Information Security & Data Privacy by Design Policy - 2024

Review cycle: Annually (Sarah Roberts: review text and compare to GDrive/internal wiki)

Source PDF: Information Security & Data Privacy by Design Policy - 2024.pdf (https://drive.google.com/file/d/13rXT1xV65kpJcFrKexRfb4gP0hJXH7KO/preview)
Purpose

The purpose of the data protection by design and default approach is to establish the key principles and requirements that will enable PKB to embed Information Security and Data Privacy into new services, systems, and/or software for all internal PKB services (including those that are customer facing) and customer-facing shared services.

...

For the avoidance of doubt within this document, a “service” describes any software, application, system, service, or product that is built and/or purchased to support PKB business or customer needs. It excludes any systems that are built or managed to the requirements of a single customer (as this will normally be defined through contract schedules).

Scope

The data protection by design and default approach applies to all those who have access to PKB systems and information, regardless of location or the types of information or systems that they have access to; this includes both permanent and temporary employees, contractors, suppliers and agents working on behalf of PKB.

This approach particularly applies to staff responsible for the design and development of services that are used to store or process information belonging to PKB, our customers or any third parties, whether the service retains or stores that information or holds it only temporarily in order to transform it for another system.

Responsibilities

Designing, developing, and delivering PKB services imposes certain standards, responsibilities, and obligations on us to ensure compliance with PKB policies, agreed management systems (such as ISO 27001) as well as UK and international law. All employees with the responsibility for managing projects, designing systems, delivering systems, and/or introducing new systems are responsible for understanding and adhering to the principles of this policy and the details defined in the various other PKB Information Security and Data Privacy policies which can be found on the PKB wiki.

...

Line managers are responsible for the day-to-day management of staff, for advising on the implementation of Information Security and Data Privacy policies and procedures within their business areas, and for ensuring compliance by their staff.

Policy

Data protection by design and default is to be considered at the conception stage of each service, and any non-functional requirements connected with information security or data privacy are to be set in the early stages of any information system design.

These considerations must be embedded in the design of any system that is likely to process personal or sensitive information including but not limited to the collecting, storing, and transmitting of any personal, sensitive, or confidential information.

Foundational Principles

The following principles are focused on the design of systems, software, and processes, and on the actions of system developers, system engineers, and architects. In all cases, accountability for the information security and privacy of information, personal or otherwise, resides solely with the Information Asset Owner.

It is the policy that all Information Asset Owners within PKB ensure these principles are adopted with any project that is likely to have a direct or indirect impact on any information they own.

Data protection by design and default will be embedded into the design from conception and will remain until the service is decommissioned.

  • Data protection by design and default will be the default approach for all projects.

  • Data protection by design and default controls will be appropriate to the level of risk.

  • Data protection by design and default controls will be proactive and not reactive. Where possible, data protection by design and default controls will not be “traded off” for functionality or convenience without the commensurate risk being accepted at the appropriate management level.

  • Information will be adequately protected through its entire lifecycle.

  • The processing of personal information should be transparent as to how it is being processed, but access to it restricted to those who have a “need to know”.

  • The processing of personal, sensitive, or confidential information will be the minimum required to achieve the purpose.

...

These principles are to be followed when developing or delivering a service, either internally for PKB or when developing or delivering a service for our customers. 

Project Governance

Introduction

Staff that both lead and implement projects within PKB are responsible for the ongoing information security and privacy of their service and the ongoing confidentiality of information processed by the delivered service.

...

Project Managers are responsible for guiding projects to a successful conclusion either as part of a new initiative or to upgrade/replace a current system or service. This includes the integration of information security and data privacy controls that are required to deliver a secure system that processes information in a controlled and lawful manner.

Information Security and Data Privacy Requirements

It is inevitable that nearly all projects will have Information Security and Data Privacy requirements in some form or another; these requirements will vary from project to project depending on the functional requirements of the service and the information that is stored and processed. Some upgrade projects will have few if any security requirements above those of the original service, whereas new services may have a large number of requirements. The projects are differentiated as below:

...

A list of types of personal and special category information can be found in Appendix A.

Pre-Project

Data protection by design and default requirements are to be embedded into the design from inception; this includes the Information Security and Information Governance Teams and/or the Data Protection Officer understanding, at the outset of any project, any potential high-risk areas that may impact either the information security profile of PKB or the personal information of our customers, employees or partners.

...

  • How the personal information to be used has been obtained.

  • Where personal information is to be used.

  • Whether the purpose for which the personal information was initially collected is compatible with the project’s purpose.

  • Where one set of personal information is cross-referenced or aggregated to provide new information.

  • Where re-use is initially thought to be incompatible with the original purpose for which the personal information was collected.

In any of the above cases, further assessments will need to be carried out before the information can be used.

Project Initiation

During the initiation of a project, it will be clear whether the involvement of the Information Security and Information Governance Teams and/or the Data Protection Officer is required. 

...

When the risk assessment has taken place, the solution (People, Process, or/and Technology) and the project deliverables will be categorised as either High, Medium, or Low potential risk to PKB. This rating will determine the Information Security and Data Privacy controls that will be required to ensure any potential risk or impact falls inside PKB’s risk appetite and in the case of personal information, is commensurate with the rights and freedoms of data subjects and the GDPR regulation as a whole.

The data protection by design and default controls will be agreed upon by the stakeholders (Project Manager, Information Security, Information Governance, DPO, etc.) during the initiation phase and will be tracked through delivery and acceptance into business as usual (BAU).

...

Refer to the Supplier Assurance Standard for further details.

Delivery

During the early part of the project delivery (or in some cases the late part of initiation) it may be decided that the project cannot implement a specific control. This can be for a number of reasons:

...

All of these reasons may be appropriate to an individual circumstance. Any decision to accept the risk of not implementing a defined data protection by design and default control shall require acceptance at the appropriate level within PKB, up to the executive level depending on both the likelihood and the impact to the information. It is also possible to introduce other controls that may partially or completely mitigate the risks rather than the most appropriate control. In this case, a gap analysis will take place to assess the alternate controls, and if necessary a risk will be raised for any residual risk remaining after the alternate controls are in place.

Any remaining risks will be placed on the relevant risk register (depending on the type of risk and the area impacted) and either accepted or tracked through the solution's entire lifecycle.

Verification and Testing of Information Security and Data Privacy Controls

Protection Controls

High and Medium impact projects will have their control design and delivery verified and tested; this may include specific User Acceptance Testing (UAT) (for items such as access controls), vulnerability testing (for internal and externally facing projects), and penetration testing (for external or customer-facing projects). This testing is to be organised and completed within the project, and the results released to the Information Security and Information Governance team/DPO for verification and acceptance.

Where the project involves personal information, the project manager will be responsible for ensuring they have liaised with the Information Security and Information Governance team/DPO to ensure all information protection aspects have been considered and the effectiveness of the mitigating measures taken is to the satisfaction of the DPO.

Project Closure

The data protection by design and default process will vary depending on the impact of the project and the potential risks of its implementation from an information security and data privacy perspective.

  • High Impact Projects – The Information Security and Information Governance team and where appropriate the DPO will continue to be a stakeholder in the projects and its transition to BAU. This will involve confirmation by the Information Security and Information Governance team and where appropriate the DPO that any controls are in place and effective.

  • Medium Impact Projects - The Information Security and Information Governance team and where appropriate the DPO will continue to be a stakeholder in the projects and its transition to BAU. This will involve confirmation by the Information Security and Information Governance team and where appropriate the DPO that any controls are in place and effective.

  • Low-Impact Projects – With low-impact projects security should be advised, especially if there has been any change to information security and data privacy controls since delivery.

Change Control Board

When the final go-live is to take place before the project goes to the Change Control Board

...

The Change Control Board will be notified by the Project Manager. If the Project Manager or any member of the CCB believes the assessed impact of the project is flawed, they are to discuss it with the Data Protection Officer, depending on the focus of the impact.

Transition into Business as Usual

Some but not all projects will need to go through a transition into BAU, in particular, but not restricted to projects delivering services with new functionality. Within the specific case of Information Security and Data Privacy, a number of key areas need to be transitioned to the relevant parties:

  • Any personal information will need to have a nominated Information Asset Owner responsible for the ongoing due diligence required through the entire lifecycle of the information, for example, the assurance of information retention policies.

  • Any specific security controls such as access control mechanisms, encryption, and other security controls will need to be transitioned to the relevant parties for ongoing management.

  • Any residual risk will need to be transferred to the relevant BAU department to ensure ongoing monitoring and continual acceptance and/or mitigation.

ISO 27001 Certification

PKB is ISO27001 compliant and the certificate is held by Google because all data is hosted within Google Cloud Platform (GCP) data centers (with the scope of certification including the physical security of the data centres). Further details can be found here.

Business as Usual

After go-live, the ongoing security maintenance is the responsibility of the BAU teams. After introduction into service, the solution will be auditable from an internal perspective and systems will be brought into the regular audit schedule of the Compliance Team; high-impact projects will be audited on an annual basis.

...

New services that are deemed as high-impact will be scheduled for an internal audit within 12 months of go-live, medium and low-impact services will be moved into the ongoing internal audit schedule.

Innovation Governance

Information security governance and the implementation of security and data privacy controls in a period of innovation may sometimes seem problematic. However, it is key to understand the specific risks and impact that any new service will have on both PKB and our customers, and the disruption that implementing these controls at inception may bring to the development process.

Supporting the Business

It is important to understand that PKB will only succeed by developing unique services to sell to its customers. Security and data privacy requirements can curtail that development in the initial stages, hence when designing an innovative service it is more efficient to focus on the functionality and outcomes required. Therefore it is normal to start initial development without the additional burden of security and data privacy controls while developing functionality.

This is an accepted risk of doing business and, at the beginning, an appropriate response; however, as the service gets closer to a deliverable state it is important to begin integrating control mechanisms to ensure the service can maintain the Confidentiality, Integrity, and Availability of the information it contains. To enable this, the Information Security and Information Governance Teams run a system called Elastic Governance.

Elastic Governance

Elastic Governance allows for innovation to be trialed and refined early in the process without being encumbered with a large number of security controls at the outset. It divides innovation into three sections:

...

The middle stage can include multiple stages of development. The key principle is that with each stage the functionality comes closer to release, and more data protection by design and default requirements and their related controls are integrated with the solution.

Use of Live Data for Development and Testing Purposes

The use of operational live information containing personal information or any other PKB confidential information for testing purposes is not permitted.

In cases where using live information containing personal information, special categories of personal information, or any other business confidential information for testing purposes cannot be avoided, the policy exception process must be followed.

Secure Development Practices

PKB shall ensure secure development practices are followed at all times in line with industry-recognised security standards. All developed code/applications shall undergo security tests such as static code reviews, vulnerability tests, and/or penetration tests to verify the security posture of the developed application/code.

Refer to the Supplier Assurance Standard for further details.

Document Management & Control

PKB systems and information remain the property of PKB at all times and PKB reserves the right to monitor compliance to policies in line with all applicable laws, with due regard and respect for the fair treatment of all employees, and to protect its network from systems and events that threaten or degrade operations.

PKB reserves the right to copy and examine any PKB-owned files or information resident on systems or devices. If the device or its use is in contradiction to PKB Policy or allegedly related to unacceptable use, those responsible may be subject to disciplinary action up to and including dismissal, and where applicable may be referred to the police for prosecution.

Appendix A

Examples of Personal Data and Special Category Data items are listed below.

Personal Information

  • Name

  • Personal Address

  • Personal Telephone Number

  • Personal Email Address

  • Date of Birth

  • National Insurance Number

  • Nationality

  • Passport Details

  • Driving Licence Details

  • Personal IP Address

  • Signature

  • Job Title

  • Personal Financial Information

  • Personal Vehicle Registration

  • Employment History

  • Personal Salary & Benefits Details

  • Criminal Records

  • Business Email Address

  • Business Address

  • Business Telephone Number

  • Skype ID

Special Category Information (sensitive personal data)

  • Health Data

  • Biometric Data

  • Genetic Data

  • Race

  • Ethnic Origin

  • Political Opinions

  • Religion

  • Philosophical Beliefs

  • Trade Union Membership

  • Data concerning a Natural Person’s sex life

  • Sexual Orientation