Newfox hosts infrastructure for several UK based businesses. This policy outlines requirements for the handling of customer data received and hosted by Newfox. Such data could be sensitive, confidential, personally identifiable or financial in nature.
Newfox client’s systems and data are hosted in a segregated area which is protected from unauthorised access both physically and electronically. This protects the security and integrity of customer data.
2. Scope Personnel
This policy applies to all Newfox employees and other limited individuals with authorised access, such as employees who manage the hosting infrastructure for Newfox.
This policy applies to all files and other data resident on hosted platforms provided by Newfox for their customers.
Where there is a business need to be exempted from any of the requirements in this policy (too costly, too complex, adversely impacting other business requirements), authorisation must be obtained from Newfox via firstname.lastname@example.org All exemptions must be subject to a risk review.
4. Requirements Access
a) Secure authentication protocols are used to validate user identity prior to enabling access to the physically secured area (and thus any computer in the secured area). There is manned 24/7 security requiring photo ID or encrypted access card to specifically identify the user
b) Systems require a secure username and password for access which is compliant with Newfox’ password policy. These credentials must be unique to Newfox and must not be used on any other internal or external systems or services.
c) Systems must be configured to lock after a period of inactivity, up to, but no longer than 30 minutes.
d) Access logs for systems will be logged centrally. These logs will be monitored by system owners to identify or prevent unauthorised access attempts. Once discovered, prompt steps will be taken to prevent any further unauthorised access.
e) Access is limited to Newfox employees and other limited individuals who need access in order to serve a legitimate business purpose. Approval from Newfox management is required to authorise a new individual.
f) Terminated or suspended individuals will have their physical and electronic access blocked. Any passes, devices, codes, passwords and means of obtaining access to such area and such data will be de-activated.
g) Newfox management conduct a quarterly review of access entitlements.
h) Newfox has a designated area for demonstrations to visitors. Visitors must be escorted by an authorised employee at all times. If you are responsible for escorting visitors, you must restrict them to the section of Newfox designated for demonstrations only, in order to avoid exposure of confidential information.
i) If an unknown, unescorted or otherwise unauthorised individual is identified in the physically secured area, Newfox management must be notified immediately.
j) Customer and other confidential data must not be left on desks unattended.
l) In-Scope Data is stored on the separate Newfox network. Laptops should only be used for the storage of normal business data which is not covered by the scope of this policy.
m) Remote access to hosted Data is secured via a two-stage authentication process which firstly requires the user to log onto the corporate network via a laptop and secondly requires the user to log onto the separate Newfox network. In-Scope Data will remain on the separate Newfox network and the user controls the desktop PC situated within the separate Newfox network via the remote laptop.
n) Data that must be moved within Newfox may only be transferred via approved secure transfer mechanisms. Newfox will provide systems or devices that fit this purpose. You must not use other mechanisms to handle Data. If you have a query regarding use of a transfer mechanism, or it does not meet your business purpose you must raise this with Newfox management.
o) Systems must be protected in line with Newfox corporate standards and industry best practice. All company laptops are built with this standard protection. Specifically, the systems must operate:
i. Up-to-date anti-malware protection;
ii. A firewall;
iv. Appropriate patching.
p) Systems which are running a lower protection standard for legitimate business purposes (for example legacy LOB application) must be isolated.
q) All In-Scope Data must be protected by encryption as follows:
i. Sophos encryption products are the selected technical product for encryption of portable media or laptops;
ii. Backups of Newfox data will be encrypted in line with industry best practices and hosted in an area of physical security to protect against the loss of in scope data. Access to the backups will be restricted to a named group of individuals authorised by Newfox management;
iii. Devices hosting data within Newfox will use current industry best practice algorithms and cryptographic strength;
iv. Data in transit from Newfox is encrypted using an industry trusted standard.
5. Data Retention
Newfox will retain Data securely within its primary hosted platform and select data backup partners who demonstrate the same process.
Employees in scope will be provided with security awareness training to ensure they are aware of the behaviours, practices and procedures required by this policy.
You have a responsibility to uphold this security policy. In the event that you find a system or process which you suspect is not compliant with this policy you have a duty to inform Newfox management so that they can take appropriate action.
7. Owner & Approval
The Newfox DPO is the owner of this document and is responsible for awareness and compliance among members of the Newfox team.