided mobile computing equipment and the
information used and held on it whilst in their care.

02.01.34 Company provided mobile computing equipment remains the property
of the Company, together with the software and data stored on the
device.

02.01.35 Level 2 and Level 3 Information shall not be stored on company
provided mobile computing equipment unless it is protected with
encryption or other suitable controls approved by Information Security.

02.01.36 The use of Company provided mobile computing equipment by Unauthorised Users is prohibited.

02.01.37 Company data must be backed up to the network at regular intervals.

02.01.38 Wireless functions should be switched off when not in use.

Mobile Phones and PDAs

02.01.39 Company provided mobile phone and/or PDA devices shall be protected with security features such as a PIN code to secure the device when not in use. Authorised users must make sure that the security controls implemented on the device are used.

02.01.40 Level 2 and Level 3 information shall not be stored on PDAs or mobile
phones unless suitably protected with encryption software.

02.01.41 Bluetooth wireless technology should be disabled when not in use.

Wireless Networks

02.01.42 Wireless access points providing access to the corporate network shall
be restricted to company approved and provided computing equipment.

02.01.43 Bridging (or attempts to bridge) wireless networks is forbidden.

02.01.44 Company provided wireless configurations or settings must not be changed by unauthorized individuals.

02.01.45 Wireless hotspots may be used; however, access to the company network must be via Company secured and approved mechanisms, e.g. IPSec VPN.

Incident Reporting

02.01.46 All users are required to report any irregular or adverse events, also known as security incidents, immediately and in accordance with local practices. Security incidents include, but are not limited to:

a) breach of the company’s information security policies and standards

b) theft or loss of company provided computing equipment and/or information

c) weak practices and/or potential hazards, etc.

Guidance

Bupa Employee Handbook

The Bupa Employee Handbook provides additional information.

Common password pitfalls to avoid

Cyber criminals use sophisticated tools that can rapidly guess or crack weak passwords.

Avoid creating passwords using:

• Dictionary words in any language.
Words in all languages are vulnerable.

• Words spelled backwards, common misspellings, and abbreviations.
Words in all languages are vulnerable.

• Sequences or repeated characters.
Examples: 12345678, 222222, abcdefg, or adjacent letters on your keyboard (qwerty).

• Personal information.
Your name, birthday, driver's license, passport number, or similar information.
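The pitfalls listed above can be checked mechanically before a password is accepted. The Python checker below is an added example written for this guidance; it is not Bupa's own code or tooling. The COMMON_WORDS list, the KEYBOARD_ROWS, the LEET_MAP substitution table and the sample personal details are constructed stand-ins (a real check would use a full multi-language dictionary and the user's HR record), and treating substitutions such as p@ssw0rd as a "common misspelling" of a dictionary word is this example's own generalisation of the guidance.

```python
"""Checker for the password pitfalls listed in the guidance above.

Added example, not Bupa's own code or tooling. The word list, keyboard rows,
substitution table and sample personal details are constructed for
illustration; a real deployment would use a full multi-language dictionary
and the user's HR record.
"""
import re

# Constructed mini-dictionary standing in for a real multi-language word list.
COMMON_WORDS = {
    "password", "welcome", "letmein", "summer", "winter", "monkey",
    "dragon", "football", "hospital", "company", "secret", "admin",
}

# Keyboard rows used to spot adjacent-key runs such as "qwerty" or "asdf".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Common substitutions ("p@ssw0rd") that leave a dictionary word just as guessable.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def _runs(s, length):
    """Yield every substring of s with the given length."""
    for i in range(len(s) - length + 1):
        yield s[i:i + length]


def _is_sequence(chunk):
    """True if chunk is a strictly ascending or descending run (abcd, 4321)."""
    codes = [ord(c) for c in chunk]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps == {1} or steps == {-1}


def password_pitfalls(password, personal_info=()):
    """Return the pitfalls the password falls into; an empty list means none found.

    personal_info is an iterable of strings the user must not reuse
    (name, date of birth, licence or passport number, ...).
    """
    found = []
    lowered = password.lower()
    stem = re.sub(r"\d+$", "", lowered)            # "welcome1" -> "welcome"

    # 1. Dictionary words: as typed, with a digit suffix stripped, with
    #    leet substitutions undone, or spelled backwards.
    candidates = {lowered, stem, stem.translate(LEET_MAP),
                  lowered[::-1], stem[::-1].translate(LEET_MAP)}
    if any(c in COMMON_WORDS for c in candidates):
        found.append("dictionary word")

    # 2. Sequences (12345678, abcdefg) and repeated characters (222222).
    if any(_is_sequence(chunk) for chunk in _runs(lowered, 4)):
        found.append("sequence")
    if re.search(r"(.)\1{2,}", lowered):
        found.append("repeated characters")

    # 3. Adjacent keys on the keyboard (qwerty), forwards or backwards.
    for row in KEYBOARD_ROWS:
        if any(chunk in row or chunk in row[::-1] for chunk in _runs(lowered, 4)):
            found.append("keyboard pattern")
            break

    # 4. Personal information: any token of 3+ characters from the supplied
    #    details (so "1985" from a date of birth), or all its digits run together.
    for item in personal_info:
        tokens = [t for t in re.split(r"[^a-z0-9]+", item.lower()) if len(t) >= 3]
        tokens.append(re.sub(r"\D", "", item))
        if any(t and t in lowered for t in tokens):
            found.append("personal information")
            break

    return found


if __name__ == "__main__":
    # Constructed samples: one user record and a few candidate passwords.
    user_details = ["Jane Smith", "12/03/1985"]
    for candidate in ("Password", "P@ssw0rd1", "12345678", "Qwerty!2024",
                      "Smith1985!", "Tr4ctor-Violet!93"):
        hits = password_pitfalls(candidate, user_details)
        print(f"{candidate!r:22} -> {hits or 'no pitfalls found'}")
```

Run it directly to see the constructed samples classified. The function returns the list of pitfalls hit, so a candidate that returns an empty list has passed the checks in this guidance; that is necessary for a sound password but, on its own, says nothing about its length or entropy, which the page's standards address separately.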

Email

• Chain e-mails should not be created or forwarded on Company systems.

• Attachments from unknown senders, or which are not work-related, may contain viruses and should not be opened.

• E-mail messages should only be sent to those employees for whom they are
particularly relevant.

• Regular monitoring of e-mails will be carried out on a random basis by the Company.

Viruses

• Viruses are often written into .exe files, so be particularly vigilant. Never
download an .exe from the Internet.

• Viruses can be found in any file type including in image files, such as .jpg or
.bmp.

Internet

• Be aware of phishing sites. Rather than following links in emails, enter the full URL yourself to access websites where you are entering personal details or making online transactions.

Software

• Hacking tools include but are not limited to password guessing or cracking
software, sniffers, data capture software, and security testing software.

Enforcement

All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored and
audited internally via compliance programs and security incident reports. Failure to
comply with any Policy or Standard may result in disciplinary action.


Variations

This Standard must be applied in all Company business units. However, if local
legal, regulatory or contractual requirements require modification or variation to this
standard, then the variation must be documented and reported to the IGEC Group
for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.5.1.2, A.6.1.2, A.6.1.3, A.6.1.4, A.6.1.6, A.6.1.7, A.6.1.8, A.15.2.1

Document Control
GISS Ref: 2.01
Version: V1.1 Added Reference to Bupa Employee Handbook
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011


02.02 Authorised User Responsibility

Overview
This standard outlines the requirements of all Authorised Users regarding their
responsibilities for safeguarding Company information & information systems. It is
the responsibility of everyone within the Company to maintain the confidentiality,
integrity and availability of information.

This standard supports the Global Information Security Policy:

GISP 02

Target Audience
This standard is to be read by all Authorised Users.

Requirements

02.02.01 All Authorised Users must comply with Company Global Information
Security Policy (GISP) and Global Information Security Standards
(GISS); failure to do so could result in disciplinary action.

02.02.02 Actual or potential information security incidents must be reported.

02.02.03 Information security training and awareness sessions must be attended. The detailed content and frequency of formal training is set by Business Units to meet local needs.

02.02.04 As an Authorised User, you are responsible for maintaining the confidentiality, integrity and availability of company information and information systems under your control in line with the Global Information Security Policy (GISP) and the Global Information Security Standards (GISS).

Guidance
Authorised users are required to attend information security training and awareness sessions.

Enforcement
All employees, managers and contractors are required to comply with Company Policies and Standards. Compliance with this standard shall be monitored internally via compliance programs and security incident reports. Failure to comply with any Policy or Standard may result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local
legal, regulatory or contractual requirements require modification or variation to this
standard, then the variation must be documented and reported to the IGEC Group
for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.6.1.1, A.8.1.1, A.8.2.1, A.8.2.3

Document Control
GISS Ref: 2-02
Version: V1.1 Clarification of content and frequency of training. Unnecessary Scope statement removed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011


02.03 Engagement and Management of External Service Providers

Overview

This standard defines the Company requirements when engaging and managing
services provided to the Company by external service providers. This may include
hosting companies, cloud services, software as a service, externally hosted sites and
systems, internal & external contractors with physical and / or logical access to
Company systems and information.

This standard supports the Global Information Security Policy:

• GISP 02

Target Audience

This standard applies to all Managers and Authorised Users responsible for the
engagement and management of external parties.

Standards
Due Diligence/Risk Assessment

02.03.01 Where there is a requirement to allow, outsource, or transfer the hosting of the information processing facilities and/or the information of the Company to an external service provider, a formal risk assessment shall be carried out to identify the requirements and specific controls necessary to facilitate and secure the company’s information and information processing facilities.

The identification of risks shall take into account the following:

a) The information processing facilities the external service provider is required to access, outsource or host.

b) The type of access the external service will have to the information and information processing facilities, e.g.:

i) Physical access to offices, computer rooms, filing cabinets.

ii) Logical access to company databases, information systems.

iii) Network connectivity between the company and external services network e.g.: permanent access, remote access.

iv) Whether access is taking place on-site or off-site.

c) The value and sensitivity of the information involved, and its criticality for business operations.

d) The controls necessary to protect information that is not intended to be accessible by the external service.

e) The external party personnel involved in handling the company’s information.

f) How the organisation or personnel authorised to have access can be identified, the authorisation verified, and how often this needs to be reconfirmed.

g) Legal and regulatory requirements and other contractual obligations relevant to the external service that should be taken into account.

h) How the interests of any other stakeholders may be affected by the arrangement. The different means and controls employed by the external service when storing, processing, communicating, sharing and exchanging information.

i) The impact of access not being available to the external service when required, and the external service entering and receiving inaccurate or misleading information.

j) Practices and procedures to deal with information security incidents and potential damages, and the terms and conditions for the continuation of external service access in the case of an information security incident.

Control of External Service Providers

02.03.02 Following the Due Diligence/Risk Assessment activity, all identified security requirements must be addressed and appropriate controls implemented prior to providing the external services access to the company’s information and information processing facilities.

The following shall be considered when addressing security controls:

a) The protection of company assets including:

i) Procedures to protect the company’s assets including information and software, and management of known vulnerabilities.

ii) Procedures to determine whether any compromise of the assets, e.g. loss or modification of data, has occurred.

iii) Integrity.

iv) Restrictions on copying and disclosing information.

b) Description of the product or service to be provided.

c) The different reasons, requirements and benefits for access.

d) Access control policy, covering:

i) Permitted access methods, and the control and use of unique identifiers such as user IDs and passwords.

ii) An authorisation process for user access and privileges.

iii) A statement that all access that is not explicitly authorised is forbidden.

iv) A process for revoking access rights or interrupting the connection between systems.

e) Arrangements for reporting, notification, and investigation of information inaccuracies, information security breaches and incidents.

f) A description of each service to be made available.

g) The target level of service and unacceptable level of service.

h) The right to monitor, and revoke any activity related to the company’s assets.

i) The respective liability of the company and external service provider.

j) Responsibilities with respect to legal matters and how it is ensured that the legal requirements are met, taking into account the different national legal systems especially where other countries are involved.

k) Intellectual property rights and copyright assignment and protection of any collaborative work.


Agreements with External Service Providers

02.03.03 Agreements with external service providers involving accessing, processing, communicating or managing the company’s information or information processing facilities, or adding products or services to information processing facilities shall cover all relevant security requirements.

02.03.04 The agreements shall ensure that there is no misunderstanding between the company and the external service provider.

02.03.05 The Company shall also satisfy itself as to the indemnity of the external
service provider.

Monitoring and review of External Service Providers

02.03.06 Monitoring and review of external service providers shall ensure that
the information security terms and conditions of the agreement are
being adhered to, and that information security incidents and problems
are managed properly. This involves a service management
relationship and process between the company and the external
service provider to:

a) Monitor service performance levels to check adherence to the agreements.

b) Review service reports produced by the external service provider and arrange progress meetings as required by the agreements.

c) Provide information about information security incidents and review of this information by the external service provider and the company as required by the agreements and any supporting guidelines and procedures.

d) Review external service provider audit trails and records of security events, operational problems, failures, tracing of faults and disruptions related to the service delivered.

e) Resolve and manage any identified problems.


02.03.07 The responsibility for managing the relationship with an external service provider shall be assigned to a designated individual or service management team.

02.03.08 In addition, the Company shall ensure that the external service provider assigns responsibilities for checking for compliance and enforcing the requirements of the agreements.

02.03.09 Appropriate action shall be taken when deficiencies in the service delivery are observed.

02.03.10 The Company shall maintain sufficient overall control and visibility into all security aspects where Level 2 and Level 3 information or information processing facilities are accessed, processed or managed by the external service provider.

02.03.11 The company shall ensure that it retains visibility into security activities such as change management, identification of vulnerabilities and information security incident reporting/response through a clearly defined reporting process, format and structure.

Managing changes to External Service Providers

02.03.12 Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed taking account of the criticality of business systems and processes involved and re-assessment of risks.

02.03.13 The process of managing changes to an external service provider shall take account of:

a) Changes made by the company to implement:

i) Enhancements to the current services offered.

ii) Development of any new applications or systems.

iii) Modifications or updates to the company’s policies and procedures.

iv) New controls to resolve information security incidents and to improve security.

b) Changes in external service provider services to implement:

i) Changes and enhancement to networks.

ii) Use of new technologies.

iii) Adoption of new products or newer versions/releases.

iv) New development tools and environments.

v) Changes to physical location of service facilities.

vi) Change of external service provider.

Guidance

Enforcement

All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored and
audited internally via compliance programs and security incident reports. Failure to
comply with any Policy or Standard may result in disciplinary action.

Variations

This Standard must be applied in all Company business units. However, if local
legal, regulatory or contractual requirements require modification or variation to this
standard, then the variation must be documented and reported to the IGEC Group
for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.5.1.2, A.6.1.2, A.6.1.3, A.6.1.4, A.6.1.6, A.6.1.7, A.6.1.8, A.15.2.1

Document Control
GISS Ref: 02.03
Version: V1.1 Re-ordered paragraphs and numbering
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011


03.01 Recruitment

Overview
This document outlines the requirements to be implemented during the recruitment
process of any employees and / or temporary staff. This standard may also be applied to
external parties for additional security.

This standard supports the Global Information Security Policy:

• GISP 03

Target Audience
This standard applies to the recruitment process and is to be read by Human Resources
and Management functions.

Standards
03.03.01 Potential hires shall be required to provide references in accordance with local business and legislation requirements (e.g. right to work, employment references etc.) prior to employment within the Company.

03.03.02 Confidentiality agreements shall be in place for all employees within terms and conditions of employment.

03.03.03 Information security roles and responsibilities shall be written into the terms and conditions of employment for all employees.

03.03.04 Where applicable, additional checks such as criminal records checks, financial checks and qualification checks shall be conducted for roles with higher levels of privilege or access.

03.03.05 Discrepancies or potential security issues arising from security checks or reference checks must be reviewed and approved by senior management before employment can commence.

Guidance
Employees who are to have a role with higher levels of access, or potential access to large amounts of sensitive information (e.g. IT Administrators, financial controllers, application developers, database administrators), may benefit from additional security checks such as police and credit checks, in accordance with HR best practices.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards including those involved in recruitment. Compliance with this standard shall
be monitored internally via compliance programs and security incident reports. Failure to
comply with any Policy or Standard may result in disciplinary action.


Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.6.1.5, A.8.1.2, A.8.1.3

Document Control
GISS Ref: 03-01
Version: V1.1 Corrected error in Overview and guidelines improved
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011


03.02 During Employment

Overview
This document outlines the responsibilities of the Company and those of Authorised Users during employment with the Company.

This standard supports the Global Information Security Policy:

• GISP 03

Target Audience
This standard applies to Managers and Authorised Users.

Standards

Management

03.02.01 All Management responsibilities regarding Information Security shall be clearly defined.

03.02.02 All Authorised Users shall have access to the Global Information Security
Policy and Standards.

Authorised Users

03.02.03 All Authorised Users must comply with the Global Information Security Policy
and Standards and will be made aware that disciplinary action may be taken
in the event of non-compliance.

03.02.04 Each business unit shall have a documented disciplinary process.

Guidance
This standard should be read in conjunction with the Information Security Framework,
where roles and responsibilities are clearly defined.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.8.1.1, A.8.2.3

Document Control
GISS Ref: 03-02
Version: V1.1 Minor correction to 03.02.04
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011


03.03 Training and Awareness

Overview
This standard outlines the Company training and awareness requirements to be provided
to all Authorised Users.

This standard supports the Global Information Security Policy:

• GISP 03

Target Audience
This standard is to be read by Human Resources and Managers.

Standards

Training and Awareness


03.03.01 Information security training and awareness shall be delivered to all
Authorised Users, including contractors and temporary staff on a regular
basis as required by the business unit.

03.03.02 Specific training legally required for certain job roles (e.g. legal and privacy
requirements within call centres) shall be undertaken and records
maintained.

03.03.03 Job specific training may be delivered at management discretion in order to maintain industry recognized certifications, meet new technology requirements, or to meet competency needs.

03.03.04 It is the responsibility of each business unit management team to ensure that a Training and Awareness Programme is implemented in line with the Global Information Security Policy. The design and content of programmes should be verified by the Information Governance Council or its agent to ensure consistency and alignment.

Records
03.03.05 Records for all training and awareness activities delivered shall be
maintained.

Guidance
Methods of training and awareness could include:

o Workshops

o Quiz

o Leaflets and posters

o One to one sessions

o Emails

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.8.2.1, A.8.2.2

Document Control
GISS Ref: 03-03
Version: V1.1 Additional clarity in 03.03.04
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011


03.04 Termination or Change of Employment

Overview
This standard outlines the requirements regarding employees and contractors leaving or
changing roles within the Company.

This standard supports the Global Information Security Policy:

• GISP 03

Target Audience
This standard is to be read by Human Resources and Managers.

Standards
03.04.01 A formal ‘Starters, Movers and Leavers’ process must be in place to include
the following:

a. Human Resources are aware of any employees starting, moving from, or leaving their role within the Company.

b. The IT Department must be informed of any new employees in order to set up IT accounts. The software request process must be followed.

c. The IT Department must be informed of any employee role changes in order to modify/disable IT accounts. When an Authorised User is transferred within the Company, their access to Systems shall be reset to base privileges (minimum access). This includes removal from Windows Active Directory Security Groups and distribution lists and other system accounts. Access to Systems required for their new position must be requested using standard procedures.

d. The IT Department must be informed of any employees leaving their role in order to disable IT accounts.

e. Physical and logical access to buildings and systems is formally requested via the Access Control standards.

03.04.02 Where IT equipment (laptops, notepads, tablets, Smartphones etc.) and physical identity credentials (such as pin code devices, smartcards, photo identity cards etc.) are issued for use by individuals, these must be collected when an employee or contractor leaves the organisation, usually by the leaver’s line manager or supervisor. Where applicable, employees leaving will be requested to complete a Non Disclosure Agreement.


Guidance

The IT Department is the part of the organisation responsible and accountable for
the provision of Information Technology services.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.8.3.1, A.8.3.2, A.8.3.3

Document Control
GISS Ref: 03-04
Version: V1.1 Improved clarity in 03.04.02. Improved definition of IT Department, IT equipment and Keys
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011


03.05 Data Privacy

Overview
This standard outlines the Company requirements regarding protecting and maintaining the privacy of information.

This standard supports the Global Information Security Policy:

• GISP 03

Target Audience
This standard applies to all Company information. It is to be read by all Authorised Users.

Standards
03.05.01 Prevailing data privacy legislation and law in each country, state, area or
region must be applied.

03.05.02 A formal process must be in place to identify new or updated regulatory or statutory requirements regarding privacy. This should be incorporated in the Information Governance framework.

Guidance

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.15.1.3, A.15.1.4

Document Control
GISS Ref: 03-05
Version: V1.1 03.05.02 Improved clarity regarding responsibility
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011


04.01 Information Classification Scheme

Overview
This standard provides the requirements for the classification of information.
This standard supports the Global Information Security Policy:

• GISP 04

Target Audience
This standard is to be read by all Authorised Users.

Standards

General
04.01.01 All Company information will fall into one of four categories of information
classification based upon its confidentiality, integrity and availability.

04.01.02 All information must be treated in accordance with its classification.

04.01.03 When considering the classification of information, appropriate appraisal criteria as defined by Information Security should be used.

Information Classification Scheme


04.01.04 The Company Information Classification Scheme is based upon assessing
the confidentiality, integrity and availability aspects of information. The more
important a particular aspect is to the Company the higher the level of
classification. This is summarised in the table below:

LEVEL   CONFIDENTIALITY            INTEGRITY   AVAILABILITY
0       PUBLIC
1       COMPANY INTERNAL           LOW         LOW
2       CONFIDENTIAL               MEDIUM      MEDIUM
3       RESTRICTED CONFIDENTIAL    HIGH        HIGH

Confidentiality

04.01.05 Access to, and use of, Level 2 (Confidential) and Level 3 (Restricted
Confidential) information is restricted to those Authorised Users with an
immediate need and then only for so long as that need exists and only to the
extent of that need.

04.01.06 All information classified as Level 2 (Confidential) or Level 3 (Restricted Confidential) must be subject to protection at all times.

04.01.07 The Confidentiality aspect of information should be assessed as follows:


Information Classification Levels

Level 0 PUBLIC
Information which can be made available to anyone without exception. It is neither sensitive nor controlled.
Examples: Addresses of Company locations; marketing information

Level 1 COMPANY INTERNAL
Information belonging to the organisation which may be shared outside the Company with proper authorization.
Examples: Internal phone lists, policies, internal publications

Level 2 CONFIDENTIAL
Information which may only be shared on a need to know basis and not disclosed to unauthorised individuals, entities or processes. This includes all commercially or operationally sensitive information or any other information which, if disclosed, could pose a serious risk to one or more parts of the organisation.
Examples: Financial data, account details; Membership records (Non US); Personal medical details (Non US)

Level 3 RESTRICTED - CONFIDENTIAL
Information which must not be shared outside of a defined ‘closed’ group of authorised individuals, entities or processes. This includes high value information for strategic or business reasons.
Examples: Strategic papers; mergers and acquisitions; security systems; Protected Health Information - PHI (US ONLY); Personally Identifiable Information - PII (US ONLY)

04.01.08 When exchanging classified and labelled data with other business units or
third parties, recipients should ensure that conflicts or variances between
classification systems are resolved. Data imported onto Company systems
should be annotated with the approved Company classification scheme and
any conflicting labelling by the originator should be erased.

Integrity

04.01.09 The value of the integrity of information in systems should be assessed by a
simple ‘High, Medium, Low’ assessment:

Integrity Value: LOW
Description: Negligible or Low Impact arising from breach in Integrity
Examples: Internal community web sites

Integrity Value: MEDIUM
Description: Moderate Impact arising from breach in Integrity
Examples: Internal employee work flows

Integrity Value: HIGH
Description: High Impact arising from breach in Integrity
Examples: Customer facing web sites; Treasury systems

Availability

04.01.10 The ‘availability’ value of information in systems should be based upon the
impact of any period of partial or full unavailability:

Availability Value: LOW
Description: Information where the owner is prepared to accept a medium to
long-term loss of availability of information/service
Examples: Internal employee informative web sites

Availability Value: MEDIUM
Description: Information where the owner is prepared to accept a short to
medium term loss of availability of information/service
Examples: Customer informative web sites

Availability Value: HIGH
Description: Information where the service is critical and no or absolutely
minimal loss of availability of information/service is acceptable
Examples: Core Infrastructure systems


Guidance
The value of data and information services has traditionally been based upon an
assessment of three characteristics: Confidentiality, Integrity and Availability.

Confidentiality: preserving authorised restrictions on information access and
disclosure, including means for protecting personal privacy and
proprietary information.
Integrity: guarding against improper information modification or destruction, and
includes ensuring information non-repudiation and authenticity.
Availability: ensuring timely and reliable access to and use of information or an
information system.

These three characteristics are often referred to as the ‘CIA’ of information security.
The table below lists a number of impact areas and data/service traits which should be
considered when conducting an assessment against the three ‘CIA’ values. This list,
whilst not exhaustive, will help set the value assessment in context with the operational
environment.

IMPACT AREA: DEFINITION

Strategic Value: The degree to which information affects or reflects the
business’s current or future strategy. The extent to which that information, if
disclosed to the media or competitors, would seriously disadvantage the Group.

Business Value: The actual or potential value that the information could have to
other organisations. The effect that it could have on the Group’s business if it
were lost or inaccurate.

Fraud Potential: The extent to which the information could be used for gain.

Legal Liability: Where disclosure, deletion or inaccuracy of the information may
subject the Group to legal action.

Compliance: The extent to which the mishandling of data might expose the
organisation to adverse comment or action by regulatory bodies (eg FSA) or trade
organisations (eg PCI).

Embarrassment: The extent to which the information, if disclosed, is or could be
considered newsworthy by the media or special interest groups. Furthermore, where
information, if made public, other than through the Group’s normal publicity
channels, is likely to be subject to misinterpretation or distortion.

Cost of Creation/Reconstruction: Information that requires many hours of computer
and personnel resource to restore should be considered of a higher value than
information that is easily created.

Context: Information becomes more sensitive as it is associated with other
information, such as a PIN being linked with a customer.

Currency: As information becomes older its value may decline.

Quantity: The number of transactions or appearances of sensitive information may
increase the opportunities for attack.

Loss of Information: The risks resulting from the loss or theft of information,
including when it is transported physically.

The definition of ‘Information’ includes, however is not limited to:

• Electronic data
  o Information in Databases, applications etc
  o Email communications
  o Files stored within directories, documents, presentations, spreadsheets etc
  o SMS (text messages)
  o Photographs, videos, images
  o Website content
• Paper based information
  o Printed documents
  o Application forms, receipts
  o Information received via post/ fax
• Information shared orally or visually
  o Presentations
  o Telephone conversations
  o Meetings
  o Conference Calls

Further information regarding the rules for handling information can be found in the
following Global Information Security Standards:
• GISS 4-02 Information Asset Identification and Ownership
• GISS 4-03 Electronic data and information handling
• GISS 4-04 Physical media and paper handling

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.


Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards: 4-02, 4-03, 4-04
ISO 27001 Control Ref(s): A.7.1.2

Document Control
GISS Ref: 04-01
Version: V1.1
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012


04.02 Information Asset Identification and Ownership

Overview

This standard outlines the requirements for the identification and ownership of all
Company information and information assets to ensure that correct classification and
security controls are applied.

This standard supports the Global Information Security Policy:

• GISP 04

Scope

This standard applies to all data and information processed or generated by the
organisation, referred to as Company information. It also applies to information
assets, that is, information that has a tangible value to the Company.

Target Audience

This standard is to be read by all Authorised Users of information and information
assets.

Standards

General

04.02.01 An up-to-date inventory of key information assets shall be maintained.

04.02.02 The inventory must record the value of an information asset according
to its confidentiality, integrity and availability.

Management

04.02.03 Each head of Business Unit or Managing Director is responsible for
identifying information assets in their domain and once identified,
nominating a Data Owner that has management responsibility for each
data group.

Data Owners

04.02.04 Data Owners are responsible for correctly classifying any information
under their control, based upon its value.


04.02.05 Data Owners should ensure that there are periodic, at least annual,
reviews of the information classification.

04.02.06 Data Owners are responsible for ensuring that user access and
privileges to the data are defined and controlled and ensuring
appropriate segregation of duties.

04.02.07 Data Owners are responsible for approving access to the information
assets by internal business individuals/groups, other business units
and third parties.

04.02.08 Data Owners are responsible for confirming the Recovery Point
Objective (RPO) and Recovery Time Objective (RTO) in a formal
Disaster Recovery. These are normally calculated according to the
data value determined by the Data Owner.

04.02.09 Data Owners may appoint a Data Custodian for the data. The Data
Custodian would typically be the manager of the unit that provides
information management services for the data or who maintains the
physical custody of the data.

04.02.10 The Data Custodian should provide the physical and procedural
safeguards necessary to achieve the level of control and availability
specified by the Data Owner.

Guidance

Information Assets

Information assets can take many forms – paper, electronic files, database, emails,
applications etc, and can be used for many different business functions and
processes. This standard applies to those information assets that have a high value
to Bupa in terms of their confidentiality, integrity and availability.

Data Custodians

Normally, the operational requirements of the Data Owner are enacted by a Data
Custodian which may be a role or function. The Data Custodian provides the
physical and procedural safeguards necessary to achieve the level of control and
availability specified by the Data Owner. For example the Data Custodian is
responsible for ensuring that any back-up regime is undertaken in an appropriate
manner and at the frequency specified by the Data Owner.


The organisation of Information Systems and Services within Bupa will often provide
environments where the responsibility for the management of data and information
services is shared across business units and IS functions. In such instances,
consideration should be given to the identification of both an Application Data
Custodian and an Infrastructure Data Custodian. In these circumstances the allocation
of responsibilities should be formally agreed by each business unit/function and
documented by the Data Owner.

Enforcement

All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored internally
via compliance programs and security incident reports. Failure to comply with any
Policy or Standard may result in disciplinary action.

Variations

This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.5.1.2, A.6.1.2, A.6.1.3, A.6.1.4, A.6.1.6,
A.6.1.7, A.6.1.8, A.15.2.1

Document Control
GISS Ref: 4-02
Version: V1.1 Improved definitions and scope
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012


04.03 Electronic Data and Information Handling

Overview

This standard sets out the Company requirements for Authorised Users when
processing, transmitting and storing electronic information.

This standard supports the Global Information Security Policy:

• GISP 04

Scope

This standard applies to all electronic information.

Target Audience

This standard is to be read by all Authorised Users.

Standards

04.03.01 Where practical and appropriate, electronic information should be
labelled according to its classification.

04.03.02 Where information is not labelled it should be treated at least as Level
1 (Company Internal).

04.03.03 All information must be treated in accordance with its classification and
appropriate controls applied to maintain security. This includes
information on display, information storage, access to information and
its disposal or destruction when no longer needed.

Guidance

It is recommended that encryption be employed when sending information classified
as Level 2 and above via email. Encryption is required when sending Level 3 data in
the US.

Enforcement

All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.

Variations

This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.7.2.1, A.7.2.2

Document Control
GISS Ref: 4-03
Version: V1.1 Corrected typographical errors. Improved wording in 04.03.03
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012


04.04 Physical Media and Paper Handling

Overview
This standard sets out the Company requirements for Authorised Users when
processing, transmitting and storing physical information.

This standard supports the Global Information Security Policy:

• GISP 04

Scope
This standard applies to all physical media and paper within the Company. This
includes:
• Records
• Files
• Removable media
  o Memory sticks
  o CDs/DVDs
  o Hard disks

Target Audience
This standard is to be read by all Authorised Users.

Standards
04.04.01 Where practical and appropriate, paper information and physical media
should be labelled according to its classification.

04.04.02 Where information is not labelled it should be treated at least as Level
1 (Company Internal).

04.04.03 All information must be treated in accordance with its classification and
appropriate controls applied to maintain security. This includes
information on display, information storage, access to information and
its disposal or destruction when no longer needed.


04.04.04 Only approved secure courier services will be used to transport media
containing Level 2 (Confidential) or above.

04.04.05 In the event of information becoming lost or stolen, the loss or theft
must be reported using the Incident Reporting process.

Guidance

Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.

Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.7.2.2

Document Control
GISS Ref: 4-04
Version: V1.1 Corrected typographical errors. Improved wording in 04.04.03
Release date: 22 Nov 2011
Next review: Dec 2012


04.05 Secondary Use of Information

Overview
This standard provides the requirements for the secondary use of information.
This standard supports the Global Information Security Policy:

• GISP 04

Target Audience
This standard is to be read by all Authorised Users and applies to anyone developing
applications or analysing data.

Standards
04.05.01 Data and information may only be used for the purpose for which it was
supplied and as defined by the Data Owner.

Secondary use of information by IT functions

04.05.02 Production and/or live data shall not be used for testing purposes unless
approved by Information Security, the Data Owner, and Legal/Privacy.

04.05.03 Personal details of Company employees or customers must not be used in
development and testing environments. This includes Personally Identifiable
data (as defined by applicable Privacy legislation); payment card details (in
accordance with Payment Card Industry standards) and other such sensitive
data which could cause loss or damage if mishandled.

Secondary use of information by Business Units

04.05.04 Unobfuscated personal details of Company employees or customers must
not be used for statistical analysis without the express permission of the
Data Owner and Legal/Privacy.

Guidance

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards: Data Protection Act 1988 (UK)
ISO 27001 Control Ref(s): A.12.4.2

Document Control
GISS Ref: 04-05
Version: V1.1 Improved wording in 04.05.03 and 04.05.04
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012


05.01 Identifying and Reporting Information Security Incidents

Overview
This standard details the requirements for the reporting of information security incidents.
This standard supports the Global Information Security Policy:

• GISP 05

Target Audience
This standard is to be read by all Authorised Users.

Standards

Incident Reporting
05.01.01 It is the responsibility of each Business Division & Business Unit including
Group functions to establish local operating procedures to ensure that any
event, or potential event, which adversely affects the confidentiality, integrity
and / or availability of Company information and / or information systems is
reported immediately.

05.01.02 All Authorised Users are required to report events or incidents affecting
information security or compliance to information security policy in
accordance with local operating procedures.

05.01.03 All information security incidents, whether actual or suspected, must be
promptly reported in accordance with local Information Security
arrangements.

Guidance
This standard applies to all potential or actual information security incidents, which may
include:

Compromise of system integrity: Unauthorised access to Company systems
Denial of system resources: Unable to access Company systems/ applications
Worm or virus attacks: Virus alerts
Malicious use of system resources: Use of Company resources to commit crime, cause
offense e.g. sending of illicit email, accessing illegal websites
System damage: Physical damage to computer equipment; Environmental damage to
computer equipment
Loss or theft of equipment: Lost or stolen laptops, Blackberry, PDAs, mobile
phones, memory sticks, and any other computer equipment containing Company
information.
Software vulnerability: Notification of vulnerabilities in software
Violation of policy: Breach of information security policy or standards

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.13.1.1, A.13.1.2

Document Control
GISS Ref: 05-01
Version: V1.1 Improved wording in 05.01.01 and 05.01.02 to clarify Information
Security incidents
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012


05.02 Managing Information Security Incidents

Overview
This standard outlines the requirements for local information security teams when
managing potential or actual information security incidents.

This standard supports the Global Information Security Policy:


• GISP 05

Target Audience
This standard is to be read by all central and local information security management.

Standards

Incident Management
05.02.01 It is the responsibility of each Business Division & Business Unit including
Group functions to establish local operating procedures for managing
security incidents in accordance with the requirements of the Global
Information Security Policy and Standards.

Incident Reporting
05.02.02 All reported information security incidents must be recorded and an audit trail
maintained of relevant materials.

05.02.03 When a security incident is reported, local Information Security shall:

a. Identify and classify the incident.
   1) Assess the impact and magnitude of the incident.
   2) Assess the urgency of the incident.
b. Determine if a crime has occurred. Local authorities have primary
   investigative responsibility for criminal incidents.
c. Escalate to Business Management and the Head of Information
   Governance if needed. The Company Press Office may need to be
   informed of major incidents.
d. Investigate the incident.
e. Report recommendation and remediation for the incident to the proper
   Management. Develop a corrective action plan for future mitigation.

Incident Investigation
05.02.04 Only trained employees may carry out investigations.


05.02.05 On completion of every investigation, an investigation report is to be
submitted by the investigator in accordance with the Information Governance
procedures and held centrally in a secure repository. Information security
investigation records must be retained for a period of at least three years or
in compliance with local regulatory or statutory requirements.

05.02.06 For all information security incidents, an Investigation Record must be
maintained throughout the conduct of the investigation and the resolution of
the incident.

05.02.07 All investigations must be classified in accordance with the information
classification scheme.

05.02.08 Investigation records must include at a minimum:

a. Nature of the incident.
b. When, how and who discovered the incident.
c. To whom and when was the incident escalated.
d. Details of actions taken, when, and by whom together with results.
e. Details of any emergency measures implemented to contain the
   exposure.
f. Details of agreed permanent solution.
g. Impact assessment.

05.02.09 All investigations will be treated in confidence and disclosure only made with
authorisation from Information Security. Security investigations must
address the following:

a. What happened and its impact.
b. Why it happened and how.
c. What needs to take place immediately to prevent further damage and
   facilitate initial recovery.
d. What needs to be done in the longer term to prevent a further
   occurrence.
e. Identify if any person is responsible and if disciplinary action is
   necessary.

Evidence
05.02.10 Any paper evidence must be kept securely with a record of the individual
who found or generated the document, where the document was found,
when it was found or generated and who witnessed the discovery. This
information must be recorded within an evidence or investigation log.

05.02.11 Any original documentation retained as evidence must not be tampered
with.

05.02.12 Where possible, electronic evidence (hard disks and in memory) shall be
forensically secured to preserve evidence. This may require the assistance
of specialist third party contractors.

05.02.13 All evidence, whether physical or electronic, must attempt to maintain a
chain of evidence and be recorded to be used in a court of law if required.

Non-Retaliation
05.02.14 Retaliation, discrimination, or intimidation shall not be permitted against an
individual, an Authorised User, a business partner, a client member, or any
other person or organization, for reporting a Privacy or Security Incident; for
filing a report or complaint with government authorities; or for participating in
any investigation, legal proceeding or review.

Guidance
This standard applies to all potential or actual information security incidents, which may
include:

• Compromise of system integrity.
• Denial of system resources.
• Worm or virus attacks.
• Illegal access to the system (either a penetration or intrusion).
• Malicious use of system resources.
• Any kind of damage to the system initiated inside or outside of the Company.
• Loss or theft of equipment.
• Notification of a software vulnerability that affects a production application.
• Any activities that violate information security policy are considered an incident.

Local information security management operating procedures should consider the
following:

• Advise the Security Department
• Create an Information Security Incident record
• Investigate the incident
• Identify Corrective Action
• Implement Corrective Action
• Report Produced
• Appropriate documentation updated
• Company Management advised
• Company staff advised (e.g. procedural changes, additional training)

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.13.2.1, A.13.2.3

Document Control
GISS Ref: 05-02
Version: V1.1 Improved wording in 05.02.02; 05.02.03 d and 05.02.09 e
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012


05.03 Managing Information Security Improvement

Overview
This standard details the requirements for the management of improvements to
information security following strategic change or information security incidents.

This standard supports the Global Information Security Policy:

• GISP 05

Target Audience
This standard is to be read by all Managers.

Standards
05.03.01 Information security incidents must be identified, responded to, recovered
from, followed up and closed.

05.03.02 Following each investigation, where possible, a root cause should be
determined.

05.03.03 Following each investigation, where appropriate, an action plan should be
identified and documented.

05.03.04 Any actions that cannot be implemented immediately shall be added to the
Company Risk Register which is managed by Information Governance.

05.03.05 Action plans shall be reviewed at regular intervals to ensure they are
implemented in a timely manner.

05.03.06 Information contained within the information security incident databases or
incident logs shall be analysed on a regular basis in order to:

a. Identify trends or patterns.
b. Identify areas of concern.
c. Analyse where preventative action could be taken to reduce the
   likelihood of future incidents.

05.03.07 Local Information Security will produce reports on trends or patterns and
submit them to the appropriate Information Governance meetings for
analysis.

Guidance

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.13.2.2

Document Control
GISS Ref: 05-03
Version: V1.1 Improved wording in 05.03.04 and 05.03.07
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Approval date: 22 Nov 2011
Next review: Dec 2012


06.01 User Identification and Registration

Overview
This document outlines the Company standard for the technical identification and
registration of Authorised Users.

This standard supports the Global Information Security Policy:

• GISP 06

Target Audience
This standard applies to all Company systems. It is to be read by all IT & Technical functions
within the Company.

Standards

Authorised Users
06.01.01 It is the responsibility of the Data Owner to define the rules for granting
access and permissions requirements to systems under their control.

06.01.02 All users once authorised to access systems and applications will be
provided a unique User Identification.

06.01.03 Each user is individually accountable for their actions within systems and
applications by virtue of their unique User Identification.

06.01.04 Access privileges and rights shall be set to the least privilege required for the
job role.

Shared Accounts

06.01.05 Generic accounts are not permitted for use by individuals

06.01.06 Shared accounts may only be authorised for use by Information Security in
exceptional circumstances where individual accountability is not required or
is controlled by other means, such as student accounts in a classroom
setting.

06.01.07 System accounts which are used by automated processes, as opposed to
people, must be carefully controlled.

Guidance

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/
standards:
ISO 27001 Control Ref(s): A.11.2.1, A.11.2.2

Document Control
GISS Ref: 06-01
Version: V1.1
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

06.02 System and Electronic Information Access Management

Overview
This document outlines the Company standard for the technical management of access to
systems and electronic information, including audit and logging data.

This standard supports the Global Information Security Policy:

• GISP 06

Target Audience
This standard is to be read by all IT & Technical functions within the Company.

Standards

Clock Synchronisation
06.02.01 System clocks shall be synchronised to a consistent and accurate time
source.

Audit, Monitoring and Logging

06.02.02 The monitoring requirements for individual systems shall be determined
during system design or major changes and in accordance with its
classification.

06.02.03 Controls must protect against unauthorised changes to log information,
including:

a. Alterations to the message types that are recorded.

b. Log files being edited or deleted.

c. Storage capacity of the log file media being exceeded.

06.02.04 Audit logs must be archived / retained / disposed of in line with relevant
statutory or regulatory requirements.

06.02.05 System administrator and system operator activities shall be logged. Logs
shall include:

a. The time at which an event (success or failure) occurred.

b. Information about the event (e.g. files handled) or failure (e.g. error
occurred and corrective action taken).

c. Which account and which administrator or operator was involved.

d. Which processes were involved.

e. The change management record associated with the administrative
access.

06.02.06 System administrator and operator logs shall be reviewed on a regular basis.

06.02.07 Outside of the legal and regulatory requirements for data retention, audit
logs recording user activities, exceptions, and information security incidents
shall be collected and kept for at least 3 months to assist in future
investigations and access control monitoring.

Important Systems
06.02.08 Important Systems must be housed in a secure computing environment.

Guidance
Clocks should be synchronised using NTP (Network Time Protocol).

For monitoring and logging, areas that should be considered include:

• Authorised access, including detail such as:
  o The user ID.
  o The date and time of key events.
  o The types of events.
  o The files accessed.
  o The program or utilities used.
  o All privileged operations, such as:
    - Use of privileged accounts, e.g. supervisor, root, administrator.
    - System start-up and stop.
  o I/O device attachment or detachment.
  o Unauthorised access attempts, such as:
    - Failed or rejected user actions.
    - Failed or rejected actions involving data and other resources.
  o Access policy violations and notifications for network gateways and firewalls.
  o Alerts from proprietary intrusion detection systems.
  o System alerts or failures, such as:
    - Console alerts or messages.
    - System exceptions.
    - Network management alarms.
    - Alarms raised by the access control system.
  o Changes to, or attempts to change, system security settings and controls.

• How often the results of monitoring activities are reviewed should depend on the risks
involved. Risk factors that should be considered include the:
  o Criticality of the application processes.
  o Value, sensitivity, and criticality of the information involved.
  o Past experience of system infiltration and misuse, and the frequency of
vulnerabilities being exploited.
  o Extent of system interconnection (particularly public networks).
  o Logging facility being de-activated.
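As an added example, not part of this Standard and not code from any Company system, the following Python script reviews administrator and operator log records against the fields required by 06.02.05 (time and outcome, event detail, account and operator, process, change record) and checks that the retained window satisfies the retention floor in 06.02.07, in the way a regular review under 06.02.06 might. The key=value record layout, the field names and the sample records are constructed for illustration; 90 days is the interpretation used here for "at least 3 months".

```python
"""Review administrator/operator activity logs against 06.02.05 and 06.02.07.
Added example, not Company code: the key=value layout, field names and
sample records are constructed for illustration."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# One required field per item of 06.02.05 (a)-(e); the names are assumptions.
REQUIRED_FIELDS = ("ts", "outcome", "event", "account", "operator", "process", "change")

# 06.02.07 asks for at least 3 months; 90 days is the interpretation used here.
RETENTION_FLOOR = timedelta(days=90)

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not real data). Line 3 lacks a change record,
# line 4 is not a log record at all.
SAMPLE_LOG = """\
ts=2011-08-01T02:15:04Z outcome=success event="backup job run" account=svc_backup operator=jsmith process=bacula change=CHG-0001
ts=2011-09-14T10:02:33Z outcome=failure event="config write denied; alert raised" account=root operator=akhan process=sshd change=CHG-0042
ts=2011-10-30T23:59:59Z outcome=success event="user added to group" account=admin operator=akhan process=usermod
garbage line that did not come from the logging facility
ts=2011-11-05T08:00:00Z outcome=success event="patch applied" account=root operator=jsmith process=apt change=CHG-0100
"""


def parse_record(line: str) -> dict[str, str] | None:
    """Parse one key=value record; None if the line is not a record."""
    fields = {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}
    return fields if "ts" in fields else None


def missing_fields(record: dict[str, str]) -> list[str]:
    """Required fields that are absent or empty in a record."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def review_log(text: str, now_iso: str) -> dict:
    """Summarise a log for the regular review in 06.02.06: count records,
    list incomplete and unparseable lines, and check that the retained window
    (oldest record up to 'now') reaches the retention floor."""
    now = datetime.strptime(now_iso, TS_FORMAT).replace(tzinfo=timezone.utc)
    incomplete: list[tuple[int, list[str]]] = []
    unparseable: list[int] = []
    timestamps: list[datetime] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            unparseable.append(lineno)
            continue
        missing = missing_fields(rec)
        if missing:
            incomplete.append((lineno, missing))
        ts = datetime.strptime(rec["ts"], TS_FORMAT).replace(tzinfo=timezone.utc)
        timestamps.append(ts)
    oldest = min(timestamps) if timestamps else None
    covered = (now - oldest) if oldest else timedelta(0)
    return {
        "records": len(timestamps),
        "incomplete": incomplete,
        "unparseable": unparseable,
        "covered_days": covered.days,
        "retention_ok": covered >= RETENTION_FLOOR,
    }


if __name__ == "__main__":
    summary = review_log(SAMPLE_LOG, "2011-11-10T00:00:00Z")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Unparseable lines are reported rather than silently dropped, since a run of them is one sign of the "logging facility being de-activated" risk factor listed above; incomplete records point back to the clause whose field is missing.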

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/
standards:
ISO 27001 Control Ref(s): A.10.10.1, A.10.10.2, A.10.10.6, A.11.6.1,
A.11.6.2

Document Control
GISS Ref: 06-02
Version: V1.1 Corrected error in Target Audience.
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

06.03 Clear Desk

Overview
This document outlines the requirements for the physical access to physical media and
paper information, and ensures that it is securely stored and locked away when not in use.

This standard supports the Global Information Security Policy:

• GISP 06

Target Audience
This standard applies to all Company information and is to be read by all Authorised
Users.

Standards
06.03.01 All paper documents must be stored appropriately according to their
classification.

06.03.02 Paper information or portable electronic media containing Level 2
(Confidential) and Level 3 (Restricted Confidential) information must not be
left unattended and unprotected on desks or in general office areas.

06.03.03 Paper information or portable electronic media containing Level 2
(Confidential) and Level 3 (Restricted Confidential) information must not be
left on desks or in general office areas overnight.

06.03.04 Paper documents or portable electronic media must not be left in meeting
rooms and whiteboards should be cleared upon leaving the room.

06.03.05 Laptops, memory sticks, CDs, DVDs and disks containing company
Information shall be locked away securely when not in use.

Guidance
Portable electronic media describes any medium or device which can easily be carried
and which can store data or information. This includes laptops, notebooks, tablets,
memory sticks, thumb drives, external hard drives, CDs, DVDs, cameras, SD cards, XD
cards and smartphones.

The data held on the hard discs of portable devices and on portable media should be
encrypted.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/
standards:
ISO 27001 Control Ref(s): A.11.3.2, A.11.3.3

Document Control
GISS Ref: 06-03
Version: V1.1 Replaced “removable media” with “portable media” in 06.03.02-05
Added additional guidance about portable media
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

07.01 Electronic Communications – Enterprise Based Services and Systems

Overview
This standard provides the requirements for the use of electronic communication systems
(e-mail, voice, video, social networking, etc) with regards to enterprise based services.

This standard supports the Global Information Security Policy:

• GISP 07

Target Audience
This standard is to be read by all Authorised Users.

Standards
General

07.01.01 The Company maintains electronic communication systems for business
purposes both internally and externally. These systems, including the
equipment and data stored in them, are and remain the property of the
Company.

07.01.02 Company-provided electronic communication systems shall only be used for
Company approved activities. The use of Company systems for reasonable
personal use may be permitted by an Authorised User’s line manager.

07.01.03 The Company’s electronic communication systems shall not be used to
participate in, encourage, or forward internally or externally intimidating,
hostile, or offensive material on the basis of race, colour, creed, religion,
national origin, age, sex, physical or mental disability, sexual orientation, or
other basis prohibited by law.

07.01.04 The Company reserves the right to store and review any communications
composed, sent or received through its electronic communication systems in
accordance with any regulations and law enforceable in the hosting nation.

Electronic Messaging (E-Mail)

07.01.05 The communication of Company Level 0 (Public) and Level 1 (Internal)
information internally and externally over the Company’s electronic
messaging systems is permitted.

07.01.06 Company Level 2 (Confidential) and Level 3 (Restricted Confidential)
information shall only be communicated and distributed, internally and/or
externally, by secured (encrypted) means, unless otherwise authorised by
Legal/Privacy and line management acting as agents of the Data Owner.

07.01.07 The Company is responsible for providing secure messaging facilities.

Voice

07.01.08 Systems and protocols used to communicate, process, and store Level 2
and Level 3 voice information must meet the same level of security and
protection as the systems used to protect Level 2 and Level 3 electronic
information.

07.01.09 All users shall take reasonable care to maintain the confidentiality of Level 2
and Level 3 information when communicated over internal and external
electronic communication networks.

Video

07.01.10 Level 2 and Level 3 video data shall not be communicated unencrypted over
unsecured private or public networks (e.g. the internet).

Faxes

07.01.11 The Company shall establish and implement appropriate processes to
secure and protect Level 2 and Level 3 information communicated internally
and/or externally when using faxing services.

Internet and Social Networking

07.01.12 Unless required as part of a job role, access to the public internet and public
social networking services is a privilege authorised by the line manager,
and only then in business units where such activities are permitted.

07.01.13 Posting, publishing and/or disclosing information on public internet and
public social networking sites that could bring the Company into disrepute is
forbidden.

07.01.14 Posting, publishing and/or disclosing Company Level 2 (Confidential) and
Level 3 (Restricted Confidential) information on public social networks is
forbidden.

07.01.15 Access to intimidating, hostile, or offensive material on the basis of race,
colour, creed, religion, national origin, age, sex, physical or mental disability,
sexual orientation, or other basis prohibited by law is forbidden.

File Transfer

07.01.16 Electronic transfer of Level 2 (Confidential) and Level 3 (Restricted
Confidential) information internally and/or externally shall utilise secure
transmission methods approved by Information Security.

Guidance

SSL/TLS and SSH are examples of encrypted transport protocols, and RSA, 3DES and AES
are examples of encryption algorithms. FTPS (FTP over SSL/TLS) and SFTP (file transfer
over SSH) are examples of secure file transfer protocols, and PGP is an example of
encrypting a file before it is transferred.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or variation to this standard,
then the variation must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/
standards:
ISO 27001 Control Ref(s): A.10.8.5, A.11.6.2

Document Control
GISS Ref: 07-01
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

07.02 Company Provided Mobile Device Security

Overview
This document outlines the requirements for the protection of Company provided mobile
devices.

This standard supports the Global Information Security Policy:

• GISP 07

Target Audience
This standard should be read by all Authorised Users and applies to Company provided
mobile devices, including:

• Laptops

• PDAs

• Blackberry / iPhone

• Tablet devices such as iPad

Standards
07.02.01 The Company provides mobile devices for Company business purposes.
Whilst not prohibited, any personal use must be limited and reasonable and
must not in any way interfere with Company business use.

07.02.02 Mobile electronic devices such as laptops, cameras, tablets etc. must be
locked away securely and, if possible, out of sight when not in use.

07.02.03 When in use and in transit, mobile devices must remain under the direct
control of the owner at all times.

07.02.04 Unauthorised Users must not be allowed to use Company mobile devices.

07.02.05 Device timeout and holster lockout features which require a pin code or
password to unlock should be considered to prevent unauthorised use.

Guidance

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/
standards:
ISO 27001 Control Ref(s): A.11.7.1, A.11.4.2

Document Control
GISS Ref: 07-02
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

07.03 Multifunctional Devices

Overview
This document outlines the Company standards for the protection of multifunctional
devices. Multifunctional devices present a number of risks to the organisation through
diverse storage and network capabilities that have the potential to undermine

This standard supports the Global Information Security Policy:

• GISP 07

Target Audience
This standard applies to all multifunctional devices including printers, photocopiers,
scanners and fax machines. It is to be read by all Authorised Users.

Standards
07.03.01 A local risk assessment must be carried out to assess the capabilities of
each device, the environment within which it is to be used and the controls
required to mitigate the risks.

07.03.02 Procurement, deployment and configuration procedures must provide the
same assurances for information security as those adopted for traditional
networked computing devices.

07.03.03 Authentication and authorisation to local and networked functions through
the device, whether scan, e-mail, fax or data storage, must be commensurate
with those provided through traditional computing devices on the host
network.

07.03.04 Local access to the device should be controlled. This could include Swipe
cards, PIN or passwords.

07.03.05 All fax and e-mail communication directly from the device should be
attributable to an individual Authorised User or sender.

07.03.06 All e-mail communication directly from the device to external addresses
outside of the Company must be attributable to an individual Authorised User
or sender.

07.03.07 The use of device generic e-mail accounts should be avoided unless
mitigating controls are in place.

07.03.08 Remote support arrangements are to be properly controlled so as not to
compromise the network or data stored locally on the device.

07.03.09 For Sensitive Areas, consideration should be given to the provision of
Company laptops to enable local support and connection to the asset by
support engineers through a trusted Company device.

07.03.10 When replaced or disposed of, all non-volatile storage, in particular hard
drives, are to be disposed of in an approved secure manner.

07.03.11 Support and maintenance contracts must make provision for the secure
procurement, maintenance and disposal of multifunctional devices.

07.03.12 Documents must not be left unattended on printers, photocopiers and fax
machines.

Guidance

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/
standards:
ISO 27001 Control Ref(s): A.7.2.2

Document Control
GISS Ref: 07-03
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

07.04 Connecting Non-Company Equipment

Overview
This document outlines the Company standard for the connection of non-company
equipment to Company systems.

This standard supports the Global Information Security Policy:

• GISP 07

Target Audience
This standard applies to all Company Infrastructure and equipment. It is to be read by all
Authorised Users.

Standards
07.04.01 A risk assessment must be conducted and regularly reviewed by the local
Information Security Council for each Company private network to determine
local controls needed to protect it from un-trusted devices connecting to that
network.

07.04.02 Where appropriate, technology shall be used to detect unauthorised devices
connected to a Company private network.

07.04.03 Persons acting as agents of a Data Owner or Information Security are
authorised to immediately disconnect any device which is or seems to be a
threat to the security of the Company private network.

Guidance
See also Removable Storage Device Standards.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/ standards: 08-04 Removable Storage Device Standard
ISO 27001 Control Ref(s): A.10.8.5, A.11.6.2

Document Control
GISS Ref: 07-04
Version: V1.1 Clarification of risk assessment needs in 07.04.01
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

07.05 Wireless Connection

Overview
This document outlines the Company standard for the installation and use of wireless
networks. This standard supports the Global Information Security Policy:

• GISP 07

Target Audience
This standard applies to all Company wireless networks, including the corporate and guest
networks. It is to be read by all IT & Technical functions within the Company.

Standards

Approved Technology
07.05.01 All Company wireless networks must be approved and implemented by the
Company’s respective local Information Security and IT divisions.

07.05.02 All wireless access points (WAP) and base stations connected to the
company network shall be documented and subject to periodic penetration
tests and audits.

Physical Security
07.05.03 All wireless devices shall be protected against theft, unauthorised use, or
damage.

07.05.04 Access points (AP) and related equipment supporting wireless networks
shall be physically located within secured areas where access is restricted to
authorised personnel.

07.05.05 The reset function on access points shall only be accessible to approved and
authorised personnel.

Network Security
07.05.06 Company wireless network access points shall be logically segmented from
the internal wired Local Area Network (LAN) by a gateway device.

07.05.07 Where feasible, Company provided guest or hotel wireless access points
shall be physically and/or logically segregated from the company’s internal
wired LAN/WAN.

07.05.08 The service set identifier (SSID), administrator user ID, password and Wi-Fi
Protected Access (WPA2 – 802.11i) keys shall be changed from the default
values.

07.05.09 The SSID shall be configured such that it does not contain any identifying
information about the Company. In addition, the SSID shall not contain
characters that indicate the location of the wireless LAN access point or any
other identifying name.

07.05.10 The SSID broadcast function should be disabled to ensure the client SSID
matches that of the access point. The hotel wireless network SSID can be
broadcast.

07.05.11 Devices shall only connect to the wireless LAN when a valid SSID has been
provided. In addition, devices connecting to the company corporate wireless
network shall have anti-virus and or personal firewalls installed.

07.05.12 AP “beacon frame” interval transmissions shall be set to the highest value to
delay the interval frequency used to announce and identify the AP.

07.05.13 Access Points shall be configured with complex passwords to access the
administrative features.

Authentication
07.05.14 Wireless access for company employed personnel to the company’s
corporate network shall be authenticated using the company’s local
network authentication services (e.g. Active Directory).

07.05.15 Guest or hotel wireless access services shall employ open
authentication using manual or automated username and password
credentials generated at the request of a company sponsor.

07.05.16 Additional authentication mechanisms shall also be established
through such technologies as SSL, SSH or VPN when a LAN is
extended or accessed via a third party network using wireless
technology.

Encryption
07.05.17 802.11i (WPA2) compliant encryption shall be enabled using the AES
encryption standard or better and no less than 128 bit key length.

07.05.18 WPA2 (802.11i) encryption must use Counter Mode with Cipher
Block Chaining Message Authentication Code Protocol (CCMP) or
other IEEE approved key exchange mechanisms.

07.05.19 End-to-end encryption across both 802.11 wireless and wired
networks shall, in addition to WPA2 (802.11i), ensure that data
transmitted across the networks is encrypted using proven
encryption protocols such as SSL, SSH, IPSEC and VPN tunnels.

07.05.20 If Pre-Shared Keys (PSK) are employed, they shall be strong in
nature, randomly generated and redistributed at regular intervals
(e.g. quarterly or annually).

Wireless System Management
07.05.21 SNMP shall be disabled if not required for network management
purposes. Should it be required for network management purposes,
appropriate access controls shall be implemented (e.g. to prohibit
wireless devices from requesting and retrieving information).

07.05.22 Should SNMP be required for dynamic reconfiguration of access
points to address AP failures and/or rogue access points, the SNMP
protocol used shall adhere to the latest SNMP version standard and
take place on the wired side of the network.

07.05.23 Pre-defined community strings such as “public” and “private” shall
be removed.

07.05.24 IEEE 802.11 wireless devices shall not be used to manage other
systems on the network unless otherwise authorised to do so.
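As an added example, not Company code and not any vendor's configuration format, the following Python script audits a constructed access-point configuration export against the clauses above that can be checked from configuration alone: default SSID and administrator credentials (07.05.08), an SSID that identifies the organisation or site (07.05.09), administrative password complexity (07.05.13), WPA2 with AES and at least a 128 bit key (07.05.17), a CCMP cipher (07.05.18), pre-shared key strength (07.05.20), and SNMP version and community strings (07.05.22, 07.05.23). The "key = value" layout, key names, vendor default lists, identifying-word list and the strength thresholds are this example's own assumptions.

```python
"""Audit an access-point configuration export against GISS 07-05 clauses.
Added example: the 'key = value' layout, key names, vendor default lists,
identifying-word list and strength thresholds are constructed assumptions."""
import math
import re
from collections import Counter

# Assumed vendor defaults that 07.05.08 requires to be changed.
DEFAULT_SSIDS = {"default", "linksys", "wireless"}
DEFAULT_ADMIN_USERS = {"admin", "root"}
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password"}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}  # 07.05.23
# Placeholder words that would identify the organisation or site (07.05.09).
IDENTIFYING_WORDS = ("company", "hq", "floor", "london", "office")

MIN_KEY_BITS = 128       # 07.05.17
MIN_ADMIN_PW_LEN = 14    # assumed threshold for "complex" (07.05.13)
MIN_PSK_LEN = 20         # assumed thresholds for "strong" (07.05.20)
MIN_PSK_ENTROPY_BITS = 60

# Constructed exports (not taken from any real device).
WEAK_CONFIG = """\
ssid = CompanyHQ-Floor3
admin_user = admin
admin_password = admin
security = WPA
cipher = TKIP
key_bits = 64
psk = password1
snmp = on
snmp_community = public
snmp_version = 2c
"""

GOOD_CONFIG = """\
# values chosen for the example only
ssid = bk7q2m
admin_user = netops_ap_mgr
admin_password = Tr!ckyPassphrase$2011x
security = WPA2
cipher = AES-CCMP
key_bits = 256
psk = 9vK!mQ2p$Lz8wE4rT7yU1aB3
snmp = off
"""


def parse_config(text):
    """Parse 'key = value' lines (comment lines start with '#') into a dict."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip().lower()] = value.strip()
    return cfg


def entropy_bits(secret):
    """Shannon entropy of the characters times length: a rough strength score."""
    if not secret:
        return 0.0
    n = len(secret)
    return -sum(c / n * math.log2(c / n) for c in Counter(secret).values()) * n


def is_complex(password, min_len):
    """At least min_len characters drawn from three of four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    return len(password) >= min_len and sum(bool(re.search(p, password)) for p in classes) >= 3


def audit(cfg):
    """Return (clause, finding) pairs for each requirement the config misses."""
    findings = []
    ssid = cfg.get("ssid", "").lower()
    if ssid in DEFAULT_SSIDS:
        findings.append(("07.05.08", "SSID is a vendor default"))
    if any(word in ssid for word in IDENTIFYING_WORDS):
        findings.append(("07.05.09", "SSID reveals the organisation or location"))
    if cfg.get("admin_user", "").lower() in DEFAULT_ADMIN_USERS:
        findings.append(("07.05.08", "administrator user ID is a default"))
    admin_pw = cfg.get("admin_password", "")
    if admin_pw in DEFAULT_ADMIN_PASSWORDS:
        findings.append(("07.05.08", "administrator password is a default"))
    elif not is_complex(admin_pw, MIN_ADMIN_PW_LEN):
        findings.append(("07.05.13", "administrator password is not complex"))
    if cfg.get("security", "").lower() != "wpa2":
        findings.append(("07.05.17", "802.11i (WPA2) is not enabled"))
    if cfg.get("cipher", "").lower() not in ("aes", "ccmp", "aes-ccmp"):
        findings.append(("07.05.18", "cipher is not AES/CCMP"))
    if int(cfg.get("key_bits", "0") or 0) < MIN_KEY_BITS:
        findings.append(("07.05.17", "key length is below 128 bits"))
    psk = cfg.get("psk", "")
    if psk and (len(psk) < MIN_PSK_LEN or entropy_bits(psk) < MIN_PSK_ENTROPY_BITS):
        findings.append(("07.05.20", "pre-shared key is weak"))
    if cfg.get("snmp", "off").lower() == "on":
        if cfg.get("snmp_community", "").lower() in DEFAULT_SNMP_COMMUNITIES:
            findings.append(("07.05.23", "SNMP community string is a pre-defined default"))
        if cfg.get("snmp_version", "") != "3":
            findings.append(("07.05.22", "SNMP is not at the latest version (v3)"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("good", GOOD_CONFIG)):
        print(name, audit(parse_config(text)) or "compliant")
```

Each finding carries the clause number so the output can be filed against the standard during the periodic audits required by 07.05.02; the physical, segmentation and beacon-interval clauses need a site visit or controller check and are deliberately not covered.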

Guidance
Prior to granting access to visitors using the guest wireless network, a prompt screen
could be in place for the acceptance of the Company terms and conditions, e.g. “I have
read and accept Company terms and conditions when using this wireless network”.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/
standards:
ISO 27001 Control Ref(s): A.10.6.1

Document Control
GISS Ref: 07-05
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

08.01 Company Laptops

Overview
This standard outlines the Company requirements for the protection of Company Laptops.
This standard supports the Global Information Security Policy:

• GISP 08

Target Audience
This standard applies to all Company laptop computers. It is to be read by all Authorised
Users.

Standards
08.01.01 Only Company provided laptops are automatically authorised for use on
Company networks.

08.01.02 Laptops must be secured when not in use.

08.01.03 Laptops must remain under the direct control of the owner at all times.

08.01.04 It is the responsibility of the laptop keeper to safeguard its physical security
at all times, particularly when off Company premises.

08.01.05 The keeper of the laptop must take all reasonable steps to ensure that
security software as provided by the Company is up to date and operating
correctly. This includes anti-virus and encryption software.

08.01.06 A keeper of a laptop who is able to make changes to configuration settings
must take all reasonable steps to ensure that such modifications are
authorised and do not compromise or hamper security, operations or
support. Disabling antivirus and other security software is specifically
prohibited.

08.01.07 Company laptops may not be used or accessed by unauthorised Users.

08.01.08 The use of wireless hotspots is permitted. However, access to Company
data, systems and resources must be via the Company approved VPN.

08.01.09 Laptop hard disks shall be encrypted.

Guidance
• A lost, stolen or missing laptop must be reported straight away in accordance with
Security Incident procedures.
• Wherever possible, you should not leave Company laptops in cars.
• Laptops should be stored out of sight if being left unattended in cars or employee
homes.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/
standards:
ISO 27001 Control Ref(s): A.9.2.1, A.11.7.1

Document Control
GISS Ref: 08-01
Version: V1.1 Additional guidance about lost, stolen and missing laptops
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

08.02 Digital Cameras and Recording Devices

Overview
This document outlines the Company requirements for the authorised use of digital
cameras and recording devices.

This standard supports the Global Information Security Policy:

• GISP 08

Target Audience
This standard applies to Company digital cameras and recording devices. It should be
read by all Authorised Users.

Standards
08.02.01 Only Authorised Users with approval from Business Managers shall be
permitted to use digital cameras and recording devices within the Company.

08.02.02 Digital cameras and recording devices should not be used in a manner
which may cause offense or in a manner inconsistent with Information
Classification standards.

08.02.03 Digital cameras and recording devices must be used within the constraints of
any legal and regulatory requirements. These may differ locally.

08.02.04 All Company owned devices shall be stored securely when not in use.

Guidance

A lost, stolen or missing Company provided device must be reported straight away in
accordance with Security Incident procedures.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.8.1.3

Document Control
GISS Ref: 08-02
Version: V1.1 Additional guidance about lost, stolen and missing devices
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

08.03 Mobile Devices

Overview
This standard outlines the Company requirements for the protection of mobile
devices.

This standard supports the Global Information Security Policy:

• GISP 08

Target Audience
This standard applies to mobile devices within the Company and is to be read by all
Authorised Users.

Standards
08.03.01 Company phones, laptops, and other mobile devices containing Company
information shall be secured when not in use.

08.03.02 It is the responsibility of designated owners of Company phones, laptops,
and other mobile devices to safeguard their physical security at all times, in
particular when off Company premises.

08.03.03 Mobile devices must be kept under the direct control of the owner at all
times.

08.03.04 Devices such as PDAs, BlackBerrys and iPhones shall have PIN codes enabled.

08.03.05 Unauthorised Users are not permitted to access Company equipment.

08.03.06 The use of wireless hotspots is permitted; however, access to Company data,
systems and resources must be via the Company approved VPN.

Guidance
A lost, stolen or missing Company provided device must be reported straight away in
accordance with Security Incident procedures.

Laptops and removable media should be encrypted wherever possible.

Wherever possible, Company equipment should not be left in a car.

When using public transport, ensure that any Company devices and equipment are within
sight at all times.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.7.1.3, A.11.5.6

Document Control
GISS Ref: 08-03
Version: V1.1 Additional guidance about lost, stolen and missing devices
Release date: 22 Nov 2011
Next review: Dec 2012

08.04 Removable Storage Devices

Overview
This document outlines the Company requirements for the use of Company provided and
non-Company removable storage devices, such as memory sticks, USB drives, flash
memory cards, CDs/DVDs and SIM cards.

This standard supports the Global Information Security Policy:

• GISP 08

Target Audience
This standard applies to Company removable storage devices. It should be read by all
Authorised Users.

Standards
General

08.04.01 The movement or copying of Company owned information on to removable
storage devices shall be restricted to Company provided removable storage
devices.

08.04.02 Company provided removable storage devices shall not contain logos or
other insignia identifying them as belonging to the Company.

08.04.03 The use of personal or non-Company provided removable storage devices to
read and copy information onto the Company network is approved.
Authorised Users should exercise basic anti-virus precautions.

08.04.04 It is not permitted to write Company information onto personal or non-
Company provided removable storage devices.

Responsibilities

08.04.05 The Company will provide removable storage devices that incorporate
appropriate security functionality, such as encryption and password
protection, to adequately secure the information contained within them.

08.04.06 Company provided removable storage devices shall be registered to
approved Authorised Users.

08.04.07 Line management is responsible for sponsoring the authorised use of
Company provided removable storage devices by individual users.

08.04.08 Users of Company provided removable storage devices are responsible for
the information they store on the device and for the safekeeping of the
device.

08.04.09 The amount of Company owned information stored on removable storage
devices shall be limited to the minimum required and must be deleted when
no longer required.

08.04.10 The type of Company owned information moved or copied to removable
storage devices shall be limited to that required to carry out an individual’s
role and responsibilities.

08.04.11 Copying and saving of Level 2 (Confidential) or Level 3 (Restricted
Confidential) information to a removable storage device should only be
performed as part of a formally authorised procedure or where an Authorised
User has been approved to do so as part of their role.

08.04.12 Information and data which is directly copied to a non-Company workstation
for editing must be securely deleted or erased after use.

Protection

08.04.13 Authorised encrypted removable storage devices shall conform to standards
of best practice for encryption.

08.04.14 Authorised password enabled removable storage devices shall conform to
the Company’s password policies and supporting standards.

08.04.15 Authorised removable storage devices shall be further protected by
restricting the number of unsuccessful attempts to gain access to the device,
in accordance with local password management controls.

Monitoring

08.04.16 The Company shall maintain systems that monitor the movement of
information to and from the Company’s computing Systems.

08.04.17 Movement of information to and from Company provided removable storage
devices must be monitored.

08.04.18 At a minimum, monitoring systems shall maintain a record or audit trail
history of the following when information is copied to or from removable
storage devices:

a. The unique User Identifier (User ID)
b. The names and types of files copied
c. A time-stamp denoting the time information was copied

08.04.19 Audit trail history shall only be used and retained in accordance with local
regulatory requirements and Law.
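As an added illustration of the audit trail content that 08.04.17 and 08.04.18 call for, the Python below is example code written for this page, not output of Bupa's own monitoring systems. It parses a constructed sample of removable-media copy events, flags any record that lacks the User ID, the file name and type, or a usable time-stamp (the three elements listed under 08.04.18), and totals the files written to media per user. The log line layout, the field names and every sample value are assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample output of a hypothetical endpoint agent (not a real
# product format). One event per line:
#   <ISO-8601 UTC time-stamp> user=<User ID> action=<copy_to|copy_from> device=<serial> file="<path>"
SAMPLE_LOG = """\
2011-11-22T09:14:03Z user=u10231 action=copy_to device=USB-A1B2C3 file="C:\\Reports\\claims_q3.xlsx"
2011-11-22T09:14:05Z user=u10231 action=copy_to device=USB-A1B2C3 file="C:\\Reports\\notes.txt"
2011-11-22T10:02:41Z user= action=copy_to device=USB-A1B2C3 file="C:\\Temp\\export.csv"
2011-11-22T10:30:00Z user=u20488 action=copy_from device=USB-FF0011 file="E:\\vendor\\installer.msi"
not-a-timestamp user=u20488 action=copy_to device=USB-FF0011 file="C:\\Data\\members.db"
2011-11-22T11:45:12Z user=u20488 action=copy_to device=USB-FF0011
"""

# 08.04.18 (a) and (b): User ID and file name must be present; (c), the
# time-stamp, is the leading token and is checked separately.
REQUIRED_FIELDS = ("user", "file")

_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S*)')


@dataclass
class CopyEvent:
    timestamp: datetime
    user: str        # 08.04.18 (a) unique User ID
    file_name: str   # 08.04.18 (b) name of the file ...
    file_type: str   # ... and its type, taken from the extension
    action: str      # copy_to (written to media) or copy_from
    device: str      # device serial, useful when tracing a lost device


def _parse_timestamp(token: str) -> Optional[datetime]:
    """08.04.18 (c): accept only a well-formed UTC time-stamp."""
    try:
        return datetime.strptime(token, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def parse_line(line: str) -> Tuple[Optional[CopyEvent], Optional[str]]:
    """Return (event, None) for a complete record, or (None, reason) when an element is missing."""
    head, _, rest = line.partition(" ")
    stamp = _parse_timestamp(head)
    if stamp is None:
        return None, "missing or malformed time-stamp"
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(rest):
        # group(3) is the unquoted content of a quoted value; group(2) the bare value
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    missing = [f for f in REQUIRED_FIELDS if not fields.get(f)]
    if missing:
        return None, "missing field(s): " + ", ".join(missing)
    # Strip the directory (Windows or POSIX separators) and derive the type from the extension.
    base = re.split(r"[\\/]", fields["file"])[-1]
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    return CopyEvent(stamp, fields["user"], base, ext,
                     fields.get("action", ""), fields.get("device", "")), None


def check_audit_trail(log_text: str) -> Tuple[List[CopyEvent], List[Tuple[int, str]]]:
    """Split a log into usable events and (line number, reason) gaps that would fail an audit."""
    events: List[CopyEvent] = []
    gaps: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        event, reason = parse_line(line)
        if event is None:
            gaps.append((lineno, reason or "unparseable record"))
        else:
            events.append(event)
    return events, gaps


def files_written_per_user(events: List[CopyEvent]) -> Dict[str, int]:
    """Files written to removable media per User ID: the movement 08.04.17 says must be monitored."""
    return dict(Counter(e.user for e in events if e.action == "copy_to"))


if __name__ == "__main__":
    evts, gaps = check_audit_trail(SAMPLE_LOG)
    for e in evts:
        print(f"{e.timestamp.isoformat()} {e.user} {e.action} {e.device} "
              f"{e.file_name} ({e.file_type or 'no extension'})")
    for lineno, reason in gaps:
        print(f"line {lineno}: audit trail gap: {reason}")
    print("files written to media per user:", files_written_per_user(evts))
```

Records that fail the check are the ones to raise with whoever runs the monitoring system: a copy event with no User ID or no file name cannot be attributed or investigated later, and under 08.04.19 the retained history is only as useful as the records in it.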

Guidance
A lost, stolen or missing Company provided device must be reported straight away in
accordance with Security Incident procedures.

Best practice for encryption includes solutions meeting the FIPS 140 or AES 256 standards,
or higher.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variation
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or variation to this standard,
then the variation must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.7.1.3, A.10.7.1, A.10.7.2, A.10.8.3

Document Control
GISS Ref: 08-04
Version: V1.1 Additional guidance about lost, stolen and missing devices
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

08.05 Screensavers (Authorised Users)

Overview
This document outlines the Company standard for the use of screensavers on Company
owned equipment.

This standard supports the Global Information Security Policy:

• GISP 08

Target Audience
This standard applies to all Authorised Users.

Standards
08.05.01 Only standard or Company approved screensavers are permitted for use on
Company equipment.

08.05.02 Upon leaving a workstation, the screensaver must be activated using Ctrl +
Alt + Del or Windows + L.

08.05.03 If local administration rights have been permitted, the user shall not change
the settings of the automatic screensaver activation.

Guidance

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.11.3.3, A.11.5.5

Document Control
GISS Ref: 08-05
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

08.06 Screensavers and Session Time-out

Overview
This document outlines the Company standard for the use of screensavers and the
requirement for session time-out to be configured for Company equipment and systems.

This standard supports the Global Information Security Policy:

• GISP 08

Target Audience
This standard applies to all IT and Technical functions.

Standards

Screensavers
08.06.01 Screen savers with password lockout must be set to activate after a
maximum of 15 minutes idle time for Company desktops and laptops.

08.06.02 Screen saver activation time settings must not be changed by individual
users without authorisation from local Information Security.

08.06.03 Information Security may authorise the temporary or permanent removal of
screen savers with password lockout in certain circumstances where a
lockout would interfere with the purpose of the display (for example a
wallboard or presentation display) or cause unacceptable operational
difficulties where the risk is low.

Session Time-out
08.06.04 Systems and applications shall be protected by a time-out and password
lockout facility which activates automatically after a maximum period of
inactivity. The permissible period of inactivity will be specified by the Data
Owner and may vary according to technical circumstances and
requirements.

08.06.05 Users shall be requested to re-authenticate following a maximum period of
inactivity. The permissible period of inactivity will be specified by the Data
Owner and may vary according to technical circumstances and
requirements.
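The following Python is an added example of how an IT function could check the settings in 08.06.01 to 08.06.05 across a fleet; it is written for this page and is not a Bupa tool. It reads a constructed set of per-host values using the names Windows keeps under HKCU\Control Panel\Desktop (ScreenSaveActive, ScreenSaverIsSecure and ScreenSaveTimeOut in seconds), applies the 15-minute maximum, honours a list of 08.06.03 approvals, and compares each application's idle time-out against the maximum its Data Owner specified. The host names, system names, time-out values and the exemption list are all assumptions; in practice the values would come from a registry export or configuration management tool rather than the constants below.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MAX_SCREENSAVER_IDLE_SECONDS = 15 * 60  # 08.06.01: password lockout within 15 minutes


@dataclass(frozen=True)
class Finding:
    target: str   # host or system name
    control: str  # clause of GISS 08.06 the setting breaches
    detail: str


# Constructed sample of per-host values. Windows stores these three as strings
# under HKCU\Control Panel\Desktop; the hosts and values here are made up.
SAMPLE_DESKTOPS: Dict[str, Dict[str, str]] = {
    "LAPTOP-01":    {"ScreenSaveActive": "1", "ScreenSaverIsSecure": "1", "ScreenSaveTimeOut": "600"},
    "DESKTOP-07":   {"ScreenSaveActive": "1", "ScreenSaverIsSecure": "0", "ScreenSaveTimeOut": "1800"},
    "WALLBOARD-02": {"ScreenSaveActive": "0", "ScreenSaverIsSecure": "0", "ScreenSaveTimeOut": "0"},
}

# Hosts for which Information Security has approved removal of the lockout (08.06.03); assumed.
SCREENSAVER_EXEMPTIONS: Set[str] = {"WALLBOARD-02"}

# Constructed sample of (system, configured idle time-out in seconds or None if
# there is none, maximum inactivity specified by the Data Owner in seconds).
SAMPLE_SYSTEMS: List[Tuple[str, Optional[int], int]] = [
    ("claims-app", 900, 900),
    ("member-portal", None, 1200),
    ("hr-system", 3600, 1800),
]


def check_screensaver(host: str, desktop: Dict[str, str], exempt: bool = False) -> List[Finding]:
    """08.06.01: an active, password-protected screen saver within the 15-minute maximum."""
    findings: List[Finding] = []
    if exempt:
        return findings  # 08.06.03 approval on record; nothing to report
    if desktop.get("ScreenSaveActive") != "1":
        findings.append(Finding(host, "08.06.01", "screen saver not active"))
    if desktop.get("ScreenSaverIsSecure") != "1":
        findings.append(Finding(host, "08.06.01", "no password lockout on resume"))
    try:
        timeout = int(desktop.get("ScreenSaveTimeOut", ""))
    except ValueError:
        findings.append(Finding(host, "08.06.01", "ScreenSaveTimeOut missing or not numeric"))
        return findings
    if timeout <= 0 or timeout > MAX_SCREENSAVER_IDLE_SECONDS:
        findings.append(Finding(host, "08.06.01",
                                f"idle time {timeout}s outside 1-{MAX_SCREENSAVER_IDLE_SECONDS}s"))
    return findings


def check_session_timeout(system: str, idle_timeout: Optional[int], data_owner_max: int) -> List[Finding]:
    """08.06.04/05: an automatic time-out exists and is within the Data Owner's maximum."""
    if idle_timeout is None:
        return [Finding(system, "08.06.04", "no automatic session time-out configured")]
    if idle_timeout > data_owner_max:
        return [Finding(system, "08.06.05",
                        f"re-authentication after {idle_timeout}s exceeds Data Owner maximum of {data_owner_max}s")]
    return []


def run_assessment() -> List[Finding]:
    """Evaluate every sample host and system; an empty list means fully compliant."""
    findings: List[Finding] = []
    for host, desktop in SAMPLE_DESKTOPS.items():
        findings.extend(check_screensaver(host, desktop, exempt=host in SCREENSAVER_EXEMPTIONS))
    for system, idle_timeout, data_owner_max in SAMPLE_SYSTEMS:
        findings.extend(check_session_timeout(system, idle_timeout, data_owner_max))
    return findings


if __name__ == "__main__":
    for f in run_assessment():
        print(f"{f.target}: {f.control}: {f.detail}")
```

The exemption list is kept separate from the host data so that a wallboard without a lockout is reported as compliant only when an approval is actually recorded; a host that merely happens to have the screen saver switched off still appears in the findings.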

Guidance
Screensaver settings should be controlled by IT, and the ability to change them should be
disabled for Authorised Users who are not technical staff.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.11.3.3, A.11.5.5

Document Control
GISS Ref: 08-06
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

09.01 Legal and Regulatory Requirements

Overview
This standard outlines the requirements for all relevant legal and regulatory
requirements in each Company to be identified and properly managed.

This standard supports the Global Information Security Policy:

• GISP 09

Scope
This applies to all relevant legal, regulatory and industry standards which impact the
Company information and information assets. These may differ dependent upon
location and country.

Target Audience
This standard is to be read by all Authorised Users.

Requirements
09.01.01 Business Divisions, Business Units and Group Functions shall identify,
and incorporate, all applicable legislative, statutory and regulatory
requirements into local policies and standards.

09.01.02 Policies and standards shall be appropriately communicated to the
Authorised Users.

09.01.03 Programmes shall be established locally to manage, adhere to, and
audit against applicable legal and regulatory requirements.

09.01.04 All Business Units shall identify all relevant local laws and regulations
and inform the Information Governance Committee of any contradiction
to existing Company policy.

09.01.05 Senior Managers must implement a local programme to manage, audit
and adhere to relevant legal & regulatory requirements.

09.01.06 Where an exception to existing policy needs to be in place, local
management must send the request to the Information Governance
Committee for approval.

09.01.07 Managers must ensure that policies and standards are available to all
Authorised Users and that they are complied with.

09.01.08 All breaches to legislative, statutory and regulatory policies and
standards must be reported to local Information Security via the
incident reporting process.

Guidance
Local managers should draw up a list of relevant legislation and regulations. The list
should contain the local person responsible for maintenance of and reporting on each
requirement, details of audits and certification if applicable, and the next review date;
compliance with each requirement should be reviewed at least annually.

Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored internally
via compliance programs and security incident reports. Failure to comply with any
Policy or Standard may result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.

References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.6.1.1, A.8.1.1, A.8.2.1, A.8.2.3

Document Control
GISS Ref: 9-01
Version: V1.1 Correction of IG Council in 09.01.04; improved wording in 09.01.05
and 09.05.06
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

09.02 Compliance with Information Security Policy and Standards

Overview
Compliance with the Company’s Information Security Policy and Standards is
mandatory. This standard outlines the responsibilities of management to ensure
compliance with the information security policy and standards across the Company.

This standard supports the Global Information Security Policy:

• GISP 09

Scope
This standard applies to all Global Information Security policies and standards.

Target Audience
This standard is to be read by Managers across the Company.

Requirements
09.02.01 Managers shall ensure that all Authorised Users have access to, and
comply with, the Company’s Global Information Security Policy and
Standards.

09.02.02 Managers must ensure that all Authorised Users are aware that failure
to comply with Company policy could result in disciplinary action.

09.02.03 Managers shall ensure that all Authorised Users have access to
Company Information Security policies and standards.

09.02.04 For all Authorised Users, information security roles and responsibilities
shall be addressed within job descriptions.

09.02.05 All Authorised Users must receive regular awareness and training on
information security, as well as the Bupa Information Security
Employee Handbook.

09.02.06 Authorised users must be aware of how to report information security
incidents, and must report any actual or potential security incidents in
line with the Incident Reporting Standard.

09.02.07 Business units shall be responsible for the reporting of information
security updates to the Information Governance Council.

Guidance
• Further guidance can be sought from the GIGC regarding management
information security responsibilities.

• Local Business Units may wish to further enhance information security
awareness by running local programmes.

Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored internally
via compliance programs and security incident reports. Failure to comply with any
Policy or Standard may result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.

References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.8.2.1

Document Control
GISS Ref: 9-02
Version: V1.1 Improved wording – managers and Business Units
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

10.01 Physical Security Perimeters

Overview
This document outlines the Company requirements for the physical protection of the
Company perimeter in order to prevent unauthorised access.

This standard supports the Global Information Security Policy:

• GISP 10

Target Audience
This standard applies to all Company premises. It is to be read by IT and Facilities
Management.

Standards
10.01.01 The security perimeters of all Company premises must be clearly defined.

10.01.02 The entry and exit points within perimeters of buildings or sites containing
Company information processing facilities shall be adequately protected
from unauthorised access.

10.01.03 The external walls of Company premises shall be of a solid construction and
all external doors shall be suitably protected against unauthorised access
with control mechanisms, e.g. bars, alarms, locks etc.

10.01.04 Doors and windows must be locked when unattended and external
protection e.g. shutters/ barriers will be considered via risk assessment for
windows, particularly at ground level.

10.01.05 A manned reception area or other means to control physical access to the
site or building shall be implemented with access to sites and buildings
restricted to authorised persons only.

10.01.06 Physical barriers, where applicable, will be built to prevent unauthorised
physical access.

10.01.07 Emergency exits on the security perimeter shall be adequately secured and
tested regularly.

10.01.08 Facilities managed by third parties will have the minimum physical security
requirements documented in contracts and regularly monitored for
compliance.

10.01.09 Physical security controls must comply with local legal and regulatory
requirements.

Guidance
Perimeters may be protected with the use of fences, walls, CCTV and signage.
Suitable intruder detection systems should be installed and regularly tested to cover all
external doors and accessible windows.
Information processing facilities managed by the organisation should be physically
separated from those managed by third parties.
Unoccupied areas, e.g. computer rooms or communications rooms, should be locked and,
where appropriate, alarmed at all times.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.9.1.1

Document Control
GISS Ref: 10-01
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

10.02 Physical Entry Controls

Overview
This document outlines the Company standard for controlling physical entry to Company
premises.

This standard supports the Global Information Security Policy:

• GISP 10

Target Audience
This standard applies to all Company premises. It is to be read by all IT and Technical
functions as well as Facilities Management.

Standards
10.02.01 All entry and exit points on Company premises shall be controlled.

General

10.02.02 A formal process to control physical entry into buildings must be established,
documented and include:

a. Identification and authentication of persons with legitimate reasons for
unescorted access.
b. The issue of a visible means of identification (ID badge) and the
requirement to wear it.
c. Providing the appropriate means of access (e.g. swipe cards, keys,
keycode).

Visitors

10.02.03 A formal process for Visitors must be established, documented and include:

a. A registration or signing in process to establish the legitimacy of the
visit.
b. The requirement for a Visitor’s host.
c. The responsibilities of the Visitor’s host, which include responsibility
for information security as well as the general welfare of the Visitor,
such as emergency evacuation.
d. The issue of a Visitor’s badge and the requirement to wear it.
e. A log of the date and time of entry and departure of visitors.

Secure Areas
10.02.04 Secure areas shall be protected by appropriate entry controls to limit access
to authorised persons only.

10.02.05 A formal process to control physical entry to secure areas must be
established, documented and include:

a. Identification, authentication and approval by management of persons
with legitimate reasons for access, unescorted or otherwise
b. The issue of a visible means of identification (ID badge) and the
requirement to wear it
c. Providing the appropriate means of access (e.g. swipe cards, keys,
keycode)
d. Limitations of access
e. A log of the date and time of entry and departure of authorised
persons
f. A regular review of the list of authorised persons

10.02.06 External parties providing maintenance and support services shall be
granted restricted access to secure areas or sensitive information processing
facilities only when required; this access must be authorised and monitored.

Guidance
Appropriate physical entry controls may include:
• Locks
• Swipe card access
• Keypads

Secure areas include communications and server rooms, loading and delivery areas.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.9.1.2

Document Control
GISS Ref: 10-02
Version: V1.1 Correction in 10.02.01 to cover exit points too
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

10.03 Securing Offices, Rooms and Facilities

Overview
This document outlines the Company requirements for the physical security of
Company offices, rooms and facilities.

This standard supports the Global Information Security Policy:

• GISP 10

Target Audience
This standard applies to all Company premises and facilities. It should be read
by all Authorised Users.

Standards
10.03.01 Offices, rooms and facilities shall have appropriate entry
controls to prevent unauthorised access.

10.03.02 Where applicable, offices, rooms and facilities shall be locked at
the end of the day.

10.03.03 Means of access (keys, codes) shall only be issued to
authorised persons.

10.03.04 Offices, rooms and facilities shall be locked in accordance with
health and safety regulations and standards, e.g. emergency
exits.

10.03.05 Key facilities must be locked to prevent unauthorised access by
the public.

Guidance

Enforcement
All employees, managers and contractors are required to comply with
Company Policies and Standards. Compliance with this standard shall be
monitored internally via compliance programs and security incident reports.
Failure to comply with any Policy or Standard may result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if
local legal, regulatory or contractual requirements require modification or
exception to this standard, then the exception must be documented and
reported to the IGEC Group for approval.

References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.9.1.3

Document Control
GISS Ref: 10-03
Version: V1.1 Correction to typographical error in 10.3.05
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

10.04 Working in Secure Areas

Overview
This document outlines the Company standard for Authorised Users working in secure
areas.

This standard supports the Global Information Security Policy:

• GISP 10

Target Audience
This standard applies to all Company premises. It is to be read by all Authorised Users.

Standards

Secure Areas
10.04.01 Secure areas such as data centres, communications rooms and any other
areas deemed necessary shall have appropriate entry controls for approved
personnel.

10.04.02 CCTV, where applicable shall be used and images retained for a minimum
period of 4 weeks or in compliance with local retention standards.

10.04.03 Access Control Lists shall be maintained for secure areas and shall be
reviewed regularly.

10.04.04 Where applicable, door keypads / alarm codes must be changed regularly.

10.04.05 Access by persons to secure areas shall be logged.

10.04.06 External visitors must only be granted access if accompanied by a Company
Employee who has or has obtained the appropriate authority to do so.

10.04.07 Authorised Users must only be aware of the existence of, or activities within,
a secure area on a need-to-know basis.

10.04.08 Vacant secure areas should be physically locked and periodically checked
by authorised employees.

10.04.09 Specific written permission by an Authorised Manager is required before
photographic, video, audio or other recording equipment may be used in a
secure area.

Data Centre Security

10.04.10 Data centre locations shall be chosen based upon risk assessment.

10.04.11 Only authorised persons shall be granted access to Company data centres.

10.04.12 All external parties including visitors must sign in via a visitor process which
records the date, time of the visit.

10.04.13 CCTV must be in operation.

10.04.14 Racks within the data centre must be locked if in a shared location such as a
non-dedicated colocation facility.

10.04.15 Cabling must be installed so as to aid in the troubleshooting of
problems, e.g. servers should be easily traceable to a switch.

10.04.16 Keys and alarm codes must be changed at regular intervals and a record of
keyholders shall be maintained and reviewed.

10.04.17 Data centres must be included within the Business Continuity Plan.

10.04.18 Air conditioning and fire suppression must be in place and regularly checked
and maintained.

10.04.19 Any changes to the data centre, including updates to servers/ systems, must
be subject to a formal change control process.

10.04.20 The data centre shall not be easily identifiable or advertised as a data centre
to the public.

Guidance
Secure areas may include communications/ server rooms, delivery and loading areas and
post rooms.
Unsupervised working in secure areas should be avoided both for safety reasons and to
prevent opportunities for malicious activities
CCTV must be used in line with applicable legal and regulatory requirements.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Exceptions
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.9.1.4, A.9.1.5

Document Control
GISS Ref: 10-04
Version: V1.1 Additional wording to 10.04.06 to clarify authorisation
Release date: 22 Nov 2011 Approval by: IG Exec Committee
Next review: Dec 2012 Approval date: 22 Nov 2011


10.05 Delivery and Loading Areas

Overview
This document outlines the Company standard regarding receipt and delivery within
loading areas.

This standard supports the Global Information Security Policy:

• GISP 10

Target Audience
This standard applies to all delivery and loading areas. It is to be read by all Authorised
Users.

Standards
10.05.01 Delivery and loading areas and other points where unauthorised persons
may enter the premises shall be controlled, monitored and, if possible,
isolated to prevent unauthorised access to information processing facilities.

10.05.02 Access to a delivery and loading area from outside the building shall be
restricted to identified and authorised personnel.

10.05.03 Within isolated delivery areas, the external doors must be locked when the
internal doors are open.

10.05.04 Inbound and outbound goods shall be recorded and records kept.

10.05.05 Inbound and outbound goods shall be physically segregated, where
possible.

Guidance
Delivery and loading areas should be designed so that supplies can be unloaded without
external delivery persons gaining access to other parts of the building.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.9.1.5

Document Control
GISS Ref: 10-05
Version: V1.1 Reviewed
Release date: 22 Nov 2011 Approval by: IG Exec Committee
Next review: Dec 2012 Approval date: 22 Nov 2011


10.06 Equipment Location and Protection

Overview
This document outlines the Company standard for the protection and location of Company
equipment.

This standard supports the Global Information Security Policy:

• GISP 10

Target Audience
This standard applies to specialist static IT equipment such as Servers and their
peripherals. It is to be read by all IT and Technical functions as well as Facilities
Management.

Standards

Location of Information Processing Equipment

10.06.01 IT equipment shall be located appropriately and controls applied to prevent
unauthorised access.

10.06.02 Information processing facilities handling Level 3 data will be positioned and
the viewing angle restricted to reduce the risk of information being viewed by
unauthorised persons.

Environmental protection
10.06.03 Controls will be established to minimise the risk of potential physical threats,
e.g. theft, fire, explosives, smoke, water (or water supply failure), dust,
vibration, chemical effects, electrical supply interference, communications
interference, electromagnetic radiation, and vandalism.

10.06.04 Procedures for eating, drinking, and smoking in proximity to information
processing facilities will be established, documented and distributed.

10.06.05 Where appropriate, controls shall be established to monitor environmental
conditions such as temperature and humidity in order to protect information
and information assets.

10.06.06 Conditions that may adversely affect the operation of information processing
facilities will be reported immediately.

Removal of Property
10.06.07 Company computing equipment sited within offices, rooms and facilities must
not be removed from Company premises without formal authorisation.


10.06.08 For specific requests to remove equipment from Company premises, e.g. to
an external training site or for short-term loan, a formal request and approval
process must be followed.

10.06.09 The Asset register must be updated to reflect the location and/or owner of
Company equipment.

Guidance
Conditions that may affect the operation of equipment include:
• Untidy cabling
• Faulty air conditioning

An example of 10.06.02: Computer Servers need to be housed in a computer room and
not under somebody’s desk.

An example of 10.06.03: The monitor on a PC used in a reception area to record personal
details of patients must face away from the public.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.9.1.5

Document Control
GISS Ref: 10-06
Version: V1.1 Minor wording changes to Target audience and Guidance
Release date: 22 Nov 2011 Approval by: IG Exec Committee
Next review: Dec 2012 Approval date: 22 Nov 2011


10.07 Power Supplies

Overview
This document outlines the Company standard for the supply and maintenance of power
to the Company in support of the confidentiality, integrity and availability of Company
information and information assets.

This standard supports the Global Information Security Policy:

• GISP 10

Target Audience
This standard applies to all Company premises. It is to be read by all IT and Technical
functions and Facilities Management.

Standards
10.07.01 Electricity supplies shall be monitored to ensure adequacy for the premises,
equipment and systems being supported.

10.07.02 Utilities will be regularly inspected and as appropriate tested to ensure their
proper functioning and to reduce any risk from their malfunction or failure.

10.07.03 Uninterruptable Power Supplies (UPS) and back-up generators shall be
installed in line with the Company Business Continuity Plans.

Guidance

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.9.1.4, A.9.2.2, A.10.3.1

Document Control
GISS Ref: 10-07
Version: V1.1 Reviewed
Release date: 22 Nov 2011 Approval by: IG Exec Committee
Next review: Dec 2012 Approval date: 22 Nov 2011


10.08 Cabling Security

Overview
This document outlines the Company standard for the installation and
maintenance of cabling supporting IT Infrastructure within the Company.

This standard supports the Global Information Security Policy:

• GISP 10

Target Audience
This standard is to be read by all IT and Technical functions and Facilities
Management.

Standards
10.08.01 All cabling must be installed in a manner which will prevent trip
hazards in line with the Company Health and Safety Policy.

10.08.02 Cabling must be protected from interception or damage by
running through overhead or under-floor cable-runs or protective
trunking.

10.08.03 Only authorised technical users shall install cabling within the
Company.

10.08.04 All cabling within the Communications/ Server room shall be
kept organised in a logical way so as to aid in the simplification
of troubleshooting.

10.08.05 Cabling shall be checked regularly in line with legal and
regulatory requirements where applicable.

Guidance

Enforcement
All employees, managers and contractors are required to comply with
Company Policies and Standards. Compliance with this standard shall be
monitored internally via compliance programs and security incident reports.
Failure to comply with any Policy or Standard may result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if
local legal, regulatory or contractual requirements require modification or
exception to this standard, then the exception must be documented and
reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.9.2.3

Document Control
GISS Ref: 10-08
Version: V1.1 Reviewed
Release date: 22 Nov 2011 Approval by: IG Exec Committee
Next review: Dec 2012 Approval date: 22 Nov 2011


10.09 Equipment Maintenance

Overview
This document outlines the requirements for the maintenance of equipment supporting the
Company information systems.

This standard supports the Global Information Security Policy:

• GISP 10

Target Audience
This standard applies to all Company computing equipment. It is to be read by all IT and
Technical Functions and Facilities Management.

Standards
10.09.01 Computing equipment such as servers, PCs and mobile devices shall be
periodically checked to ensure that they are in working order.

10.09.02 Contracts shall be in place to ensure that all critical equipment and
supporting infrastructure such as cabling is adequately maintained.

10.09.03 All supporting utilities, such as electricity, water supply, heating, and air
conditioning will be managed to ensure they are adequate for the equipment
and services they are supporting.

10.09.04 Utilities will be regularly inspected and as appropriate tested to ensure their
proper functioning and to reduce any risk from malfunction or failure.

10.09.05 Maintenance records shall be retained in line with legal and regulatory
requirements.

Guidance

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.9.2.2, A.9.2.4

Document Control
GISS Ref: 10-09
Version: V1.1 Improved wording in 10.9.2 and 10.9.3
Release date: 22 Nov 2011 Approval by: IG Exec Committee
Next review: Dec 2012 Approval date: 22 Nov 2011


10.10 Security of Equipment Off-Premises

Overview
This document outlines the requirements for maintaining the security of Company
equipment when removed or located off Company premises such as a third party
co-location site.

This standard supports the Global Information Security Policy:

• GISP 10

Target Audience
This standard applies to all Company equipment. It is to be read by all IT and Technical
Functions, Facilities Management and Authorised Users.

Standards
10.10.01 Equipment stored within external party premises must be protected from
unauthorised access.

10.10.02 The location of equipment stored off Company premises must be recorded
within the Asset Inventory.

10.10.03 Equipment must be locked away securely when not in use and must not be
left unattended off-site.

Guidance
Laptops should be encrypted to prevent unauthorised access to information in the event of
loss or theft.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.9.2.5

Document Control
GISS Ref: 10-10
Version: V1.1 Review
Release date: 22 Nov 2011 Approval by: IG Exec Committee
Next review: Dec 2012 Approval date: 22 Nov 2011


10.11 Secure Disposal or Re-Use of Equipment

Overview
This document outlines the Company requirements for the disposal or re-use of equipment
within the Company.

This standard supports the Global Information Security Policy:

• GISP 10

Target Audience
This standard is to be read by all Authorised Users.

Standards

Removal of Data

10.11.01 Equipment and devices shall be physically destroyed or the information
destroyed, deleted or overwritten in a manner approved by Information
Security.

10.11.02 Techniques to make the original information non-retrievable (rather than
using the standard delete or format function) must be used:

a. If the disk drives/media will remain within the same environment in
which they are currently situated (and existing security measures will
continue to cover them), the most appropriate removal method is
Clearing.

b. Purging is required when media is to be moved to a new environment
or destroyed. A minimum of seven passes qualifies as a purging
process.

Destruction and Disposal

10.11.03 Low cost and low value damaged devices must be physically destroyed
rather than sent for repair or discarded unless documented approval is given
by Information Security.

10.11.04 Memory sticks, SD cards, magnetic tape and other low cost media must be
physically destroyed or degaussed when no longer required to ensure
information is non-retrievable.

10.11.05 Media which attracts a commercial re-use or re-sale value (such as server
discs) may only be released after all information or data held has been
certifiably irretrievably destroyed and purged.


10.11.06 CD/DVDs shall be broken into small fragments prior to disposal.

Audit Trail

10.11.07 In the event that a third party is used for the removal of data prior to reuse,
or the disposal of equipment, reputable companies must be chosen and
certificates issued following disposal / destruction.

10.11.08 The asset inventory shall be updated with details of disposal or re-allocation
of equipment.

Guidance
Table 1: Media and Data Destruction Methods
Media Type          Data Storage Mechanism   Suggested Removal Methods
Hard Disk Drives    Non volatile magnetic    Pattern wiping, Physical destruction, Degaussing
CDROM/DVD-R         Write once optical       Abrasion, Incineration
CD-RW/DVD-RW        Write many optical       Abrasion, Incineration
Magnetic Tape       Non volatile magnetic    Degaussing, Incineration
Flash Disk Drives   Solid state              Pattern wiping, Physical destruction
Paper Based         -                        Shredding, Incineration

Removal of Data
Clearing
All media should be treated the same regardless of data classification.

Typical clearing programs use sequential writes of patterned data, ensuring that data is
not easily recovered using standard techniques and programs. The pattern wiping
should involve at least three writes of data. The following is a typical example:

• 1st write 01101100
• 2nd write 10010011
• 3rd write 00101110

This method attempts to mask any previous data with two sets of data that are a mirror
(bitwise complement) of each other, thus ‘blanking’ previous data on the disk. A random set
of data is then utilised to fill all available space with meaningless information.

To ensure that historical data is thoroughly removed it is advisable to make as many
passes as is practicable. The likelihood of total data eradication is proportional to the
number of passes.
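The following is an added worked example of the clearing method just described; it is illustrative code, not a Bupa tool or an approved product. It overwrites a file in place with the guidance's 01101100 pattern, then its bitwise complement 10010011 (the "mirror"), then random data, with further random passes optional; the sample file content is constructed for the demonstration.

```python
"""Three-pass pattern clearing of a file (pattern, mirror pattern, random).

Added illustration of the Clearing guidance; not Bupa code. Overwriting
addresses only the logical blocks of the file: on flash media wear-levelling
can leave stale copies, which is why Table 1 also lists physical destruction.
"""
import os
import tempfile

PATTERN_1 = 0b01101100          # 1st write from the guidance
PATTERN_2 = PATTERN_1 ^ 0xFF    # 2nd write: bitwise complement, 10010011
CHUNK = 64 * 1024               # bytes written per call


def mirror(byte: int) -> int:
    """Return the bitwise complement ('mirror') of an 8-bit pattern."""
    return byte ^ 0xFF


def _overwrite(fh, size: int, fill) -> None:
    """Write `size` bytes produced by fill(n) from offset 0 and force to disk."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        fh.write(fill(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())


def clear_file(path: str, extra_random_passes: int = 0) -> int:
    """Overwrite the file in place and return the number of passes made.

    Passes: PATTERN_1, its mirror PATTERN_2, random bytes, plus any extra
    random passes requested (the default three matches the guidance).
    """
    size = os.path.getsize(path)
    fills = [
        lambda n: bytes([PATTERN_1]) * n,
        lambda n: bytes([PATTERN_2]) * n,
        lambda n: os.urandom(n),
    ]
    fills += [lambda n: os.urandom(n)] * extra_random_passes
    with open(path, "r+b") as fh:
        for fill in fills:
            _overwrite(fh, size, fill)
    return len(fills)


def contains(path: str, needle: bytes) -> bool:
    """True if the file still contains `needle` (simple whole-file check)."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def demo(extra_random_passes: int = 0) -> dict:
    """Constructed sample: write recognisable data, clear it, verify the result."""
    secret = b"PATIENT:Jane Doe;REF:CONSTRUCTED-0000;" * 100   # constructed data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret)
    try:
        passes = clear_file(path, extra_random_passes)
        return {
            "passes": passes,
            "size_unchanged": os.path.getsize(path) == len(secret),
            "secret_gone": not contains(path, b"Jane Doe"),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```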

Purging

After removal of media from its current security context there must be sufficient care taken
to ensure that data is irretrievable, even if specialised methods are used (e.g. platter
scanning or the use of electron microscopes).
Purging involves the use of more sophisticated tools and therefore requires specialist
personnel working within a controlled environment. Advise contractors that purging of the
media is required.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.9.2.6

Document Control
GISS Ref: 10-11
Version: V1.1
Release date: 22 Nov 2011 Approval by: IG Exec Committee
Next review: Dec 2012 Approval date: 22 Nov 2011


11.01 Business Requirement for Access Control

Overview
This standard sets out the Company requirements for requesting and granting of
Authorised User access to Company information and information systems.

This standard supports the Global Information Security Policy:

• GISP 11

Scope
This standard applies to all Company information and information systems.

Target Audience
This standard is to be read by all IT System Administration staff, IT Development
staff, HR Departments and all Information Asset Owners.

Requirements
Access Control

11.01.01 The Data Owner shall, in cooperation with Legal, Privacy, and Security
representatives, determine a formal procedure for all prospective Users
to follow to gain authorisation.

11.01.02 It is the Data Owner via his/her agents who provides authorisation for
access. The Data Owner’s decision is final.

11.01.03 As part of the approval process, prospective Authorised Users must
meet all personal identity checks, background screening requirements
and Privacy and Confidentiality requirements established by the
Company.

11.01.04 Access to systems and information shall be restricted to Authorised
Users only based on business need.


11.01.05 Access to Level 3 (Restricted Confidential) information requires
separate and specific authorisation from the Data Owner (in
cooperation with Legal, Privacy, and Security representatives).

11.01.06 The default access rights to information and systems must be “deny”
unless authorised.

11.01.07 Access Control Lists shall be developed and maintained on all systems
as appropriate and as determined by the Data Owner, in cooperation
with Legal, Privacy, and Security representatives.

11.01.08 Access rights to systems and information must be reviewed by the
Data Owner via his/her agents on a regular basis, or after significant /
major changes to ensure that unauthorised access has not been
granted.

11.01.09 Access reviews of critical systems and sensitive information should be
undertaken at least every 12 months.

Registration of Users

11.01.10 A formal request and registration process as determined by the Data
Owner must be followed for all new Users.

11.01.11 Requests for authorised access must be sponsored by Company line
management acting as an agent for the Data Owners.

11.01.12 Approved requests for authorised access must be documented and
should be kept for at least 12 months for audit trail purposes to
demonstrate proper authorisation.

11.01.13 Requests for access to systems or special access privileges where
justification is inadequate or where the formal process has not been
followed may be treated as an Information Security Incident.


11.01.14 Any change to User access rights must be formally requested and
authorised. Changes to access rights must be recorded using the
Access Control List.

De-Registration of Users

11.01.15 A formal de-registration process as determined by the Data Owner
must be followed for Authorised Users who leave the Company.

11.01.16 The Leaver’s access to systems, applications and resources must be
disabled before or on the last day of working.

11.01.17 Access to Company systems and information must not be possible
after an Authorised User has left the Company.

11.01.18 When an Authorised User leaves the employment of the Company the
Authorised User’s line manager, acting as the agent for Data Owners,
must take all reasonable steps to ensure that:

a. access to all Company systems, applications and information is
disabled before or on the last day of working.

b. access to Company systems and information is not possible after
the Authorised User has left the Company.

c. all Company assets are returned as required by the Company,
including building access ID cards, swipe cards, keys (for physical
locks), remote working authentication tokens, mobile devices
(laptops, PDAs, mobile or cell phones, smartphones, tablets,
notebooks, cameras etc.), storage devices (USB Sticks, disc drives)
and other items.


11.01.19 When an Authorised User transfers within the Company or Business
Unit, the Authorised User’s line manager, acting as the agent for Data
Owners, must ensure that:

a. access to Business Unit systems, applications and information
which was specific to their job role is disabled before or on the day
of transfer.

b. access to common services, such as server file share access, e-mail
and internet, is reset to base privileges (minimum access).

c. the Authorised User and their new line manager are kept
informed so that new or adjusted access and privileges can be
arranged and authorised in a timely fashion.

Guidance

Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.

Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.11.1.1

Document Control
GISS Ref: 11-01
Version: V1.1 Reviewed
Release date: 22 Nov 2011 Approval by: IG Exec Committee
Next review: Dec 2012 Approval date: 22 Nov 2011


11.02 Segregation of Duties

Overview
This document outlines the Company requirements for the segregation of duties.
This standard supports the Global Information Security Policy:

• GISP 11

Target Audience
This standard applies to Company information and information systems and is to be read
by Authorised Users.

Standards
Responsibilities
11.02.01 Heads of Business units shall establish and put into place both physical and
logical structures that will reduce the possibilities of fraud, sabotage, misuse
of information, theft and other security compromises.

Management
11.02.02 Controls shall be implemented to ensure that individuals acting alone cannot
compromise the integrity of processing systems.

11.02.03 Job roles, associated functions and responsibilities shall be clearly defined,
separated, implemented and regularly reviewed.

11.02.04 Mechanisms shall be in place to validate appropriate segregation of duties
e.g. combinations matrix of user profiles and their capabilities.

Processes
11.02.05 High-risk activities shall be distributed across more than a single role to
reduce the risk of intentional or unintentional mistakes and/or manipulation
which could result in fraud, sabotage or misuse of information e.g. a single
user must not be able to input, amend and authorise transactions.
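The following is an added worked example of the combinations matrix called for in 11.02.04 and the toxic combination named in 11.02.05; it is illustrative code, not a Bupa mechanism. The profile names, capability names and user assignments are constructed sample data, and the conflict rules encode only the input/amend/authorise separation the standard describes.

```python
"""Segregation-of-duties check over a profile/capability matrix.

Added illustration for 11.02.04 and 11.02.05; not Bupa code. All profiles,
capabilities and users below are constructed sample data.
"""
from itertools import combinations_with_replacement

# Constructed sample: the capabilities each user profile carries.
PROFILE_CAPABILITIES = {
    "claims_clerk": {"input_transaction", "amend_transaction"},
    "claims_approver": {"authorise_transaction"},
    "claims_auditor": {"view_transaction"},
}

# Capability sets no single user may hold together (11.02.05: a user must
# not be able to input, amend and authorise transactions).
TOXIC_COMBINATIONS = (
    frozenset({"input_transaction", "authorise_transaction"}),
    frozenset({"amend_transaction", "authorise_transaction"}),
)


def effective_capabilities(profiles, profile_caps=PROFILE_CAPABILITIES):
    """Union of the capabilities granted by every profile a user holds."""
    caps = set()
    for profile in profiles:
        caps |= profile_caps[profile]
    return caps


def toxic_sets_held(caps, toxic=TOXIC_COMBINATIONS):
    """Return the toxic combinations fully contained in `caps`."""
    return [t for t in toxic if t <= caps]


def find_violations(user_profiles, profile_caps=PROFILE_CAPABILITIES,
                    toxic=TOXIC_COMBINATIONS):
    """Map each user whose combined profiles breach a rule to the rules breached.

    `user_profiles` is {user_id: [profile, ...]}; an empty dict means clean.
    """
    violations = {}
    for user, profiles in user_profiles.items():
        held = toxic_sets_held(effective_capabilities(profiles, profile_caps), toxic)
        if held:
            violations[user] = held
    return violations


def conflicting_profile_pairs(profile_caps=PROFILE_CAPABILITIES,
                              toxic=TOXIC_COMBINATIONS):
    """Combinations matrix (11.02.04): profile pairs that must never be co-assigned.

    A pair (p, p) in the result means the profile is toxic on its own.
    """
    pairs = set()
    for a, b in combinations_with_replacement(sorted(profile_caps), 2):
        if toxic_sets_held(profile_caps[a] | profile_caps[b], toxic):
            pairs.add((a, b))
    return pairs


if __name__ == "__main__":
    sample_users = {                      # constructed assignments
        "alice": ["claims_clerk"],
        "bob": ["claims_clerk", "claims_approver"],
        "carol": ["claims_approver", "claims_auditor"],
    }
    print("conflicting profile pairs:", conflicting_profile_pairs())
    print("violations:", find_violations(sample_users))
```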

Environments
11.02.06 There shall be clear distinction and segmentation between working
environments such as Development, User Acceptance Testing and
Production.

11.02.07 Software Developers and Programmers shall be restricted from accessing
the Production environments, to ensure that changes to the production
environments are not made in unstructured and dangerous ways.

11.02.08 Software libraries shall also be established to host programme code.
Programme code should not transition from the programmer directly to
production without formal testing and checking it into the library. Programme
code must be promoted into production environments in a controlled
manner.

11.02.09 Where support personnel require access to live data or software libraries for
diagnosis purposes, only read access is permitted. Their activities must be
logged, preferably automatically, and full records kept for later perusal by
operations management and Group Audit.

11.02.10 Where, in exceptional circumstances, read and update access to live data
and/or software is provided to support personnel under the direct control of
an authorised individual, the authorised individual is responsible for ensuring
that any actions taken by the support personnel via the sign-on are:

a) bona-fide,

b) appropriately logged,

c) reported to senior management,

d) any password disclosed is changed immediately after the work has
been completed.

Guidance
Whilst the standards above focus predominantly on IT Systems and information,
segregation and/or separation of duties should be incorporated into all working
environments that could be susceptible to similar risks.

Development and Support personnel may not have access to live data and software,
current or historical, except under exceptional circumstances and with the written consent
of the Data Custodian or delegate. Procedures for retrospective authorisation not later
than the next working day are permitted. Such accesses should be recorded with full
details of the circumstances and the action taken. Where ‘read’ access is required on a
permanent basis, approval must be obtained from the Data Owner.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variation
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or variation to this standard,
then the variation must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.7.1.3, A.10.7.1, A.10.7.2, A.10.8.3

Document Control
GISS Ref: 11-02
Version: V1.1 Minor changes to 11.02.10 to show immediate action is required
Release date: 22 Nov 2011 Approval by: IG Exec Committee
Next review: Dec 2012 Approval date: 22 Nov 2011


11.03 User Access Management

Overview
This standard sets out the Company requirements for the management of user
access to Company information and information systems.

This standard supports the Global Information Security Policy:

• GISP 11

Target Audience
This standard applies to Company information and information systems and is to be
read by Authorised Users.

Standards
Identification

11.03.01 All Authorised Users shall be issued with unique User Identifiers to
access systems and applications as authorised by Data Owners and
their agents.

11.03.02 Access management for Consumer use of Company systems must
undergo a risk assessment to ensure the appropriate security controls
are implemented.

11.03.03 Unique Identifiers are provided for use only by the named Authorised
User during their contracted term of employment and are used as a
mechanism to attribute actions and activities to an individual.

11.03.04 System administrators, technical staff and other ‘power users’ shall be
issued with and use unique User identifiers in order to attribute actions
and activities to the individual.

11.03.05 It is permissible for Authorised Users to have more than one unique
User Identifier assigned to them. This is useful in circumstances where
‘power’ privileges are not permanently required.


11.03.06 Connections and access to servers, databases, applications, devices
and systems must be attributable to a specific Authorised User.

Authentication

11.03.07 Access to the Company private network and internal systems
(Applications, Databases, and Servers etc.) shall require user
verification through authentication mechanisms.

11.03.08 Authentication mechanisms may include but shall not be limited to:

a. Passwords

b. Biometrics

c. Tokens

11.03.09 Where passwords are employed, at a minimum, a strong password
shall be enforced at primary network authentication. The minimum
control requirements for a strong password include the password:

a. being a minimum of 8 characters long.

b. containing at least one upper-case character, one lower-case
character, and a numeric character.

c. containing at least one non-alphanumeric character, e.g. !, $,
&, *.

d. not containing the user identification account detail.
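The four minimum controls in 11.03.09 are precise enough to be checked mechanically. The following is an added example, not part of the Bupa standard: it encodes those four controls as a validation function and reuses them to generate a random, compliant initial password for a new account as 11.03.19 requires. The case-insensitive comparison against the User Identifier is this example's assumption; the standard does not say how that comparison is made.

```python
"""Password-policy checker for 11.03.09 and 11.03.19.

Added example, not part of the Bupa standard. It encodes the four minimum
strong-password controls of 11.03.09 and uses them to generate a compliant,
non-guessable initial password as 11.03.19 requires. Comparison of the
user identifier is case-insensitive; that is this example's assumption, the
standard does not specify it.
"""
import secrets
import string
from typing import List

MIN_LENGTH = 8  # 11.03.09 (a)


def password_failures(password: str, user_id: str) -> List[str]:
    """Return the 11.03.09 controls the password fails (empty list == compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("a: fewer than 8 characters")
    if not any(c.isupper() for c in password):
        failures.append("b: no upper-case character")
    if not any(c.islower() for c in password):
        failures.append("b: no lower-case character")
    if not any(c.isdigit() for c in password):
        failures.append("b: no numeric character")
    if not any(not c.isalnum() for c in password):
        failures.append("c: no non-alphanumeric character")
    # (d) the user identifier must not appear anywhere in the password;
    # the case-insensitive match is an assumption of this example
    if user_id and user_id.lower() in password.lower():
        failures.append("d: contains the user identifier")
    return failures


def is_strong(password: str, user_id: str) -> bool:
    return not password_failures(password, user_id)


def initial_password(user_id: str, length: int = 12) -> str:
    """Generate an initial password for a new account (11.03.19).

    The value comes from a CSPRNG, so it is neither a dictionary word nor a
    formula derived from the User Identifier, and it is re-checked against
    11.03.09 so the account starts from a compliant password. The account
    should still be flagged to change it on first use (11.03.20).
    """
    alphabet = string.ascii_letters + string.digits + "!$&*#%@"
    while True:  # rejection sampling; a 12-character draw passes almost always
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_strong(candidate, user_id):
            return candidate


if __name__ == "__main__":
    for pw in ("password", "Jsmith2024!", "Tr0ub4dor&3"):
        print(pw, password_failures(pw, "jsmith") or "compliant")
    print("initial:", initial_password("jsmith"))
```

Returning the list of failed controls rather than a bare boolean lets the logon or account-provisioning screen tell the user which requirement was missed without echoing the password itself (11.03.25).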

11.03.10 Secondary authentication control requirements to internal systems and
resources (applications, databases, file servers etc) which require
successful primary authentication to the private network are
determined by the Data Owner, based on the data classification and
value.

11.03.11 Where Authorised User authentication to internal systems is governed
by or linked to primary network authentication to perform a single
sign-on or similar, then strong passwords must be enforced.

11.03.12 Two-factor authentication is mandatory for remote access to a
Company private network and internal services via the public internet.

11.03.13 Two-factor authentication is required for remote access to Level 2
(Confidential) and Level 3 (Restricted Confidential) information via the
public internet.

11.03.14 All Authorised Users including administrators, contractors, third party
personnel and end users shall be required to authenticate to Company
private networks and internal systems.

Authorisation

11.03.15 Access to systems and resources shall be based on the least privilege
required.

11.03.16 Authorised Users shall be granted access rights and privileges based
on their job role and on a need to know basis.

11.03.17 The allocation of privileges to systems and resources for individual
Authorised Users shall be sponsored by line management acting as
agents for the Data Owners.

Management

11.03.18 Access rights and associated privileges shall be reviewed periodically
by the Data Owner or the Data Custodian and their agents to check that
appropriate role definitions and Segregation of Duties are maintained.

Password Allocation

11.03.19 When allocating new User accounts, System administrators must not
set the initial password to an easily guessable word and must not set
the initial password to a known or easily guessable formula (such as
the unique User Identifier)

11.03.20 User accounts should be set to change passwords on first use, or
when a request has been made for a password reset.

11.03.21 Passwords should be changed regularly. This is usually between 28
days and 90 days. Local variations will apply.

11.03.22 Passwords shall be further protected by restricting the number of
unsuccessful attempts to gain access, in accordance with local
password management controls and procedures.

Password Protection

11.03.23 Passwords should not be written down, emailed, stored in files, scripts
or code. Where this is unavoidable, suitable measures must be taken
to ensure that passwords remain secret and are not associated with
the User account.

11.03.24 Passwords stored electronically shall be encrypted and protected from
unauthorised access or deletion.

11.03.25 Passwords must be suitably masked and must not appear in clear text
on logon screens.

11.03.26 The Authorised User must not divulge their passwords.

11.03.27 The Authorised User is responsible for keeping their passwords safe. If
a User suspects that their password has been compromised, the
password should be reset.

Vendor / Default passwords

11.03.28 Default vendor passwords shall be changed before installing any
system or device on the network.

Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.

Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or variation to this
standard, then the variation must be documented and reported to the IGEC Group
for approval.

References
Associated policies/ procedures/
standards:
ISO 27001 Control Ref(s): A.11.2.3, A.11.2.4, A.11.5.2

Document Control
GISS Ref: 11-03
Version: V1.1 (Reviewed)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

11.04 Network Access Controls

Overview
This standard sets out the Company requirements for the management of network
access to the Company network.

This standard supports the Global Information Security Policy:

• GISP 11

Scope
This standard applies to all Company networks.

Target Audience
This standard is to be read by all technical staff responsible for the development and
maintenance of Company network infrastructure.

Requirements
Network Configuration and Firewalls

11.04.01 Company private networks must not connect directly to the Public
internet.

11.04.02 All Company private network connections to the Public internet must be
adequately protected by firewalls and other appropriate security
controls.

11.04.03 Web servers, file transfer systems, email gateways and other services
which need to be exposed to the Public internet must be adequately
protected in a DMZ area.

11.04.04 All Company private network connections to third parties must be
adequately protected by firewalls and other security controls.

11.04.05 Firewalls must be configured, monitored and maintained by qualified
and authorised administrators, technicians and engineers only.

11.04.06 Changes to firewalls and network devices must follow a formal change
management process to ensure that changes are assessed for risk and
impact and are authorised before implementation.

11.04.07 Perimeter firewalls must be installed between any wireless networks
and the Company private network and these firewalls must be
configured to deny or control (if such traffic is necessary for business
purposes) any traffic from the wireless environment into the Company
data environment.

Access to Firewall and Network Devices

11.04.08 Administrator, technician and engineer authentication for firewalls and
network devices shall use strong password standards.

11.04.09 ‘Power User’ access to all firewalls and network devices shall be
restricted to qualified and authorised personnel only.

11.04.10 Access controls to firewalls and network devices shall be reviewed
regularly.

Network Connection Control

11.04.11 No User or administrator shall bypass Company private network
security and controls without formal authorisation and documented
approval.

11.04.12 Devices must not be connected directly to the Company’s private
network, unless authorised.

11.04.13 External parties shall not be allowed to connect to Company networks
without agreement to meet security controls and requirements and
following a risk assessment.

Firewall Configuration

11.04.14 Firewalls must be configured to deny all and then only allow agreed
and approved protocols to and from given IP addresses or address
ranges, or for specific services.

11.04.15 Firewalls must be configured to restrict inbound and outbound
protocols and ports to only those systems and services that are
authorised and necessary.

11.04.16 Firewalls must be configured in such a way as to prevent external
sources from gaining intelligence about Company networks and
systems.

11.04.17 Firewalls must be configured to use Proxy services where appropriate
and wherever possible to control and manage internet browsing and
traffic.

11.04.18 Firewalls must be configured to reliably identify and authenticate all
users of such services whether they are internal or external.

11.04.19 Firewalls must be configured to enable the auditing of the allowed and
blocked traffic.
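The rules 11.04.14, 11.04.15 and 11.04.19 together describe a particular evaluation model: an ordered ruleset, explicit allows for approved protocol/port/address combinations, an implicit final deny, and an audit record for every decision. The following is an added example, not the Company's firewall configuration and not any vendor's syntax, that implements that model in plain Python so the semantics can be tested. The ruleset, the host names and the addresses (taken from the 192.0.2.0/24 and 203.0.113.0/24 documentation ranges) are constructed for the example.

```python
"""Default-deny rule evaluation with an audit trail (11.04.14 to 11.04.19).

Added example, not the Company's firewall configuration or any vendor's
syntax. It models the semantics those standards require: the ruleset is
consulted in order, an explicit allow is needed for traffic to pass, anything
unmatched falls through to an implicit deny (11.04.14, 11.04.15), and every
decision, allowed or blocked, is written to an audit list (11.04.19).
Addresses use the documentation ranges 192.0.2.0/24 and 203.0.113.0/24 and
the sample ruleset is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    dport: Optional[int]  # destination port, None means any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    return (
        (rule.proto == "any" or rule.proto == pkt.proto)
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def evaluate(rules: List[Rule], pkt: Packet, audit: List[str]) -> bool:
    """First matching rule decides; no match means the implicit final deny.

    Both outcomes are appended to `audit` so allowed and blocked traffic can
    be reviewed (11.04.19). Returns True if the packet is permitted.
    """
    flow = f"{pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}"
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            allowed = rule.action == "allow"
            audit.append(f"{'ALLOW' if allowed else 'BLOCK'} rule#{i} {flow}")
            return allowed
    audit.append(f"BLOCK default-deny {flow}")
    return False


# Constructed sample policy. Only the two business-approved flows are
# permitted; the explicit deny documents that the DMZ may never originate
# traffic into the private network, although the default deny would catch it.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),  # internet -> DMZ web server, HTTPS only
    Rule("allow", "udp", "10.0.0.0/8", "10.0.0.53/32", 53),   # internal hosts -> internal resolver
    Rule("deny", "any", "192.0.2.0/24", "10.0.0.0/8", None),  # DMZ -> private network, never
]


def blocked_count(audit: List[str]) -> int:
    """Number of blocked decisions in an audit list, for periodic review."""
    return sum(1 for line in audit if line.startswith("BLOCK"))


if __name__ == "__main__":
    trail: List[str] = []
    for p in (
        Packet("tcp", "203.0.113.5", "192.0.2.10", 443),
        Packet("tcp", "203.0.113.5", "192.0.2.10", 22),
        Packet("udp", "10.1.2.3", "10.0.0.53", 53),
        Packet("tcp", "192.0.2.10", "10.0.0.53", 53),
    ):
        evaluate(RULES, p, trail)
    print("\n".join(trail))
```

The point of keeping the implicit deny separate from the explicit deny in the audit trail is reviewability under 11.04.10 and 11.04.19: traffic that hit the default rule is a candidate for either a missing business approval or an unexpected flow, whereas traffic that hit a written deny was anticipated by the ruleset.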

Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.

Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.

References
Associated policies/ procedures/
standards:
ISO 27001 Control Ref(s): A.11.4.1, A.11.4.6, A.11.4.7

Document Control
GISS Ref: 11-04
Version: V1.1 (Reviewed)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

11.05 Operating System Access Controls

Overview
This standard outlines the Company requirements for operating system access controls.

This standard supports the Global Information Security Policy:

• GISP 11

Target Audience
This standard applies to all Company applications and information systems. It is to be read
by all IT & Technical functions within the Company.

Standards
11.05.01 System Administrator access shall be limited to least privilege necessary.

11.05.02 System Administrator and system operator activities shall be logged and
include:

a. The time at which an event (success or failure) occurred

b. Information about the event (e.g. files handled) or failure (e.g. error
occurred and corrective action taken)

c. Which account and which administrator or operator was involved

d. Which processes were involved

e. The change management record associated with the administrative
access

11.05.03 System Administrator and operator logs should be reviewed on a regular
basis.

11.05.04 Access to systems and information must not be possible after an Authorised
User has left the business.

Guidance

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/
standards:
ISO 27001 Control Ref(s): A.10.6.4, A.11.6.1

Document Control
GISS Ref: 11-05
Version: V1.1 (Minor change to 11.05.01 to improve clarity)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

11.06 Application and Information System Access Controls

Overview
This standard outlines the Company requirements for access to applications and
information systems.

This standard supports the Global Information Security Policy:

• GISP 11

Target Audience
This standard applies to all Company applications and information systems. It is to be read
by all IT & Technical functions within the Company.

Standards
11.06.01 Access to applications and Information systems shall be restricted to
Authorised Users only, based on business need.

11.06.02 All servers and computers shall have a defined standard build based upon
role with relevant applications installed.

11.06.03 Access to applications and information systems further to the standard build
must be formally requested and authorised.

11.06.04 Access rights to applications and information systems and information must
be reviewed on a regular basis.

11.06.05 Information & system owners shall be responsible for defining the access
controls within their local applications.

11.06.06 Access to systems and information must not be possible after an Authorised
User has left the Company.

Guidance

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/
standards:
ISO 27001 Control Ref(s): A.11.5.1, A.11.5.3, A.11.6.1

Document Control
GISS Ref: 11-06
Version: V1.1 (Reviewed)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

11.07 Mobile Computing and Remote Access

Overview
This standard sets out the Company requirements for remote access to company
systems.

This standard supports the Global Information Security Policy:

• GISP 11

Scope
This standard applies to all Company networks which may be accessed from off-site.

Target Audience
This standard is to be read by all technical staff responsible for the development and
maintenance of Company network infrastructure and all users authorised to access
the Company network from off-site.

Standards
Remote Access

11.07.01 Remote access to a Company private network must be authorised prior
to access being granted.

11.07.02 Remote access to a Company private network shall only be utilised for
authorised business purposes.

11.07.03 Remote access to a Company private network must only use secure
and encrypted VPN technologies; dial-up access is not permitted.

11.07.04 Remote access to Company email systems (Outlook Web Access) is
permitted in accordance with local Standards.

11.07.05 Two-factor authentication is required for remote access to a Company
private network via the public internet. Remote access must also be
authenticated in accordance with Access Control Standards.

11.07.06 All users authorised for remote access must be configured to use VPN
access; dial-up access must not be used.

11.07.07 Split-tunnelling when using VPN must be disabled on remote users’
laptops to prevent internet-based exploits.

11.07.08 Remote access sessions must not exceed 5 hours in any one session.
Access must be configured to disconnect after this time.

11.07.09 The Company reserves the right to discontinue an Authorised User’s
Remote Access, with or without notice, if at any time, at the Company’s
sole discretion, such Authorised User is in violation of Company Policy
or Standard or for any business reason.

Remote Access User Authentication

11.07.10 Two-factor authentication is required for remote access via the public
internet to Company private networks and/or Company internal
applications where the information is classified as Level 2
(Confidential) or above. Remote access must also be authenticated in
accordance with Access Control Standards.

11.07.11 Authorised Remote Access Users shall be issued with unique
User Identifiers to access systems and applications as authorised by
Data Owners and their agents.

11.07.12 Passwords must not be preconfigured or preset in connection scripts or
software.

11.07.13 Remote access accounts must be disabled immediately upon a user
leaving the Company.

Guidance
It is recommended that remote access to the Company network be with two-factor
authentication – i.e. must be configured to use a token and / or unique
certificate.

Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.

Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.

References
Associated policies/ procedures/ GISS 2-01
standards:
ISO 27001 Control Ref(s): A.11.7.1, A.11.7.2, A.11.5.6

Document Control
GISS Ref: 11-07
Version: V1.1 (Reviewed)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

12.01 Operational Procedures and Responsibilities

Overview
This standard outlines the Company requirements for having defined operating
procedures to ensure security controls and processes are agreed and documented.

This standard supports the Global Information Security Policy:

• GISP 12

Scope
This standard applies to all Company technical systems, applications, networks,
hardware and software.

Target Audience
This standard is to be read by all IT Infrastructure, network, & application
development management functions.

Requirements
12.01.01 Standard operating procedures must meet the stated objectives in
Global Information Security Policy and meet Global Information
Security Standards.

12.01.02 Operating procedures for all critical technical functions and processes
must be documented.

12.01.03 Operating procedures for Information Technology infrastructure must
be documented. Procedures must include as a minimum provision for:

a. Access controls for new Authorised Users

b. Access controls for Authorised Users who are changing roles

c. Access controls for Authorised Users leaving the Company

d. Standard system and workstation build and configuration

e. Change Management and system release procedures

f. Logging and monitoring processes


g. System backup

h. Critical system start-up and shutdown

i. Overnight procedures

j. Daily system and log checks

k. Failover and recovery procedures

l. Virus and malware identification, isolation and removal

m. Security vulnerability tests

n. IT infrastructure development processes, IDLC

12.01.04 Procedures for Systems and Application Development must be
documented. Procedures must include as a minimum provision for:

a. Software development processes, SDLC

b. Computer code version management

c. Testing and release procedures

d. Change Management and system release procedures

e. Use of data in non-production environments

f. Security vulnerability and security penetration tests

g. Access controls for new Authorised Users

h. Access controls for Authorised Users who are changing roles

i. Access controls for Authorised Users leaving the Company

12.01.05 Procedures for all Systems and Application Support functions must be
documented. Procedures must include as a minimum provision for:

a. Access controls for new Authorised Users

b. Access controls for Authorised Users who are changing roles

c. Access controls for Authorised Users leaving the Company

d. Access to databases, including user and system access

e. Change Management and system release procedures

f. Database security requirements

g. Security vulnerability and security penetration tests

h. Logging and monitoring processes

i. Periodic review of Authorised User access permissions

Guidance
Documented procedures are not meant to define step by step functions, but rely on
some measure of technical knowledge and expertise.

Processes should clearly define any steps involved, and roles & responsibilities.

Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.

Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.

References
Associated policies/ procedures/
standards:
ISO 27001 Control Ref(s): A.10.1.1, A.10.10.5, A.11.5.3, A.11.5.4,
A.12.6.1

Document Control
GISS Ref: 12-01
Version: V1.1 (Reviewed)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

12.02 System Planning and Acceptance

Overview
This document outlines the Company requirements for systems planning and acceptance.
This standard supports the Global Information Security Policy:

• GISP 12

Target Audience
This standard applies to IT and Technical functions.

Standards

Capacity Management
12.02.01 The use of resources must be monitored and projections made of future
capacity requirements to ensure the required system performance.

12.02.02 The storage capacity of fileservers shall be periodically monitored by the
system administrator.

12.02.03 Future requirements must be considered to prevent degradation of services.

System Acceptance
12.02.04 All new systems/upgrades are to be controlled by the change control
process. No upgrade/systems are to be implemented without prior approval.

12.02.05 A risk assessment must be conducted prior to new systems/upgrades being
deployed within the Operational environment to ensure information security
issues are addressed.

12.02.06 Prior to installation, the system/upgrade must be appropriately tested to
ensure no conflicts or vulnerabilities are introduced to the current Company
network.

12.02.07 Testing must be carried out to confirm that all acceptance criteria are fully
satisfied.

12.02.08 For major new developments, Information Security/ IT must be consulted at
all stages in the development process to ensure the confidentiality, integrity
and availability of the proposed system design.

Guidance
Alerting should be enabled for capacity management to enable the IT function to
proactively manage disk space.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/
standards:
ISO 27001 Control Ref(s): A.10.3.1, A.12.2.2

Document Control
GISS Ref: 12-02
Version: V1.1 (Reviewed)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

12.03 Protection against Malicious Program and Mobile Code

Overview
This standard sets out the Company requirements for the protection of Company
information and information systems from malicious and mobile code. For the
purposes of this Standard, the term computer virus also includes worms and Trojans.

This standard supports the Global Information Security Policy:

• GISP 12.

Scope
This standard applies to all Company information systems.

Target Audience
This standard is to be read by all technical employees and Authorised Users.

Standards
12.03.01 The Company shall implement measures designed to protect systems
from malicious and mobile code.

12.03.02 Approved anti-virus software must be installed and operating correctly
on all Company equipment and devices which are susceptible to
malicious code and which connect to the Company private network.
This includes, but is not limited to desktop computers, laptops and
servers.

12.03.03 All systems with anti-virus software installed shall be configured to
accept updated software patterns at least daily.

12.03.04 Procedures must be in place to ensure that Security updates are
installed on Company laptops and other devices which are not
permanently connected to the Company private network and especially
where those devices connect to the public internet.

12.03.05 Procedures must be in place to ensure that Company laptops and
other devices which have connected to the public internet or other
untrusted networks do not pose a threat of malware when reconnecting to
the Company private network.

12.03.06 Servers must be configured to scan files on access for malicious
software and must be configured to run a daily scan on all critical files.
Where on-access scanning is not practical or causes performance
issues, a scan of files shall be configured to run at a time when least
impact will occur.

12.03.07 Company email servers and email gateways shall have suitable anti-
virus and anti-malware software installed and functioning correctly to
help ensure that all inbound and outbound email traffic is scanned and
that malicious software is prevented from continuing or executing.

12.03.08 Internet proxy servers shall have suitable anti-virus and anti-malware
software installed and functioning correctly to help protect the
Company private network.

12.03.09 All Company computer desktops and laptops must be configured to
scan files on access or download for malicious software.

12.03.10 Files loaded from an external source (e.g., e-mail, internet, CD, DVD,
USB drive) must be scanned for viruses.

12.03.11 Files as e-mail attachments must be scanned for viruses.

12.03.12 Where users are authorised to use removable media, suitable
anti-virus controls and tools shall be installed and functioning correctly.

12.03.13 Actual or suspected virus activity must be reported immediately to the
IT helpdesk as a Security Incident.

12.03.14 Performing unauthorised changes to anti-virus or anti-malware
configuration settings on any Company device is a serious violation of
Company Security policy.

12.03.15 Actual or suspected weaknesses in the Company’s anti-virus
programme must be reported immediately to the IT helpdesk as a
Security Incident.

12.03.16 Information Security shall regularly monitor, maintain and communicate
virus protection standards and controls for all Company access points
under the Company’s control.

12.03.17 Response procedures for virus-related incidents must be implemented
and reviewed.

Guidance

Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.

Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.

References
Associated policies/ procedures/
standards:
ISO 27001 Control Ref(s): A.11.1.1

Document Control
GISS Ref: 12-03
Version: V1.1 (Reviewed)
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

12.04 Back-up

Overview
This standard sets out the Company requirements for the Back-up of Company
information.

This standard supports the Global Information Security Policy:

• GISP 12

Scope
This standard applies to all Company information to be backed up.

Target Audience
This standard is to be read by all technical staff responsible for the Back-up of
Company information.

Standards
12.04.01 All critical systems and data shall be backed up to provide recovery of
such systems in the event of a system or site failure. The Recovery
Point Objective (RPO) and Recovery Time Objective (RTO) are
normally calculated according to the Data Value determined by the
Data Owner. As a minimum, critical information should be backed up at
least daily.

12.04.02 The back-up, restore and recovery processes and procedures shall be
documented. Copies of documentation shall be stored off-site to allow
for access in the event of a site failure or lack of access.

12.04.03 Restore and recovery procedures shall be tested regularly, at least
annually. Restoration procedures must be regularly checked and tested
to ensure that they are effective and can be completed in the allocated
restoration time.

12.04.04 Back-up media stored on-site shall be stored in a fire-safe or suitable
equivalent to protect against damage in the event of a fire or other
environmental risk.

12.04.05 Back-up media stored off-site must be in approved locations or with
approved external suppliers.

12.04.06 Robust controls must be in place to ensure that Back-up data is not
misplaced, stolen, damaged or otherwise compromised at any time,
including in transit. These controls must be reviewed regularly.

12.04.07 All physical and logical security controls applied to information and data
at the primary site must be extended to cover information and data at
any Back-up or Disaster Recovery site.

12.04.08 Authorised Users are responsible for copying and backing up their own
unstructured Company data securely both when on-site and travelling
off-site.
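Two of the standards above set measurable objectives: 12.04.01 ties the back-up interval to an RPO set by the Data Owner with a daily floor for critical information, and 12.04.03 requires a restore test at least annually. The following is an added example, not part of the Bupa standard, of the compliance check a back-up administrator could run over a catalogue of critical datasets to find those that currently miss either objective. The dataset names, objectives and timestamps are constructed for the example.

```python
"""Back-up freshness check against RPO and restore-test objectives.

Added example, not part of the Bupa standard. Given a catalogue of critical
datasets, it flags those whose last successful back-up is older than their
Recovery Point Objective (12.04.01, with the daily minimum the standard sets
for critical information applied as a cap) and those whose last restore test
is more than a year old (12.04.03). The dataset names, objectives and
timestamps are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

DAILY_MINIMUM = timedelta(days=1)            # 12.04.01: critical data at least daily
RESTORE_TEST_INTERVAL = timedelta(days=365)  # 12.04.03: tested at least annually


@dataclass
class BackupRecord:
    dataset: str
    rpo: timedelta                         # set by the Data Owner from the Data Value
    last_success: Optional[datetime]       # last completed back-up, None if never
    last_restore_test: Optional[datetime]  # last successful restore test, None if never


def effective_rpo(rec: BackupRecord) -> timedelta:
    """The Data Owner may tighten the RPO but not relax it past the daily minimum."""
    return min(rec.rpo, DAILY_MINIMUM)


def check_backups(records: List[BackupRecord], now: datetime) -> List[Tuple[str, str]]:
    """Return (dataset, finding) pairs; an empty list means every objective is met."""
    findings = []
    for rec in records:
        if rec.last_success is None:
            findings.append((rec.dataset, "never-backed-up"))
        elif now - rec.last_success > effective_rpo(rec):
            findings.append((rec.dataset, "rpo-exceeded"))
        if rec.last_restore_test is None or now - rec.last_restore_test > RESTORE_TEST_INTERVAL:
            findings.append((rec.dataset, "restore-test-overdue"))
    return findings


# Constructed sample catalogue, evaluated at a fixed point in time so the
# result is reproducible.
NOW = datetime(2011, 11, 22, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    BackupRecord("patient-records-db", timedelta(hours=4),
                 NOW - timedelta(hours=2), NOW - timedelta(days=40)),
    BackupRecord("claims-fileserver", timedelta(days=1),
                 NOW - timedelta(days=3), NOW - timedelta(days=400)),
    BackupRecord("hr-archive", timedelta(days=7), None, None),
]


if __name__ == "__main__":
    for dataset, finding in check_backups(SAMPLE, NOW):
        print(f"{dataset}: {finding}")
```

The check uses the time of the last successful back-up, not the last scheduled one, because a job that ran but failed gives no recovery point; the same distinction applies to restore tests, which only count once they complete within the allocated restoration time.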

Guidance
Clear guidance should be given to Authorised Users to ensure they understand the
requirements for Back-up of information they may have on laptops or other
removable media / devices.

Consideration should be given to defining clear manual or automatic procedures for
Back-up of information on laptops.

Offsite DR Back-up locations and systems should be included in Information Security
considerations and controls. The same level of control should be applied to DR
systems.

Tests of Back-up tapes should be done randomly to ensure backups are valid and
will work.
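The restore test that 12.04.03 and the guidance above ask for can be scripted rather than done by hand. The following is an added illustration, not part of the Bupa standard: it backs up a constructed set of files into an in-memory archive, records a SHA-256 manifest at backup time, then restores the archive and checks every file against the manifest and the restore against an allocated restoration time. The file names, contents and time limit are made up for the example; the same pattern applies to a real tape or disk backup by pointing it at the real archive and manifest.

```python
import hashlib
import io
import tarfile
import time

# Constructed sample "critical" files standing in for a nightly backup set.
SAMPLE_FILES = {
    "db/patients.csv": b"id,name\n1,Alice\n2,Bob\n",
    "db/schema.sql": b"CREATE TABLE patients(id INT, name TEXT);\n",
}


def make_backup(files):
    """Write files into an in-memory gzip tar and return (archive bytes, sha256 manifest).

    The manifest is recorded at backup time and stored with the backup documentation
    (12.04.02), so that a later restore can be checked against it.
    """
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest


def restore_backup(archive_bytes):
    """Read every regular file out of the archive into memory (a restore to a scratch area)."""
    restored = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                restored[member.name] = tar.extractfile(member).read()
    return restored


def verify_restore(archive_bytes, manifest, max_seconds):
    """Return a list of problems; an empty list means the restore test passed.

    Checks: the archive is readable, every manifest entry is present with the
    expected hash, nothing unexpected appeared, and the restore finished inside
    the allocated restoration time (max_seconds is an assumed figure).
    """
    start = time.monotonic()
    try:
        restored = restore_backup(archive_bytes)
    except (tarfile.TarError, OSError, EOFError) as exc:
        return [f"unreadable archive: {exc}"]
    elapsed = time.monotonic() - start

    problems = []
    for name, expected in manifest.items():
        data = restored.get(name)
        if data is None:
            problems.append(f"missing: {name}")
        elif hashlib.sha256(data).hexdigest() != expected:
            problems.append(f"corrupt: {name}")
    for name in sorted(set(restored) - set(manifest)):
        problems.append(f"unexpected: {name}")
    if elapsed > max_seconds:
        problems.append(f"restore took {elapsed:.2f}s, allowed {max_seconds}s")
    return problems


if __name__ == "__main__":
    archive, manifest = make_backup(SAMPLE_FILES)
    print("restore test:", verify_restore(archive, manifest, max_seconds=10) or "OK")
```

Running the test on a random selection of media, as the guidance suggests, and keeping the returned problem list with the test record gives the evidence an auditor will ask for; an unreadable archive or a hash mismatch is a backup failure to raise through the incident process, not a note to file.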

Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.

Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.10.5.1

Document Control
GISS Ref: 12-04
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011


12.05 Network Security

Overview
This standard sets out the minimum security requirements for any company network
to ensure all networks are appropriately protected and secured.

This standard supports the Global Information Security Policy:

• GISP 12

Scope
This standard applies to all Company internal and external networks, and external
party network connections.

Target Audience
This standard is to be read by all IT Administration, network & technical staff.

Standards
Network Configuration

12.05.01 Firewalls shall be in place at each Internet connection and between
DMZ and internal networks, and between any external / 3rd party
network connections.

12.05.02 Web servers, file transfer systems and email gateways that are
exposed to external access shall be secured in a DMZ area to prevent
access to Company corporate network.

12.05.03 Direct routes from the internet to the internal network must not be
allowed. Network address translation must be implemented on all
inbound & outbound connections.

12.05.04 Any 3rd party or external network connections must be protected by
firewalls and appropriate security controls.


12.05.05 The configuration and changes of firewalls shall only be undertaken by
authorised members of the Company IT Department.

12.05.06 Changes to firewalls and network devices shall follow a formal change
management process to ensure changes are detailed, assessed for
risk and impact, and authorised before implementation.

Network Systems Administrator Access

12.05.07 Administrator passwords for firewalls and network devices shall follow
the complexity requirements for Administrator / Privilege passwords.

12.05.08 Administrator access to all firewalls and network devices shall be
restricted to authorised administrators only.

12.05.09 Any remote administration connection to network devices, systems or
applications shall be made via authorised methods and must use encrypted
connections.

Network Documentation

12.05.10 All firewall rules and ports in use must be documented and authorised
by the IT Manager. The documentation must include the system and
business reason for the rule.

12.05.11 External firewall rule sets must be reviewed every 6 months to ensure
all rules are valid and acceptable.

Network Connection Control

12.05.12 No user or administrator shall bypass network security and controls
without formal authorisation and documented approval.


12.05.13 No unauthorised or non-company equipment shall be connected to the
Company network without formal authorisation.

12.05.14 Modems, access points or other network connectivity devices shall not
be connected directly to the network, unless authorised, or as part of
an approved and managed project, and approved by Information
Security.

12.05.15 External parties shall not be allowed to connect to the corporate
networks without agreement to meet security controls and
requirements. Such security requirements must be specified in formal
agreements and contracts. External party network connections must be
authorised by Information Security.

12.05.16 No wireless access points may be connected to the Company network
without authorisation (see the Wireless Security Standard for more
detail).

External Network Access

12.05.17 All external access by Authorised Users to company networks must be
through approved VPN connections.

12.05.18 All VPN connections must utilise strong passwords in line with the
Acceptable Use standard.

12.05.19 Sessions must be set to automatically disconnect after a maximum of 5
hours.

12.05.20 All Authorised User-based internet browsing must be routed through an
approved company proxy server.


12.05.21 Split-tunnelling when using the VPN must be disabled on remote users’
laptops to prevent internet-based exploits from routing back down the
VPN.

12.05.22 VPN passwords shall not be preconfigured or preset in dial-up
software or VPN clients. Passwords must not be transmitted in clear text, but
must be suitably encrypted in transmission.

Physical Protection for Networks

12.05.23 All network devices such as routers, firewalls etc. must be secured from
unauthorised access in server rooms or data centres, where access is
recorded and logged.

12.05.24 All network switches must be secured in locked cages or racks in
internal, not public, areas.

12.05.25 All exterior network cabling shall be protected from unauthorised
access. All external cabling shall be presented underground or in
secure housing to prevent tampering and unauthorised access.

Guidance
• Firewalls should be configured:

o to deny all, and then only allow agreed and approved protocols to and
from given IP addresses or address ranges, or for specific services,

o to restrict inbound and outbound protocols and ports to only those
systems and services that are authorised and necessary,

o in such a way as to prevent external sources from gaining intelligence
about Company networks and systems,

o to use Proxy services wherever possible to control and manage
internet browsing and traffic,

o to reliably identify and authenticate all users of such services whether
they are internal or external,

o to enable the auditing of the allowed and blocked traffic.

Network Access Control systems can be deployed to prevent, or to notify of, unauthorised
connections to the network.

It is recommended that remote access to the Company network use two-factor
authentication, i.e. it must be configured to use a token and / or a unique
certificate.
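The six-monthly rule-set review required by 12.05.11, against the documentation 12.05.10 requires and the deny-all guidance above, is a repeatable check that can be scripted. The following is an added example written for this page, not a Bupa tool: it runs over a constructed rule register (rule ids, addresses, owners and dates are all made up for the illustration) and reports every rule that lacks a recorded system and business reason or authorisation, is broader than a specific protocol and port, or has passed its review date, and confirms that the set ends in a deny-all default. Exporting a real firewall's rules into the same dictionary shape is the only adaptation needed.

```python
from datetime import date, timedelta

# Constructed rule register, evaluated top to bottom as a firewall would.
# Each entry carries the documentation 12.05.10 calls for.
RULES = [
    {"id": 10, "action": "allow", "src": "any", "dst": "192.0.2.10", "proto": "tcp", "port": "443",
     "system": "customer portal (DMZ web)", "reason": "public HTTPS access",
     "approved_by": "IT Manager", "reviewed": date(2011, 9, 1)},
    {"id": 20, "action": "allow", "src": "192.0.2.10", "dst": "10.10.1.5", "proto": "tcp", "port": "1433",
     "system": "portal database", "reason": "portal to DB tier",
     "approved_by": "IT Manager", "reviewed": date(2011, 3, 1)},
    # An undocumented any/any rule of the kind a review is meant to catch.
    {"id": 30, "action": "allow", "src": "any", "dst": "any", "proto": "any", "port": "any",
     "system": "", "reason": "", "approved_by": "", "reviewed": date(2011, 9, 1)},
    {"id": 999, "action": "deny", "src": "any", "dst": "any", "proto": "any", "port": "any",
     "system": "perimeter", "reason": "default deny", "approved_by": "IT Manager",
     "reviewed": date(2011, 9, 1)},
]

REVIEW_INTERVAL = timedelta(days=183)  # "every 6 months" (12.05.11)


def is_catch_all(rule):
    """True when the rule matches any source, destination, protocol and port."""
    return all(rule[k] == "any" for k in ("src", "dst", "proto", "port"))


def review_ruleset(rules, today):
    """Return (rule_id, finding) pairs for every deviation from the standard."""
    findings = []
    last = rules[-1] if rules else None
    if last is None or last["action"] != "deny" or not is_catch_all(last):
        findings.append((None, "ruleset does not end in a deny-all default"))
    for r in rules:
        if r["action"] != "allow":
            continue
        if not r["system"] or not r["reason"]:
            findings.append((r["id"], "missing system/business reason"))
        if not r["approved_by"]:
            findings.append((r["id"], "no recorded authorisation"))
        if r["src"] == "any" and r["dst"] == "any":
            findings.append((r["id"], "allows any source to any destination"))
        elif r["port"] == "any" or r["proto"] == "any":
            findings.append((r["id"], "not restricted to a specific protocol/port"))
        if today - r["reviewed"] > REVIEW_INTERVAL:
            findings.append((r["id"], "review overdue"))
    return findings


def rules_after_deny_all(rules):
    """Ids of rules shadowed by an earlier catch-all deny; they never match and should go."""
    for i, r in enumerate(rules):
        if r["action"] == "deny" and is_catch_all(r):
            return [x["id"] for x in rules[i + 1:]]
    return []


if __name__ == "__main__":
    for rule_id, finding in review_ruleset(RULES, date.today()):
        print(f"rule {rule_id}: {finding}")
```

The output is the review record: each finding names the rule and the standard it fails, which is what the IT Manager needs in order to either re-authorise the rule with a documented reason or remove it.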

Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.

Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or exception to this
standard, then the exception must be documented and reported to the IGEC Group
for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.10.6.2, A.11.4.3, A.11.4.4, A.11.4.5, A.11.5.6

Document Control
GISS Ref: 12-05
Version: V1.1 Corrected error in 12.05.19
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011


12.06 Exchange of Information

Overview
This standard outlines the Company requirements for Authorised Users when
exchanging Company information with external parties.

This standard supports the Global Information Security Policy:

• GISP 12

Scope
• This standard applies to all information exchanged with external parties

Target Audience
This standard is to be read by all Authorised Users exchanging information with
external parties.

Standards
12.06.01 Exchange agreements shall be in place with all external parties where
there is a requirement to exchange information on a regular basis.

12.06.02 Formal confidentiality agreements must be in place with any external
party before exchanging or sending level 2 or level 3 information.

12.06.03 For any process involving the regular or automated exchange of level 2
and level 3 information with external parties, a formal exchange
agreement must be in place, stating the following as a minimum:

a. Defined and documented persons responsible at each party for the
secure exchange of information.

b. Documented details and agreement on the process for
exchange of information.

c. Any security controls or processes required to protect
the information, such as encryption, secure courier, networks or
VPN requirements, receipt and transmission notifications etc.


d. Nominated contact points in each party for the notification /
escalation of any security breach or incident.

12.06.04 Secure methods for regular or routine exchange or transmission of
information to external parties must be addressed within contractual
agreements.

12.06.05 Retention requirements and policies must be specified for any level 3
information sent to external parties, to ensure information is only
retained for as long as is required and is disposed of securely.

12.06.06 All legal, regulatory and contractual requirements shall be considered
before entering into any formal exchange of information with external
parties, particularly if the exchange crosses borders, states or
territories where information laws and regulations may differ.

Guidance

Enforcement
All employees, managers and contractors are required to comply with Company
Policies and Standards. Compliance with this standard shall be monitored via
Internal Audit, compliance programs and Security Incident Reporting Procedures.
Failure to comply with any Policy or Standard may result in disciplinary action.

Variations
This Standard must be applied in all Organisation business units. However, if local
legal, regulatory or contractual requirements require modification or variation to this
standard, then the variation must be documented and reported to the IGEC Group
for approval.


References
Associated policies/ procedures/ standards: NHS IG Toolkit (UK)
ISO 27001 Control Ref(s): A.10.8.1, A.10.8.2

Document Control
GISS Ref: 12-06
Version: V1.1
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011


12.07 Technical Compliance Monitoring

Overview
This standard sets out the requirements for the monitoring of technical compliance within
the company.

This standard supports the Global Information Security Policy:

• GISP 12

Target Audience
This standard applies to Company computer systems. It is to be read by all IT and Technical
functions within the Company.

Standards

Technical Compliance Checking


12.07.01 A regular technical compliance check and audit process shall be defined to
ensure that security controls are working correctly and effectively.

12.07.02 IT Departments should perform and record regular checks on a daily /
weekly / monthly basis to include as a minimum:

a. Success of backups.

b. System, server and domain log checks for errors, failures and suspicious
activity.

c. Updates of anti-virus patterns and reviews of AV logs etc.

d. Weekly / monthly checks of disk space.

e. Updates of operating system patches and updates.

f. Regular penetration & vulnerability assessments.

12.07.03 The compliance checking should be conducted against a checklist, and a
method of reporting inconsistencies / non-conformities should be included.

Monitoring Access to Systems


12.07.04 Critical systems, servers and network devices shall be configured to log and
record user and privileged access and changes.

12.07.05 Critical system logs for serious errors and suspicious activities must be
reviewed on a regular basis. If a suspected breach or major problem is
detected, the incident reporting process must be followed immediately.

12.07.06 Event logs will be configured to ensure sufficient records are maintained.


12.07.07 Access to event logs will be restricted to those IT staff who are responsible
for monitoring systems.

Software Licensing
12.07.08 Without prior approval, Authorised Users must not:

a. Install any software on Company owned equipment without authorisation.

b. Share any software with any external party or colleague (for example
consultants or customers).

c. Remove software from one machine and re-install on another machine.

d. Access software or load software via a modem from a home computer.

e. Duplicate any software or documentation.

f. Install any Company licensed software onto a personal portable or home
computer without prior agreement and authorisation.

12.07.09 Formal license inventories for all software shall be maintained by the IT
department.

12.07.10 During the procurement process, all software licenses will be recorded in the
software inventory.

12.07.11 Software installation shall be audited at least annually. Any unlicensed
software will be removed until the appropriate licenses have been procured.

12.07.12 Licence audits shall be compared to purchased licence registers to ensure
that the business unit is fully and legally licensed.

Guidance
Ideally all systems and applications should record the following activities:
• All individual accesses to data
• All actions taken by any individual with root or administrative privileges
• Access to all audit trails
• Invalid logical access attempts
• Use of identification and authentication mechanisms
• Initialization of the audit logs
• Creation and deletion of system-level objects
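The daily log check in 12.07.02(b) and the review of critical system logs in 12.07.05 are easier to do consistently against a checklist when the first pass is automated. The following is an added example for this page, not a Bupa tool: it parses a handful of constructed syslog-style lines (hosts, users and addresses are invented) and sorts them into the three buckets the standard names: errors and failures, use of root or administrative privilege, and suspicious activity, here a burst of failed logins from one source. The threshold of five failures is an assumed figure; a real deployment would tune it and read the real log files.

```python
import re
from collections import Counter

# Constructed syslog-style lines standing in for one day's system and domain logs.
SAMPLE_LOG = """\
Nov 21 08:01:10 srv01 sshd[101]: Accepted publickey for jsmith from 10.0.5.21 port 51000
Nov 21 08:02:11 srv01 sshd[102]: Failed password for root from 203.0.113.9 port 40011
Nov 21 08:02:12 srv01 sshd[103]: Failed password for root from 203.0.113.9 port 40012
Nov 21 08:02:13 srv01 sshd[104]: Failed password for admin from 203.0.113.9 port 40013
Nov 21 08:02:14 srv01 sshd[105]: Failed password for admin from 203.0.113.9 port 40014
Nov 21 08:02:15 srv01 sshd[106]: Failed password for oracle from 203.0.113.9 port 40015
Nov 21 08:02:40 srv01 sshd[107]: Failed password for jsmith from 10.0.5.21 port 51002
Nov 21 08:03:00 srv01 sudo: jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/systemctl restart nginx
Nov 21 08:04:00 srv01 kernel: [12345.678] EXT4-fs error (device sda1): ext4_find_entry: reading directory lblock 0
Nov 21 08:05:00 srv01 backup[200]: job nightly-db finished status=FAILED
Nov 21 08:06:00 srv01 clamd[300]: SelfCheck: Database status OK
"""

# "<timestamp> <host> <process>[pid]: <message>", pid optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
# Keywords that mark an error or failure worth a human look (lower-case match).
ERROR_KEYWORDS = ("error", "status=failed", "fatal", "panic")


def parse(log_text):
    """Split raw log text into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def review_log(log_text, failure_threshold=5):
    """Return {"errors": [...], "privileged": [...], "suspicious": [...]} for the checklist."""
    report = {"errors": [], "privileged": [], "suspicious": []}
    failures = Counter()  # failed logins per source address
    for ev in parse(log_text):
        msg = ev["msg"]
        m = FAILED_RE.search(msg)
        if m:
            failures[m.group("src")] += 1
        if ev["proc"] == "sudo":  # root/administrative privilege in use
            report["privileged"].append(msg)
        if any(k in msg.lower() for k in ERROR_KEYWORDS):
            report["errors"].append(f"{ev['proc']}: {msg}")
    for src, n in failures.items():
        if n >= failure_threshold:
            report["suspicious"].append(f"{n} failed logins from {src}")
    return report


if __name__ == "__main__":
    for bucket, items in review_log(SAMPLE_LOG).items():
        print(bucket, *items, sep="\n  ")
```

Anything landing in the "suspicious" bucket is a candidate for the incident reporting process that 12.07.05 requires; the "privileged" bucket is the audit trail of administrative actions the guidance list asks systems to record, and the "errors" bucket feeds the daily checklist.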

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.6.1.8, A.10.10.1, A.10.10.2, A.15.1.2, A.15.2.2

Document Control
GISS Ref: 12-07
Version: V1.1 Reworded 12.07.02 to give better clarity
Release date: 22 Nov 2011
Next review: Dec 2012


12.08 Change Control

Overview
This standard outlines the Company requirements and processes for managing changes
to systems, applications and information.

This standard supports the Global Information Security Policy:

• GISP 12

Target Audience

This standard applies to all functions, and covers any changes which impact Company
information systems. It is to be read by all Authorised Users.

Standards
12.08.01 All changes, updates and modifications to hardware, software, networks,
systems, and applications shall be subject to formal change control
procedures.

12.08.02 Minor changes which are exempt from change control processes must be
formally documented and approved.

12.08.03 All major changes must be authorised and tested before being implemented.

12.08.04 As a minimum the following elements must be included in change control
procedures:

a. Description of change.

b. Proposed timescales.

c. Impact of change on business.

d. Rollback / back out procedures.

e. Test plans.

f. Defined acceptance criteria.

g. Authorisation for change.

12.08.05 All new systems and changes shall be subject to formal testing in a test
environment (separate to the live environment) before being released to the
live / production environment.

12.08.06 Testing procedures shall include recording of bugs and issues which must
be recorded and resolved prior to the change being released into the live/
production environment.


12.08.07 Any system development or maintenance must be formally approved before
release to the live environment.

12.08.08 On completion of the changes, upgrades, modification or installation, all
system documentation shall be updated to reflect the changes made.

12.08.09 Whenever there are changes to the operating system on critical systems –
e.g. upgrade to a new version of OS – the system will be tested and reviewed
to ensure that:

a) The integrity of the operating system has not been compromised.

b) The Information Security Manager is informed of any
potential policy and / or security changes resulting from the change.

c) Notification and appropriate training is given to the relevant
Authorised Users prior to implementation.

d) Appropriate changes are made to the relevant BCP.

e) The information asset list is updated with relevant details of any new
information asset.

12.08.10 All changes to operating systems for critical systems must be subject to
formal approval prior to implementation.

Guidance
Change control processes may be relatively simple – a single sheet detailing the change,
risks, impact, test procedures & approval may suffice. It is important to define the relevant
persons responsible for approval of changes, to make sure all changes are acceptable
and have been thought through.

Minor / emergency changes such as a server re-boot or replacing a hard disk in a RAID set
may not require the formal change process; please consult your local Information
Security Department. All changes, however, should either go through the formal change
process or be on the pre-approved list.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.


Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.10.1.2, A.12.5.1, A.12.5.2

Document Control
GISS Ref: 12-08
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011


12.09 Technical Vulnerability Management/Penetration Testing

Overview
This standard outlines the Company requirements for the management of technical
vulnerabilities, including patching and the need for regular technical security testing of
Company infrastructure and systems.

This standard supports the Global Information Security Policy:

• GISP 12

Target Audience
This standard applies to all Company infrastructure and systems, including PCs and
servers. It is to be read by all IT & Technical functions within the Company.

Standards

Patch Management
12.09.01 The Data Custodian is responsible for ensuring that systems are kept up to
date with all appropriate vendor security-relevant upgrades and patches.

12.09.02 Appropriate security-relevant upgrades and patches shall be installed on live
systems as soon as possible.

12.09.03 Critical security patches must be applied within one month of release.

12.09.04 If an extended delay in installation of an upgrade or patch is unavoidable, or
if it is not practical to install an upgrade or patch on live systems due to
conflicts with existing software, local Information Security must be notified as
soon as possible.

Security and Penetration Testing


12.09.05 Security and Penetration testing is to be considered throughout the lifecycle
of all Company systems whether Company or third party managed/hosted.

12.09.06 A risk assessment of all new systems and those undergoing change is to be
undertaken to identify the requirements for security testing.

12.09.07 Systems and applications that are designed to use or interface with the public
internet will require security testing.

12.09.08 Systems subject to PCI DSS must be subject to regular security testing and
vulnerability scanning at the frequency specified in the Standard.

12.09.09 All new applications processing sensitive data must, as a minimum, undergo
functional security testing to verify appropriate access controls have been
implemented.


12.09.10 Security testing must be carried out in a manner that does not in itself
introduce more significant vulnerabilities than those seeking to be mitigated.

12.09.11 All vulnerabilities identified through security testing must be managed
appropriately and a record maintained of agreed actions.

12.09.12 Data Owners must formally accept all residual risk identified through security
testing prior to the promotion of systems to the live environment.

12.09.13 Security testing must only be carried out by qualified and authorised
personnel.

12.09.14 Vendors engaged in security testing activity must undergo thorough due
diligence activity and be subject to strict NDAs.

Guidance
Upgrades and patches that may adversely affect live functionality, or that offer no practical
solution benefit, should not be implemented on live systems.

Security testing can include functional security testing, application security penetration
testing, vulnerability scanning, server build reviews and database configuration reviews.

It is good practice to use more than one security testing vendor.

Priority should be given to externally facing systems; however, some critical internal and
highly sensitive systems might also attract specialist security testing routines.

It is recommended that vulnerability testing be conducted for all new systems and
applications that process sensitive data.

When developing large applications, consideration should be given to a phased security
testing approach.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.


Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the variation must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.6.1.8, A.12.6.1, A.15.2.2, A.15.3.1, A.15.3.2

Document Control
GISS Ref: 12-09
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011


13.01 Security Requirements for Information Systems

Overview
This document outlines the requirements for the protection of Company Information
Systems.

This standard supports the Global Information Security Policy:

• GISP 13

Target Audience
This standard applies to all Company Information Systems. It is to be read by IT and all
Technical Functions.

Standards
13.01.01 Information Security requirements and specifications shall be addressed at
the planning stages of Information System projects.

13.01.02 Information security requirements must be considered and documented
within the project plans. Where identified, an Information Security
representative may need to be appointed to guide the project team.

13.01.03 The project manager is accountable to the Data Owner for ensuring that
appropriate and adequate Security has been applied.

13.01.04 Information security must be included and covered throughout the
development lifecycle requirements for new systems or throughout the
development of significant changes to existing systems.

13.01.05 Where appropriate, information security requirements shall be formally
reviewed and documented as part of new development projects or system
changes and upgrades.

13.01.06 When developing new systems / applications, or making changes to existing
systems / applications, development and test environments must be
separated from the live environments to ensure that the live environment is
not adversely affected by testing and development of new code and
processes.

13.01.07 Testing must include Information Security tests as identified in the
requirements.

Guidance
Considerations when looking at the security of development and maintenance must
include:
• Access control to data and applications
• Audit trail of user and administrator activities
• Protection and encryption of data in storage
• Protection and encryption of data in transmission
• Physical access to servers and systems

Level 3 information should be scrambled or masked in test systems wherever possible.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.


References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.10.1.4, A.11.6.2, A.12.1.1, A.12.4.3

Document Control
GISS Ref: 13-01
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011


13.02 Correct Processing in Applications

Overview
This document outlines the requirements for the processing and development of
applications.

This standard supports the Global Information Security Policy:

• GISP 13

Target Audience
This standard is to be read by IT and Technical Functions, particularly Development
functions.

Standards
13.02.01 Input and output data in applications shall, where appropriate, be subject to
validation tests.

13.02.02 User screens designed for user input shall have input fields validated to
ensure data is accurate, for example date fields, title, numerical, etc.

13.02.03 Where appropriate, formal processes and procedures must be implemented
to ensure that data output is checked for accuracy.

Input Data Validation


13.02.04 Data input to applications must be validated to ensure that this data is
correct and appropriate.

13.02.05 Data input to application systems shall be validated to ensure that it is
correct and appropriate. Checks should be applied to the input of business
transactions, standing data and parameter tables. The following controls will
be considered, developed and tested as appropriate:

a. Dual input or other input checks to detect the following errors:
   - Out-of-range values.
   - Unauthorised file types.
   - Invalid characters in data fields.
   - Missing or incomplete data.
   - Exceeding upper and lower data volume limits.
   - Unauthorised or inconsistent control data.

b. Periodic review of the content of key fields or data files to confirm their
validity and integrity.

c. Inspecting hard copy input documents for any unauthorised changes to
input data (all changes to input documents should be authorised).


d. Procedures for responding to validation errors.

e. Defining the responsibilities of all personnel involved in the data input
process.

Internal Processing Validation


13.02.06 Validation checks shall be incorporated into applications to detect any
corruption of information through processing errors or deliberate acts.

13.02.07 Data correctly entered into an application system can be corrupted by
processing errors or through deliberate acts. Validation checks must be
incorporated into systems to detect such corruption. The design of
applications should ensure that restrictions are implemented to minimise the
risk of processing failures leading to a loss of integrity.

13.02.08 Specific areas that will be considered, developed and tested, as appropriate,
include:

a. The use and location in programs of add and delete functions to
implement changes to data.

b. The procedures to prevent programs running in the wrong order or
running after failure of prior processing.

c. The use of correct programs to recover from failures to ensure the
correct processing of data.

d. Checks to ensure that programs run in the correct order and terminate
in case of failure, and that further processing is halted until the
problem is resolved.

Output Data Validation


13.02.09 Data output from an application should be validated to ensure that the
processing of stored information is correct and appropriate to the
circumstances.

13.02.10 Data output from an application system should be validated to ensure that
the processing of stored information is correct and appropriate to the
circumstances. Typically, systems are constructed on the premise that
having undertaken appropriate validation, verification and testing the output
will always be correct. This is not always the case.

13.02.11 The following controls for output validation will be considered, developed and
tested as appropriate:

a. Plausibility checks to test whether the output data is reasonable.

b. Reconciliation control counts to ensure processing of all data.


c. Providing sufficient information for a reader or subsequent processing
system to determine the accuracy, completeness, precision and
classification of the information.

d. Procedures for responding to output validation tests.

e. Defining the responsibilities of all personnel involved in the data output


process.

Guidance
Data validation checks should include:

• Checking data input formats.

• Checking for SQL injection and other vulnerabilities for data input.
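The following is an added example, not code from the Bupa standard, showing how the controls in 13.02.11 and the guidance above fit together in one batch job: format checks on input, a parameterised INSERT so the database never interprets user-supplied text as SQL, a plausibility check on the amount, and a reconciliation control count over the whole batch. The record layout, the field formats, the plausibility limit and the constructed sample records are assumptions for the example.

```python
"""Input and output validation for a constructed batch of claim records.

Added illustration, not Bupa's own code. Record layout, field formats and
the plausibility limit are assumptions for the example.
"""
import re
import sqlite3
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: one good record, one malformed id,
# one SQL injection attempt, one implausible amount.
SAMPLE_INPUT = [
    {"claim_id": "CLM-000123", "amount": "125.50"},
    {"claim_id": "CLM-0001X3", "amount": "99.00"},
    {"claim_id": "CLM-000124' OR '1'='1", "amount": "10.00"},
    {"claim_id": "CLM-000125", "amount": "9999999.00"},
]

CLAIM_ID_RE = re.compile(r"^CLM-\d{6}$")        # assumed id format
AMOUNT_RE = re.compile(r"^\d{1,7}\.\d{2}$")     # assumed amount format
MAX_PLAUSIBLE_AMOUNT = 100000.00                # assumed business limit


@dataclass
class BatchResult:
    received: int
    accepted: int
    stored: int
    reconciled: bool
    rejections: List[Tuple[str, str]] = field(default_factory=list)


def validate_input(record: dict) -> Optional[str]:
    """Format checks on input (guidance, first bullet). Returns a reason or None."""
    if not CLAIM_ID_RE.match(record.get("claim_id", "")):
        return "claim_id format"
    if not AMOUNT_RE.match(record.get("amount", "")):
        return "amount format"
    return None


def plausible(amount: float) -> bool:
    """Plausibility check on output data (13.02.11 a)."""
    return 0.0 < amount <= MAX_PLAUSIBLE_AMOUNT


def process_batch(records: List[dict]) -> BatchResult:
    """Validate, store and reconcile one batch; returns the control counts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE claims (claim_id TEXT PRIMARY KEY, amount REAL)")
    accepted = 0
    rejections: List[Tuple[str, str]] = []
    for rec in records:
        reason = validate_input(rec)
        if reason is None and not plausible(float(rec["amount"])):
            reason = "amount implausible"
        if reason is not None:
            rejections.append((rec.get("claim_id", ""), reason))
            continue
        # Parameterised query (guidance, second bullet): the values are bound
        # by the driver, never spliced into the SQL text, so even a hostile
        # claim_id that passed the format check could not alter the statement.
        conn.execute(
            "INSERT INTO claims (claim_id, amount) VALUES (?, ?)",
            (rec["claim_id"], float(rec["amount"])),
        )
        accepted += 1
    stored = conn.execute("SELECT COUNT(*) FROM claims").fetchone()[0]
    # Reconciliation control count (13.02.11 b): every input record is
    # accounted for, and what was accepted is what the database holds.
    reconciled = (len(records) == accepted + len(rejections)) and (accepted == stored)
    conn.close()
    return BatchResult(len(records), accepted, stored, reconciled, rejections)


if __name__ == "__main__":
    print(process_batch(SAMPLE_INPUT))
```

A failed reconciliation is the signal that 13.02.08 d calls for: further processing of the batch should halt until the discrepancy is explained, rather than the job continuing on the assumption that the output is correct.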

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.12.2.1, A.12.2.2, A.12.2.3, A.12.2.4

Document Control
GISS Ref: 13-02
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

13.03 Cryptographic Controls

Overview
This document outlines the Company standard for encryption which may be required to
protect sensitive information that is vulnerable to unauthorised access, either in
transmission or storage.
This standard supports the Global Information Security Policy:
• GISP 13

Target Audience
This standard applies to IT and Technical functions.

Standards

Data Encryption
13.03.01 Level 3 information shall be encrypted when stored or sent externally.

13.03.02 Nominated individuals must be assigned within the Company for the
implementation of the encryption policy, including the generation and
management of cryptographic keys.

13.03.03 Where cryptographic controls are deployed they will be obtained from
commercially available sources and comply with any local legal and
regulatory requirements.

13.03.04 All encryption technology must be authorized by Information Security. Only
proven standard algorithms shall be used as the basis for encryption
technologies. The use of proprietary encryption algorithms shall not be
allowed for any purpose unless reviewed and approved by Information
Security.

Key Management
13.03.05 Key management shall be in place to support the Company’s use of
cryptographic techniques.

13.03.06 Cryptographic keys used must be protected against modification, loss and
destruction.

13.03.07 A key management system will be defined and implemented incorporating
the following considerations:

a. Generating keys for different cryptographic systems and different
applications.

b. Generating and obtaining public key certificates.

c. Distributing keys to intended users, including how keys should be
activated when received.

d. Storing keys, including how Authorised Users obtain access to keys.

e. Changing or updating keys including rules on when keys should be
changed and how this will be done.

f. Dealing with compromised keys.

g. Revoking keys including how keys should be withdrawn or deactivated,
e.g. when keys have been compromised or when a user leaves an
organisation (in which case keys should also be archived).

h. Recovering keys that are lost or corrupted as part of business continuity
management, e.g. for recovery of encrypted information.

i. Archiving keys, e.g. for information archived or backed up.

j. Destroying keys.

k. Logging and auditing of key management related activities.

l. All keys will be changed at frequencies not exceeding 6 months or in the
event of cryptographic keys becoming compromised.
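The following is an added example, not code from the Bupa standard, of a key lifecycle record keeper that enforces the considerations in 13.03.07: keys are generated from the operating system's CSPRNG (a), retired when a successor is issued (e), rotated before the 6-month limit (l), revoked and replaced at once on compromise (f, g), archived while archived or backed-up data still depends on them (i), destroyed only once nothing does (j), and every action is written to an audit log (k). The key id scheme, the 182-day reading of "6 months", the purpose label and the constructed dates are assumptions for the example; the encryption that would consume the key material is outside its scope.

```python
"""Key lifecycle record keeper for the considerations in 13.03.07.

Added illustration, not Bupa's own code. The id scheme, purpose label and
182-day reading of "6 months" are assumptions for the example.
"""
import secrets
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_KEY_AGE = timedelta(days=182)   # assumed reading of "not exceeding 6 months"
KEY_BYTES = 32                      # 256-bit key material


class KeyStore:
    """Tracks keys for one purpose; only one key is active at a time."""

    def __init__(self, purpose: str, today: date):
        self.purpose = purpose
        self.today = today                 # injected clock so rotation is testable
        self.keys: Dict[str, dict] = {}
        self.audit: List[str] = []
        self.active_id: Optional[str] = None

    def _log(self, event: str, key_id: str) -> None:
        # (k) every key-management action is recorded with date and key id
        self.audit.append(f"{self.today.isoformat()} {self.purpose} {key_id} {event}")

    def generate(self) -> str:
        """(a) issue a fresh key; the previous active key is retired, not destroyed."""
        key_id = f"{self.purpose}-{len(self.keys) + 1:04d}"
        self.keys[key_id] = {
            "material": secrets.token_bytes(KEY_BYTES),   # OS CSPRNG
            "created": self.today,
            "status": "active",
        }
        if self.active_id is not None:
            self.keys[self.active_id]["status"] = "retired"
            self._log("retired", self.active_id)
        self.active_id = key_id
        self._log("generated", key_id)
        return key_id

    def rotate_if_due(self) -> Optional[str]:
        """(e)/(l) change the key once it reaches the maximum age; return the new id."""
        current = self.keys[self.active_id]
        if self.today - current["created"] >= MAX_KEY_AGE:
            return self.generate()
        return None

    def revoke(self, key_id: str, reason: str) -> Optional[str]:
        """(f)/(g) withdraw a compromised key; if it was active, replace it at once."""
        self.keys[key_id]["status"] = "revoked"
        self._log(f"revoked:{reason}", key_id)
        if key_id == self.active_id:
            self.active_id = None
            return self.generate()
        return None

    def archive(self, key_id: str) -> None:
        """(i) keep a retired key that archived or backed-up data still needs."""
        self.keys[key_id]["status"] = "archived"
        self._log("archived", key_id)

    def destroy(self, key_id: str) -> None:
        """(j) drop key material; the metadata stays so the audit trail is complete."""
        entry = self.keys[key_id]
        if entry["status"] == "active":
            raise ValueError("the active key cannot be destroyed; rotate or revoke it first")
        entry["material"] = None
        entry["status"] = "destroyed"
        self._log("destroyed", key_id)

    def advance(self, days: int) -> None:
        """Move the injected clock forward (stands in for real time passing)."""
        self.today += timedelta(days=days)


def demo() -> KeyStore:
    """Walk one key through its lifecycle with constructed dates."""
    ks = KeyStore("claims-db", date(2011, 11, 22))
    first = ks.generate()
    ks.advance(100)
    ks.rotate_if_due()            # 100 days old: nothing happens
    ks.advance(90)
    second = ks.rotate_if_due()   # 190 days old: rotated to a second key
    ks.revoke(second, "suspected compromise")   # a third key is issued automatically
    ks.archive(first)             # first key still needed for archived data
    return ks


if __name__ == "__main__":
    for line in demo().audit:
        print(line)
```

The point of keeping retired and archived keys distinct from destroyed ones is item (h): recovery of encrypted information is only possible while the material that protected it still exists, so destruction is a separate, deliberate step that the audit log records after archiving.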

Guidance

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.12.3.1, A.12.3.2, A.15.1.6

Document Control
GISS Ref: 13-03
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

13-04 Security of System Files

Overview
This document outlines the requirements for the protection of system files.
This standard supports the Global Information Security Policy:

• GISP 13

Target Audience
This standard applies to all Company system files and is to be read by IT and Technical
Functions.

Standards
13.04.01 Access to system files shall be restricted to authorised persons only.

13.04.02 Manuals, configuration details, systems documentation and network
drawings are to be stored securely, with access restricted to Authorised
Users only.

13.04.03 Copies of system documentation and backups of files shall be stored off site
where possible for recovery purposes and in accordance with the Company
Business Continuity Plan.

13.04.04 Where possible, vendor-supplied software packages should be used without
modification.

Guidance
System files include:
• Log information
• Source code
• System documentation

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.10.7.4, A.10.10.3, A.12.4.3, A.12.5.3

Document Control
GISS Ref: 13-04
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

14-01 Information Security Aspects of Business Continuity

Overview
This document outlines the requirements for Business Continuity planning throughout the
Company.

This standard supports the Global Information Security Policy:

• GISP 14

Target Audience
This standard applies to all critical processes and systems and should be read by
Management.

Standards

Business Continuity Planning


14.01.01 A process shall be developed and maintained for business continuity
throughout the Company. Local Business Units shall develop Business
Continuity Plans in line with the Company framework.

14.01.02 Risk Assessments shall be conducted to establish critical processes and
systems.

14.01.03 Events that can cause interruptions to business processes and the
probability and impact of such interruptions and their consequences for
information security shall be identified and documented.

14.01.04 Plans shall be developed and implemented to maintain or restore critical
operations and ensure availability of information when required.

Testing and Maintenance


14.01.05 Plans shall be maintained to be consistent with all information security
requirements, and to identify priorities for testing and maintenance.

14.01.06 Business continuity plans shall be tested and updated regularly to ensure
that they are up to date and effective.

Guidance
Testing of Business Continuity Plans can take the form of telephone cascades, tabletop
scenarios and full physical tests.

Enforcement
All employees, managers and contractors are required to comply with Company Policies
and Standards. Compliance with this standard shall be monitored internally via compliance
programs and security incident reports. Failure to comply with any Policy or Standard may
result in disciplinary action.

Variations
This Standard must be applied in all Company business units. However, if local legal,
regulatory or contractual requirements require modification or exception to this standard,
then the exception must be documented and reported to the IGEC Group for approval.

References
Associated policies/ procedures/ standards:
ISO 27001 Control Ref(s): A.14.1.1, A.14.1.2, A.14.1.3, A.14.1.4, A.14.1.5

Document Control
GISS Ref: 14-01
Version: V1.1 Reviewed
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011

Glossary
The glossary is to provide clarification of the terms within the Global Information Security Policy
and Global Information Security Standards.

Access Control List – A list detailing the access rights of all Authorised Users to information and
information systems and applications/ databases.

Alternate Work Location - Approved work sites other than the Authorised User’s designated
primary office location where Company business is performed. Such locations may include, but are
not necessarily limited to employees’ homes and other Company offices.

Application – A software program, i.e. Microsoft Word.

Authorised User - refers to an individual expressly authorised by the Company to access Company
information and/or information systems.

Authentication Controls -

Availability - Information is accessible and useable by an Authorised User.

Business Owner – the person or persons in the Company Workforce who is/are ultimately
responsible for the Company’s relationship with an external party.

Business Unit – A subgroup (department or organisation) within the Company that manages or
performs a particular function.

CIO, COO, CSO, SO, PO – Chief Information Officer; Chief Operating Officer; Chief Security
Officer; Security Officer; Privacy Officer.

CISO- Corporate Information Security Office. Organization responsible for security practices and
policies at the Company.

Company- All companies which operate under the Bupa, Health Dialog, Sanitas brands.

Company Equipment/ Devices – Hardware devices issued by the Company including but not
limited to desktop computers, laptops, and hand-held communication devices (e.g., mobile
phones, PDAs, pagers, and hand held PCs).

Company Location – Any physical site the Company provides to its employees and/or independent
contractors where the Company controls and/or enforces physical security and technology
standards. This includes, but is not limited to, headquarters buildings, regional offices and
coaching centers, whether owned or leased.

Company Network – Any network equipment provided by the Company to facilitate the
transmission of electronic information and communications within and between Company
Locations. This includes local area networks within Company Locations, wide area networks
connecting Company Locations and all associated hardware, software and transmission
components. When the Company provides connections to non-Company locations or public
networks (e.g., business partner locations, the Internet, employees’ homes), the Company
Network ends at the properly secured gateway (e.g., firewall, router, access server) device.

Components – Any device peripheral or component part such as diskette, external hard drive,
battery, etc.

Confidential Information - Refer to the Data Classification Schemes Standard for more details on
definitions of Confidential Information:

Computer Security Incident Response Team (“CSIRT”) – The Computer Security Incident
Response Team (CSIRT) is comprised of Security and IT Operations leaders. This group
is responsible for detection and containment of computer security breaches. They follow normal
investigative procedures which include: Detection and Containment, Reporting, Criminal
Determination, Determination of Disclosures, and Proper Courses of Action. This group reports to
the Crisis Management Team in a crisis situation.

Contractor – An external party that the Company hires to perform a particular job or assignment.

Corrective Action Plan (“CAP”) – A document prepared by the Company, a Client or a Vendor to
address non-compliance issues through planning actions, timeframes and penalties to correct the
deficiencies.

Data Access Administrator – Individuals authorised by a Data Owner to provide operational access
to the data.

Data Centre – A secure Company Location that houses computer systems and associated
components such as telecommunications and storage.

Data Owner – The Data Owner is responsible for the classification of data under their control. The
Data Owner may be the creator, recipient, or primary user of the data. The Data Owner may
authorise access and use levels of the data. There shall be only one Data Owner for any specific
data.

Data Processor – Individuals authorised by the Data Owner and enabled by the Data Access
Administrator to enter, modify, or delete data. The Data Processor has all the powers of the Data
User.

Data User – Anyone in the Company authorised by the Data Owner to access data but is not
authorised to enter, modify, or delete it.

Disclosure - The release, transfer, provision of, access to, or divulging in any other manner of
Confidential Information outside the Company.
E

E-Mail – An electronic message sent from one person to another through the Systems and/or over
the Internet, including, without limitation, any header information, notes, documents, files and other
attachments, transferred or stored electronically by computer system. “E-Mail” includes messages
transferred using the mail transfer features of an application, such as Microsoft® Word or Excel.

Electronic Communication – Any method used to convey a message that has been transmitted via
electronic means such as E-Mail, video conferencing, etc.

Electronic Communications System – Any software or electronic computer or telecommunications
system the Company operates, maintains, or provides and authorizes for use to transmit
communications. This includes, but is not limited to: E-Mail system; telephony; voice mail
systems; facsimile machines; video conference devices; netmeeting software; and webcasting
software.

Exception- An exception may occur when a standard cannot be complied with due to exceptional
circumstances. All exceptions must be documented and submitted to the IGEC for approval.

External Party - Any person, group of persons, company not related to the group. An external
party includes business associates, contractors and consultants who have entered into an external
party agreement with the Company to exchange confidential data in any format.

GISP – Global Information Security Policy.

GISS – Global Information Security Standard.

GTIS – Group Technology and Information Services.

Help Desk – A function within IT that provides support for the Company’s Systems.

HVAC – Heating, Ventilation, and Air Conditioning.

Information Security- the process the Company uses to protect Systems and Data from
unauthorised access, use, disclosure, disruption, modification, or destruction.

Information System – Any software or electronic system the Company owns, operates, maintains,
or provides and authorises for use in storing, accessing, analysing and manipulating business
information. This includes, but is not limited to, business application systems, databases, Internet
and intranet web sites, file servers and document management systems.

Information Technology Operations – Any Company-managed organisation that has been properly
authorised to provide specific business support services, network and other electronic systems to
or on behalf of Company business operations and organisations.

ISO27001- A set of information security management standards published by the International
Standards Organization and the International Electrotechnical Commission.

Incident Log- A record of all reported information security incidents, e.g. spreadsheet, database.

Log Data- Logging information from applications, devices, or other Systems.

M

Mobile Devices- Mobile devices include laptops, mobile phones, Blackberry and iPhones.

Monitoring- the processes the Company uses to ensure compliance with its policies, procedures
and expectations including legal responsibilities. Monitoring may be in the form of reviewing,
reading, accessing, disclosing or taking any other means necessary to protect and safeguard
Company systems or information.

Non-Company Equipment- Equipment not owned or authorised by the Company to be used for
Company business.

Operating System – The system utilised by the Company as a platform to run software
applications.
P

Policy – A formal statement of Company rules governing acceptable use, security practices, and
operational procedures.
Privacy - An individual's interest in limiting who has access to individually identifiable information.

Public System(s) – These Systems contain information which can be made available to
anyone without exception.
R

Remote Access – Authorised access to the Company Network from a Remote (non Company)
Location.

Remote Location – Any site at which Company employees, contractors and other workers may
conduct business, but where the Company does not have direct control over physical security and
technology configurations. This includes, but is not limited to, business partner locations,
employees’ homes, hotels and office space shared with non-Company organizations.

Remote User – An Authorised User who has permission from the Company to access the
Company network from a Remote Location (hotel, client office, home, other).

Security Incident: Any potential or actual event which affects the confidentiality, integrity and/ or
availability of the Company information and/ or information systems.

Security Council – A group of senior management leaders.

Security Officer – The individual who is responsible for managing and administrating information
security policies and practices for the Company.

Sensitive System(s) –These Systems contain information which can be made available to
individuals who are not Authorised Users (e.g., Customers and Partners). These Systems
require limitations on access.
Service Desk – A function within IT that provides support for the Company’s Systems.

System(s) – the Company electronic communications systems, data programs and
systems, applications and any electronic services.

System(s) Owner – The custodian of the system, responsible for determining the
classification.
System(s) Administrator – Person responsible for technical administration of information/
technical systems.
System(s) Operator – A person authorised to use the system.
T
Third Party - A third party includes business associates, contractors and consultants who have
entered into a third party agreement with the Company to exchange confidential data in any
format. A Third Party may also be referred to as an External Party.

Third Party Vendor - A business organisation that provides goods or services to or on behalf of the
Company.

Unauthorised User - A person who is not authorized by the Company to access information and/or
information systems. This may refer to family members, external parties.

Visitor: A Party other than an Employee or Authorised User who enters the Company
premises for business purposes.

References
Associated policies/ procedures/ standards: All Global Information Security Policies and Standards
ISO 27001 Control Ref(s):

Document Control
GISS Ref:
Version:
Release date: 22 Nov 2011
Approval by: IG Exec Committee
Next review: Dec 2012
Approval date: 22 Nov 2011
