IT Security
Key IT Security Risks
Personal Data is largely held in:
A) Financial Services Division
B) Private Clients Division
Key data is data that could enable identity theft, or data relating to banking information.
Data could be stolen by staff or by third parties.
The controls and procedures below demonstrate how we attempt to mitigate these risks.
Management Controls
The lines of responsibility relating to IT Security are …….
We have an information security policy held and reviewed regularly by …………
We can detect loss of data by …..
We train staff concerning their data security obligations by …...
Access rights to IT
How we control access to IT: unique usernames and unique, regularly changed passwords; strong passwords; who controls the issuing of usernames and passwords?
Controls over internet and e-mail use
Files and laptops off-site
Data Management
Housekeeping - backing up
Offsite data (laptops, memory sticks, CDs) - encryption
Encryption of data held offsite
Encryption of information sent off-site either electronically or physically
Theft of data by means of memory sticks and CDs
Disabling of USB Ports and CD writers where appropriate
Log of memory sticks and laptops
Random checks of laptops and memory sticks
Clear, consistent and secure IT back-up and housekeeping procedures
Encryption of backed-up data (particularly if held at a third party)
Due Diligence on third-parties or staff holding backed-up data
Assessment of risk of staff’s use of web-mail, social networking sites, instant messaging and file sharing software
Disposal of Data
Data should be disposed of in a secure fashion
The following should be considered:
Security of data disposal procedures – removal, destruction and wiping of hard drives before disposal
Training of staff
Third Party Suppliers
You should be satisfied that you know who any third-party suppliers are, the security surrounding any data they hold or have access to, and how they vet their staff.
Third-party suppliers who could have access to IT data are:
1 IT archive providers
2 Security personnel
3 Any other third parties likely to visit the offices
4 IT suppliers
Compliance and Monitoring
We monitor the possible loss of data by …….