OUR SECURITY POLICY

Last updated: October 03, 2022

This policy strives to ensure compliance with applicable legislation, industry best practice and other mandated security frameworks. Its purpose is to protect data, information and equipment that may be accessible to parties using equipment and networks belonging to GoGetIt. The aim of this policy is therefore to prevent unauthorized access to both physical and electronic information. In summary, the policy strives to protect:

  • Hardcopy (paper) records of a confidential and/or sensitive nature.

  • IT equipment used to access electronic data; and

  • IT equipment used to access GoGetIt’s network.

The mechanisms to ensure such protection may be as simple as a lock on a filing cabinet or as complex as the security systems in place to protect GoGetIt’s IT data centers. The protection required needs to be appropriate to the level of information held and the consequential risks of unauthorized access. Each Department is responsible for assessing the level of protection required for its areas, locations and the information it holds.

Policy Statement

The purpose of this policy is to:

  • Make each Department responsible for assessing the level of protection required for its areas, locations and the information it holds.

  • Establish standards regarding the physical and environmental security of GoGetIt’s information.

  • Make all GoGetIt employees, contractors and users with access to GoGetIt’s equipment and information (electronic and paper records) responsible for ensuring the safety and security of that equipment and information.

Scope of the Policy

  • This policy applies to all users of facilities and equipment owned, leased and/or hired by GoGetIt.

  • The policy defines what paper and electronic information belonging to GoGetIt should be protected and provides guidance on the way such protection can be achieved.

  • This policy also describes employees’ roles and the contribution they are expected to make to the safe and secure use of GoGetIt’s information.

Secure Areas

Critical or sensitive information must be stored in secure areas protected by appropriate security controls.
A risk assessment should identify the appropriate level of protection to be implemented to secure the information being stored. Examples of secure areas for protection are:

  • A room with sensitive paper-based information; and

  • A machine room containing IT file servers.

Physical security must begin with the building itself; therefore, an assessment of the perimeter and its vulnerabilities must be conducted.

The building must have appropriate control and security mechanisms in place for the nature of the information and equipment stored within. These could include:

  • Alarms fitted and activated outside working hours.

  • Window and door locks.

  • Window bars on lower levels.

  • Access control mechanisms fitted to all accessible doors (where codes are utilized, they should be regularly changed and known only to those people authorized to access the area / building).

  • CCTV cameras.

  • Staffed reception area; and

  • Protection against damage, e.g., fire, flood, vandalism.

As an example, access to secure areas such as the data center and IT equipment rooms must be adequately controlled and physical access to buildings should be restricted to authorized persons.
Staff working in secure areas should be ready to notify Security and Management should they come across any party not known to them and/or not authorized to be in such a secure area.
Each department must ensure that doors and windows are properly closed and/or locked before vacating the building daily.

Paper Based Data Security

Paper-based (or similar non-electronic) information must be assigned an owner and a classification. If it is classified as personal or confidential, information security controls to protect it must be put in place. A risk assessment should identify the appropriate level of protection for the information being stored. Paper in an open office must be protected by the controls for the building described in "Secure Areas" and by other appropriate measures, which could include:

  • Filing cabinets that are locked with the keys stored away from the cabinet.

  • Locked safes.

  • Storage in a Secure Area protected by access controls.

Equipment Security

All general computer equipment must be in suitable physical locations that:

  • Reduce the risk of theft, for example, if necessary, items such as laptops should be physically attached to the desk.

  • Allow workstations handling sensitive data to be positioned so that the data cannot be seen by unauthorized people.

Desktop PCs must not have data stored on the local hard drive; data must be stored on the network file servers, including approved cloud storage. This ensures that information lost, stolen or damaged via unauthorized access can be restored with its integrity maintained.
To mitigate the risk that data might nevertheless be stored on the local desktop/drive, BitLocker must be activated on all media drives.

All servers located outside of the data center must be sited in a physically secure environment. Business critical systems should be protected by an Uninterruptible Power Supply (UPS) to reduce the risk of operating system and data corruption from power failures. The equipment must not be moved or modified by anyone without authorization from Information Services.

All items of equipment must be recorded on an inventory, both a Departmental and the Information Services inventory. Procedures should be in place to ensure inventories are updated as soon as assets are received or disposed of.
All equipment must be security marked and have a unique asset number allocated to it. This asset number should be recorded in the Departmental and the IS / IT inventories.

Cabling Security

Cables that carry data or support key information services must be protected from interception or damage.
Power cables should be separated from network cables to prevent interference. Network cables should be protected by conduit and where possible avoid routes through publicly accessible areas.

Equipment Maintenance

Information Services, all Departmental ICT representatives and third-party suppliers must ensure that all GoGetIt equipment is maintained in accordance with the manufacturer’s instructions and with any documented internal procedures, so that it remains in working order. Staff involved with maintenance must:

  • Retain all copies of manufacturer’s instructions.

  • Identify if equipment is owned and under warranty, maintenance agreement or rental with maintenance agreement.

  • Identify recommended service intervals and specifications.

  • Enable a call-out process in event of failure.

  • Ensure only authorized technicians complete any work on the equipment.

  • Record details of all remedial work carried out.

  • Identify any insurance requirements.

  • Record details of faults incurred, and actions required.

A service history record of equipment should be maintained so that, as equipment ages, decisions can be made regarding the appropriate time for it to be replaced.

Equipment maintenance must be in accordance with the manufacturer’s instructions. This must be documented and available for support staff to use when arranging repairs.

Security of Equipment off Premises

The use of equipment off-site must be formally approved by your line manager. Equipment taken away from GoGetIt’s premises is the responsibility of the user and must:

  • Have details of any faults incurred, and the actions required, recorded.

  • Be logged in and out.

  • Not be left unattended.

  • Be concealed whilst in transit.

  • Not be left open to theft or damage, whether in the office, during transit or at home.

  • Where possible, be disguised (e.g., laptops should be carried in less formal bags).

  • Be encrypted if carrying personal or confidential information.

  • Be password protected.

  • Be adequately insured as per company insurance practice.

Users should ensure, where necessary and required, that insurance cover is extended to cover equipment which is used off site. Users should also ensure that they are aware of and follow the requirements of the insurance policy. Any losses or damage must be reported to the ITI Department and the Insurance Section (if applicable), and losses of or damage to equipment must be recorded in the departmental and ITI inventories. Staff should be aware of their responsibilities in regard to Data Protection.

Secure Disposal or Re-use of Equipment

Equipment that is to be reused or disposed of must have all of its data and software removed/destroyed. If the equipment is to be passed on to another organization (e.g., returned under a leasing agreement), the data removal must be achieved using professional data-removal software tools. Software media must be destroyed to avoid the possibility of inappropriate usage that could break the terms and conditions of the licenses held. All equipment being disposed of must be prepared for release within the mandated criteria of the GoGetIt recycling policies (see Disposal of Redundant Computer Equipment).

Delivery and Receipt of Equipment

To confirm accuracy and condition of deliveries and to prevent subsequent loss or theft of stored equipment, the following must be applied:

  • Equipment deliveries must be signed for by an authorized individual using an auditable formal process. This process should confirm that the delivered items correspond fully to the list on the delivery note.

  • Loading areas and holding facilities should be adequately secured against unauthorized access and all access should be auditable.

  • Subsequent removal of equipment should be via a formal, auditable process.

Policy Compliance

If you are found to have breached this policy, you may be subject to the GoGetIt disciplinary procedure.
If you have broken the law, you may be subject to prosecution.
If you do not understand the implications of this policy or how it may apply to you, seek advice from the ITI Department or contact the HR Department.