Information Security Policy
This information security policy is a key component of Workstars' overall information security management. It covers Workstars' handling of personal data, the protection of that data, the security of our systems, and staff procedures.
Workstars is committed to safeguarding personal information. We are legally obliged to use the information in line with all laws concerning the protection of personal information, including, but not limited to, Regulation (EU) 2016/679 General Data Protection Regulation (GDPR).
Objectives, Aim and Scope
The objectives of Workstars' Information Security Policy are to preserve:
- Confidentiality: access to data shall be confined to those with appropriate authority.
- Integrity: information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.
- Availability: information shall be available and delivered to the right person, at the time when it is needed.
- Secure storage: information shall be stored securely with appropriate safeguards in place and shall be encrypted where appropriate.
The aim of this policy is to establish and maintain the security and confidentiality of information, information systems, applications, and networks owned or held by Workstars by:
- Ensuring that all members of staff are aware of, and fully comply with, the relevant legislation as described in this policy.
- Describing the principles of security and explaining how they shall be implemented in the organisation.
- Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibilities.
- Protecting information assets under the control of the organisation.
This policy applies to all information, information systems, networks, applications, locations, and employees of Workstars, or supplied under contract to it.
Responsibilities for Information Security
Ultimate responsibility for information security rests with the Directors of Workstars, and, as Workstars is a relatively small organisation, on a day-to-day basis the Directors shall be responsible for managing and implementing the policy and related procedures.
All staff shall comply with information security procedures, including the maintenance of data confidentiality and data integrity. They are responsible for the operational security of the information systems they use.
Workstars is obliged to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and agents of Workstars, who may be held personally accountable for any breaches of information security for which they are responsible.
Workstars shall comply with the following legislation and other legislation as appropriate:
- Regulation (EU) 2016/679 General Data Protection Regulation (GDPR)
- Data Protection Act (1998)
- Data Protection (Processing of Sensitive Personal Data) Order 2000
- Copyright, Designs and Patents Act (1988)
- Computer Misuse Act (1990)
- Health and Safety at Work Act (1974)
- Human Rights Act (1998)
- Regulation of Investigatory Powers Act 2000
- Freedom of Information Act 2000
Only authorised personnel who have a justified and approved business need shall be given access to restricted areas containing information systems or stored data.
In order to minimise loss of, or damage to, assets and equipment, all assets and equipment shall be physically protected from threats and environmental hazards.
All information security events and suspected weaknesses are to be noted. All information security events shall be investigated to establish their cause and impacts with a view to avoiding similar events.
The organisation shall use software countermeasures and management procedures to protect itself against the threat of malicious software. All staff shall be expected to cooperate fully with this policy.
An audit trail of system access and data use by staff shall be maintained.
The organisation shall ensure that business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks.
Workstars does NOT store payment card information of any kind. However, we follow the principles of the PCI DSS standard to show our commitment to data security and our belief in secure data practices:
Install and maintain a firewall configuration
All Workstars servers and laptops are protected by firewalls or equivalent security controls.
Do not use vendor-supplied defaults for system passwords and other security parameters.
Default passwords are never used. Where possible the following are implemented:
- key based access
- complex passwords
- single sign on
- multi factor authentication
All Workstars internal accounts with access to sensitive data require multi factor authentication.
Protect stored data.
Data is stored in line with our Encryption Policy (see below). Client data is not permitted on employee endpoints.
Encrypt transmission of data across open, public networks.
TLS is used for all access to the portal and where appropriate secure VPN is utilised.
Maintain a Vulnerability Management Program
Servers and endpoints are regularly scanned for vulnerabilities. Automatic patching is enabled.
Use and regularly update anti-virus software.
Servers and endpoints are protected by anti-virus and anti-malware software.
Develop and maintain secure systems and applications.
We use secure coding standards, code reviews, testing and automated code analysis. Our developers are trained to be aware of and address the OWASP Top 10 (see https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project).
Implement Strong Access Control Measures
All applications have extensive ACL measures to limit access to what is required and to log all changes against unique accounts.
Restrict access to data by business need-to-know.
Only staff with a need to access client data to do their job have access to client systems.
Assign a unique ID to each person with computer access.
Every Workstars employee has a unique ID when accessing their computer or management account. All customers and employees have individual accounts. Account sharing is not permitted.
Restrict physical access to data.
Workstars uses cloud providers to host our servers. All providers are checked to ensure they have appropriate security controls in place, including physical access restrictions.
Track and monitor all access to network resources and data.
We use centralised logging and monitoring systems to track access to network resources, hardware and our application.
Regularly test security systems and processes.
Security checks are automated and processes are reviewed and checked for compliance.
Maintain a policy that addresses information security.
This Encryption Policy sets out the principles and expectations of how and when information should be encrypted, and the use of encryption for Workstars-owned portable devices and storage.
What is encryption?
Encryption is the process of encoding (or scrambling) information so that it can only be converted back to its original form (decrypted) by someone who (or something which) possesses the correct decoding key.
When to use encryption?
Encryption must always be used to protect strictly confidential information transmitted over data networks against the risk of interception. This includes when accessing network services which require authentication (for example, usernames and passwords) or when otherwise sending or accessing strictly confidential information (for example, in emails).
Where confidential data is stored on or accessed from mobile devices (for example, laptops, tablets, smartphones, external hard drives, USB sticks, digital recorders) the devices themselves must be encrypted (using “full disk” encryption), irrespective of ownership.
Where strictly confidential data is stored in public, cloud-based storage facilities, the data must be encrypted prior to storing to ensure that it is not possible for the cloud service provider to decrypt the data. Where data is subject to an agreement with an external organisation, the data should be handled (stored, transmitted or processed) in accordance with the organisation's specified encryption requirements.
Special care should be given when the data contains:
- Data sets relating to living, identifiable individuals, including employees, customers and their employees.
- Any information relating to living, identifiable individuals which might potentially be used for fraud or identity theft, including, but not limited to, bank account or credit card details, national insurance number, personal contact details, date of birth, salary related information, staff performance, grading, promotion or personal and family lives.
- Data relating to living, identifiable individuals’ health, disability, ethnicity, sexual health, political or religious affiliations, trade union membership or criminal offences/convictions.
- Any finance-related data.
- Any information that has been provided to Workstars in confidence.
- Business related data that would be likely to disadvantage Workstars in its funding, commercial or policy negotiations.
- Meeting papers or data relating to proposed changes in strategy, policies or procedures, before the changes are agreed and announced.
In relation to email, any personal or commercially sensitive data should only be sent via the Workstars email system when absolutely necessary, and where that is the case the data must be sent in an encrypted form. The recommended method is to attach the data as an encrypted file to one email and then send the recipient details of how to decrypt it in a separate email, in order to reduce the chances of interception or any accidental or malicious distribution of the sensitive data. Utilities such as the 7-Zip application, installed as a standard package on Workstars PCs, offer an easy method to encrypt files before transmission.
In most cases, encryption keys will be in the form of a password or passphrase. Losing or forgetting the encryption key will render encrypted information unusable so it is critical that encryption keys are effectively managed. When devices are encrypted by IT Helpdesk staff, Airwatch will take responsibility for the secure management of the keys. In all other cases, it will be the individual member’s responsibility to manage the keys in their Workstars Lastpass account.
There are many different encryption standards available. Only those which have been subject to substantial public review and which have proven to be effective should be used. Specific guidance is available from the IT Helpdesk and/or the Data Protection Officer.
All new laptops, tablets and portable storage devices purchased by IT will be supplied with encryption pre-installed and enabled. Any memory stick or USB storage device may have encryption applied through an appropriate software tool. The encryption standards used for securing Workstars-purchased devices are:
- BitLocker AES-XTS standard, built into Microsoft Windows
- FileVault2 AES-XTS standard, built into Mac OS X
The Workstars platform automatically encrypts sensitive files (e.g. employee data files) uploaded by our clients using AES-256. Each client has its own key, stored in the database; for additional security the client key is itself encrypted with a Workstars master key, which is stored on disk. All cloud servers are configured to encrypt data at rest.
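The per-client key wrapped by a separately stored master key that the paragraph above describes is envelope encryption. The following is an added example written for this page in Ruby using OpenSSL's AES-256-GCM, not Workstars' own code; the client row layout, the function names and the constructed inputs are assumptions. It also shows two consequences of the split that the paragraph does not spell out: a wrapped key is bound to its client ID, and rotating the master key re-wraps only the client keys, never the stored files.

```ruby
require 'openssl'
require 'securerandom'
# OpenSSL::Cipher#update rejects empty input, so empty files need this guard.
def run_cipher(c, data)
  data.empty? ? ''.b : c.update(data)
end

# AES-256-GCM: returns nonce || ciphertext || tag. The aad is authenticated but
# not encrypted; it is used below to tie a wrapped key to its client row.
def seal(key, plaintext, aad = '')
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key          # a 32-byte key selects AES-256
  nonce = c.random_iv  # fresh random 12-byte nonce for every call
  c.auth_data = aad
  nonce + run_cipher(c, plaintext) + c.final + c.auth_tag
end

# Reverse of seal; raises OpenSSL::Cipher::CipherError on a wrong key or if
# nonce, ciphertext, tag or aad were altered.
def open_sealed(key, blob, aad = '')
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  raise ArgumentError, 'truncated ciphertext' if blob.bytesize < c.iv_len + 16
  c.key = key
  c.iv = blob.byteslice(0, c.iv_len)
  c.auth_tag = blob.byteslice(-16, 16) # 16-byte GCM tag at the end
  c.auth_data = aad
  run_cipher(c, blob.byteslice(c.iv_len...-16)) + c.final
end

# Client row (assumed layout): a random client key, stored only wrapped. The ID
# is bound as aad, so a wrapped key copied from another row will not unwrap.
def new_client(master_key, id)
  { id: id, wrapped_key: seal(master_key, SecureRandom.random_bytes(32), id) }
end
def client_key(master_key, rec)
  open_sealed(master_key, rec[:wrapped_key], rec[:id])
end

# Upload path: unwrap the client key with the master key, then encrypt the file.
def encrypt_file(master_key, rec, data)
  seal(client_key(master_key, rec), data)
end
def decrypt_file(master_key, rec, blob)
  open_sealed(client_key(master_key, rec), blob)
end

# Master key rotation re-wraps each small client key; files are left untouched.
def rewrap(old_master, new_master, rec)
  { id: rec[:id], wrapped_key: seal(new_master, client_key(old_master, rec), rec[:id]) }
end
```

The master key here is passed in as a byte string; in a deployment it would be read from the on-disk location the policy mentions, never from the database that holds the wrapped client keys.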
Workstars will only collect information necessary to provide the Workstars service. This includes name and contact information for clients and partners, as well as employee data provided by the clients that use our platform.
Workstars will NEVER pass any personal information to any third party at any time without your prior permission.
Our Information Security Policy has the full support of the Company and the Board of Directors. To ensure that this policy is properly implemented, Workstars regularly reviews its information security progress at board level.