Canada Life Cyber Security Statement 2018


Governance
Canada Life has implemented an Information Security framework which supports standards designed to establish a system of internal controls and accountability for the safeguarding of information assets. The supporting standards set out the requirements that have been determined necessary to comply with legal, regulatory or contractual obligations and to manage cyber risk.

Stewardship and Classification
Canada Life holds information obtained from a number of sources. Some information is created by Canada Life or is otherwise acquired and held as proprietary information belonging to the company. Other information is gathered from third parties (e.g. our customers, employees, clients, advisers and business partners) who have entrusted it to Canada Life as its steward. Canada Life will designate information owners for all information assets. Information owners are responsible for meeting the Company's internal control requirements as defined by the Information Security Policy and its supporting standards.

Access Control
Canada Life will strictly limit access to information assets based upon their classification. Access rights are managed and granted by the appropriate information owner. Privileged accounts are being migrated to a dedicated Privileged Account Management (PAM) platform.

Personnel Security
Canada Life conducts regular information security awareness programmes to ensure staff are aware of information security risks, the policy, the supporting standards, safe practices and their individual responsibilities. Canada Life reserves the right to conduct additional security and reference checks on its staff, based upon the classification of the information assets they are required to access or are exposed to through their job duties.

Acceptable Use
All Canada Life staff commit to using information assets for business purposes and in a manner consistent with their information classification, the Information Security Policy, the supporting standards, the company's Code of Business Conduct and Ethics and other applicable business practices and procedures.

Physical and Environmental Security
Canada Life will define, implement and manage appropriate physical security measures in all locations to protect information assets based upon the Information Classification Scheme.

Risk Management Approach
In 2014, cyber security was recognised as a significant emerging risk due to the increase in cyberattacks targeting financial institutions. The Enterprise began a multi-year enhancement of its information security capabilities to ensure appropriate focus was placed on cyber security protection. This led to the establishment of a Cyber Security Programme to provide effective and sustainable capabilities to protect the Company from current and emerging cyber threats and to enable and support business strategies.

The Cyber Security Programme is implementing the governance, policies, staff, processes and technologies required to assess and mitigate cyber risks and attacks, first to remediate current gaps and then to safeguard the Company on a sustainable, ongoing basis.

The first initiative in the programme was the creation of a Cyber Security Architecture and Strategy that protects the business and provides traceability from the services and technologies being implemented back to key business drivers. The process followed to develop the cyber strategy started with understanding the business goals and objectives. Based on that information, the risks to the business were examined and control objectives were established to mitigate those risks. A logical security architecture was then established that described the security services required to satisfy those objectives. Security policies and standards were refreshed to support the control objectives. A services-based roadmap was produced to guide delivery activities.

[Figure: strategy development flow. Labels as they appear in the diagram: Business Modelling, Business Attributes, Business Risk Modelling, Control Objectives, Security Strategies, Control Objectives, Policies & Standards, Security Policies & Standards, List of Services, Logical Security Architecture, Technologies, People, Process, Roadmap, Program Planning & Executive.]

Cyber Security in Canada Life
Canada Life takes the protection of our Information Assets seriously and has, through a multi-year Cyber Security Programme, enhanced its already strong controls.

Perimeter
The European perimeter defences are constantly being enhanced to protect the organisation against cyber threats. Such enhancements include Distributed Denial of Service (DDoS) protection, Intrusion Detection (IDS) and Intrusion Prevention (IPS) systems, and firewalls providing multiple layers of defence. Further enhancements are in flight, including the implementation of Web Application Firewalls (WAF) and secure code reviews for internet-facing systems. To ensure that the risk is monitored, the perimeter is subject to both vulnerability assessments and external application penetration testing.

Email
The email gateways used by Canada Life are being upgraded to address cyber risk and will include state-of-the-art detection and analysis and Targeted Attack Protection.

Browsing
All LAN browsing goes through proxy technology configured to allow or block traffic based on URL classification.

Servers
Servers are being built to international standards for hardening and are monitored for compliance against the chosen standard. Access to these servers is managed via a Privileged Account Management (PAM) solution, and servers run centrally managed antivirus software.

Laptops
All corporate laptops are encrypted and have additional protection including antivirus, Host Intrusion Prevention (HIPS) and data loss prevention technology.

Threat Intelligence
Central Security Services (CSS), the primary operational security group within GWLE IS, receives threat intelligence from a wide variety of sources. The vast majority of actionable intelligence is delivered automatically as part of the rule base updates that form part of the commercial products (e.g. McAfee Anti-Virus) licensed to protect the environment. In addition, a growing number of in-house security professionals leverage a corporate membership of the Information Security Forum (ISF) and the Financial Services Information Sharing and Analysis Center (FS-ISAC) on an ad hoc basis to apprise the organisation of evolving threats. This is further augmented by publicly available threat intelligence services (e.g. https://myonlinesecurity.co.uk/). Representatives from various Information Security disciplines within GWLE IS also visited a peer company in 2016 to share experiences. This information sharing continued into 2017 through participation in the inaugural Irish Computer Society Security Forum, where GWLE IS met with companies from various industries to discuss and share in confidence.

Incident Response
The Critical Incident Response Team (CIRT) procedure is invoked when appropriate by our Service Management team to ensure a co-ordinated response to IT incidents which meet a defined set of criteria indicating a risk of high business impact. These procedures are designed to work with the standard IT Incident Management processes in order to bring critical incidents to resolution in a timely fashion.

DR / BCP
All critical data is backed up according to an agreed retention policy. Data is backed up to disk locally and replicated to the Disaster Recovery site. Restores of the data are tested periodically: samples are tested quarterly, and regular tests are performed through business requests for business-as-usual (BAU) data restores. Detailed BCP plans are in place and are reviewed annually. Business continuity plans are tested and updated regularly to ensure that they remain up to date and effective. There is an annual enterprise-wide test of our DR infrastructure, the general purpose of which is to demonstrate the recovery capability of selected production systems at the recovery site.

Awareness of and Compliance with Laws and Regulation
A register of external requirements is maintained centrally. A review of this register is undertaken annually to determine whether any new requirements need further assessment, or whether any previously assessed requirement requires further review. This annual review prompts us to identify any new or changed legal, regulatory or contractual external requirements that might be relevant to IS. The requirements are gathered through discussions involving various stakeholders such as Legal Officers, Corporate Compliance staff, Risk Officers, Account Managers and IS Process Owners. The Risk & Compliance Analyst assesses any new or changed legal, regulatory or contractual external requirements to determine whether they are applicable to IS and updates the External Requirements register. Subject matter experts are consulted as appropriate to confirm applicability and determine priority. The key findings and recommendations are reported to IS senior management on an annual basis.

Board of Directors Responsibilities
Our Board is provided with regular reporting on cyber and other IT risks and on its roles and responsibilities with respect to the management of these risks. The Board is provided with access to skilled IT Risk professionals to ensure an adequate understanding of cyber and IT risks. The Chief Information Security Officer also presents to the Board periodically.

Management of Third Party Relationships
The IS team within Canada Life has a number of governance functions, with processes and guidelines in place, to mitigate the risk of working with third parties while creating and realising economies of scale and synergies as part of the Great West Life (GWL) group of companies. On initial engagement with a third party, our IS team performs the normal due diligence expected of any commercial relationship; through its Security and Compliance teams it also performs deeper due diligence on potential third party suppliers, examining their offering and capability from a security and compliance perspective. If a potential third party supplier meets our security and compliance standards, our Vendor Management team then engages with the third party to put robust contracts in place that reduce our business and legal risk while fulfilling our business needs, often using our global reach and leverage to join contracts already in place with our Canadian parent (GWL). Ongoing management of a third party service or delivery is conducted under the SLA framework contained in our contracts and managed by our internal contract manager(s) (typically the individual who owns and budgets for the service or product in-house), who in turn is subject to a governance framework and to audit at frequent intervals to ensure compliance.

Financial Fraud
Canada Life has policies and procedures in place to meet all UK legislation in connection with the prevention and detection of financial crime.

Canada Life has made every attempt to ensure the accuracy and reliability of the information provided in this document. However, the information is provided on an "as is" basis without warranty of any kind. Canada Life does not accept any responsibility or liability for the accuracy, content, completeness or reliability of the information contained herein.

Canada Life Limited, registered in England no. 973271. Registered office: Canada Life Place, Potters Bar, Hertfordshire EN6 5BA. Telephone: 0345 6060708 Fax: 01707 646088 www.canadalife.co.uk Member of the Association of British Insurers. Canada Life Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. CL01482 418R