Purpose
The purpose of this Information Security and Data Privacy by Design Policy (PKB's data protection by design and default approach) is to establish the key principles and requirements that will enable PKB to embed Information Security and Data Privacy into new services, systems and/or software, covering all internal PKB services (including those that are customer facing) and customer-facing shared services.
...
For the avoidance of doubt within this document, a “service” describes any software, application, system, service, or product that is built and/or purchased to support PKB business or customer needs. It excludes any systems that are built or managed to the requirements of a single customer (as this will normally be defined through contract schedules).
Scope
This Information Security and Data Privacy by Design Policy (PKB's data protection by design and default approach) applies to all those who have access to PKB systems and information, regardless of location or the types of information or systems they have access to; this includes permanent and temporary employees, contractors, suppliers and agents working on behalf of PKB.
This policy particularly applies to staff responsible for the design and development of services used to store or process information belonging to PKB, our customers or any third parties, whether the service retains or stores that information or holds it only temporarily for the purpose of transforming information on another system.
...
Line managers are responsible for the day-to-day management of staff, for advising on the implementation of Information Security and Data Privacy policies and procedures within their business areas, and for ensuring compliance by their staff.
Policy
Data protection by design and default is to be considered at the conception stage of each service, and any non-functional requirements connected with information security or data privacy are to be defined in the early stages of any information system design.
...
It is the policy that all Information Asset Owners within PKB ensure these principles are adopted in any project that is likely to have a direct or indirect impact on any information they own.
Data protection by design and default will be embedded into the design from conception and will remain until the service is decommissioned.
Data protection by design and default will be the default approach for all projects.
Data protection by design and default controls will be appropriate to the level of risk.
Data protection by design and default controls will be proactive, not reactive. Where possible, data protection by design and default controls will not be “traded off” for functionality or convenience without the commensurate risk being accepted at the appropriate management level.
Information will be adequately protected through its entire lifecycle.
The processing of any personal information should be transparent as to how it is processed, with access restricted to those who have a “need to know”.
The processing of personal, sensitive, or confidential information will be the minimum required to achieve the purpose.
...
A list of types of personal and special category information can be found in Appendix A.
Pre-Project
Data protection by design and default requirements are to be embedded into the design from inception. This includes the Information Security and Information Governance Teams and/or the Data Protection Officer understanding, at the outset of any project, any potential high-risk areas that may impact either the information security profile of PKB or the personal information of our customers, employees or partners.
...
When the risk assessment has taken place, the solution (People, Process and/or Technology) and the project deliverables will be categorised as either High, Medium or Low potential risk to PKB. This rating will determine the Information Security and Data Privacy controls required to ensure that any potential risk or impact falls inside PKB’s risk appetite and, in the case of personal information, is commensurate with the rights and freedoms of data subjects and the GDPR as a whole.
The data protection by design and default controls will be agreed upon by the stakeholders (Project Manager, Information Security, Information Governance, DPO, etc.) during the initiation phase and will be tracked through delivery and acceptance into business as usual (BAU).
...
All of these reasons may be appropriate in an individual circumstance. Any decision to accept the risk of not implementing a defined data protection by design and default control shall require acceptance at the appropriate level within PKB, up to executive level depending on both the likelihood and the impact to the information. It is also possible to introduce other controls that partially or completely mitigate the risks instead of the most appropriate control. In this case, a gap analysis will take place to assess the alternate controls and, if necessary, a risk will be raised on any residual risk remaining after the alternate controls are in place.
...
High and Medium impact projects will have their control design and delivery verified and tested. This may include specific User Acceptance Testing (UAT) (for items such as access controls), vulnerability testing (for internal and externally facing projects), and penetration testing (for external or customer-facing projects). This testing is to be organised and completed within the project, and the results released to the Information Security and Information Governance team/DPO for verification and acceptance.
Where the project involves personal information, the project manager is responsible for ensuring they have liaised with the Information Security and Information Governance team/DPO so that all information protection aspects have been considered and the effectiveness of the mitigating measures taken is to the satisfaction of the DPO.
Project Closure
The data protection by design and default process will vary depending on the impact of the project and the potential risks of its implementation from an information security and data privacy perspective.
High Impact Projects – The Information Security and Information Governance team and, where appropriate, the DPO will continue to be a stakeholder in the project and its transition to BAU. This will involve confirmation by the Information Security and Information Governance team and, where appropriate, the DPO that any controls are in place and effective.
Medium Impact Projects – The Information Security and Information Governance team and, where appropriate, the DPO will continue to be a stakeholder in the project and its transition to BAU. This will involve confirmation by the Information Security and Information Governance team and, where appropriate, the DPO that any controls are in place and effective.
Low-Impact Projects – With low-impact projects, security should be advised, especially if there has been any change to information security and data privacy controls since delivery.
Change Control Board
When the final go-live is to take place before the project goes to the Change Control Board
...
The middle stage can include multiple stages of development. The key principle is that with each stage the functionality moves closer to release, and more of the data protection by design and default requirements and their related controls are integrated with the solution.
...