Security can be defined as “the state of being free from unacceptable risk”. The risk relates to the following losses:
- Confidentiality
This refers to the privacy of data
- Integrity
Integrity refers to the accuracy of data (loss of data through equipment failure, virus attack, or intentional data corruption)
- Availability
Availability exists when the data is made available as intended, and only to the intended recipients, by someone who really is whom he/she claims to be.
Data Classification
Three classes of data are of interest here:
Class 1: Public/not classified
Any information not in Classes 2 or 3
Class 2: Internal Information
For these data, confidentiality and integrity are important but not vital to the business. For example: Telmaco’s management data
Class 3: Confidential
For these data, confidentiality, integrity and availability are critical to Telmaco’s and the Customer’s business, because these data are either proprietary to the Customer or simply express views resulting from consulting activities, and hence belong to the Customer. Example: data belonging to customers or partnering companies, etc.
This category applies even when the Customer-Telmaco relationship is not regulated by commercial agreements or contracts, or governed by an agreed confidentiality accord.
Policy
Data Storage within Telmaco’s perimeter
Class 1 data: No specific provision
Class 2 data: This data may be stored encrypted
Class 3 data: This data must be stored encrypted at least to the level of AES 128 or equivalent. This shall be so even if the data is delivered to Telmaco in the clear. Hard copy shall be avoided, or shredded immediately after use.
Data Transmission out of Telmaco’s perimeter
Class 1 data: No specific provision
Class 2 data:
- email may be digitally signed
- email may be encrypted
- attached files may be encrypted at least to a level AES 128 or password protected
- In email replies, the same level of security as the sender’s shall be applied
Class 3 data:
- email must be digitally signed
- email must be encrypted
- attached files must be encrypted at least to a level AES 128 or equivalent
- In email replies, the same level of security as the sender’s shall be applied
- Disclaimer: Recognising that service to the Client’s business has to proceed and that Telmaco cannot apply a level of security higher than that of the Client’s, Telmaco denies any responsibility for the security of information where the recipient has not supplied its Public Key.
- Class 3 files that could not be encrypted with the Client’s Public Key shall be encrypted with a pass-phrase. The pass-phrase shall be transmitted through a separate, distinct medium.
Data Destruction
Class 1 data: No particular requirement, use of ‘Delete’ is acceptable
Class 2 data: No particular requirement, use of ‘Delete’ is acceptable
Class 3 data: Files shall be destroyed with a file shredder using a minimum of 3 passes.