Get started

Data Security Policy

Last Updated August 2023

Secure Screening Services must protect restricted, confidential or sensitive data from loss to avoid reputation damage and to avoid adversely impacting our customers. The protection of data in scope is a critical business requirement, yet flexibility to access data and work effectively is also critical.

It is not anticipated that this technology control can effectively deal with the malicious theft scenario, or that it will reliably detect all data. Its primary objective is user awareness and to avoid accidental loss scenarios. This policy outlines the requirements for data leakage prevention, a focus for the policy and a rationale. 



Data Security Policy Scope

  1. Any employee, contractor or individual with access to Secure Screening Services systems or data.
  2. Definition of data to be protected
    • PII
    • Financial
    • Restricted/Sensitive
    • Confidential
    • IP

Policy – Employee requirements

  1. You need to complete Secure Screening Services’ security awareness training and agree to uphold the acceptable use policy.
  2. If you identify an unknown, un-escorted or otherwise unauthorised individual in Secure Screening Services you need to immediately notify the duty supervisor.
  3. Visitors to Secure Screening Services must always be escorted by an authorised employee. If you are responsible for escorting visitors, you must restrict them appropriate areas.
  4. You are required not to reference the subject or content of sensitive or confidential data publicly, or via systems or communication channels not controlled by Secure Screening Services. For example, the use of external e-mail systems not hosted by Secure Screening Services to distribute data is not allowed.
  5. Please keep a clean desk. To maintain information security, you need to ensure that all printed in scope data is not left unattended at your workstation.
  6. You need to use a secure password on all Secure Screening Services systems as per the password policy. These credentials must be unique and must not be used on other external systems or services.
  7. Terminated employees will be required to return all records, in any format, containing personal information. This requirement should be part of the employee onboarding process with employees signing documentation to confirm they will do this.
  8. You must immediately notify the data controller if a device containing in scope data is lost (e.g. mobiles, laptops etc).
  9. If you find a system or process which you suspect is not compliant with this policy or the objective of information security you have a duty to inform the data controller so that they can take appropriate action.
  10. If you have been assigned the ability to work remotely you must take extra precaution to ensure that data is appropriately handled. Seek guidance from the data controller if you are unsure as to your responsibilities.
  11. Please ensure that assets holding data in scope are not left unduly exposed, for example visible in the back seat of your car.
  12. Data that must be moved within Secure Screening Services is to be transferred only via business provided secure transfer mechanisms (e.g. encrypted USB keys, file shares, email etc). Secure Screening Services will provide you with systems or devices that fit this purpose. You must not use other mechanisms to handle in scope data. If you have a query regarding use of a transfer mechanism, or it does not meet your business purpose you must raise this with the data controller.
  13. Any information being transferred on a portable device (e.g. USB stick, laptop) must be encrypted in line with industry best practices and applicable law and regulations. If there is doubt regarding the requirements, seek guidance from the data controller.

Data security policy: Data Leakage Prevention – Data in Motion

Purpose

Secure Screening Services must protect restricted, confidential or sensitive data from loss to avoid reputation damage and to avoid adversely impacting our customers. The protection of in scope data is a critical business requirement, yet flexibility to access data and work effectively is also critical.

It is not anticipated that this technology control can effectively deal with the malicious theft scenario, or that it will reliably detect all data. Its primary objective is user awareness and to avoid accidental loss scenarios. This policy outlines the requirements for data leakage prevention, a focus for the policy and a rationale.

Scope

  1. Any Secure Screening Services device which handles customer data, sensitive data, personally identifiable information or company data. Any device which is regularly used for e-mail, web or other work- related tasks and is not specifically exempt for legitimate business or technology reasons.
  2. The Secure Screening Services information security policy will define requirements for handling of information and user behaviour requirements. This policy is to augment the information security policy with technology controls.
  3. Exemptions: Where there is a business need to be exempted from this policy (too costly, too complex, adversely impacting other business requirements) a risk assessment must be conducted being authorised by security management. See Risk Assessment process (reference your own risk assessment process)

Policy

  1. Secure Screening Services data leakage prevention (DLP) technology will scan for data in motion.
  2. The DLP technology will identify large volumes (thus, of high risk of being sensitive and likely to have significant impact if handled inappropriately) of in scope data. A large number of records is defined 1000 records
    In scope data is defined as
    • Credit card details, bank account numbers and other financial identifiers
    • E-mail addresses, names, addresses and other combinations of personally identifiable information
    • Documents that have been explicitly marked with the Secure Screening Services Confidential’ string.
  3. DLP will identify specific content, i.e.:
    • Sales data – particularly forecasts, renewals lists and other customer listings
    • Exports of personally identifiable information outside controlled
  4. DLP will be configured to alert the user in the event of a suspected transmission of sensitive data, and the user will be presented with a choice to authorise or reject the transfer. This allows the user to make a sensible decision to protect the data, without interrupting business functions. Changes to the DLP product configuration will be handled through the Secure Screening Services IT change process and with security management approval, to identify requirements to adjust the information security policy or employee communications.
  5. DLP will log incidents centrally for review. The management team will conduct first level triage on events, identifying data that may be sensitive and situations where its transfer was authorised and there is a concern of inappropriate use.
    These events will be escalated to company directors to be handled through the normal process and to protect the individual.
  6. Where there is an active concern of data breach, the IT incident management process is to be used with specific notification provided to the company directors.
  7. Access to DLP events will be restricted to a named group of individuals to protect the privacy of employees. A DLP event does not constitute evidence that an employee has intentionally, or accidentally lost data but provides sufficient basis for investigation to ensure data has been appropriately protected.

Reporting requirements

  • Weekly reports of incidents to the data controller
  • High priority incidents discovered by IT should be immediately flagged with the data controller. 3. Monthly report showing % devices compliant with DLP policy