Summary

This article describes Connor Group's policies for the movement of data (transmission) between locations or systems. Unless a specific policy detail states otherwise, the transmission of data in this policy refers to the electronic movement of data over a network or the physical movement of data by any means, such as removable storage media.

Data transmission decisions and controls take into account whether the data is being moved between internal or external systems and whether those systems have been secured through standard encryption technologies, such as a VPN or TLS. The security classification of the data being transmitted is also taken into consideration.

Scope


This policy covers the transmission of data between:
    • Internal systems on internal networks
      • These are systems and networks that are fully managed by Connor Group, operate behind a network firewall device managed by Connor Group, and sit on a network where access is fully managed by Connor Group.
    • Connor Group-managed systems moving data on or across networks not managed by Connor Group
    • Special considerations for highly sensitive data such as PII or financial data

Responsibility

    • IT Engineering - establishment of infrastructure and controls
    • IT Support - monitoring by observation through daily interactions

Details

Internal Networks

All Connor Group internal networks shall be secured using modern business or enterprise class network equipment. The devices used for establishing internal networks shall be kept current with software and firmware updates on a schedule determined by IT management. IT management shall establish standards for deployment of vendor updates.

Intrasite network communication shall be secured using modern VPN technologies selected by IT management. Intrasite network communications encapsulated by VPN technology are secured internal transmissions.

It is considered acceptable to allow open (unencrypted or plain-text) transmission of private data within these secured internal intrasite and local site boundaries. However, as a best practice, private data should also be protected in transmission through standard forms of encryption whenever practical.

At no time shall privileged data be transmitted unencrypted on any network segment where it's conceivable that the plain contents of that data could be intercepted or subject to eavesdropping by any system or user.

External Networks

Aside from the transmission of data that would be classified as general common data under the standard for data classification, all data transmissions not isolated to secure internal networks shall be made over secured channels such as a VPN or via secured transport mechanisms such as TLS as determined by IT management. At no time shall private or privileged data be transmitted "in the clear" (unprotected by encryption).

The use of third-party VPN solutions with company resources is not permitted except in cases where a client provides the VPN solution and requires that it be used to access their data as a condition of the engagement.

Email Transmission

Emails containing sensitive or confidential information shall have the content of the message encrypted before transmission to parties outside the company. IT management shall determine which classifications of sensitive or confidential information encryption will be applied to. Encryption is not required for transmission of email between company users.

Administration

    • Effective from:
    • Policy owner:
    • Policy administrator:
    • Application: All policies and schedules of Connor Group
    • Version, File reference: 1.0, 1
    • Published externally:
    • Approved by and approval signature:

Carried over from Connor Group IT's Bookstack.