Information for third parties Information Security This document provides a general overview of information security at Aegon UK for existing and prospective clients. This document aims to provide assurance that we have the appropriate control and protection in place, but also to reaffirm that we ll not disclose information or perform any actions that will put any of our customers at risk, breach our regulatory requirements or invalidate our liability insurance. Aegon and Data Protection In our capacity as a pension provider, as per the definition under the Data Protection Act (DPA) and the upcoming General Data Protection Regulation (GDPR), we are a data controller (i.e. we determine the purposes and manner in which we process the personal data that we collect). When an individual plan or company pension scheme is set up, we don t enter into data processor agreements with employers or advisers as we ll not be processing personal data on behalf of them or their organisation. We re providing a product to an individual and so, when an individual takes out a plan with us or an employee of a company joins a company pension scheme, we have a direct contractual relationship with that individual (i.e. the planholder). As data controller of the personal data that we collect either from individuals, employers or advisers, we re required to comply with the requirements of the DPA, including: That the data we hold is adequately protected, That it s kept up to date and accurate and That we allow our planholders to exercise their rights. If we, as a financial services provider, breached the DPA, we would be liable for any potential sanctions and regulatory scrutiny. In order to achieve compliance with our obligations under the DPA, we ve policies, standards and guidance in place and ensure that the appropriate controls and safeguards are implemented to protect the personal data. General Data Protection Regulations (GDPR) We re fully aware of the upcoming changes to data protection regulations that will come into force in May 2018 under GDPR. We ve already appointed a Group Data Protection Officer and have a local Data Protection Officer in place. We have also set up a GDPR programme, looking into the requirements of the new regulations and what they mean to us, our customers and processes. This will enable us to identify and take the necessary steps to achieve compliance.
The programme has Subject Matter Experts from across the organisation, including Data Protection, Information Security, Legal, IT and business representatives. Our Data Protection team are involved in all aspects of the programme and are actively monitoring both the Information Commissioners Office (ICO) and Article 29 Working Party updates to ensure that the GDPR project is working with the latest guidance.. Information Security Risk Management The table below provides an overview of the key governance positions within our business. To ensure we have the right governance and controls in place to operate in the right Chief Executive Office way. Responsible for: Chief Operating Customer services Officer Information Technology Platform development Responsible for: Chief Risk Officer Leading an effective risk management framework Human Resources Director Enterprise Information Security Manager Ensuring that risk is well managed Responsible for: Delivering HR services Ensuring that the organisational design, people policy and practice enable the us to achieve our ambitions Responsible for: Information Security Data Protection Aegon UK operates the three lines of defence approach: First line of defence are our business functions and are accountable for the risks and controls within our first line functions. Second line of defence is our full Risk Team. The Risk Team develop and implement risk frameworks and oversee the first line on their management of risk. Third line of defence is Internal Audit who are an independent assurance function who review all activities across our business.
Security Policies and Standards Our information security policy is reviewed and published annually and covers: Information Security Policy Organization of Information Security Information Asset Management Human Resources Security Physical and Environmental Security Communications and Operations Management Access Control Information Systems Acquisition, Development, and Maintenance Information Security Incident Management Business Continuity Management Compliance Information Security Risk Management The Group Information Security Policy Guidance and Minimum Standards set out the minimum requirements to which business units must adhere when implementing controls to comply with the Information Security Policy. It covers: Information Security Organisation - Information Security Roles and Responsibilities - Governance Over External Parties Information Assets Management - Responsibility for Information Assets - Information Asset Classification Human Resources Security - Prior to Employment - During Employment - Termination or Change of Employment - Internet Use - Email Use Physical and Environmental Security - Physical Security Perimeter Requirements - Physical Entry Controls - Securing Sensitive and Information Processing Areas - Protecting Against External and Environmental Threats - Securing Public Access, Delivery and Loading Areas - General Equipment Security and Protection
Communications and Operations Management - Procedures and Responsibilities in respect of IT Operations - Third Party Delivery Management - Systems Planning and Acceptance - Protection Against Malicious and Mobile Code - Backups - Network Security Management - Media Handling (digital and non-digital) - Exchange of Information - E-commerce Services - Monitoring o Audit Logging o Monitoring System Use o Protection of Log Information o Administrator and Operator Logs o Fault Logging o Clock Synchronisation Access controls - Business Requirements for Access Control - User Access Management User Registration - User Access Management - Access Control Systems and Segregation of Duty - User Access Management Privilege Management - User Access Management Password Management - User Access Management Protection Against Unauthorised Access - User Access Management Review of Access Rights - Clear Desk and Clear Screen Requirements - Network Access Controls - Operating System Access Controls - Application and Information Access Control - Mobile Computing and Access controls Information Systems Acquisition Development and Maintenance - Security Requirements of Information Systems - Correct Processing in Applications - Cryptographic Controls - Security of System Files - Security in Development and Testing - Technical Vulnerability Management Information Security Incident Management Business Continuity Compliance Guidance - Internet and email acceptable use guidance - Data transfer guidance - Clear desk and clear screen guidance - Mobile computing user responsibilities and guidance
Certifications and Audits We re a financial services company regulated by the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) and are subject to regular independent financial and IT system audits by both internal and independent third party auditors. We re Cyber Essentials certified, and aligned with ISO 27001 assessing our own compliance internally, as well as conducting external audits and benchmarking exercises. Our key IT service provider Aegon Group Technologies (AGT) has been SSAE16 SOC 1 Type II audited by Pricewaterhouse Coopers (PWC). The conclusion of this audit is that the controls are appropriate and effective for providing infrastructure services and application support services. Human Resources Recruitment As a company dealing with finances, we re required by the FCA to do identity and history checks on all potential employees. Before employment can begin, we ll carry out the following checks: Satisfactory references Health questionnaire Credit and criminal history Proof of eligibility to work in the United Kingdom. Additional checks as needed for specific roles. Identity Management We manage our employees through our HR system which interfaces with Active Directory to ensure appropriate and timely management of staff accounts. Information Security Awareness Every year all employees have to exceed a minimum test score after completing an information security ELearning course. We conduct phishing simulations/tests quarterly against a (rotating) sample of our users in order to identify who needs additional awareness/training. Leavers Process We have a leavers process that ensures that equipment is returned and access revoked on the day their employment terminates. Physical and Environmental Security Data Centre Security Access to the Edinburgh data centre and operations floors is restricted through a card key system and monitored on a 24x7 basis. All data centre visitors are required to present identification, sign the visitor s log and be escorted by an Aegon employee at all times while in the data centre. A limited subset of individuals within each data centre have access to the data centre operations floor where the core technology equipment resides. Access privileges to the data centre are granted based on an individual s job responsibility and requires management approval prior to granting access. Employees who have data centre access privileges are reviewed at least annually.
Environmental Controls The data centres have equipment to protect against and/or limit damage due to theft, fire, and lightening, flooding, loss of electricity and temperature fluctuations. Smoke and heat detectors and a sprinkler system are located throughout each building. Offices All entry and exit points are protected by CCTV and images retained for 90 days. Operational entrances are manned and have physical barriers such as turnstiles. Fire exits and entrances not in operation, are protected by intruder alarm systems. Access and User Controls Private Network Access Port-base Network Access Control (PNAC) ensures that only authorised devices can connect to our private network. Remote Access Remote access requires two-factor authentication comprising login ID/Password and a generated one-time passcode. Laptops can establish a VPN in order to access services on our private LAN. Without a laptop, remote access via an SSL VPN with data leak controls such that files cannot be transferred (i.e. uploaded or downloaded) and copy and paste is disabled. Laptops and Mobile Devices Our laptops use full disk encryption. Writing to removable media (e.g. USB drives) is disabled. Where sensitive data requires physical transfer using electronic media such as USB or external hard drives encryption is applied and procedures employed to ensure the safe transfer from sender to recipient. Users can access email from personal devices using a secure mobile device management solution. This solution applies encryption to the data at rest and provides secure transmission, two-factor (device certificate and password) authentication, remote wipe and other security features such as no copy and paste. Authorised Access and Recertification Access to systems and applications controlled by request process requiring authorisation by a line manager and is limited based on the principles of least privilege and need-to-know. Access to systems containing sensitive information is reviewed at least annually. The frequency of recertification depends on the sensitivity of the access. System and database administrator access is reviewed quarterly. General User and Data Leakage Controls By default our employees: Have restricted workstation policies. For example, software cannot be installed and there are no local administrative privileges. Can only access authorised website categories. For example, file transfer and webmail sites cannot be accessed. Must securely email customer information. Our Customer Data leakage Prevention (CDLP) solution blocks emails if customer information is not protected. Have to request write access to removable media.
Communications and Operations Management Aegon UK and Aegon Group Technologies (AGT) Aegon UK (AUK) and Aegon Group Technology (AGT) are business units within our group of companies. AGT provide AUK with IT services such as: Desktop/laptops Messaging & other productivity applications Remote Access Servers Network Security Data Centres Service/access request system Security administration AUK manage: AUK specific Ecommerce and line of business applications Third parties Information security awareness Hardening and Patching Servers are built to a hardening standard based on the CIS Benchmark. Server teams monitor for security patches and vendor announcements. All security patches are applied to the server test environments before being applied to production in a scheduled manner based on the security patch criticality. Logging and Monitoring Critical computer system, database, and network devices audit logs must be kept for longer than the reconciliation period. Our Security Information and Event Management (SIEM) system ingests security events from network devices and alerts the Security Operations Centre (SOC) who respond accordingly. Anti- malware Controls An email hygiene service filters emails identified as spam, malware or having other suspicious characteristics based on analysis of domain reputation, content and header and envelope attributes. All employees access the Internet through a proxy that prevents access to certain categories such as adult, webmail or file sharing sites. The web proxy also blocks access to websites with a poor reputation such as those identified as a phishing or malware distribution site. Workstations and servers have antimalware software that scans files on access and also execute scheduled scans. We also use a network security solution that will detect suspicious activity (e.g. anomalous network connection attempts) by hosts on the Aegon internal network.
Incident Management All DP breaches and security incidents must be reported as soon as they are identified. We have a security incident response process. This starts with the logging of a security event (which may be an incident). There are escalation routes depending on the severity of the incident and whether it affects other Aegon business units. An incident with a significant impact will be escalated to our Business Disruption Management Team (BDMT). An incident that affects multiple business units are escalated to the Global Security Incident Response Team (GISIRT). Vulnerability scanning and Penetration testing Windows and UNIX/LINUX servers are scanned weekly for vulnerabilities. Our external IP addresses are scanned regularly by AGT and a third party. High-risk applications are penetration tested annually or when there is a significant change. Cyber threat management We work in coordination with our Global Cyber Threat Management Program to understand, address and react to any new, emerging or existing threats: Utilizing Threat Intelligence to identify threats, threat actors and tools that may be used against us. Participate in Intelligence Sharing Communities, by sector, country and globally. Stage Red Team operations to validate controls and Incident Response plans. Encryption and Protection of Sensitive Information We have four data categories: Public. Internal. Confidential. Strictly Confidential. Third Party Services We conducts information security due diligence on third parties. The process involves assessing the potential information security impacts associated with the service. The potential impact associated with the service determines the level of detail and assurance gathered. We assign relationship managers to ensure ongoing governance and monitoring of key suppliers. Test Data and Environments Access to production data is restricted. We use development and test environments that are segregated from production systems and don t have access to production data. Decommissioning A process ensures that all equipment and media that contain sensitive data are cleansed and properly disposed of. Drives are either physically destroyed or wiped by a specific software program so that no data is retrievable. Hardware is securely destroyed by third party disposal company to ensure that environmental standards are met.
All equipment disposals of AGT supported assets are monitored by AGT management for compliance on a quarterly basis. Disaster Recovery and Business Continuity Please refer to AUK s business continuity statement (provided separately).