
iQuda Policy for Information Security on Laptops and Portable Media

Policy details

Version 2

Date of this version: 05/10/2016

Reference: Q202

1. Introduction

iQuda Ltd’s information security policy is intended to be pragmatic and workable: it aims to provide an optimum level of security while remaining compatible with our day-to-day activities and workload.

The security of information on laptops and portable media is treated as a high-risk area, because such devices leave the office and can be lost or stolen. This policy sets out the controls that apply in this area.

2. Purpose

iQuda Ltd is concerned with ensuring that all sensitive information and confidential data is used in a secure manner. Portable electronic storage devices are widely used, and iQuda Ltd needs to ensure that their use does not compromise data security.

3. Scope

All staff working for or on behalf of iQuda Ltd who have access to our information or that of our clients, and specifically those users who have access to any Personally Identifiable Data (PID), must read and comply with this policy.

4. Definitions

Portable device means any of:

  • Laptop computer, notebook computer, netbook etc., typically running Windows, macOS, Unix or Linux
  • PDA (Personal digital assistant)
  • Tablet
  • Phone, smartphone, MP3 player or any other device with data storage or data access capacity

Portable medium means any of:

  • CD or DVD
  • External hard disc
  • USB memory stick
  • Storage card

Personal information is defined as

1. Any information relating to a living individual (employee, client or other) who can be identified either from the data or from that information used in conjunction with other information that may be available. Please see the Data Protection Act (1998) for more detailed information.

2. Any information relating to a client or their organisation, where that client or their organisation can be identified either from the data or from that information used in conjunction with other information that may be available.

Confidential information is privileged or proprietary information that could cause harm, including reputational damage, to iQuda Ltd, our clients or to individuals.

5. Policy

Portable devices

All iQuda Ltd laptops, whether used inside or outside the office, are encrypted (full-disk encryption) to at least AES-256. Staff must never use an unencrypted laptop outside the office for work involving personal or confidential information. All laptops and portable media must be kept secure at all times by the employee responsible for them. Any device that holds PID must have remote wiping implemented.

Personal mobile phones must not be used for work purposes, except for access to email via Gmail. If you choose to access workplace email on your personal mobile phone, this must be approved by Anthony Jones via a QRF iQuda Change Request Form. If a personal mobile phone is lost, this must be reported to Anthony Jones.

Cryptographic Keys

All cryptographic keys resulting from the encryption of portable devices must be protected throughout their lifetime. A key may be used only for the lifetime of the machine it protects; when the machine is retired, the key (including any recovery copy) must be destroyed. This applies to the entire lifecycle of each encrypted device.

Portable devices Register

All devices are to be signed for in the portable devices register held by the Service Desk Manager. Please speak to the Service Desk Manager if you require a portable device.

Transportation

iQuda Ltd policies apply to all iQuda-owned devices and media, including devices and media in transit. Devices and media containing information must be protected against unauthorised access, misuse or corruption during transportation. The staff member transporting a device or medium has ultimate responsibility for its adequate protection, as detailed in the staff handbook, and is expected to apply due diligence throughout. All portable devices must be signed for in the portable devices register. Personal devices must not be used to transport data.

Portable media

iQuda Ltd will issue encrypted portable USB storage devices to authorised staff. iQuda-owned PCs and portable devices will only allow iQuda Ltd data, or that of our clients, to be copied to an iQuda Ltd encrypted USB device. This policy has been established to protect the data held by iQuda Ltd in its secure data files.

  • Authorised staff are entitled to use USB devices to transport data. Encrypted USB memory sticks and external hard drives that meet the minimum security standard are issued to authorised users. The minimum security standard is 256-bit Advanced Encryption Standard (AES-256). If a device contains any PID, it will have remote wiping implemented.
  • A record will be kept of the USB sticks, external hard drives and passwords issued, so that they can be traced and the information retrieved if a device is lost or the user forgets the password. Because this record holds the credentials needed to unlock the devices, it must itself be stored securely, with access restricted in line with the iQuda access control policy (Q207).
  • No staff will be authorised to use their own pre-encrypted USB sticks or external hard drives.
  • Staff must not bring their own USB sticks into iQuda.
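As an added illustration of how the two controls above (laptop encryption to at least AES-256, and copying only to iQuda-encrypted USB devices) can be verified on a single machine, the following PowerShell script is an example written for this page; it is not part of the iQuda policy or of any iQuda tooling. It assumes a Windows laptop using BitLocker, and that the removable-drive restriction is enforced through the BitLocker Group Policy settings "Deny write access to removable drives not protected by BitLocker" and "Deny write access to devices configured in another organization". The registry value names it reads (RDVDenyWriteAccess, RDVDenyCrossOrg, IdentificationField and IdentificationFieldString under HKLM\SOFTWARE\Policies\Microsoft\FVE) are the standard BitLocker policy locations as assumed here and should be confirmed against the organisation's own Group Policy. Run it in an elevated PowerShell session.

```powershell
# Added example: audit one Windows laptop against the AES-256 and
# encrypted-USB-only requirements. Not iQuda tooling; assumes BitLocker.
# Registry value names are the standard BitLocker GPO locations (assumed;
# confirm against your own Group Policy objects).

$acceptableMethods = @('Aes256', 'XtsAes256')   # 256-bit AES, CBC or XTS mode
$failures = @()

# --- 1. Fixed volumes: fully encrypted, protection on, 256-bit method ---
# A plugged-in USB stick also appears in Get-BitLockerVolume, so restrict
# this part of the audit to fixed drives.
$fixedLetters = @(Get-Volume |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
    ForEach-Object { [string]$_.DriveLetter })

foreach ($vol in Get-BitLockerVolume) {
    $letter = $vol.MountPoint.Substring(0, 1)
    if ($letter -notin $fixedLetters) { continue }

    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $failures += "$($vol.MountPoint) volume status is $($vol.VolumeStatus), not FullyEncrypted"
    }
    elseif ($vol.ProtectionStatus -ne 'On') {
        # Encrypted but suspended: the volume key is stored in the clear on disk,
        # so the data is not actually protected if the laptop is lost.
        $failures += "$($vol.MountPoint) is encrypted but protection is $($vol.ProtectionStatus)"
    }
    elseif ([string]$vol.EncryptionMethod -notin $acceptableMethods) {
        $failures += "$($vol.MountPoint) uses $($vol.EncryptionMethod); policy requires AES-256"
    }
}

# --- 2. Removable media: writes allowed only to BitLocker-protected drives
#        that carry this organisation's identification field ---
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$gpo = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue

if (-not $gpo -or $gpo.RDVDenyWriteAccess -ne 1) {
    $failures += 'Write access to removable drives not protected by BitLocker is not denied (RDVDenyWriteAccess)'
}
if (-not $gpo -or $gpo.RDVDenyCrossOrg -ne 1 -or
    $gpo.IdentificationField -ne 1 -or -not $gpo.IdentificationFieldString) {
    $failures += 'Writes to drives from other organisations are not denied, or no organisation identification field is set (RDVDenyCrossOrg / IdentificationField)'
}

# --- Result: non-zero exit so the check can be used from a scheduled task ---
if ($failures.Count -eq 0) {
    Write-Output 'PASS: fixed volumes are AES-256 BitLocker protected and removable writes are restricted to organisation-encrypted drives'
    exit 0
}
$failures | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

The ProtectionStatus branch is the case worth watching: a laptop that was encrypted at build but later had BitLocker suspended (for example, for a firmware update) still reports itself as encrypted while offering no protection. The script covers Windows only; macOS (FileVault) and Linux (LUKS) laptops in scope of this policy need their own equivalent checks.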

Sending data in an email attachment

Staff must ensure that they comply with iQuda Ltd data protection policies when sending information in an email attachment.

Destruction of data

Devices containing information and data must be wiped to at least HMG IS5 (Infosec Standard 5) after use. Retired computers and devices are overwritten with 7 passes before being physically destroyed. At end of life, all electronic files must be wiped on site with multi-pass patterns to HMG IS5 prior to disposal, and the media degaussed or physically destroyed (degaussing is effective only for magnetic media; solid-state and flash storage must be physically destroyed).

6. Responsibilities

All staff with access to iQuda Ltd information are responsible for adhering to this policy. If a USB stick or external hard drive is issued, and lost, please inform Anthony Jones or Vincent de Beer immediately.

7. Information handling and transmission principles

The following principles underpin this policy:

  • Confidential client information containing PID must never be printed under any circumstances. Other confidential staff or client information and data must only be printed, communicated verbally or copied electronically when necessary for the following reasons:
    • Communications with clients, management and other pre-authorised persons;
    • Communications with other professionals where consent has been given;
    • Data backups (these will comply with iQuda encryption and remote wiping policies);
    • Work schedules to facilitate effective working practices.
  • Where data is copied to electronic media or printed, it will be stored securely and securely destroyed when no longer required.
  • Staff working remotely must access data through the iQuda Ltd Remote Access Terminal Server, a secure connection that requires two-factor authentication and Active Directory authentication.
  • Staff who do not have access to the iQuda Ltd Remote Access Terminal Server and need to access company or client data away from the office must follow the process and contact their direct manager to request the required access.

Please also refer to the following policies:

Reference   Policy name
Q210        iQuda acceptable use of assets policy
Q209        iQuda Firewall Security Infrastructure Policy
Q208        iQuda Internet and email acceptable use policy
Q215        iQuda Supplier Security Policy
Q207        iQuda access control policy
Q206        iQuda Remote access policy and procedure
Q205        iQuda Wifi Terms and conditions of use
Q204        iQuda IT password policy
Q203        iQuda IG overarching policy
Q213        iQuda Information risk management policy
Q214        iQuda incident management procedure
Q200        iQuda Staff confidentiality code of conduct
