Data Security Policy and Procedure

Purpose

This policy and its annexes set out REPC Ltd's commitment to securing, protecting and effectively data-wiping or destroying customer equipment and any data it may contain.

Introduction

Digital media and tape are widely used by companies and organisations to collect and store data. When equipment reaches the end of its life, or is replaced and updated with the prospect of being recycled for reuse, it is imperative that any confidential data and/or sensitive information stored on it is securely and effectively destroyed in line with the provisions of the Data Protection Act.

REPC Ltd is committed to collecting, securely transporting, data-wiping and destroying magnetic media, and to issuing Environment Agency compliant certification of data destruction. Equipment processed by REPC includes:
• Hard Drives
• CDs
• Memory sticks
• SIM Cards
• Dongles
• Back-Up tapes
• Video tapes
• Floppy discs
• Microfiche

Collection and Security

• All equipment is collected using REPC vehicles and security-checked staff only
• An asset collection register is agreed and signed by the customer on collection
• Once collected, all equipment is supervised at all times
• Our site, including loading areas, has 24-hour recorded CCTV
• Access to the site and storage facility is restricted via combination locks
• Temporary storage facilities include secure cages and fire safes
• Unauthorised personnel and visitors do not have access to our data-wiping suite or cages

Data Wiping/Destruction

REPC offers its customers a range of packages for secure data wiping and uses recognised data erasure software, including DBAN, Blancco and Tabernus UK Enterprise Erasure Systems.

REPC's data erasure processes are compliant with the US Department of Defense 5220.22-M data destruction standard and with the guidance of CESG (Communications-Electronics Security Group), the UK Government's National Technical Authority for Information Assurance.

Each hard drive receives 3 overwrite passes as standard; if required, 7 or up to 13 passes can be arranged. Overwrite passes apply to magnetic hard disk drives; the same pass-based approach does not reliably sanitise flash-based media such as memory sticks and SIM cards. Where a hard disk drive is faulty and cannot be erased, it is physically destroyed on-site by REPC.
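To make the "overwrite, then check it actually took" step concrete, the following is an added example, not REPC's procedure and not code from DBAN, Blancco or Tabernus: a Python routine that overwrites a file standing in for a drive with the commonly cited three-pass pattern (all zeros, all ones, pseudo-random bytes), forces each pass onto the media with fsync, and reads the final pass back byte for byte. A device that fails the read-back is the case this policy routes to physical destruction. The function names, the 1 MiB sample file and its "CUSTOMER-RECORD-" content are constructed for the example; pointing it at a real block device additionally needs the device size obtained by seeking to the end rather than from os.path.getsize.

```python
import os
import random
import secrets
import tempfile

CHUNK = 64 * 1024  # bytes written or read per I/O call


def pattern_blocks(pattern, size, seed):
    """Yield the overwrite data for one pass over a device of `size` bytes.

    `pattern` is a byte value (0x00 or 0xFF) or None for pseudo-random data.
    Random data is regenerated from `seed` so the verification step can
    recompute exactly what was written; the seed is held only in memory.
    (random.Random.randbytes needs Python 3.9 or later.)
    """
    rng = random.Random(seed) if pattern is None else None
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        yield rng.randbytes(n) if rng else bytes([pattern]) * n
        remaining -= n


def wipe_and_verify(path, passes=3):
    """Overwrite every byte at `path` `passes` times, then read it back.

    Passes cycle through zeros, ones, then pseudo-random bytes. Returns True
    when the final pass reads back exactly as written, False otherwise.
    Assumption for this example: `path` is a regular file, so its size comes
    from os.path.getsize; a block device would need a seek to the end instead.
    """
    size = os.path.getsize(path)
    seed = secrets.randbits(64)
    patterns = [0x00, 0xFF, None]
    for i in range(passes):
        with open(path, "r+b") as dev:  # r+b: overwrite in place, no truncation
            for block in pattern_blocks(patterns[i % 3], size, seed):
                dev.write(block)
            dev.flush()
            os.fsync(dev.fileno())  # push this pass to the media before the next
    final = patterns[(passes - 1) % 3]
    with open(path, "rb") as dev:
        for expected in pattern_blocks(final, size, seed):
            if dev.read(len(expected)) != expected:
                return False
    return True


def demo(passes=3):
    """Constructed example: a 1 MiB file stands in for a customer hard drive.

    Returns (verified, residue_found): whether the wipe verified, and whether
    any of the original recognisable content is still readable afterwards.
    """
    marker = b"CUSTOMER-RECORD-"  # constructed stand-in for customer data
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * (1024 * 1024 // len(marker)))
        path = tmp.name
    try:
        verified = wipe_and_verify(path, passes)
        with open(path, "rb") as dev:
            residue = marker in dev.read()
        return verified, residue
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())  # (True, False) when the wipe succeeds
```

The verification step is the part worth keeping whatever tool does the writing: a wipe that was never read back is a wipe that was never checked, and a drive whose final pass does not read back as written is exactly the "faulty, cannot be erased" case the policy sends for physical destruction.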

Data Security Incident/Threat

In the unlikely event that REPC's data security procedures are not followed, or an incident or breach is identified that compromises the security of REPC's own data or information, or of data or information held by REPC on behalf of its clients or customers, REPC will respond immediately in line with the following procedure.

Emergency Incident Procedure

In the event of an emergency incident or security breach, it is the responsibility of all REPC staff, sub-contractors and agents acting on behalf of REPC Ltd to comply with REPC's emergency incident procedure, reporting any incident, threat of an incident, or near miss (an incident that almost happened but was averted) to the designated manager as soon as is safely possible:
• Members of staff discovering the incident, threat or breach must report it immediately to a member of REPC's senior management team and complete the incident report register.
• If the incident occurs off-site or during transit, contact must be made with a member of the senior management team by telephone immediately (ensuring it is safe to make a call; do not use the phone while driving).
• Affected operations or activities should be halted until it is deemed safe to restart.
• An investigation into how the incident or threat occurred shall be undertaken by a designated manager.
• An action plan, including communications with any customers or stakeholders affected by the breach, should be produced and its implementation commenced within 24 hours or as soon as is practically possible.
• A non-compliance incident report must be completed in the non-compliance register.
• Once the designated director is satisfied that the incident has been correctly categorised and resolved, or that a plan and controls are in place to resolve it, and the emergency, security breach or threat has been removed, authorisation from the designated manager must be given before affected operations can be reinstated.
• All incidents, emergencies and security breaches must be reported to REPC's management team and added to the relevant risk assessments as appropriate.

Summary of Security Breach/Threat Incident Procedure

• Security breach or threat identified
• Halt operations
• Report to designated manager
• Notify Emergency Incident Co-ordinator (EIC)
• Initial assessment undertaken by EIC
• Contain the damage and minimise the risk
• Convene Emergency Incident Management Team (EIMT)
• Identify the type and severity of the compromise
• Incident recovery plan produced
• Recommendations made to EIMT
• Notify external agencies if appropriate
• Formally record and add to non-compliance register
• Restart processes when safe to do so
• Assess incident damage and cost
• Review the recovery plan, update policies and train staff

Applicable to

This policy and its accompanying procedures must be followed at all times by REPC Ltd staff, volunteers, sub-contractors and agents acting on behalf of REPC Ltd when collecting, transporting, receiving, storing and processing equipment to, from and on REPC Ltd premises.

Compliance

• All relevant company policies and procedures, including Health and Safety, Privacy, Quality and Environmental, must also be followed, taking care not to cause injury to, or endanger, yourself or other REPC staff and agents.
• At all times staff must ensure that all equipment, and any data it may contain, is treated and handled carefully and securely in line with the policy and procedures outlined in this document and, where appropriate, in full view of the CCTV cameras.
• Under no circumstances should equipment or data be removed from the workshop once booked in, taken out of view of the CCTV cameras installed in the ground-floor and first-floor workshops, or left unattended.
• Failure to comply with this policy and related procedures may result in disciplinary action.
