PCA Staff guide: Information Security Code of Practice (ISCoP)

Transcription

1 PCA Staff guide: Information Security Code of Practice (ISCoP) PCA Information Risk and Privacy Version December 2014 PCA Information Risk and Privacy Page 1

2 Introduction Prudential Corporation Asia ( PCA ) allows you to access information necessary for you to do your job. Applicability / Scope This Code applies to all Staff of all entities within PCA. This includes both Life and Eastspring businesses, Regional Head Office and other companies within the scope of management of PCA. Risk Statement This Code addresses a number of Information Risk requirements aimed at: safeguarding the information that we use in all aspects of our business operations. This includes paper, computer files, s, telephone conversations, faxes, instant messages and any other forms in which information is stored, transmitted or processed; defending PCA from potential liabilities from unauthorised activity, e.g., theft of policyholder information, downloading of copyright or illegal material, implied contracts in ; protecting staff by preventing others from accessing and misusing their userids and information, blocking defamatory or indecent material. Our jobs and the continuing success of PCA are dependent on information and it is up to each of us to protect it. Definitions The term PCA owned equipment refers specifically to equipment supplied by PCA to you for use to conduct of your work. The term PCA authorised equipment covers any use of personally owned devices (Bring Your Own Device) as well PCA owned equipment. The term Staff includes employees, contractors, or temporary staff directly employed by PCA, but excludes agents. Compliance In using equipment and accessing any PCA information you must follow the conditions set out in this Code. you are required to read and acknowledge the contents of this Code upon joining PCA, or signing any form of contract to work for PCA, and to reconfirm that acknowledgement on an annual basis. Please speak to your local Information Risk team for advice on any aspects of this Code. The Code of Practice 1. Permitted Use 2. Monitoring PCA authorised equipment and resources are provided (or use is allowed) for business purposes. All PCA information processed or stored on PCA authorised equipment is viewed as a PCA asset. PCA reserves the right to monitor all business related data and activity on PCA authorised equipment and assets. You should have no expectation of privacy in your use of these. You are held accountable for your actions and PCA reserves the right to cooperate as necessary with legal authorities and/or injured third parties in the investigation of any suspected crime or inappropriate act. PCA reserves the right to delete, block and report on any material or activity which PCA defines as inappropriate. PCA Information Risk and Privacy Page 2

3 3. Inappropriate Actions [Note: this is not an exclusive list and PCA reserves the right to add to this list at any time and communicate changes to you as necessary] 4. Backup and Archive 5. Securing Information Limited personal use of PCA owned equipment is permitted, as long as it does not interfere with the performance of your duties and the privilege is not abused. However, the following are examples of inappropriate behaviour and may lead to disciplinary and/or termination action if/when identified: Conduct of any illegal activities; Accessing, downloading or storing pornographic material; Creating, accessing, downloading or forwarding any material which is abusive, unethical, discriminatory or offensive; Soliciting for personal gain; Conducting a personal business; Making indecent remarks, proposals or any comment which may defame or embarrass staff, PCA or any third party; Wasting PCA s time and resources by playing games or engaging in similar activities. All s and other information or documents are backed up and archived to allow PCA to meet governance, legislative and regulatory requirements. Any personal items included within these processes cannot be guaranteed to be treated as private. You must ensure that all PCA authorised equipment and property provided to you remains secure. You must lock unattended PCs or devices, e.g., by password, key, biometric, etc. You must ensure that Passwords and /or tokens are not available for people to find You should collect Printed material/faxes as soon as possible You should store papers and documents in folders or binders. The following types of information, regardless of the media involved (, e.g., paper, CD, DVD, USB devices), must be stored in locked offices, cabinets or desk drawers when not in use: Sensitive Restricted Customer/employee personal data Blank Prudential s or PCA s stationery (e.g. letterheads) with potential value to fraudsters You must keep keys to cabinets, offices or desk drawers properly secured (e.g. locked in key cabinets or when carrying keys do not make it obvious what the keys are for). If you are working remotely (e.g., hotels, home, etc.) then PCA authorised equipment, and information (in any form) should be kept secure and care should be taken when disposing of any information - if necessary return it to the office for secure disposal. You must inform your manager immediately of any lost or stolen equipment or information. You should only connect PCA authorised devices to PCA owned devices. You should only use PCA authorised equipment to process PCA information. PCA Information Risk and Privacy Page 3

4 6. Use of electronic communication and Internet You are personally responsible for any or instant messaging which you send. Consider the sensitivity and content of any messages you send and take appropriate measures to ensure that messages are sent securely and that the content will have no adverse impact on PCA. Contractual obligations may arise from commitments made orally, via or via formal paper based documents. Therefore, you should not enter into, or commit PCA to, any contractual arrangement in whatever form, unless authorised to do so. Be careful to ensure that any communication relating to a contract negotiation, does not involve a commitment between PCA and a third party, until all internal approvals have been obtained and negotiations are finalized. You are responsible for appropriate circulation and classification of information. You should not use externally provided electronic communication services (e.g. gmail, Whatsapp, etc.) for business communications; unless this is authorised with business justification. When you are using the Internet, do not download or execute any programs or software unless approved by IT. You must not put PCA information on external websites, unless authorised to do so. You should use common sense when using electronic communications and consider carefully the impact your communications might have. Do not use broadcast facilities or large mailing lists for documents, unless authorised to do so. When you are sending sensitive information via or any other means, care should be taken to verify the appropriateness of the recipients and whether the addresses and addressees are correct. Access to your company is normally restricted to you as owner of the address. However, if others are going to need access to your mail because you are going on holiday or unavailable, then use the delegated authority function within an system. Ask your local Information Risk Manager (IRM) or IT Help Desk for details of the process. 7. Remote Working 8. Copyright & Intellectual Property Rights 9. Access General You are fully liable to PCA for any loss that PCA sustains as a result of any unauthorised acts performed by both you or your delegates in communications from PCA addresses. Ensure that you take backups of information from your laptop and transfer any material to the PCA network as soon as possible to avoid losing data. You should be careful when using wireless devices and check that you access only public or PCA provided services. Any material, systems or software developed or created by you during the course of your employment with PCA, is the property of PCA. All intellectual property rights (IPR) and copyright remain with PCA and material, systems or software must not be used, copied or distributed outside PCA, unless you are authorised to do so. On cessation of employment, all material, systems and software must be returned to your manager. You must only use licensed material (e.g. software, images) in line with the copyright conditions attached to them. You should not install software on PCA owned devices to avoid PCA breaching any license agreements or exposing PCA owned equipment and information to possible damage. Your access to systems, buildings and information should be authorised by line management and/or the information owner. PCA Information Risk and Privacy Page 4

5 You should never attempt to exceed the authority levels granted to you. 10. Access Passwords and Security Tokens 11. Phone, Fax, Printer and Copier Security You must notify your manager if you no longer require access to a system, building or information. Your userid and password are unique to you and activities conducted using them will be attributed to you and become your responsibility. You should manage Passwords. In particular: Change default or issued passwords to something known only by you; Do not share your password unless authorised and approved; Try to remember passwords (or PINS) on PDAs, mobile phones, VOIP, voic , security tokens and other equipment; Do not write your password or PIN down in a way that is easy to find. Store them carefully so that they remain secret to you; Change passwords regularly, when systems force you to, and at least every 90 days, where possible; Change it immediately if you think an unauthorised person knows it; and Do not repeat passwords. You should choose strong passwords following the guidelines below: a. Passwords must be 8 character or more and complex b. Complex passwords must consist of: i. at least 1 numeric character ; and ii. alphabetic characters which should include both upper and lowercase characters. You must take care of any security token provided to you (e.g. smartcard, building pass, SecureID). When answering the phone, and before giving out any information, you should identify the caller and make sure that they are authorised to receive the information they are requesting. You should take care when talking on the phone, especially when on a mobile in public places, as you never know who might be listening in. When you are sending or receiving sensitive faxes always ensure that you are there to receive them and that you provide confirmation of receipt. Make sure that the recipient is expecting a fax and provides confirmation of receipt. Agreement All PCA staff are required to complete and sign the agreement below, and then return it as directed locally (unless an automated system is used to issue and record agreement). Your agreement will be retained either as a paper-based document or as an electronic acknowledgement. PCA Information Risk and Privacy Page 5