DATA PRIVACY POLICY

March 27, 2020

Version 1.0

Please note: This policy may change with or without prior notice. However, the Credit Union will make a reasonable effort to seek input from key stakeholders prior to any changes.

Version: 1.0
Date Created: 27-03-2020
Description: Initial Release
Prepared By: Tiesha Anderson
Date of Approval by the Board of Directors: 15-07-2020


TABLE OF CONTENTS

1.1 Purpose
Exceptions
List of Exceptions
Related Policies and Standards
Amendment/Termination


1.1 Purpose

The objective of this policy is to define adequate controls to protect the privacy of information collected, processed, stored and managed by N.C.B. Employees Co-operative Credit Union Limited (NCBECCU). This policy aims to secure that data in order to maintain the confidentiality and integrity of NCBECCU’s IT Infrastructure. It also provides quality assurance to NCBECCU’s business by safeguarding the business information that depends on IT functionality.

1.2 Scope

This policy applies to:

  • All staff (permanent and on a contractual basis) and non-employees (contractors, consultants, suppliers, vendors, Board of Directors, and volunteers) of NCBECCU, and other individuals and entities responsible for administering and maintaining the credit union’s IT infrastructure.


1.3 Policy Statements

1.3.1 Data Access

  1. Access to confidential information shall be controlled in line with the User Access Management Policy and Procedure. Access to NCBECCU’s IT Infrastructure shall be governed by the IT Manager and Risk & Compliance Officer or a person designated by the General Manager.

  2. All staff, both permanent and temporary, vendors and partners shall be given access to NCBECCU’s IT systems (IT Assets and Services) on a need basis only, after Non-Disclosure Agreements (NDAs) have been signed and after approval from the General Manager.

  3. Records of all enabled access privileges shall be maintained by the IT Department. The IT Manager and Risk & Compliance Officer or a person designated by the General Manager shall review users’ access privileges on a regular basis to ensure unauthorized access is revoked.

  4. A review of privileged user access to NCBECCU’s IT Infrastructure shall be conducted periodically by the IT Manager and Risk & Compliance Officer or a person designated by the General Manager.

  5. Desktops and laptops of users with access to sensitive information shall be configured as per the credit union’s configuration standard, which should include control of administrative privileges and restrictions on the installation of additional applications.

  6. Users shall be authenticated prior to access to NCBECCU’s IT systems. Such authentication should be through a centralized authentication mechanism (such as Active Directory). The IT Manager and Risk & Compliance Officer or a person designated by the General Manager shall ensure the implemented authentication mechanism provides the desired level of security in line with the criticality of the system/application.

  7. Third-party authentication devices such as hardware tokens or biometric controls shall be used for validating highly privileged users such as system administrators and database administrators wherever feasible.

  8. Log-on banners shall be implemented on all critical NCBECCU IT systems and shall clearly state the terms and conditions for usage, including informing the user that monitoring is enabled on the system.

  9. Users shall be responsible and liable for all actions from their accounts and must take due care to secure their account credentials, including not sharing the account details with anyone.

  10. Users with temporary access to information or NCBECCU IT systems shall be tracked and their access shall be revoked as soon as the need for it is over. An expiry date shall be set for temporary accounts.

  11. Users must not maintain any confidential information on their desktops and shall secure all their physical records under lock and key. The keys to such safes shall be managed securely by the user.

  12. Users shall take the necessary precautions to protect the NCBECCU IT infrastructure under their control. This could include the following, but is not restricted to:

     • Secure official laptops;
     • Do not change system configurations (including software settings, user privileges, etc.);
     • Lock computer systems while taking a break;
     • Do not discuss sensitive information in public places;
     • Restrict viewing confidential information in public places; and
     • Do not share personal or confidential information over insecure channels such as public Internet access points or over telephone networks.

  13. Users shall not share NCBECCU-related information outside the credit union without prior approval.

  14. The IT team shall ensure all online applications have a maximum idle time defined for sessions. Sessions which exceed the idle time must be disabled and further access shall be provided only after re-authentication.

  15. NCBECCU IT systems, where feasible, shall display the date/time of the previous successful logon.

  16. Remote administration of critical systems shall be restricted. If required, such access shall be provided only over secure channels with IP-based restrictions or two-factor authentication.

  17. Remote access to NCBECCU IT systems for employees, both permanent and contractual, shall be permitted only after the risks from such access have been reviewed by the IT Manager and Risk & Compliance Officer or a person designated by the General Manager.

  18. Information/data processing systems shall be configured such that if a hardware or software component of the system malfunctions and/or the system fails, it shall by default not grant uncontrolled access to users.

  19. All NCBECCU IT systems shall be configured as per the credit union’s configuration standard for operating systems, applications and databases.

  20. Periodic review of the secure configuration shall be carried out by the IT Manager and Risk & Compliance Officer or a person designated by the General Manager.

1.3.2 Data Sharing

  1. Users are responsible for the information to which they have access and shall not share such information with anyone without prior authorization.

  2. Authorized users shall use only credit union provided external storage media (if any, such as USB drives, CD-ROMs, DVD-ROMs, etc.) for sharing information. Storage devices shall support strong encryption and must be used only for official purposes. Use of personal storage devices such as personal CD/DVD-ROMs, USB drives and personal external hard drives is not permitted for sharing information.

  3. Users shall not forward sensitive information over insecure channels such as personal email. In case such information needs to be shared, prior authorization from the IT Manager and Risk & Compliance Officer or a person designated by the General Manager shall be obtained, and necessary controls such as encryption and password protection shall be implemented prior to sharing.

1.3.3 Data Storage

  1. NCBECCU IT systems hosting confidential information shall store sensitive data in an encrypted format. The implemented controls shall ensure that even highly privileged users such as system and database administrators cannot view or access such information.

  2. Data on all critical NCBECCU IT systems (such as servers, configuration files, email servers/archival storage, etc.) shall be backed up on a regular basis in line with the relevant data backup procedures.

  3. There shall be controls in place to ensure all physical documents (paper documents) are protected in line with their classification level.

1.3.4 Data Storage

  1. Guest Wireless Access Points shall not be directly connected to the NCBECCU network.

  2. Sensitive information shall be transmitted/transferred in encrypted format and over secure channels within the NCBECCU network.

  3. All passwords stored in a system or transferred over a network shall always be encrypted to avoid any unauthorized disclosure.

Note: Data transmission between the NCBECCU IT department and other departments shall also be considered to fulfill the data privacy requirements laid down in this policy.

1.3.5 Third Party Controls

  1. Third-party agreements with vendors and partners shall contain non-disclosure clauses covering information/data sharing. Information shall be shared with vendors and partners only after both parties have agreed to the terms and conditions for information/data sharing.

  2. The agreement with the third party shall cover the conditions for access, accepted controls and responsibilities, and the consequences of security breaches.

  3. Remote access from third-party networks to the NCBECCU network shall not be permitted unless authorized by the IT Manager and Risk & Compliance Officer or a person designated by the General Manager. Such access shall be configured on a time-bound basis and revoked as soon as the need for it is over or the approved time has been exceeded. When access is revoked, all parameters such as passwords should be reset.

1.3.6 Network Controls

  1. Groups of information processing systems, services and users shall be segregated on networks based on their sensitivity, mission value and the classification of information stored or processed, exposure to public networks/users, and the corresponding risk levels.

  2. All access between the segregated network segments shall be appropriately controlled by security devices such as firewalls, based on security requirements.

  3. NCBECCU applications which host critical data shall use a multi-tiered architecture to allow for better security and scalability.

  4. Wireless access and publicly accessible systems provided to guests shall be segregated from the rest of the internal network.

1.3.7 Physical Security

  1. All NCBECCU systems shall be hosted in secure/restricted areas such as data centers. Physical records/forms containing sensitive/personal information shall also be stored in secure locations.

  2. The secure/restricted areas shall be protected with appropriate authentication controls such as biometrics and keypad access control. A minimum of two-factor authentication shall be implemented for access to secure/restricted areas.

  3. Logs shall be maintained to track the movement of external vendors or partners in the secure/restricted areas.

  4. Visitors must declare information processing devices such as laptops at the entrance to the secure/restricted areas.

1.3.8 Data Disposal and Destruction

  1. All information in NCBECCU, in both paper and electronic format, shall be disposed of as per the credit union’s Asset Disposal Policy.

1.3.9 Customer Data

All customer data shall be protected.

The following terms shall be addressed prior to giving customers access to any of the credit union’s assets:

  1. Integrity;
  2. Restrictions on copying and disclosing information;
  3. Description of the product or service to be provided;
  4. A statement that all access that is not explicitly authorized is forbidden;
  5. A process for revoking access rights or interrupting the connection between systems;
  6. Arrangements for reporting, notification, and investigating security breaches;
  7. The target level of service and unacceptable levels of service;
  8. The right to monitor, and revoke, any activity related to the credit union’s assets;
  9. The respective liabilities of the credit union and the customer;
  10. Responsibilities with respect to legal matters; and
  11. How it is ensured that the legal requirements are met.

1.3.10 Change Management

  1. Changes to NCBECCU IT systems shall be strictly controlled and managed in accordance with the Change Management Policy.

1.3.11 Security Incident Management

  1. Any incident pertaining to NCBECCU IT systems or the supporting infrastructure, such as unauthorized intrusion (physical, electronic or otherwise) into databases storing sensitive data, shall be reported and handled in accordance with the IT Policy.

Exceptions

No deviation or special arrangement will be permitted under any circumstances outside of the established policy exception handling process.

List of Exceptions

No exceptions at this time.

Related Policies and Standards

  1. IT Policy
  2. Cyber Security Policy
  3. Change Management Policy
  4. Asset Policy

Amendment/Termination

The credit union reserves the right to modify, amend or terminate this policy at any time.