RELEVANT DEFINITIONS IN THIS POLICY
| Statement | Meaning |
|---|---|
| availability | the capacity of information systems to be accessible and useable when required, and (ii) to be able to resist attacks and recover from failures |
| confidentiality | the principle of protecting information and preventing its disclosure to anybody other than those who have a right and need to know |
| information security management system (ISMS) | a systematic approach to managing sensitive organisational information so that it remains secure |
| information system | any of UBS corporate telecommunications and/or computer related equipment or interconnected system or subsystem of equipment that is used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of voice and/or data |
| integrity | a standard of performance that guarantees information is created, amended, or deleted only by the intended authorised means |
POLICY
- Information is an asset of UBS.
- Restricted Information used to support UBS operations and any confidential information must be securely stored.
- Information in electronic format is password and privilege protected.
- Hard copy documents are stored in a lockable cabinet, within a lockable room.
- Information will be used in a manner that protects the integrity of the data and the privacy of those associated with it.
- Confidential, sensitive, and proprietary information will be protected from corruption, loss, unauthorised access, and disclosure.
- UBS is developing procedures for the implementation of this policy that: ensure the availability of appropriate information and services to its employees, customers, and business partners.
- minimise the possibility of a threat to information security causing loss or damage to UBS, its staff, its customers, and business partners.
- minimise the extent of loss or damage from a security breach or exposure.
- provides for the safeguard of information when not held on UBS premises.
- All UBS staff and business partners who have access to UBS information systems will be informed of their responsibilities and obligations with respect to security.
- The principles of information security will be consistently and effectively applied during the planning and development of UBS activities.
- Compliance with this policy will be monitored on a regular basis.
PROCEDURE
Information Security Classification. Information is classified as:
- Restricted (Sensitive company information that must not to be divulged or discussed outside of the limited circulation or access provided)
- Company Confidential (Corporate data not to be divulged or passed to non-UBS employees or contractors without a Non-Disclosure Agreement (NDA) in place.)
- Private (Personal information relating to employment, health, Pay or specific individual arrangements
- Unrestricted (is available within the public domain)
Information Security Roles and Responsibilities
Information Owner
Information Owners will be senior business unit managers who have been given the authority to collect, create, retain, and maintain information and information systems within their assigned area of control. The Information Owner may delegate some operational responsibilities but will retain accountability and is required to:
- determine the value of the information within the information system.
- the statutory requirements regarding privacy and retention.
- assign an appropriate security classification as described above.
- assign custody of the information.
- authorise access to the Information
- communicate the control requirements to the custodian and users of the information.
Information Custodian
Information Custodians are those individuals who control information systems regardless of physical or logical location, storage medium, technology used, or the purpose(s) they serve.
- The information custodian will be responsible for the administration of controls as specified by the owner. This task will include:
- implementing physical and or technical controls.
- administering access to information.
- ensuring the availability of information by implementing appropriate recovery options based on the business criticality of the information in their possession, as per the disaster recovery or business continuity plan.
Information User
Employees are individuals who have been granted explicit authorisation by the relevant Information Owner to access, alter, destroy, or use information within an information system.
An Information User will be responsible for:
- using the information only for the purpose intended by the owner.
- complying with all controls established by the owner and custodian.
- ensuring that classified or sensitive information is not disclosed to anyone without permission of the owner
Network Security
Devices connected to the UBS communications network by any means must be protected and data secured by appropriate measures. The operating system software, device firmware, application software and other software:
- is protected with the latest security-related patches from the vendor, and
- will run up-to-date anti-virus software.
Every device connected to UBS network must be approved before installation. At a minimum, this information must contain names and contact information along with the hardware address of the device.
The fundamental concept of least privilege and default to deny must be applied to all devices connected to UBS network.
- Allowances must be the exception rather than the rule and must be based on a legitimate business or academic need.
- These exemptions must be negotiated with IT Services before they are or attempted to be implemented =.
UBS reserves the right to suspend access to preserve the availability and integrity of the network.
Reference Documents:
- AS/NZS 7799.2:2003: Information Security Management – Specification for
Information Security Management Systems - Privacy and Personal Information Protection Act 1998 No 133
- Health Records and Information Privacy Act 2002
- Australian Copyright Act 1968
- Copyright Amendment (Digital Agenda) Act 2000
- Protected Disclosures Act 1994