Info File: Electronic control of access to data
Only authorised staff should have access to data or information processing facilities.
The following controls have been put in place:
· We encrypt data held in databases or files that are reachable from the Internet, since unencrypted Internet-accessible data stores are a common cause of compromise.
· We vet all personnel.
· We identify each individual user of information processing facilities and assign each one a unique user identification and password (USER ID).
· We hold each individual accountable for all activity performed under his or her USER ID.
· We require that each use of a USER ID be traceable to the individual who logged on.
· We do not leave vendor-supplied default passwords or other default security parameters in place; we change them before a system goes into use.
· We have set procedures for suspending and revoking USER IDs.
· We change USER ID passwords monthly, or more often where this is judged appropriate.
· We block the USER ID of anyone who leaves the business or department.
· We use the USER ID system to maintain a clear audit trail of access to data.
· We destroy all redundant and damaged media (hard discs, servers, floppy discs etc.).
· Access to our terminals is restricted and all processing departments are physically secured.
· We operate a clean desk policy.
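The USER ID controls above (one ID per person, activity traceable to that person, IDs blocked when someone leaves, vendor-supplied accounts removed) only work if someone actually reconciles the audit trail against the user register. The script below is an added example, not part of the Streamline Info File: the register, the vendor-default account names, the audit-trail lines and the session window are all constructed for illustration. It flags activity on a revoked USER ID, use of a vendor-supplied account, and a login from a second terminal while a session on the same USER ID is still open, which is the usual sign that a password is being shared.

```python
"""Audit-trail reconciliation for USER IDs.

Added example, not part of the Streamline Info File. The user register, the
audit-trail lines and the list of vendor-supplied account names are all
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed register: USER ID -> (person it is assigned to, date it was revoked or None)
USER_REGISTER = {
    "jsmith": ("J. Smith", None),
    "akhan": ("A. Khan", "2004-03-31"),      # left the business at the end of March
    "admin": ("vendor default", None),       # vendor-supplied account that should be gone
}

# Constructed vendor-supplied account names that should never appear in the trail
VENDOR_DEFAULT_IDS = {"admin", "root", "sa", "guest"}

# Constructed audit trail, one record per line: "timestamp USER_ID host action"
AUDIT_TRAIL = """\
2004-04-01T09:02:11 jsmith WS-14 login
2004-04-01T09:05:40 jsmith WS-14 read:cardholder_db
2004-04-01T09:06:02 akhan WS-21 login
2004-04-01T09:07:15 jsmith WS-33 login
2004-04-01T09:20:00 admin WS-07 login
2004-04-01T17:40:00 jsmith WS-14 logout
"""


def parse_trail(text):
    """Split the trail into records; malformed lines are reported, not skipped silently."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        ts, user, host, action = fields
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "host": host, "action": action})
    return records


def audit(records, register, session_window=timedelta(hours=8)):
    """Return (timestamp, USER ID, reason) for every record that breaks the controls."""
    findings = []
    open_sessions = defaultdict(dict)   # USER ID -> {host: login time}
    for r in records:
        user, ts = r["user"], r["ts"]
        entry = register.get(user)
        if entry is None:
            findings.append((ts, user, "USER ID not in the register"))
        elif entry[1] is not None and ts.date().isoformat() > entry[1]:
            findings.append((ts, user, f"activity after revocation on {entry[1]}"))
        if r["action"] == "login":
            if user in VENDOR_DEFAULT_IDS:
                findings.append((ts, user, "vendor-supplied account still in use"))
            # the same USER ID already has a live session on another host:
            # either the password is shared or the account is being misused
            others = [h for h, t in open_sessions[user].items()
                      if h != r["host"] and ts - t < session_window]
            if others:
                findings.append((ts, user,
                                 f"login on {r['host']} while a session is open on {others[0]}"))
            open_sessions[user][r["host"]] = ts
        elif r["action"] == "logout":
            open_sessions[user].pop(r["host"], None)
    return findings


if __name__ == "__main__":
    for ts, user, reason in audit(parse_trail(AUDIT_TRAIL), USER_REGISTER):
        print(f"{ts.isoformat()}  {user:8s}  {reason}")
```

Run against the constructed trail it reports three findings: A. Khan's login the day after revocation, J. Smith's second login from WS-33 while WS-14 is still logged in, and a login on the vendor-supplied "admin" account. The revocation check compares calendar dates, so activity on the leaving day itself is not flagged; tighten that if leavers' access is cut at a set time.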
Computer Viruses
The following controls have been put in place:
· We use anti-virus software developed by a reputable supplier.
· We update anti-virus software regularly.
· We use virus detection software to scan computers and media for known viruses.
· We use virus repair software with caution and only where virus characteristics are fully understood and the correct repair is certain.
· We have banned unauthorised software.
· We regularly review the software and data content of systems supporting critical business processes.
· We investigate the presence of unknown files or unauthorised amendments.
· We virus check all media coming from outside the business.
· We have a set procedure for reporting and recovering from virus attacks.
· We have business continuity plans for virus attacks, including data and software back-up and recovery.
· We keep security patches for software up to date.
· We regularly test security systems and procedures.
· We have installed and maintain a network firewall.
· We encrypt data sent across networks.
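Two of the controls above, the regular review of the software content of critical systems and the investigation of unknown files or unauthorised amendments, depend on having a trusted record of what the system looked like when it was clean. The script below is an added example, not part of the Streamline Info File: it builds a baseline of SHA-256 digests over a directory tree and later compares the live tree against it, reporting new, modified and deleted files. The directory layout and file contents in `demo()` are constructed in a temporary directory so the example runs offline.

```python
"""Baseline-and-compare integrity check for a system's software content.

Added example, not part of the Streamline Info File. The files and the
tampering in demo() are constructed for illustration.
"""
import hashlib
import os
import tempfile


def build_baseline(root):
    """Map each file under root (path relative to root, '/' separated) to its SHA-256."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = digest.hexdigest()
    return baseline


def compare(baseline, current):
    """Return the unauthorised changes: files that are new, modified or deleted."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "deleted": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: snapshot a clean system, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "orders.exe"), "wb") as f:
            f.write(b"MZ original program")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("db=orders\n")
        baseline = build_baseline(root)   # taken while the system is known to be clean

        # an unauthorised amendment, an unknown file, and a deleted file
        with open(os.path.join(root, "bin", "orders.exe"), "wb") as f:
            f.write(b"MZ patched program")
        with open(os.path.join(root, "bin", "dropper.exe"), "wb") as f:
            f.write(b"MZ unknown")
        os.remove(os.path.join(root, "config.ini"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline is only as trustworthy as its storage: keep it on read-only or off-line media, or sign it, because a virus that can rewrite the program files can usually rewrite a baseline stored beside them.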
E-mail
E-mail is a fast and useful business tool, but it is not confidential; it can be altered and even the name of the sender can be faked.
The following controls have been put in place:
· We encrypt all data sent via E-mail.
· We ensure all e-mail is for business use only.
· We review and delete messages regularly.
· We securely archive any messages that need to be retained off the server.
· We discourage the use of executable code (‘exe’ files) received via e-mail. Where this is essential, we make sure that virus detection and prevention measures are applied before the code is run.
· If alternate users work with the same computer, we make sure that the alternate user cannot exceed their authority.
· We require employees to report any e-mail abuse to the appropriate department or person.
· We preserve the confidentiality of any sensitive information that is accidentally revealed to us.
· We keep e-mail records including a record of deletions.
· We have implemented a stringent staff policy:
1) E-mail reviews are a condition of use (e.g. ‘the monitoring and review of all e-mail messages, sent and received, can occur at any time without notice’).
2) As part of employment policy, employees may be disciplined for using racially, religiously or sexually abusive, threatening or discriminatory language via company e-mail.
3) E-mail users are personally responsible for the security of information in their messages.
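The control on executable code received via e-mail is easy to undermine if the check looks only at the file name, because a program can be sent under a document name. The script below is an added example, not part of the Streamline Info File: it parses a MIME message with Python's standard `email` module and flags each attachment that is executable either by extension or by content (a Windows program file starts with the bytes `MZ`). The sample message, the extension list and the `MZ` rule are this example's own constructions, not rules taken from the page.

```python
"""Flag executable attachments in an e-mail before it reaches a user.

Added example, not part of the Streamline Info File. The message built by
build_sample_message() is constructed; the extension list and the 'MZ'
header check are this example's own rules.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed list of extensions Windows will execute directly
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}


def build_sample_message():
    """Constructed message: a text body plus three attachments, two of them programs."""
    msg = EmailMessage()
    msg["From"] = "supplier@example.invalid"
    msg["To"] = "orders@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"PO-1234 ...", maintype="application",
                       subtype="octet-stream", filename="invoice.txt")
    # a Windows program (starts with 'MZ') sent under a document name
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    # the same program under its real name
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="update.exe")
    return msg.as_bytes()


def executable_attachments(raw):
    """Return (filename, reason) for each attachment that is executable by name or content."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        lowered = name.lower()
        # take the last extension, so "invoice.pdf.exe" is still caught
        ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append((name, "executable extension"))
        elif data[:2] == b"MZ":
            findings.append((name, "PE header under a non-executable name"))
    return findings


if __name__ == "__main__":
    for name, reason in executable_attachments(build_sample_message()):
        print(f"{name}: {reason}")
```

On the constructed message this reports `invoice.pdf` (a program under a document name) and `update.exe`, and passes `invoice.txt`. A real gateway would add checks for archives and for macro-bearing documents; the point here is that the name alone is not enough.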
Telephone, Fax and Paper
Information that comes in by telephone, by fax or in the post is handled with care.
· We collect and file securely all documents that contain personal data, order information and/or cardholder information, such as order forms, carbons, fax printouts and paper copies of telephoned orders.
· Documents are locked away securely after use.
· We make sure that staff handling telephone sales ask callers only for the cardholder information needed to process the order.
· We monitor all “customer facing” telephone calls, including sales calls.
· Paper transaction records are shredded.
If Compromised
If we believe that cardholder information has been obtained by an unauthorised person or company, this fact must be reported to Streamline and the appropriate authorities as soon as possible together with details of all the account numbers involved and all the circumstances of the compromise.

