Information Security & Data Protection Training Course

Data Protection is a legal requirement for every business and organisation which must be able to demonstrate measures have been taken to ensure confidentiality and the safe handling of information. Cloud Direct is fully compliant with applicable legislation such as The Data Protection Act (2018) and GDPR, as well as being ISO27001 (Information Security) and ISO20000 (IT Service Management) accredited.

This online training course will help you to learn how to deal with Information Security & Data Protection issues in the workplace.

Information Security Guide

What is ISO27001?

ISO27001 is the recognised international standard for Information Security Management.

The standard sets out guidance for good security practice and allows us to publicly demonstrate to our customers that we manage their sensitive business data appropriately.

By implementing good security, Cloud Direct aims to make the service we offer our customers as risk free as possible.

All Cloud Direct employees have access to sensitive company and customer information and as such we must have controls in place to manage this.

A full copy of the ISO27001 standard can be found in the Process Management Library in SharePoint here.

Managing Information Security

It is Cloud Direct's responsibility to manage and ensure the Confidentiality, Integrity, and Availability of all information assets. This is referred to as CIA.

A breach of CIA would represent a failure to keep our customers, or our own internal data, secure. If you suspect or know of a breach of CIA you must report this to your Line Manager or the IMS Team immediately.

Confidentiality

Confidentiality concerns the privacy of data and ensuring measures are in place to prevent unauthorised access to sensitive data. 

We classify data into different categories which are then subjected to a range of security controls. We control access to confidential data by using strong passwords and encryption.

Integrity

Integrity involves maintaining the consistency, accuracy and trustworthiness of data over its lifecycle. Controls must be in place to ensure that data is not altered without authorisation.

We control the integrity of data by backing up critical systems and implementing access control procedures.

Availability

Availability is ensuring that data is available when it is required, whether by a customer or a Cloud Direct employee.

We control availability of data by maintaining hardware, providing sufficient bandwidth, and by backing up critical systems.

In short, we need to ensure that data is kept private, is not altered without authorisation, and that when the customer wants their data, they can get it.

Information Classification

To avoid the potential for customer or company information being communicated to unauthorised parties, all information is classified using one of the categories below.

  • CONFIDENTIAL
    • INTERNAL: Confidential data that is NOT appropriate to send to an external recipient. For Cloud Direct employee eyes only.
    • EXTERNAL: Confidential data that is appropriate to send to an external recipient, such as customers, suppliers, and shareholders. This could include invoices, tenders, reports, and applicable customer data.
    • HR: Data containing sensitive personal information (external and/or internal).
    • FINANCE: Data containing financial information (external and/or internal).
  • NON-CONFIDENTIAL: Information that is fit for public release.
  • GENERAL: Information not relating to Cloud Direct or its customers.

If you are unsure whether information should be classified as confidential or not, assume that it is confidential and treat it as such.

Further Reading

Using Azure Information Protection

Azure Information Protection (AIP) is a cloud based solution that helps an organisation label and protect its documents and emails. 

Cloud Direct uses AIP to allow its employees to label data in Office Applications, including Outlook.

A user guide explaining how to use AIP is available in the ServiceNow Knowledge Base here.


Information Control Policy

The Information Control Policy further details the different classification labels and how Cloud Direct stores, retains, and disposes of information.

This document is for Cloud Direct employees only and can be found in the Process Management Library in SharePoint here.

Devices

Company Owned Devices

Security of information on laptops and mobile devices is a particular concern. Mobile devices are regularly lost, stolen or damaged. All company owned devices (PCs, laptops, and mobiles) are managed using Microsoft Intune (Mobile Device Management) which manages the following areas:

  • Experience.
  • Updates.
  • Authentication.
  • Encryption.
  • Defender (anti-virus).
  • Device lock.
  • Security.

Personal Devices

Employees and contractors frequently perform tasks which require connecting to Cloud Direct's systems and networks using their own devices. In order to ensure that information is not at risk, employees are expected to follow the BYOD policy (see below).

Cloud Direct retains the right to manage corporate data that is stored on Personal Devices. Cloud Direct has the ability to manage corporate data on Personal Devices using Microsoft Intune (Mobile Application Management).

Any questions concerning device management should be escalated to the Internal IT Team by raising an Incident in ServiceNow.

Further Reading

Mobile Computing Policy (inc BYOD)

The Mobile Computing Policy covers the responsibilities of employees who Bring Their Own Device (BYOD), work from home, or use mobile devices. Employees automatically accept this Policy as soon as they attempt to access Cloud Direct's (or its customers') data using their own device.

This document is for Cloud Direct employees only and can be found in the Process Management Library in SharePoint here.


Internal Computing Policy

The Internal Computing Policy defines how Cloud Direct employees should use the IT equipment that is assigned to them. All employees accept this Policy as part of the Induction Process for new employees.

This document is for Cloud Direct employees only and can be found in the Process Management Library in SharePoint here.

Non-Conformances & Opportunities for Improvement

Non-Conformances

A non-conformance means something went wrong - a problem has occurred and it needs to be addressed. We address non-conformances by identifying and implementing:

  • Corrective action: what can we do to immediately resolve the issue?
  • Preventative action: what can we do to stop this issue happening again?

A non-conformance may relate to a service, product, or process, or originate from a supplier. A non-conformance can be identified through customer complaints, internal audits, external audits, or normal business operations.

It is important that any non-conformances are reported to the IMS Team immediately, using the process at the bottom of this page. If you are unsure if something should be logged as a non-conformance, speak to your Line Manager.

Opportunities for Improvement

An opportunity for improvement (OFI) is exactly what it sounds like - an opportunity to improve something! If you have any suggestions on improvements that can be made to processes, working practices, or products and services Cloud Direct offers, you can raise an OFI for further investigation by the IMS Team.

Further Reading

Using the CSIP in ServiceNow

The CSIP, or Continual Service Improvement Plan, is where non-conformances and opportunities for improvement are recorded. The Cloud Direct Risk Log is also recorded in the CSIP.

If you notice any non-conformances or opportunities for improvement, they should be logged in the CSIP immediately.

A user guide explaining how to use the CSIP is available in the ServiceNow Knowledge Base here.


Non-Conformance Procedure

The Non-Conformance Procedure details how to record and correct non-conformances. 

Also covered is how Cloud Direct identifies corrective and preventative actions, and when implemented how the non-conformance is reviewed and eventually closed.

This document is for Cloud Direct employees only and can be found in the Process Management Library in SharePoint here.

Data Protection Guide

Guidelines for Dealing with Confidential Information


1. Safeguard your username, password and any other access credentials you have for systems and applications that deal with confidential information. Consider using a password manager such as LastPass.

2. Protect mobile devices such as smartphones, tablets and USB drives that contain confidential information. Cloud Direct uses Intune to protect corporate devices.

3. Never leave your computer unattended when confidential information is on the screen. Lock your screen before leaving your desk.

4. Before transmitting confidential information to others, be sure that:

  • The transmission complies with the law and privacy and security policies;
  • The recipient has a legitimate business purpose for the information. If you are unsure, speak to your Line Manager;
  • You're sending no more information than is needed by the recipient; 
  • You're sending the information in a protected manner (e.g., encrypted) when called for by the company policies or the law. If applicable, mark documents as CONFIDENTIAL.

5. Retain or destroy confidential information contained in your records in accordance with your record-management policy. Electronic documents should be stored in OneDrive or SharePoint where they can be protected. Paper documents should be shredded.

6. Report any security incidents or privacy breaches that you observe or become aware of as soon as possible, by emailing [email protected]

Which one of the following shows respect for confidentiality of information?

  • Discussing confidential information over the telephone.
  • Disclosing confidential information only to authorised individuals.
  • Uploading confidential information to a shared web site.
  • Emailing confidential information to a colleague.

How should confidential information be sent using an unsecured network?

  • In an encrypted format.
  • In a compressed format.
  • In an attachment.

Mark the following statements as true or false.

  • Because you work in a secure building, you can discuss confidential information in an open work area.
  • The Information Security Policy and related policies only apply to electronic and hardcopy records and does not apply to verbal discussions.
  • You should always lock your computer when you are away from your desk.

How to Keep Your Password Safe

How can you keep your password secure?

  • Write it in your notebook.
  • Memorise it.
  • Tell a person who you know you can trust.

What is an example of a strong password?

  • 1234567890
  • G*rbea8$e
  • qwerty123
  • johndoe

Mark the following statements as true or false.

  • You should create a strong, different password for each system you access.
  • Whenever possible avoid using password managers.
  • It is OK to share your password with colleagues in your team.

Further Reading

Data Subject Request Procedure

The Data Subject Request Procedure document outlines how to log and respond to a request from a Data Subject under GDPR.

This document is for Cloud Direct employees only and can be found in the Process Management Library in SharePoint here.

Data Breach Procedure

The Data Breach Procedure describes how to recognise and report a suspected, or actual, data breach.

This document is for Cloud Direct employees only and can be found in the Process Management Library in SharePoint here.

Privacy Policy

A public facing Privacy Policy detailing how Cloud Direct collects, uses, and accesses website visitor and customer data.

This document is publicly available on the Cloud Direct website here.

General Terms and Conditions

These are the Terms and Conditions that apply to all Cloud Direct customers. Data Protection is detailed in Annex A and came into effect in May 2018.

This document is publicly available on the Cloud Direct website here.

Wrap-Up

Breaches of workplace confidentiality can result in a range of problems. Customers tend not to work with companies they think are untrustworthy, and consumers may specifically warn people away from companies that have mishandled private information.

This course has been produced so that employees are aware of the ways of dealing with confidential information and keeping company data safe. 

If you have any questions, or customers have concerns, please contact the IMS Team by emailing [email protected] or by creating a ServiceNow Incident and assigning to the IMS Team assignment group.

Your Responsibilities

Remember the following:

  • Have a guest at the office? Sign them in and escort them at all times.
  • Notice a security issue? Report it by raising an Incident in ServiceNow.
  • Leaving your desk? Ensure your machine is locked and your desk is clear.

Do you know how to view the Cloud Direct Knowledge Base?

The Cloud Direct Knowledge Base can be found in ServiceNow. Just search for 'Knowledge Base' in the left-hand search bar.

The Knowledge Base in ServiceNow is the go-to resource for product, customer, and service specific articles.

  • Yes, I have found the Cloud Direct Knowledge Base.
  • No, I am not sure where to find the Cloud Direct Knowledge Base.

Do you know how to view your HR documents?

You can find your HR documents in SharePoint here. Besides yourself, only the HR Team and your Line Manager have access to your personal HR documents.

  • Yes, I have found my HR documents.
  • No, I don't know where to find my HR documents.

Are you aware of your Information Security responsibilities?

If you have any questions, review the beginning of this course or contact James Tyson, Information Security Manager.

  • Yes, I am aware of how to work safely and securely.
  • No, I have some questions.

Do you know what a non-conformance is and how to report one?

Remember that a non-conformance is when something goes wrong and affects either the Information Security of Cloud Direct or one of its customers, or when a customer's service is affected.

There are articles available in the Cloud Direct Knowledge Base in ServiceNow that cover how to raise a non-conformance.

  • Yes, I know what a non-conformance is and how I report it.
  • No, I am not sure what a non-conformance is and I'm unsure how to report one.

Questions? Comments?

If you have any questions or comments, please contact the IMS Team by emailing [email protected] or by creating a ServiceNow Incident and assigning to the IMS Team assignment group.