Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Page Properties
hiddentrue

Task details

Review cycle

  •   Sarah Roberts Review text and compare to GDrive/Internal wiki

Annually

Iframe
srchttps://drive.google.com/file/d/13rXT1xV65kpJcFrKexRfb4gP0hJXH7KO/preview
width50%
alignmiddle
height400

View file
nameInformation Security & Data Privacy by Design Policy - 2024.pdf

Purpose

The purpose of the Information Security and Data Privacy by Design Policy data protection by design and default approach is to establish the key principles and requirements that will enable PKB to embed Information Security and Data Privacy into new services, systems, and/or software for all internal PKB services (including those that are customer facing) and customer-facing shared services.

...

For the avoidance of doubt within this document, a “service” describes any software, application, system, service, or product that is built and/or purchased to support PKB business or customer needs. It excludes any systems that are built or managed to the requirements of a single customer (as this will normally be defined through contract schedules).

Scope

The Information Security and Data Privacy by Design Policy data protection by design and default approach applies to all those who have access to PKB systems and information, regardless of location or the types of information or systems that they have access to; this includes both permanent and temporary employees, contractors, suppliers and agents working on behalf of PKB.

This policy approach particularly applies to staff responsible for the design and development of services that are used to store or process information belonging to PKB, our customers or any third parties; whether the service retains or stores any information or temporarily stores information with the purpose of carrying out the transformation of information on another system.

...

Line managers are responsible for the day-to-day management of staff and advise on the implementation of Information Security and Data Privacy policies and procedures within their business areas and for ensuring compliance by their staff.

Policy

Information Security and Data Privacy Data protection by design and default is to be considered at the conception stage of each service and any non-functional requirements connected with information security or data privacy are to be made in the early stages of any information system design. 

...

It is the policy that all Information Asset Owners within PKB ensure these principles are adopted with any project that is likely to have a direct or indirect impact on any information they own.

Information Security and Data Privacy Data protection by design and default will be embedded into the design from conception and will remain until the service is decommissioned.

  • Information Security and Data Privacy protection by Design design and default will be the default approach for all projects.

  • Information Security and Data Privacy Data protection by design and default controls will be appropriate to the level of risk.

  • Information Security and Data Privacy Data protection by design and default controls will be proactive and not reactive, where possible Information Security and Data Privacy data protection by design and default controls will not be “traded off” for functionality or convenience without the commensurate risk being accepted at the appropriate management level.

  • Information will be adequately protected through its entire lifecycle.

  • The processing of any personal information should be transparent as to how it is being processed but access-restricted only to those who have a “need to know”.

  • The processing of personal, sensitive, or confidential information will be the minimum required to achieve the purpose.

...

These principles are to be followed when developing or delivering a service, either internally for PKB or when developing or delivering a service for our customers. 

Project Governance

Introduction

Staff that both lead and implement projects within PKB are responsible for the ongoing information security and privacy of their service and the ongoing confidentiality of information processed by the delivered service.

...

Project Managers are responsible for guiding projects to a successful conclusion either as part of a new initiative or to upgrade/replace a current system or service. This includes the integration of information security and data privacy controls that are required to deliver a secure system that processes information in a controlled and lawful manner.

Information Security and Data Privacy Requirements

It is inevitable that nearly all projects will have Information Security and Data Privacy requirements in some form or another, these requirements will vary from project to project depending on the functional requirements of the service and the information that is stored and processed. Some upgrade projects will have few if any security requirements above those of the original service, and compared to new services which may have a large number of requirements, the projects are differentiated as below:

...

A list of types of personal and special category information can be found in Appendix A.

Pre-Project

Information Security and Data Privacy Data protection by design and default requirements are to be embedded into the design from inception, this includes the Information Security and Information Governance Teams and/or the Data Protection Officer understanding any potential high-risk areas at the outset of any project that may either impact the information security profile of PKB or the personal information of our customers, employees or partners.

...

  • How the personal information to be used has been obtained.

  • Where personal information is to be used.

  • Whether the purpose for which the personal information was initially collected is compatible with the project’s purpose.

  • Where one set of personal information is cross-referenced or aggregated to provide new information.

  • Where re-use is initially thought to be incompatible with the original purpose for which the personal information was collected.

  • In any of the above cases, further assessments will need to be carried out before the information can be used.

Project Initiation

During the initiation of a project, it will be clear whether the involvement of the Information Security and Information Governance Teams and/or the Data Protection Officer is required. 

...

When the risk assessment has taken place, the solution (People, Process, or/and Technology) and the project deliverables will be categorised as either High, Medium, or Low potential risk to PKB. This rating will determine the Information Security and Data Privacy controls that will be required to ensure any potential risk or impact falls inside PKB’s risk appetite and in the case of personal information, is commensurate with the rights and freedoms of data subjects and the GDPR regulation as a whole.

The Information Security and Data Privacy data protection by design and default controls will be agreed upon by the stakeholders (Project Manager, Information Security, Information Governance, DPO, etc.) during the initiation phase and will be tracked through delivery and acceptance into business as usual (BAU). 

...

Refer to the Supplier Assurance Standard for further details.

Delivery

During the early part of the project delivery (or even in some cases the late part of initiation) it may be decided that the project cannot implement a specific control, this can be for a number of reasons:

...

All of these reasons may be appropriate to an individual circumstance, any decision to accept the risk of not implementing a defined Information Security and Data Privacy data protection by design and default control shall require acceptance at the appropriate level within PKB, up to the executive level depending on both the likelihood and the impact to the information.  It is also possible to introduce other controls that may partially or completely mitigate the risks rather than the most appropriate control. In this case, a gap analysis will take place to assess the alternate controls, and if necessary a risk raised on any residual risk remaining after the alternate controls are in place.

Any remaining risks will be placed on the relevant risk register (depending on the type of risk and the area impacted) and either accepted or tracked through the solution's entire lifecycle.

Verification and Testing of Information Security and Data Privacy Controls

Protection Controls

High and Medium impact projects will have their control design and delivery verified and tested, this may include specific User Acceptance Testing (UAT) (for items such as access controls) vulnerability testing (for internal and externally facing projects), and penetration testing (for external or customer-facing projects). This testing is to be organised and completed within the project, and the results released to the Information Security and Information Governance team/DPO for verification and acceptance.

Where the project involves personal information, the project manager will be responsible for ensuring they have liaised with the Information Security and Information Governance team/DPO to ensure all information protection aspects have been considered and the effectiveness of the mitigating measures taken is to the satisfaction of the DPO.

Project Closure

The Information Security and Data Privacy Data protection by design and default process will vary depending on the impact of the project and the potential risks with its implementation from an Information security and data privacy perspective.

  • High Impact Projects – The Information Security and Information Governance team and where appropriate the DPO will continue to be a stakeholder in the projects and its transition to BAU. This will involve confirmation by the Information Security and Information Governance team and where appropriate the DPO that any controls are in place and effective.

  • Medium Impact Projects - The Information Security and Information Governance team and where appropriate the DPO will continue to be a stakeholder in the projects and its transition to BAU. This will involve confirmation by the Information Security and Information Governance team and where appropriate the DPO that any controls are in place and effective.

  • Low-Impact Projects – With low-impact projects security should be advised, especially if there has been any change to information security and data privacy controls since delivery.

Change Control Board

When the final go-live is to take place before the project goes to the Change Control Board

...

The Change Control Board will be notified by the Project Manager, if the project manager or any member of the CCB believes the impact of the project is flawed then they are to discuss it with the Data Protection Officer depending on the focus of the impact.

Transition into Business as Usual

Some but not all projects will need to go through a transition into BAU, in particular, but not restricted to projects delivering services with new functionality. Within the specific case of Information Security and Data Privacy, a number of key areas need to be transitioned to the relevant parties:

  • Any personal information will need to have a nominated Information Asset Owner responsible for the ongoing due diligence required through the entire lifecycle of the information, for example, the assurance of information retention policies.

  • Any specific security controls such as access control mechanisms, encryption, and other security controls will need to be transitioned to the relevant parties for ongoing management.

  • Any residual risk will need to be transferred to the relevant BAU department to ensure ongoing monitoring and continual acceptance and/or mitigation.

ISO 27001 Certification

PKB is ISO27001 compliant and the certificate is held by Google because all data is hosted within Google Cloud Platform (GCP) data centers (with the scope of certification including the physical security of the data centres). Further details can be found here.

Business as Usual

After go-live, the ongoing security maintenance is the responsibility of the BAU teams. After introduction into service, the solution will be auditable from an internal perspective and systems will be brought into the regular audit schedule of the Compliance Team, and for high-impact projects which will be audited on an annual basis. 

...

New services that are deemed as high-impact will be scheduled for an internal audit within 12 months of go-live, medium and low-impact services will be moved into the ongoing internal audit schedule.

Innovation Governance

Information security governance and the implementation of security and data privacy controls in a period of innovation may sometimes seem problematic. However it is key to understand the specific risks and impact that any new service will have both on PKB and our customers, and the disruption that implementing these controls at inception may bring to the development process.

Supporting the Business

It is important to understand that PKB will only succeed by developing unique services to sell to its customers, security and data privacy requirements can curtail that development in the initial stages, hence when designing an innovative service it is more efficient to focus on the functionality and outcomes required. Therefore it is normal to start initial development without the additional burden of security and data privacy controls while developing functionality.

This is an accepted risk of doing business and at the beginning an appropriate response, however as the service gets closer to a deliverable state it is important to begin integrating control mechanisms to ensure the service can maintain the Confidentiality, Integrity, and Availability of the information it contains. To enable the Information Security and Information Governance Teams to run a system called Elastic Governance.

Elastic Governance

Elastic Governance allows for innovation to be trialed and refined early in the process without being encumbered with a large number of security controls at the outset. It divides innovation into three sections:

...

The middle stage can include multiple stages of development. The key principle is that for each stage the functionality becomes closer to release, and the more Information Security and Data Privacy more data protection by design and default requirements and the related controls are integrated with the solution.

Use of Live Data for Development and Testing Purposes

The use of operational live information containing personal information or any other PKB confidential information for testing purposes is not permitted.

In cases where using live information containing personal information, special categories of personal information, or any other business confidential information for testing purposes cannot be avoided, the policy exception process must be followed.

Secure Development Practices

PKB shall ensure secure development practices are followed at all times in line with industry-recognised security standards, all developed code/applications shall undergo security tests such as static code reviews, vulnerability tests, and/or penetration tests to verify the security posture of the developed application/code.

Refer to the Supplier Assurance Standard for further details.

Document Management & Control

PKB systems and information remain the property of PKB at all times and PKB reserves the right to monitor compliance to policies in line with all applicable laws, with due regard and respect for the fair treatment of all employees, and to protect its network from systems and events that threaten or degrade operations.

PKB reserves the right to copy and examine any PKB-owned files or information resident on systems or devices. If the device or its use is in contradiction to PKB Policy or allegedly related to unacceptable use, those responsible may be subject to disciplinary action up to and including dismissal, and where applicable may be referred to the police for prosecution.

...

Examples of Personal Data and Special Category Data items are shown in the table below.

Personal Information

Special Category Information 

(sensitive personal data)

Name

Health Data

Personal Address

Biometric Data

Personal Telephone Number

Genetic Data

Personal Email Address

Race

Date of Birth

Ethnic Origin

National Insurance Number

Political Opinions

Nationality

Religion

Passport Details

Philosophical Beliefs

Driving Licence Details

Trade Union Membership

Personal IP Address

Data concerning a Natural Person’s sex life

Signature

Sexual Orientation

Job Title

Personal Financial Information

Personal Vehicle Registration

Employment History

Personal Salary & Benefits Details

Criminal Records

Business Email Address

Business Address

Business Telephone Number

Skype ID