GDPR FAQs
kashflow.com | 0330 057 3989
Introduction
The following document outlines frequently asked questions regarding the policies and procedures that KashFlow have in place to ensure best practice in terms of data protection and company management. This is designed to support our GDPR compliance strategy.
This document has been completed by members of the KashFlow Product Management, IT, Service Operations, Development & Business Continuity teams, under the overarching governance of a Data Protection Officer.
This document outlines how KashFlow complies with GDPR; please remember you are responsible for your own company's compliance.
Data Protection Officer
In June 2016, IRIS Software Group Ltd (owner of KashFlow) appointed a Data Protection Officer (DPO) to meet the requirements of Articles 37 to 39 of the General Data Protection Regulation. At IRIS, the DPO role includes the following tasks:
a) To inform and advise IRIS decision-makers who carry out processing of their obligations under the relevant data protection laws.
b) To monitor compliance with data protection law and with IRIS policies in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and any related audits.
c) To provide advice where requested regarding data protection impact assessments (DPIAs), and to monitor DPIA performance in line with Article 35 of the GDPR.
d) To co-operate with the Information Commissioner’s Office, and to act as the contact point on any issues relating to the processing of personal data.
In line with their responsibilities under GDPR, the KashFlow Product Management team ensure that the DPO is involved properly, and in a timely manner, in all issues which relate to the protection of personal data. The DPO has therefore been consulted in relation to product gap analysis and risk assessments in respect of data protection and GDPR, a project initiated at the end of 2016.
The DPO reports directly to the Chief Information Officer and, in line with GDPR Article 38, does not receive any instructions regarding the exercise of his statutory tasks. Any individual affected by the personal data processing carried out by IRIS may contact the DPO ([email protected]). The DPO is bound by confidentiality concerning the performance of statutory tasks in accordance with the law.
The appointed Data Protection Officer is Vincenzo Ardilio and his contact email is Vincenzo.Ardilio@iris.co.uk.
General Business
Is KashFlow GDPR Compliant?
KashFlow will comply, as your data processor, with the General Data Protection Regulation (GDPR) on or before 25 May 2018.
Does KashFlow have an Information Security Policy in place? Has it been maintained, reviewed and signed off in the last 12 months?
Yes, we have an Information Security and Acceptable Use Policy covering IRIS Software Group, of which KashFlow is a part. It has been updated and reviewed within the last 12 months and will be reviewed annually.
Has the Information Security Policy been approved by a CISO or equivalent within your organisation?
Yes, it has been approved by our Executive Committee.
Are the roles & responsibilities of the Information Security function formally documented?
Yes.
Is there an appropriate forum (e.g. board, committee etc.) to discuss and review data protection/information security risks within KashFlow? If so, please provide details of the forum including the participants.
Yes, the executive committee. This includes divisional CEOs, CIOs and DPOs who meet regularly to discuss and review data protection and information security risks within KashFlow.
Are regular security awareness meetings held?
Yes.
Is there a monitoring procedure in place for non-compliance with security policies, including relevant disciplinary consequences (e.g. for information breaches)?
Yes.
Are all legislative, statutory, regulatory and contractual requirements documented and kept current for all information systems (including intellectual property rights and use of proprietary software)?
Yes, we document and maintain all legislative requirements for our software.
Are KashFlow registered with the Financial Conduct Authority?
KashFlow is not currently registered with the Financial Conduct Authority.
Are KashFlow registered with the Information Commissioner’s Office?
KashFlow is not registered with the Information Commissioner's Office.
Data Protection and Privacy
Do you have a Data Protection Policy which has been maintained, reviewed and signed off in the last 12 months?
You can review this information, amongst others, at the IRIS GDPR hub: https://www.iris.co.uk/about-iris/corporate-governance/data-protection/
Where can I find the Privacy Policy?
https://www.iris.co.uk/assets/Uploads/Home/IRIS-Group-Privacy-Policy.pdf
Where does KashFlow store my data?
KashFlow stores its data in the EU, using a combination of third-party service providers, namely Rackspace and Amazon Web Services (AWS). Although both companies provide data storage for KashFlow, neither can directly access your data in KashFlow. You can find out more about the Rackspace and AWS GDPR policies here [https://www.rackspace.com/en-gb/gdpr] and [https://aws.amazon.com/compliance/gdpr-center/].
How does KashFlow store my payment information?
KashFlow only processes your payment information in memory; we do not store it to disk. In line with PCI-DSS, we pass your details directly to our payment provider, and your transaction is tokenised to allow us to take a recurring payment.
Under the right to be forgotten, how do I delete my personal data and the data you process in KashFlow?
If you wish to keep your KashFlow subscription but want to remove all the data you have entered, please log in to KashFlow and visit Settings > Delete Data.
To delete your KashFlow account and subscription in its entirety, including all the data contained in KashFlow, your personal data and subscription data, please contact support at support@kashflow.com.
If you are a KashFlow Connect user, please contact support at support@kashflow.com to delete your account.
Under the right to data portability, how do I export my data from KashFlow?
You can export your data in the form of a CSV backup file by logging in to KashFlow and visiting Settings > Backup Data.
If you are a KashFlow Connect user, you can export your personal details from the Your Details page.
How long is my data kept securely for?
From time to time, KashFlow holds the right to delete data contained in expired free trial accounts or accounts which no longer have an active subscription. Prior to carrying out any account deletions, KashFlow will inform the account owner.
Third Party Providers and KashFlow
Who provides the bank feeds in KashFlow? Are they GDPR compliant?
Yodlee, a third party supplier, provide the bank feeds to KashFlow. At the point of connecting your bank to Yodlee you agree to their terms & conditions. Yodlee’s Services and the Yodlee Platform will comply, as your data processor, with the EU General Data Protection Regulation (GDPR) on or before 25 May 2018. Yodlee will have the required technical and organisational safeguards to ensure that your personal data is protected and your rights over your data are satisfied. You can read more here: https://www.yodlee.com/clients-customers/
When I send an email from KashFlow to my customer, is the information secure?
KashFlow uses a third party transactional email service, SendGrid, to send emails. SendGrid only retains records of email deliveries for diagnostic purposes. These are only accessible to authorised IRIS operational staff to investigate email delivery problems. We never store the subject or contents of emails in SendGrid. You can find out more about SendGrid’s Security Policy here [https://sendgrid.com/resource/general-data-protection-regulation/]
I use the KashFlow Go mobile app, is this secure?
KashFlow Go uses all the same technologies and back-end systems as KashFlow, so all the same security systems, policies and procedures are in place for Go.
However, it’s the device owner’s responsibility to ensure their mobile device is secure.
I have connected some add-ons to my KashFlow account, how do you secure the credentials I provide?
We encrypt all usernames and passwords which are used to connect to third-party providers.
KashFlow Communications
How do I unsubscribe from Marketing campaigns?
You can manage your contact preferences here, or alternatively, email [email protected] and we’ll help.
How do I unsubscribe from product updates?
As stated in our Privacy Policy [https://www.kashflow.com/privacy-policy/], KashFlow may send out periodic emails informing you of technical service issues, product surveys, new feature announcements and news about KashFlow products and services. These e-mails are considered essential to the provision of the service you have requested. You will not be able to choose to unsubscribe from these mailings, as they are considered a part of the service you have chosen.
Incident Management
Is there an incident management procedure in place for the identification and management of information security related incidents (including defined roles and responsibilities, reporting, evidence, learning and assessment of incidents)?
Yes, and it is reviewed annually.
In the event of an incident involving our data, please provide details of how we will be notified in the event of a breach. Please include timescales for reporting from incident identification.
As soon as we confirm a breach, IRIS will notify customers, but in all cases within 72 hours. We have internal intrusion and breach detection processes to facilitate this.
Human Resources
Prior to employment, are background verification checks of applicants carried out covering:
• Criminal records check
• Proof of Identity
• Right to work in the UK
• Financial Credit Check
• Sanctions Check
Yes, full background checks are carried out for all new employees before they start.
Do employees' terms and conditions include responsibilities for information security (including responsibilities in termination of contract)?
Yes.
What processes does KashFlow have in place for managing starters/movers/leavers within the organisation? What controls do you have to manage access to physical and logical access controls?
Our processes for managing starters, movers and leavers are fully documented in ISP03-HR (Appendix 5).
Do staff receive training on Data Protection and are they aware of the controls they need to follow?
Yes, staff receive training on data protection as part of the new starter induction process, and this is reviewed annually. See Appendix 4 for the policy outlining acceptable use of assets.
Network Security
Are technical vulnerabilities of information systems evaluated and are appropriate measures taken to address and manage risks?
Yes, we regularly evaluate technical vulnerabilities of information systems and measures are taken to minimise risks. To ensure we maintain and secure our systems correctly, we have a strict system patching regime in place that requires us to apply non-critical patches within a month, and critical ones as soon as they are tested.
What vulnerability scanner does KashFlow use and how frequent are the scans?
We use a combination of internal and external vulnerability scanners and scan quarterly or after any major system change (infrastructure changes, software releases, etc.).
Do KashFlow monitor resources adequately to ensure system performance isn’t affected by future capacity requirements?
Yes, resources are monitored closely with multiple systems by a dedicated operations team, to ensure future system performance remains high.
Do networks and systems have security controls, segregation, service levels and management requirements identified and included in service agreements (e.g. in multi-tenant data centres)?
Yes.
Are logs kept, reviewed and protected from unauthorised access, detailing user activity, faults, information security events (including administrator logs)?
Yes.
Are adequate detection and prevention controls in place (IPS/IDS) to protect the network from malicious activity?
Yes, we use an Intrusion Prevention System to protect all our production systems from malicious activity.
Is Antivirus software installed on all IT assets?
All internal desktops, laptops and servers have antivirus software installed to protect them from viruses and malware. All production servers (the servers that host your data) have centrally controlled, tamper-proof anti-virus and HIDS installed. The two sets of systems (internal and production) are completely isolated from each other.
Does KashFlow have firewalls in place on the external and internal networks? How often are firewall rules reviewed?
Yes, there are enterprise-level firewalls at all gateways and their rules are reviewed as required.
[Appendices]
Appendix 1: IRIS Information security and acceptable use policies
Version number: 1
Author: Vincenzo Ardilio
Date of issue: 27 March 2017
Document type: ISMS Policy summary
Replaces: N/A
Approved by: Executive Committee
Approval date:
Data Protection Impact Screening: No PIA required
IRIS has approved an Information Security Management System (ISMS) to provide uniform control and guidelines for everyone using KashFlow’s information systems. This is an overview of the ISMS, which contains the key ‘dos and don’ts’. All staff must agree to observe these day-to-day requirements to help keep our information and systems secure.
Please refer to the full ISMS for more detailed explanations of the standards listed in this summary.
Passwords and access to systems, information and premises:
Do
1. Only access and use information, applications and systems in line with your authorised job accountabilities; this refers to the “need to know” principle.
2. Use the internet connection provided by IRIS with your business mobile device whenever you are working from IRIS premises.
3. Use different passwords and login credentials for business and personal matters.
4. Protect devices with a PIN, password or auto-lock.
5. Use a strong password of at least eight mixed characters (passphrases of three random words are easier to remember and are more secure).
6. Be aware of who can see personal and business-sensitive information displayed on your computer monitor or device when you are working. Be especially vigilant in open-plan areas, public places and at home.
7. Always lock your computer or device when leaving it unattended (such as by pressing ‘ALT+CTRL+DEL’ or activating the locking mechanism on your device).
Don’t
1. Use another user’s ID or password, disclose your own to anyone else, or use a generic user ID or password.
2. Allow others to share your access card, or allow anyone you don’t recognise to enter IRIS premises without checking their ID.
3. Write down your passwords and leave them in an unsecured environment.
4. Use remote access to IRIS applications and systems unless authorised to do so.
Using email and the internet:
Do
1. Be suspicious of unexpected emails from unknown or unexpected senders; do not click on links in these emails or open attachments. Report to the IT Service Desk before doing anything further.
2. Be extremely careful when addressing emails. Make sure you are sending the email to the right person. Danger areas are auto-complete and ‘reply to all’.
3. Take into account that IRIS monitors internet use, websites visited and files downloaded.
4. Treat emails as official communications, and use the same rules of grammar, content and record-keeping as for other business communications.
Don’t
1. Include any personal information in a ‘normal’ email that you would not be happy to put onto a postcard (‘normal emails’ are unencrypted emails sent over the public internet).
2. Use email for any illegal activity, or to compromise the security or operation of any computer system or network.
3. Use the internet for illegal, unethical or personal business activity, in a way that would compromise security, or for peer-to-peer file sharing.
4. Create, send or forward any email or social media messages which may be considered discriminatory, defamatory, intended harassment or hatred.
5. Visit, interact with or download content from offensive, obscene, pornographic or violent websites.
6. Bypass official corporate systems to connect to the internet, for example by using mobile broadband cards, pairing hotspots, external modems, wireless USB, or any other mechanisms. However, mobile computing facilities may be used when working remotely.
Making changes to your work device
Do
1. Only upgrade new applications or allow software upgrades from a recognised source, and ensure they do not impact the device's functionality or security, nor incur additional costs. Please contact IRIS’s IT service desk if in doubt.
2. Ensure that changes to configuration or maintenance of the device are carried out by IRIS IT staff, or their designated agent.
Keeping information and IT secure
Do
1. Take extra care with USB sticks, removable storage and portable devices, and do not store confidential information on them unless the information is encrypted.
2. Use secure printing for confidential or potentially sensitive information. Secure printing is explained in detail in the ISMS.
3. Store corporate information in secure shared drives rather than on the local drive of your device.
4. Be aware of your obligations under data protection legislation when dealing with or using personal data; see the IRIS Data Protection Policy for more details on this.
5. Shred paper records containing confidential information, or use confidential waste bins.
Don’t
1. Disclose or publish corporate or confidential information belonging to IRIS or its customers, unless authorised and permitted by IRIS’s policies and procedures or as required by law.
2. Create or maintain a blog, Wiki or social media site on behalf of IRIS without express permission to do so.
3. Dispose of potentially important company information without the approval of the information owner.
4. Lend business mobile devices allocated to you to anyone external to the company, including friends and family.
5. Introduce any viruses to IRIS systems. This includes any computer code that will adversely affect the performance or security of our systems or networks.
6. Damage, alter or disrupt IRIS computer systems or networks, including obtaining passwords, encryption keys or anything that would allow unauthorised access by you or anyone else.
7. Connect devices to our networks, unless the IT Technical Manager has approved the device.
Miscellaneous
Do
1. Remember that mobile devices and communication systems supplied by IRIS (including email and the internet) are provided for business activities. Reasonable and appropriate personal use is permitted, but this must not impact on productivity and must be within the strict limits set out in full in the ‘Acceptable Use’ Policy. Keep in mind use may be monitored.
2. Remember that intellectual property created or developed by IRIS employees during working hours and/or with IRIS equipment is IRIS’s property.
3. Avoid actual or potential conflicts of interest, such as accessing IRIS customer data for private business purposes.
Don’t
1. Use social media for personal use during working hours.
2. Make or accept premium calls, reverse charges, international calls and similar, unless for essential business purposes.
3. Use IRIS systems to engage in any activity which causes, or could be construed as causing, harassment, discrimination or victimisation.
4. Abuse licence agreements by copying or installing third party software multiple times (unless allowed by the licence agreement).
Serious misconduct
Any actions or activities (intended or accidental) causing, or with potential to cause, the compromise of IRIS computer systems, information or networks is serious misconduct. This includes:
• Security breaches or disruptions of network communications. Disruption may include network sniffing, ping floods, packet spoofing, denial of service and forged routing information for malicious purposes.
• Unauthorised port scanning or security scanning. This can only be sanctioned by the IT Director (Group Systems) for the purposes of testing network security.
• Network monitoring which will intercept data not intended for the employee's host, unless this activity has been authorised.
• Circumventing user authentication or security of any host, network or account, or running password cracking programs.
• Interfering with, or denying service to, any user other than the employee's host (for example, a denial of service attack).
• Using any program/script/command, or sending messages of any kind, with the intent of interfering with or disabling a user's session.
• Downloading, installing or executing any file containing malware which may damage or compromise computer systems or data.
• Unauthorised copying or altering of configuration or system files.
• Interfering with IRIS’s or another organisation's email service.
• Downloading or introducing tools or utilities that may potentially be used for hacking activities, and undertaking any such activity on any system, whether owned or managed by the company or not.
• Providing or selling company information, customer data or personal data without approval and for personal gain.
• Defacing websites, downloading and distributing pornography, running a gambling operation or undertaking any other activity using company resources that would bring the company into disrepute.
IRIS Information Security Management System: Summary of Policies
All staff have a personal responsibility to familiarise themselves with the policies included in the ISMS. The full set of standards is published on the KashFlow system and is available to all staff. The following is a brief outline of the purpose of each Policy in the ISMS:
Acceptable Use Policy
The purpose of the Acceptable Use Policy is to ensure that all computer systems and networks owned or managed by IRIS are operated in an effective, safe, ethical and lawful manner, and it is the responsibility of every computer user to know these requirements and to comply with them.
Access Control Policy
The purpose of the Access Control Policy is to ensure that information systems resources and electronic information assets owned or managed by IRIS are available to all authorised personnel. The Policy also deals with the prevention of unauthorised access through managed controls to create a secure computing environment.
Anti-Virus Policy
This Policy is about protecting networks, systems and equipment from malicious code and malware. Laptops and mobile devices are most at risk as they may only be connected to the network periodically. The appropriate use of Anti-Virus software will lessen the risk of the company experiencing this type of security incident.
Business Continuity/DR Policy
The purpose of the IT Business Continuity/DR Policy is to ensure that IRIS has the appropriate resources available for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a Business Continuity/DR capability that will enable the organisation to prepare for, respond to and recover from disruptive incidents when they arise. The scale of events covered by this Policy ranges from minor or partial system unavailability (business continuity) through to total system loss (disaster recovery).
Cloud Computing Policy
The purpose of the Cloud Computing Policy is to ensure that the confidentiality, integrity and availability of the company's information is maintained when services are delivered through a Cloud Computing environment. As the Cloud can be private or public, local or international, it is important to ensure that arrangements are supported by a Service agreement, meet the company's requirements for information security, and enable statutory and legislative obligations to be met.
Communication and Mobile Devices Policy
The purpose of the Communication and Mobile Devices Policy is to advise acceptable use with regard to mobile devices (including mobile phones), and communication systems used for business activities. With the convergence of data, voice and video communication systems, the ability to connect remotely to internal systems, and the wide range of options offered by mobile devices, it is essential that these technologies be used by authorised persons for legitimate business activities.
Computer Systems and Equipment Use Policy
The purpose of this Policy is to advise users of the company's expectations regarding the acceptable use of the technology provided to them.
Cyber Crime and Security Incident Policy
The purpose of the Cyber Crime and Security Incident Policy is to ensure that the correct procedures are followed should systems be affected by a security incident or other event. The impact an event will have on business continuity will depend on how well it is handled.
Email Policy
The purpose of the Email Policy is to document how electronic mail systems and services are to be used. Email has become a major communication channel and a common means of conducting day-to-day business. Compliance with these Policies is essential to ensure that important email documents become part of the corporate knowledge-base and to ensure compliance with information management and legal requirements.
Encryption Policy
The purpose of the Encryption Policy is to ensure that encryption keys are securely managed throughout their lifecycle. This includes their creation, storage and the manner in which they are used and destroyed.
Firewall Management Policy
The purpose of the Firewall Management Policy is to ensure that the external perimeter defence for IRIS is configured, managed and maintained to prevent the occurrence of a major security threat.
Hardware Management Policy
The purpose of the Hardware Management Policy is to ensure that the correct procedures are followed with regard to the purchase, deployment, maintenance and replacement of computer hardware and other devices.
Information Management Policy
The Information Management Policy sets out the guidelines for managing the data and information stored in the files and directories that comprise the electronic information repositories of IRIS.
Internet Use Policy
The purpose of the Internet Use Policy is to ensure that the internet is used for business purposes, and to ensure that users conduct their online activities in an appropriate, responsible and ethical manner.
Laptop And Tablet Security Policy
The purpose of this Policy is to inform those who have been allocated a laptop computer or tablet of the company's requirements for its use and care. Theft, loss or damage to portable computers is becoming increasingly commonplace. The costs of replacement are not just financial and include loss of data, lost productivity, increased insurance premiums and the time to configure and set up a new machine. There are also risks associated with the loss or exposure of sensitive, unique or personal information, including reputation, commercial advantage and privacy, and this Policy seeks to mitigate these risks.
Legal Compliance Policy
The purpose of the Legal Compliance Policy is to ensure that staff understand the implications of privacy, confidentiality, copyright, intellectual property, misrepresentation and other relevant legislation in respect to information and information systems.
Network Management Policy
The purpose of the Network Management Policy is to protect IRIS's internal computer systems and networks from abuse or exploitation, and it defines the parameters for managing, designing and connecting to the company's computer systems.
Online Services Policy
The purpose of the Online Services Policy is to provide the guidelines for configuring systems to safely enable business transactions to be carried out over the Internet as an alternative service channel. The term "business" can apply to anything, from providing information online to making payment for a service online, and refers to providing and using online services.
Password And Authentication Policy
This Policy describes the authentication requirements for accessing internal computers and networks and includes those working in-house as well as those connecting remotely. Every person, organisation or device connecting to internal IT resources and networks must be authenticated as a valid user before gaining access to IRIS's computer systems, networks and information resources.
Personnel Management Policy
The purpose of the Personnel Management Policy is to ensure that those using and managing IRIS's computer systems and networks act in a responsible and ethical manner. It is also intended to minimise the threat of an internal security breach.
Physical Access Policy
The purpose of the Physical Access Policy is to protect IRIS's IT resources from harm, abuse or exploitation, and it describes the parameters for controlling the environmental conditions for critical computing devices.
Remote Access Policy
This Policy describes the security requirements for remote access connections to IT resources. It covers a wide variety of technologies and methods of effecting the connection.
Software Management Policy
The purpose of the Software Management Policy is to ensure that the correct processes and procedures are followed when purchasing, developing, deploying, maintaining and replacing software applications. It assists with compliance with industry standards, encourages consistency throughout IRIS, and ensures that software continues to meet the needs of the business.
Special Access Policy
Special Access relates to System Administrator and Domain Administrator rights. The purpose of the Special Access Policy is to ensure that only those users needing special access rights and enhanced privileges to manage the company's computer systems and networks are granted them, with the appropriate controls.
Appendix 2: IRIS Software Group data protection policy
Version number: 1
Author: Vincenzo Ardilio
Date of issue: 27 March 2017
Document type: Policy
Replaces: Data Protection Group Compliance Policy 2010
Approved by: Executive Committee
Approval date:
Data Protection Impact Screening: No PIA required
Date of next review: March 2018
Introduction
IRIS acts in the capacities of Controller and Processor of personal data. We are a Processor in respect of the personal information entrusted to us by our customers in our products and solutions. We are a Controller in that we make decisions on how and why we will use personal data. For example, as an employer, we hold records about our staff. Also, as a commercial organisation, we directly market our products to prospective customers, and some data used in these campaigns will be classed as personal.
IRIS is committed to fulfilling its obligations under the General Data Protection Regulation (GDPR), and any subsequent data protection legislation. We have produced this policy to provide assurance to our customers and staff.
Later in this document we provide an explanation as to how responsibility for data protection compliance is delegated. This document also sits alongside the IRIS Information Security Management System, and is subject to ongoing review, at least annually, in light of changes in law, guidance and working practice.
Statement of data protection policy
IRIS will use personal data legally and securely regardless of the method by which it is collected, recorded and used, and whether we hold it within our products, on a Group network or device, in filing systems, on paper, or recorded on other material such as audio or visual media.
IRIS regards the proper and good management of personal data as crucial to the success of our business. Observing good data protection practice plays a huge role in maintaining customer confidence. We ensure that IRIS respects privacy and treats personal data lawfully and correctly.
We will ensure that:
• There is someone acting in the statutory role of Data Protection Officer on behalf of the IRIS Group of companies. This person is IRIS Software Group Ltd’s Data Protection and Security Manager.
• Responsibility for each system or product’s data protection compliance is assigned to one or more specific individuals.
• Our collection and use of personal data complies with the data protection principles, data subject rights, relevant regulations and codes of practice, wherever we are acting as Controller.
• We provide appropriate privacy notices through whatever means we collect personal data, such as on application forms, products, web pages and via telephone, wherever we are acting as Controller.
• Appropriate technical and organisational measures for all of our products and Group IT systems are implemented to ensure a level of security appropriate to the risks.
• Everyone managing and handling personal data understands that they are contractually responsible for following the good data protection practice set out in this policy and the supporting guidance and standards.
• Everyone managing and handling personal data is appropriately trained, supervised and audited.
• Our privacy notices make clear that anyone who wants to make enquiries about our personal data processing can do so through the Data Protection Officer or the product’s designated data protection representative.
• Our handling and processing of personal information are regularly risk-assessed and evaluated.
• A corporate procedure is in place to report and investigate personal data breaches without undue delay.
• We keep the statutory records required under GDPR as well as any further records required to demonstrate compliance, such as risk assessments, policies, working procedures, records of consent and so on.
In addition, where IRIS is acting in the capacity of data Processor, we will:
• Provide our customers with appropriate guarantees in respect of the technical and organisational measures we have in place to protect personal data and to protect the rights of data subjects.
• Process the personal data only on documented instructions from the customer, including with regard to transfers to a third country or an international organisation.
• Ensure that persons authorised to process the personal data entrusted to us are under an appropriate statutory obligation of confidentiality.
• Assist the customer, as far as possible, by appropriate technical and organisational measures, to fulfil the customer’s obligation to respond to data subjects exercising their rights as set out in the data protection legislation.
• At the choice of the customer, delete or return all the personal data after the end of the processing contract, and delete copies, unless the law requires us to store the personal data for longer.
Staff roles and responsibilities
All Staff
All staff will:
a) Routinely assess the kind of information they use whilst carrying out their work and whether they have responsibility for any personal data.
b) Ensure they understand how this policy, its associated guidance notes and their local working procedures affect their work and use personal information accordingly.
c) Follow local procedures that apply to the systems and products they have access to in order to handle personal data appropriately.
d) Report data breaches and "near misses" in line with the corporate Critical Incident Procedure.
Senior Management
Senior Management Team members will:
a) Identify information assets they are responsible for which involve or affect the processing of personal information.
b) Act as Information Asset Owners (IAOs), meaning they'll:
• Take ownership of information assets and the extent of compliance with data protection rules.
• Lead and foster a culture that values, protects and uses personal data ethically.
• Understand what information is transferred in and out of the information asset(s) they are responsible for.
• Know who has access and why, and ensure that use of the asset is monitored.
c) Ensure that a record of processing activities is maintained in line with GDPR requirements for data Controllers (see 'Statutory Records' section).
d) Ensure that a record of the categories of processing activities carried out on behalf of each customer is maintained in line with GDPR requirements for data processors (see 'Statutory Records' section).
e) Understand and address risks to the asset(s), provide assurance to the CIO and Data Protection Officer, and ensure that any data risk incidents are managed in line with the Corporate Critical Incident Procedure.
f) Appoint Information Asset Managers (IAMs) to have routine responsibility for the data protection compliance of information assets within their business unit. The aim is for clear and documented accountability for the compliance of all information assets.
g) Ensure the Data Protection Officer has access to the register of information assets and all records associated with compliance.
h) Ensure that the Data Protection Officer is present where decisions with data protection implications are taken, and that all relevant information is passed to the Data Protection Officer in a timely manner in order to allow provision of adequate advice.
i) Ensure that the principles of data protection by design and default are applied to each new or major update to projects or proposals (including product development) involving the use of personal information or with potential to affect privacy. The Data Protection Officer must be informed at an early stage of the proposal, and any corporate templates provided to meet the requirements of data protection by design and default should be used.
j) Ensure that staff (including temporary staff and contractors) that have access to personal data also have access to instructions that include the actions they must take to protect personal data and privacy.
k) In consultation with HR, ensure that arrangements are in place to vet individuals (such as staff and contractors) to HMG Baseline Personnel Security Standards (BPSS) before giving access to financial data, payment card information and special category personal data for the first time.
l) Ensure staff training needs have been communicated to the Data Protection Officer.
Information Asset Managers
Managers who are Information Asset Managers (IAMs) will:
a) Have day-to-day responsibility for the compliance of information assets assigned to them by the IAO.
b) Implement control measures as required or delegated by the IAO.
c) Where delegated, maintain the statutory records on behalf of the IAO (see 'Statutory Records' section).
Line Managers
All Line Managers will:
a) Ensure new recruits receive training, including on-the-job training, on local working procedures to ensure they handle personal data in a compliant and secure way.
b) Ensure their staff have access to training and materials including guidance, checklists and templates provided by IRIS to ensure compliance with data protection regulations.
c) Ensure that data breaches and 'near misses' are reported in line with the Corporate Critical Incident Procedure.
HR Services
HR Services will be responsible for the following:
a) BPSS checks for new staff who will have access to special category personal data, financial data and payment card information, before access to systems holding such data is given.
b) Ensure that new members of staff are made aware of this policy document at recruitment and induction stage, and also that a specific confidentiality provision is included in contracts of employment and job descriptions.
Data Protection Officer
The Data Protection Officer will:
a) Inform and advise the business, including any employees who carry out processing, of their data protection obligations.
b) Monitor data protection compliance against the relevant legislation and company policies in relation to the protection of personal data, the assignment of responsibilities, awareness raising and training of staff involved in the processing of personal data.
c) Provide advice, where requested, as regards data protection impact assessments and the monitoring of their performance.
d) Act as IRIS Group's contact point for the Information Commissioner's Office, including consulting, where appropriate, with regard to any matter relating to the IRIS Group's data processing.
e) Ensure that this Data Protection Policy, the associated documents, and guidance are kept up to date and communicated to staff in an appropriate manner.
f) Arrange for the provision of advice and training to staff on request.
g) Manage the notification of IRIS's processing to the Information Commissioner's Office.
h) Investigate personal data breaches and data security incidents in liaison with the Information Asset Owner and provide recommendations to the Chief Information Officer.
i) Act in an independent manner, and will not perform duties or tasks that would give rise to a conflict of interests.
The Data Protection principles and Data Subject rights
The Data Protection principles
Personal data shall be:
a) Processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency').
b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes ('purpose limitation').
c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation').
d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy').
e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ('storage limitation').
f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
Data subject rights
Data subjects have:
a) The right to receive from IRIS any information relating to processing of personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
b) The right of access to their own personal data, a description of how it is being used, the source, how to exercise their rights and to complain, etc.
c) The right to rectification.
d) The right to erasure ('right to be forgotten').
e) The right to restriction of processing.
f) The right to data portability.
g) The right to object.
h) The right not to be subject to automated individual decision-making and profiling.
Statutory Records
'Data Controller'
Where IRIS acts as a 'Data Controller', they will supply:
a) The name and contact details of the Controller and, where applicable, the joint Controller, the Controller's representative and the Data Protection Officer.
b) The purpose(s) of the processing.
c) A description of the categories of data subjects and of the categories of personal data.
d) The categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organisations.
e) Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards where relevant.
f) Where possible, the envisaged time limits for erasure of the different categories of data.
g) Where possible, a general description of the technical and organisational security measures in place.
h) Records that demonstrate compliance with the data protection principles (for example, data protection by design and default records, risk assessments, training records and so on).
'Data Processor'
Where IRIS acts as a 'Data Processor', they will maintain a record of all categories of processing activities carried out on behalf of a Controller, containing:
a) The name and contact details of the Processor or Processors, and of each Controller on behalf of which the Processor is acting, and, where applicable, of the Controller's or the Processor's representative, and the Data Protection Officer.
b) The categories of processing carried out on behalf of each Controller.
c) Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards.
d) Where possible, a general description of the technical and organisational security measures.
Definitions
'Information asset' is a body of information that is defined and managed as a single entity so that it can be understood, shared, protected and exploited effectively. For example, an information asset may be a product, database, IT system, file or filing system. In the context of managing personal data processing, it can also be useful to classify vendors, outsourced data processors (such as cloud hosts), software and hardware as information assets.
'Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
'Processing' means operations, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
'Restriction of processing' means the marking of stored personal data with the aim of limiting their processing in the future.
'Profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
'Filing system' means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
'Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
'Processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
'Recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
'Consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
'Personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
'Genetic data' means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
'Biometric data' means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
'Data concerning health' means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
'Representative' means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation.
'Enterprise' means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.
'International organisation' means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
'Third country' means a country outside of the EU.
Appendix 3: Acceptable use of assets
1. Objective
To provide a secure network environment for staff and information systems by ensuring all workstations and servers are appropriately configured with up-to-date antivirus, operational and security patches.
This policy defines the company requirements for all staff for working with computer equipment including workstations, laptops, tablets and all network servers. The policy must be read in conjunction with the Staff Handbook. It covers:
• Preventing the misuse of company information processing facilities.
• Protection against installation and use of malicious software.
• Ensuring legal compliance with Intellectual Property Rights (IPR).
• Requirements for the exchange of information (e-mails, messaging or use of the internet).
2. Scope and Index
This procedure applies to all use of assets by KashFlow staff. Any breach of these requirements may be considered misconduct and be subject to disciplinary measures.
This procedure details the controls required by the following control objectives defined in Annex A of ISO 27001:2013:
SoA Ref - Requirement
A.8.1.3 - Acceptable use of assets
A.8.1.4 - Return of assets
A.8.2.3 - Handling of assets
A.8.3.1 - Management of removable media
A.8.3.2 - Disposal of media
A.8.3.3 - Physical media transfer
A.11.2.5 - Removal of assets
A.11.2.6 - Security of equipment and assets off-premises
A.11.2.7 - Secure disposal or re-use of equipment
A.11.2.8 - Unattended user equipment
A.11.2.9 - Clear desk and clear screen policy
3. Procedure
Access to KashFlow information processing facilities and systems shall be granted only where there is a legitimate business need.
Employees shall only gain access to and use information assets and information processing facilities for which they are specifically authorised.
Employees shall be allowed to use KashFlow information processing facilities for limited personal use, in addition to business use, consistent with local management requirements.
KashFlow information will only be accessed via VPN on KashFlow laptops or controlled home devices.
Employees shall note that failure to adhere to this Acceptable Use Policy will increase the risk of an information security breach for which they shall be held responsible and may lead to disciplinary action.
3.1 Usernames and Passwords
Employees shall be issued with a unique username and a confidential password. Passwords shall always be selected carefully and shall be kept confidential by committing them to memory.
Rules for robust password selection are defined by Active Directory. These include:
• Minimum 8 characters in length.
• Special characters, numbers and upper/lower case required.
• Changed after 90 days.
• The new password cannot be the same as the previous.
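Because the rules above are enforced by Active Directory rather than by the policy text, an auditor would want to confirm that the live domain configuration actually matches them. The following PowerShell is an added example, not a KashFlow or IRIS script; it assumes the ActiveDirectory RSAT module and an account able to read the domain policy, and the expected values are those listed in section 3.1.

```powershell
# Added example (not KashFlow's own code): compare the live default domain
# password policy, plus any fine-grained policies, with the rules in section 3.1.
Import-Module ActiveDirectory

# Expected values taken from section 3.1 above.
$expected = @{
    MinPasswordLength    = 8
    ComplexityEnabled    = $true   # special characters, numbers, upper/lower case
    MaxPasswordAgeDays   = 90      # changed after 90 days
    PasswordHistoryCount = 1       # at least 1: new password cannot equal the previous one
}

function Test-PasswordPolicy {
    param($Policy, [string]$Label)
    $findings = @()
    if ($Policy.MinPasswordLength -lt $expected.MinPasswordLength) {
        $findings += "$Label: MinPasswordLength is $($Policy.MinPasswordLength), section 3.1 requires $($expected.MinPasswordLength)"
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings += "$Label: ComplexityEnabled is False, section 3.1 requires complexity"
    }
    # A MaxPasswordAge of zero means passwords never expire, which also fails the 90-day rule.
    $ageDays = $Policy.MaxPasswordAge.TotalDays
    if ($ageDays -eq 0 -or $ageDays -gt $expected.MaxPasswordAgeDays) {
        $findings += "$Label: MaxPasswordAge is $ageDays days, section 3.1 requires expiry within $($expected.MaxPasswordAgeDays)"
    }
    if ($Policy.PasswordHistoryCount -lt $expected.PasswordHistoryCount) {
        $findings += "$Label: PasswordHistoryCount is $($Policy.PasswordHistoryCount), the previous password must be remembered"
    }
    return $findings
}

$findings = @()
$findings += Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Label 'Default domain policy'

# Fine-grained password policies (PSOs) override the default for the users and
# groups they apply to, so a weaker PSO would silently undo the rules above.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $findings += Test-PasswordPolicy -Policy $pso -Label "PSO '$($pso.Name)'"
}

if ($findings.Count -eq 0) {
    Write-Output 'Domain password configuration matches section 3.1'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```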
3.2 Malicious Software Control
Employees shall remain vigilant to the threat of malicious software to KashFlow computers at all times. Employees shall never run software or open any files without first ensuring that they are free of malicious software. Emails from unknown sources shall be treated as suspect and reported to the IT team, who will investigate and report back to the employee.
Employees using remote access from non-company devices shall be responsible for maintaining and updating their malicious software controls. They shall seek advice from the IT Team on how to do this.
3.3 Protection of Copyright Material
The penalties to KashFlow and employees for using unauthorised software can be significant. Employees shall only use software that has been purchased by the company. Employees shall not take copies of any KashFlow-supplied software nor load any software that has not been sourced by the company.
3.4 Email Usage Principles
KashFlow provides email to assist employees in the performance of their jobs. Whilst its use should be primarily for official company business, incidental and occasional personal use of email shall be permitted, on the understanding that:
• Personal messages shall be treated the same as business messages.
• Personal use of the email system shall never impact the normal traffic flow of business-related email.
KashFlow shall reserve the right to purge identifiable personal email to preserve the integrity of the email systems. Email shall only be used where the transmission of such information is in compliance with relevant legislation and regulation (such as that relating to credit card transactions and the Payment Card Industry Data Security Standard).
No employee shall send, forward or receive emails that in any way may be interpreted as insulting, disruptive or offensive by any other person or company, or which may be harmful to the morale of employees. Examples of prohibited material include:
• Sexually explicit messages.
• Unwelcome propositions, requests for dates, or love letters.
• Profanity, obscenity, slander, or libel.
• Ethnic, religious, or racial slurs.
• Political beliefs or commentary.
• Any message that could be construed as harassment or disparagement of others based on their sex, race, sexual orientation, age, national origin, disability, or religious or political beliefs.
All email traffic, including attachments, shall be monitored and reviewed, and any action deemed appropriate shall be taken.
All employees shall ensure compliance with all relevant legislation.
All information shall be owned by the company and not by individuals.
The email system shall not be used for personal financial gain.
Contractual commitments shall only be made via email by those so authorised. Any such communication shall be filed securely for later access and comply with the latest legal guidance regarding electronic mail signatures.
3.5 Instant Messaging and Video Calls
Shall only be used for business purposes.
3.6 Internet Usage
KashFlow provides its employees with internet access to assist them in the performance of their jobs. Whilst its use should be primarily for official company business, incidental and occasional personal use of the internet is permitted, on the understanding that:
• Personal use of the internet shall never impact the business-related Internet access or KashFlow operational activities.
• Access to social networks is allowed during break times.
• KashFlow reserves the right to curtail an employee's internet access to preserve its reputation and the integrity of its systems.
• Messages shall not be posted on any internet message board or other similar Web-based service that would bring KashFlow into disrepute, or which a reasonable person would consider to be offensive or abusive. The list of prohibited material is the same as that for email.
• Employees shall not place on the Internet any opinion or statement that might be construed as representing KashFlow.
• Employees shall not leave their name or other identification, including the address of the computer in use, which may allow others to locate or identify the company.
• KashFlow shall report any illegal activity to the police. Employees shall also be liable to KashFlow's own disciplinary process.
• Internet access shall not be used for personal financial gain, or to host a website on any KashFlow network.
• An employee's use of the system shall not have a noticeable effect on the availability of the system for other users. Employees shall not participate in on-line games or have active any web channels that broadcast frequent updates to their computer.
• Employees shall not visit Web sites that display material of a pornographic nature, or which contain material that may be considered offensive. Employees shall notify the IT team immediately should accidental access to such material occur. No disciplinary action shall be taken against employees who accidentally access sites containing dubious or unethical material providing they advise the IT team in a timely manner. However, in order to avoid disciplinary action, it is the employee's responsibility to ensure that such unauthorised access does not happen on a frequent basis.
• Employees shall not download any files or software from the Internet, or capture any images that are displayed, as there may be any number of issues concerning copyright, malicious software and overall functioning of the computer.
• Employees shall not enter their email address on a Web site unnecessarily as this might expose KashFlow to security risks such as malicious software attacks or unwanted junk messages.
• Employees logged in at a computer shall be considered to be the person browsing the Internet. Under no circumstances shall employees browse the Internet from an account belonging to another employee.
• The IT team shall monitor and log all Internet access by employees and reserves the right to disclose this information to any relevant authority.
3.7 Data Protection
KashFlow is required by law to comply with the Data Protection Act 1998, as amended from time to time, when processing personal data. Employees have a personal responsibility to ensure that they make an active contribution towards meeting these legal obligations.
In certain circumstances failure to comply with the Data Protection Act 1998 may result in employees being personally liable for such non-compliance.
3.8 Use of Equipment Off-Premises
Employees are allocated assets as required by their role; some of these may be allowed off-site as required.
Employees shall exercise appropriate care when using the company's information assets outside the normal office environment. This particularly applies when information is processed on laptops, tablets and mobile telephones. Users must be aware of the risk of information leakage from the use of display screens in public places and must never view company-sensitive information that might be seen by others. If in doubt, wait until a private area is available.
3.9 Clear Desk and Clear Screen
Employees shall ensure that the confidentiality of sensitive information is not breached whilst such files and documents are in their possession.
To facilitate such control, KashFlow operates a Clear Desk Policy. This means that desks and other working areas shall be cleared of all sensitive information when employees leave them unattended for any purposes.
Employees who are dealing with sensitive information shall secure it in appropriate storage whenever they leave their workstation. Similarly, employees shall ensure that the confidentiality of records or facilities to which they have authorised access is not breached when they are away from their desk.
Clear Screen Policy: Whenever leaving a workstation/laptop activated but unattended, employees must lock the screen by either pressing 'CTRL/ALT/DEL' or the 'WINDOWS KEY/L'. This will blank the screen and lock the workstation so that it requires a login password to activate.
3.10 Management and Disposal of Media
It is unlikely that media will be used to store sensitive information. If temporary storage is required, the IT team must be contacted to determine the requirements and possible controls required (e.g. an encrypted memory stick).
Data shall be transferred from any media received into secure storage on the network. Media must then be forwarded to the IT team to arrange secure destruction.
Hard discs are all securely destroyed through an approved disposal company.
3.11 Secure Disposal or Re-Use of Equipment
All equipment no longer required must be returned to the IT team, who will:
• Amend the location in the Asset Register.
• Store the equipment in a secure location until disposal/re-use can be arranged.
• For disposal, ensure any data storage drives are securely wiped (i.e. using software available to over-write data) or the data storage drives are physically destroyed. This may be carried out in-house or via an approved sub-contractor, with a certificate of destruction to be supplied.
• For re-use, ensure any data stored is deleted as above before the device is re-allocated. The Asset Register is amended accordingly.
3.12 Paper Waste
All paper waste is collected in secure bins and securely shredded via an approved secure disposal company.
If staff identify documents that are particularly sensitive (financial or personnel), they are responsible for shredding them directly using the office-based shredders.
Appendix 4: Critical incident process
Introduction
The following section outlines why IRIS has a critical incident process, and what our definition of a 'critical incident' is. It also covers what a 'personal data breach' is, and walks you through IRIS's critical incident process, as well as explaining the different roles and responsibilities employees will play during a critical incident procedure.
Why have a Critical Incident Procedure?
There are many reasons why it's essential to have a critical incident procedure, such as:
Commercially
• Making customers feel assured that their data is stored safely and that procedures are in place to maintain its security.
Regulatory
• We can't comply with data protection law (Data Protection Act 1998 and GDPR) without a personal data breach procedure.
• PCI-DSS and Cyber Security Essentials dictate that we have a data breach procedure.
Financial
• Not having a data breach procedure can lead to unlimited financial risk through regulatory fines and litigation.
Good business practice
• We want to learn from critical incidents to avoid future repetition.
• It's crucial we get the business back up and running normally as quickly as possible.
• A clear data breach procedure can improve the monitoring of data and the ability to interpret the reports, which can help to identify incidents before they have an impact.
• Increase staff confidence as they know that a process exists to keep IT services working.
What do we mean by 'Critical Incident'?
Within IRIS, this is defined as:
a) An incident that prevents all site users accessing one or more critical business systems. This could be one system accessing all sites, or one site in its entirety.
b) An incident that could have a detrimental effect on customer delivery or services.
c) Loss or potential loss of control of confidential data (this would include actual personal data breaches and 'near misses').
d) Unauthorised access to systems or facilities (including offices).
What do we mean by 'personal data breach'?
According to GDPR Article 4, a 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Any serious data breaches must be reported to the ICO within 72 hours.
Critical Incident Stage 1 (process flow)
• Critical incident occurs.
• IT log the incident and categorise it.
• Is this incident regarding availability or information security / personal data?
• Information security / personal data: go to Information security / personal data incident Stage 2.
• Availability: go to Availability incident Stage 2.
Information security / personal data incident Stage 2
• Information security / personal data breach.
• IT inform the DPO.
• Assess the incident and determine the incident level: Minor or Significant.
• If Significant: notify the CIO and other relevant parties.
• Data Protection Officer role:
• Containment and recovery.
• Assessment of the risks.
• Notification of breaches.
• Evaluation and response.
• Put in place an action and resolution plan.
Information security / personal data incident Stage 3
• Put in place an action and resolution plan.
• ICO notifiable?
• Yes: obtain CEO agreement to approach the ICO, then inform the ICO.
• No: proceed to closure.
• Close the incident and notify the service desk.
• End.
Availability incident Stage 2
• Availability incident.
• Determine the primary cause: Facilities, System or Product.
• Facilities: inform the facilities manager.
• System: inform the IT Manager.
• Product: inform the CTO.
• Incident Manager responsibilities:
• Owns the incident resolution plan.
• Coordinates the incident response.
• Chairs incident update calls.
• Follow the Critical Incident Management Process.
• End.
IRIS Critical Incident Management Process
• Incident Manager receives the incident.
• Does the incident require the invocation of the BCP plan?
• Yes: go to the BCP Process.
• No: continue.
• Form the incident management group. Identify the resolver lead and the communication lead.
• Resolver Lead(s) and Communication Lead(s) proceed with their respective processes below.
IRIS Critical Incident Management Process – Resolver Lead
Resolver Lead(s):
• Work on the issue as a priority.
• Is additional help required?
• Yes: engage additional support and agree regular comms updates; provide assistance where necessary; obtain regular updates and inform the Incident Manager.
• No: work to resolve; provide regular updates to the Incident Manager.
• Close the call.
• On resolution, complete an incident report within 1 week containing lessons learnt and actions taken.
Resolver Lead responsibilities:
• Owns the incident resolution.
• Engages additional resources, skills and third parties as needed.
• Provides regular feedback to the Incident Manager on progress.
• Creates the Incident Report.
IRIS critical incident management process – Communication Lead
Communication Lead(s):
• Use the 'TextLocal Service' to notify the all-Managers Group.
• Send out the populated email template to appropriate parties.
• Update the IRIS intranet with outage details.
• If the incident impacts the customer, inform the CMO.
• If needed, set up and lead hourly 'JoinMe' meetings.
• Obtain 30-minute updates from the technical lead.
• Provide business updates every hour via text and email.
• Is the issue resolved?
• No: continue the update cycle.
• Workaround: send notifications with next steps for resolution.
• Fully resolved: send final notifications via the same methods, then close the call.
Communication Lead responsibilities:
• Owns regular communication of incident progress.
• Schedules update meetings.
• Sends text alerts, emails and updates the Intranet on a frequency agreed with the Incident Manager.
IRIS critical incident management process – BCP
BCP Process:
• Identify the site BCP owner and contact them to agree invocation.
• Follow the site BCP plan.
• Obtain 30-minute updates from the manager.
• Is the issue resolved?
• No: continue the BCP Process.
• Yes: end.
Appendix 5: IRIS Business Continuity Plan statement
The IRIS Group's policy is to maintain the continuity of its activities, systems, facilities and processes and, where these are disrupted by any event, to enable it to return to 'normal' operations as soon as possible, taking fully into account the impact of any delay on quality of service, reputation and finances.
The objectives of business continuity planning are to ensure that IRIS:
• Understands its critical activities and maintains the capability to resume operations within agreed time frames, following the deployment of a contingency planning response.
• Increases resilience by protecting critical assets and data (electronic and otherwise) through a co-ordinated approach to management and recovery.
• Minimises impacts using a focused, well-managed response activity.
In compiling business continuity plans IRIS commits to the following:
• Taking all reasonable measures to prevent and avoid any disruption to normal operations.
• Considering continuity planning and resilience implications in all process, project, change and system developments.
• Making advance arrangements for the recovery of infrastructure components (e.g. accommodation, transport, telecommunications, equipment and supplies).
• Making advance arrangements to re-locate or re-organise operations to allow critical processes to continue.
• Providing resilience for information systems and data, or alternative ways of working in the event of their failure. All new systems and processes are to be in line with IRIS's Information Security Policy.
• Protecting staff, visitor and third party welfare during and following an incident.
• Ensuring the effectiveness of plans and recovery arrangements through robust and regular testing and training.
• Updating plans following significant changes to contingency planning requirements. Such changes may occur as part of organisational change planning and management.
This policy will, unless otherwise stated, apply to all IRIS Group companies and will not be limited to recovery of IT infrastructure alone.
This policy has been approved by the Chief Executive.
Appendix 6: ISP03-HR
1. Objective
To ensure all staff are assessed before starting employment, are managed during their time at KashFlow, and that appropriate actions are taken on termination.
2. Scope and Index
This procedure applies to all staff employed by KashFlow.
The procedure details the controls required by the following control objectives defined in Appendix A of ISO 27001:2013:
SoA Ref - Requirement
A.7.1.1 - Screening
A.7.2.2 - Information security awareness, education and training
A.7.3.1 - Termination or change of employment responsibilities
3. Procedure
Pre-Employment Screening
Any concerns will be discussed with the Line Manager and, if not resolved, shall be escalated to the HR team to give guidance. Records are maintained in the personnel files.
a) Interview process coordinated by the department head.
b) Verification of critical training, copies of appropriate certificates.
c) Credit checks, DBR and police record checks dependent on the job role.
d) Positive verification of two work-related references, records of verification kept in personnel files.
e) Positive verification of identity and living address. Photo-ID (driving licence or passport).
f) If not a UK national, confirmation of the right to work in the UK.
g) Accepted and signed contract.
Induction
a) Completion of the Induction Sheet, carried out by the HR team and IT Team. Induction training covers initial personnel requirements and introduction to the company, health and safety, quality, IT induction and information security awareness. There will be signed acceptance of the awareness training and IT Policies by the new starter.
b) Issue of Access Rights following the requirements of ISP06.
c) Issue of building access card.
Ongoing Control
a) Employees shall receive regular appraisals from their Line Manager. The appraisal will identify additional training requirements that can be used if required to compile an individual or company training plan.
b) Regular updates on Information Security controls, awareness and objectives identified shall be e-mailed to all staff, coordinated by the Technical Systems Manager / Technical Operations Manager.
c) Any serious issues or concerns will be handled following the process defined in the Staff Handbook, including disciplinary actions.
Change in Responsibilities/Roles
a) The new Line Manager shall assess the requirements of the new role, compare them to the employee's previous role, and raise an IT ticket if a change in access requirements is evident (ISP06).
b) Actions must be recorded to ensure security is maintained with the changing responsibility and access of the employee.
c) It may be that new equipment is required or previously issued equipment must be returned.
d) There may be specific staff vetting requirements for the new role that did not occur when the employee originally started work.
e) There may be security controls that are required or may no longer be required.
f) The timing of the actions depends on the role of the employee and risks to the company.
Termination
a) The Line Manager / HR team must raise an IT ticket when an employee leaves the company or hands in a letter of resignation. Actions must be recorded to ensure security is maintained. The timing of the actions depends on the role of the employee and risks to the company.
b) If there are concerns about the access available to the employee once they have handed their notice in, the Line Manager must inform the Technical Systems Manager / Technical Operations Manager to assess the risk and agree and carry out actions to protect information security. Some of the actions on termination may be carried out early, such as return of keys, restriction of access, or change of codes.
c) On termination, all actions taken shall be recorded on the ticket. These include:
• Return of assets such as laptops/phones etc.
• Email accounts re-directed to the Line Manager.
• Return of building keys if applicable.
• If the employee was in possession of codes for any secure locks, arrangements shall be made to change the codes immediately.
• Removal of access rights on the system.
Appendix 7: Rackspace
Introduction
The standard KashFlow HR Private Cloud Platform is located within the tier 3 data centre of our Hosting Service Provider Rackspace in Slough, UK. Being a tier 3 data centre, all components (such as network and power) are redundant throughout, with Rackspace offering exceptionally high levels of uptime.
KashFlow have a dedicated account manager within Rackspace and leverage the Fanatical Support agreement that ensures over 99% of their support calls are answered within 5 minutes. KashFlow raise support tickets as soon as they are notified of any customer incident (which could be platform related) during normal KashFlow Support hours. Outside of support hours Rackspace monitor the systems 24/7, fixing any platform faults and informing KashFlow once complete.
The platform is built upon Windows Clustering and load balancing for web services, SQL clustering for database services and Terminal Services for Legacy Payroll customers. All customers' databases are isolated, and data is stored in individual customers' SQL Server databases. This shared architecture is scaled to be able to run all customer services in the event of a hardware failure. Automatic failover of services to hot components is in place for resilience.
All servers are operating at low levels of CPU and memory utilisation, and are monitored by both Rackspace and KashFlow. Should CPU and memory utilisation become an issue, then capacity is increased.
The platform is secured within Rackspace on their own segregated network and fronted by Cisco firewalls. Access into the data halls is tightly controlled, and Rackspace pride themselves on being ISO 27001 accredited, which is the only auditable international standard that defines the requirements for an Information Security Management System (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls.
All KashFlow data is shipped to servers located at a separate geographical Rackspace data centre via a secure two-factor VPN connection.
Rackspace fanatical support
Rackspace is different from other providers. In an industry highly focused on technology, they choose to focus on exceptional service as much as on robust IT. It's their goal to provide the best service you have ever experienced. Your complete satisfaction is their sole ambition - anything less is unacceptable.
Fanatical Support is their name for the outstanding service they provide. Their driving purpose is to take care of all businesses utilising Rackspace, to make sure things go as smoothly as possible.
Rackspace fanatical support promise
Rackspace promise to meet or exceed expectations in the following 5 areas:
Responsiveness: They are available 24/7/365 by phone or ticket to support the infrastructure dedicated to KashFlow and take special care to assist with urgent requests.
Ownership: They take personal responsibility for KashFlow's infrastructure and services. They empower their employees to make decisions and take actions on our behalf. A live escalation contact will be readily available to us at all times. They will follow through on their commitments to us.
Resourcefulness: They employ creative and practical solutions for our private cloud service, including issues related to the network, hardware or operating system.
Expertise: They will always have subject matter experts available who know how to identify problems and offer solutions. Their support teams will provide advice to us about our environment using their industry and technology expertise.
Transparency: They actively listen and provide us with direct and individualised communications. Their answers to our questions will be straightforward and honest, and they will not avoid tough questions. They never use scripts, but instead provide personal responses addressing our specific issues.
Security
KashFlow's Private Cloud infrastructure is protected by some of the industry's most potent security tools and techniques:
• Their data centres are physically protected 24/7 by on-site security guards, and only Rackspace data-centre staff have physical access to the data halls.
• Security engineers monitor both Rackspace-managed devices and external threats.
• Server operating systems are hardened to Rackspace internal standards on installation. They apply new security patches as new threats emerge.
• The managed antivirus service is powered by Sophos, and fully managed by their experts.
• Fully managed firewalls.
System performance monitoring
Rackspace provide KashFlow with the following performance monitoring service:
Rackwatch – 24/7 port monitoring service which checks the availability of our servers, confirming our hardware is operating correctly.
Backup and restore
Rackspace's Managed Backup services provide encrypted backups to tape utilising a full / differential backup strategy.
Rackspace carefully balance the need to restore data quickly against the need to minimise performance impact on our systems.
Service level metrics
The following metrics are defined from Rackspace to KashFlow:
Network Connectivity: 100% available, excluding maintenance.
Data Centre: 100% available including power and cooling, excluding maintenance.
Hardware Problems: Fixed within 1 hour of fault diagnosis.
Customer service metrics
Rackspace survey their customers quarterly, measuring on an ongoing basis the impact of the Rackspace relationship.
In addition, they rate every single fault resolution (or 'ticket') for transactional customer satisfaction. For this purpose, they use the variant question "Based upon the work completed in this ticket, how likely would you be to recommend Rackspace to a friend or colleague?"
On an annual basis, they commission independent research which compares customer satisfaction across a range of hosting providers. The results are shown below:
(Chart not reproduced in this transcript.) Source: Vanson Bourne
Vanson Bourne is a specialist research-based IT marketing consultancy. This independent research collated the responses from 376 purchasers of Managed Hosting Services.
Infrastructure and data centre specifics
Rackspace's multi-homed Cisco Powered Network is built on hardened routers and audited by Cisco, which assists in obtaining maximum-security protection. The network also incorporates a patented Denial of Service mitigation service to protect against external threats. Together these enable them to deliver on their 100% network guarantee (excluding Rackspace maintenance periods).
KashFlow use Rackspace data centres in the UK, which are:
• Engineered with fully redundant connectivity, power, heating, ventilation and cooling to avoid any single point of failure
• Staffed 24/7 by highly trained technical support staff
Multiple levels of security ensure only data centre Operations Engineers are physically allowed near our routers, switches and servers. This enables them to deliver on their 100% infrastructure availability guarantee.
Physical security
No public access: Public access to Rackspace data halls is strictly forbidden. This removes the need for anyone other than highly trained Rackspace Engineers to be allowed into the data halls. It also helps them provide a higher level of service than anyone else in the industry.
Video surveillance: Live video surveillance of each data centre facility is monitored 24/7. All entrances to the building and data centre are monitored to ensure only authorised personnel enter sensitive areas.
On-site security personnel: Rackspace's on-site security team monitors each data centre building 24/7. Their security personnel provide the first layer of security for access to the data centre.
Biometric security: Biometric scanners are used to restrict access to each data centre. The biometric security systems represent the second layer of security for access to the data centre. Within the organisation, only Rackspace engineers are authorised to access restricted areas.
Passcards: In conjunction with the biometric scanners, access to each facility is restricted to those who hold a Rackspace passcard. The passcards are also required for moving from room to room within the data centre. Their security passcard system is the third layer of security in the data centre.
Power systems
Each data centre gets its power from commercial utility underground conduits.
There is a 10-minute battery backup to provide continuous power if a short failure of the mains utility supply occurs. There are also multiple diesel generators with full-load capability, on standby to provide long-term power in an emergency.
UPS systems: The power systems are designed to run uninterrupted even in the unlikely event of a total power outage. All staging and production systems are fed with conditioned UPS power which will run if utility power fails. The UPS power subsystem is N+1 redundant with instantaneous failover in case the primary UPS fails.
Diesel generator systems: The on-site diesel generators will automatically start in the event of a power surge or power system failure. The power subsystems are designed to cut over immediately with no interruption in the event of a power failure. Both are regularly tested to ensure they will function properly in the event of a power system failure.
Cooling
KashFlow's HR main data centre has a closed loop chilled water system. It is cooled by 5 x 1.5MW chillers in an N+1 arrangement (8 at maximum capacity).
Each data hall is configured in a hot and cold aisle arrangement. An 800mm pressurised plenum is fed by computer-room air-handling units in an N+25% arrangement connected by a flow-and-return chilled water loop.
Smoke detection & fire suppression
Early warning of any fire hazards at the facility is provided by Protec Stratus high sensitivity smoke detection systems. These are backed up by Protec fire alarms.
In the unlikely event that the worst should happen, fire suppression is provided by dry pipe double knock sprinklers. This requires two smoke detectors in a single zone to trigger an alarm. The sprinkler head bulb will then only burst when the temperature exceeds 60˚C in that immediate area.
Rackspace network
The Rackspace Network has been engineered from the ground up to accommodate the high availability demands of outsourced solutions.
Connectivity: Rackspace provides a fully resilient and redundant network infrastructure onto which the KashFlow HR Private Cloud is based. Their entirely switched network employs Cisco 6500 chassis-based switches running Hot Standby Router Protocol (HSRP, N+1 hot failover). This ensures data can be routed even in the event of device or link failure. Internet connectivity is provided via multiple links to Tier 1 bandwidth providers. Coupled with the Cisco-powered infrastructure, this enables them to maintain 100% network availability, excluding Rackspace maintenance periods.
BGP4 routing: Rackspace runs the Border Gateway Protocol (BGP4) for best-path routing. Should one of their providers fail, packets leaving the network are automatically redirected through another route via a different provider.
Bandwidth utilisation: The Rackspace UK Network is running at approximately 20% capacity at peak times. This enables them to accommodate even the largest spikes in traffic. As network utilisation reaches 30%, they automatically add more network capacity. This helps to ensure KashFlow do not experience network degradation, even if one of their providers has an outage.
Rackspace customers
Below are some examples of the many customers currently utilising Rackspace for hosting services, by sector:
eCommerce
Publishing and Media
Public Sector
IT / Telecoms
Financial and Legal
IT Services / SaaS
Rackspace partners
As the world's leader in hosting and cloud computing, Rackspace has forged close working relationships with key infrastructure vendors. As a result, they have exceptional access to equipment supplies, software updates and patches and vendor-level expertise, including:
Red Hat
Rackspace has always been a staunch supporter of the open source community. They were the first Red Hat Premier Hosting Partner in Europe. Recognised as the experts in deploying and managing Linux configurations, Red Hat is also a Rackspace customer. There are more certified Red Hat engineers at Rackspace than at any other company apart from Red Hat.
Microsoft
Since 2006, Rackspace has been an accredited Microsoft Gold Certified Partner for its expertise in Microsoft Hosting. This makes it one of the six initial Application Infrastructure Providers in the world.
Microsoft named Rackspace winner of the Advanced Infrastructure Solutions, Hosting Solutions Partner of the Year in 2007, 2005 and 2003.
VMware
VMware provides virtualisation software for Rackspace's private cloud solutions. This is a proven solution for customers needing the flexibility of virtualisation and the security and robustness of a dedicated infrastructure. The KashFlow HR Private Cloud is built upon VMware.
Dell
Rackspace partners with Dell to offer reliable and highly scalable managed hosting server and storage platforms.
Cisco
Cisco provides end-to-end enterprise network solutions from the most comprehensive line of networking products available in the industry. Rackspace uses Cisco networking products exclusively and has a certified Cisco Powered Network.
Rackspace awards & certifications
Policies, Procedures and Controls
ISAE 3402 is an international auditing standard intended to provide customers and prospects with third-party validated visibility of a service provider's controls.
Rackspace is subject to an ISAE 3402 Type II (SOC 1) audit annually covering all data centre facilities globally. A report on the audit is generated each November to report the results for the past year, and these are available to current and potential customers subject to signature of appropriate Non-Disclosure Agreements.
Information Security
All hosting operations performed in Rackspace's UK data centres have been certified compliant to multiple ISO standards.
Their certifications and links to the certificates can be viewed on the Rackspace website by following this link: https://www.rackspace.com/en-gb/certifications-uk
Customer Service
At the National Customer Service Awards for 2010, Rackspace won both:
• The award for Front Line Customer Service Team for 2010.
• The most coveted overall award, Customer Service Team of the Year.
This is the second consecutive year they have been recognised by these awards: in 2009 Rackspace also won "Customer Service Team of the Year for B2B" and the highest honour, "Customer Service Team of the Year".
Rackspace received the 'Employer of the Year' award in the National Business Awards in November 2011. In parallel Rackspace was awarded the Ruban d'Honneur for Customer Focus in the European Business Awards. In both national and European awards, the Customer Focus awards are presented to the organisation that can best demonstrate that it has the customer at the heart of its business. Such a prestigious award highlights the superior support that Rackspace provides for their customers, arguably the best in the country.
Employee Engagement and Development
In 2011 and 2012, The Sunday Times Best Companies Awards recognised Rackspace as an outstanding place to work. This is a reflection of the track record Rackspace has established over five years.
Rackspace was the highest placed IT services provider in the Financial Times UK's 50 Best Workplaces ranking for 2012. In 2009 Rackspace was also awarded a Laureate award for being placed in the top 50 for five (now six) consecutive years.
Environmental Sustainability
In 2010 Rackspace was named IT Operator of the Year in the prestigious Green IT Awards 2010. Over 75 organisations were nominated for The Green IT Awards and winners were selected by readers of the Green IT magazine and its website. The Green IT Awards are a benchmark by which IT companies are measured for environmental performance. The awards also showcase the role played by green marketing and sustainability communications in informing people about green issues, products and lifestyle choices, and provide examples of excellence and best practice in communicating sustainability and green issues.
Rackspace vision
To understand the kind of relationship KashFlow can expect with Rackspace, you may want to understand their vision, and the values below.
Rackspace is recognised by Gartner as a leader for vision and ability to execute.
Gartner Group is the leading industry analyst focusing on the information technology sector. Their 2012 "Magic Quadrant" for Managed Hosting including Cloud positions Rackspace squarely as a Leader.
(Chart not reproduced in this transcript.) Source: Magic Quadrant for Managed Hosting including Cloud, Gartner, 2012
Rackspace's Core Values, summarised below, reflect who they are, and help move them towards their vision of service leadership.
1. Fanatical Support in all they do: Rackspace really are fanatical about their people, their services and their customers. They live, eat and breathe customer service.
2. Results first, substance over flash: It's all about delivery; Rackspace invest only in what delivers end results to their customers. If it's not good for you, then it's not good for them.
3. Committed to greatness: They are dedicated to building Rackspace into something great, as well as delivering an outstanding service. They also strive to be an organisation that makes a positive impact on the world, making a real difference to our own lives, and the lives of our customers.
4. Passion for their work: To bring the commitment you expect to Rackspace's service, they have to be passionate about what they do. Rackers are pretty special people – they only hire people who are committed and dedicated, with the courtesy, patience, friendliness and empathy to ensure you have an outstanding experience.
5. Full disclosure and transparency: They always tell it like it is. There are no smokescreens at Rackspace, and so they promise complete transparency to customers on any issues that arise, no matter how minor. It's all about trust.
6. Treat Rackers like friends and family: Happy staff leads to happy customers. Being a part of Rackspace really does feel like a surrogate family; helping each other out and showing they care comes naturally.