Exchange of Information and Software
Information and Software Exchange Agreements
Formal agreements will be put in place when information and/or software are to be exchanged between organisations. This policy is necessary to prevent loss, misuse or modification of CX Index’s information by establishing secure agreements that reflect the sensitivity of the business information involved in such an organisation-to-organisation exchange.
CX Index may seek guidance from an expert or in-house counsel in the area of intellectual property exchange, where appropriate.
The agreements shall cover:
- Responsibilities for controlling and notifying transmission, dispatch and receipt;
- Procedures for notifying sender, transmission, dispatch and receipt;
- Technical standards for packaging and transmission;
- Courier standards;
- Responsibilities and liabilities in case of loss of data;
- Agreed upon labelling system;
- Agreed upon standards for labelling;
- Legal responsibilities for copyright protection, ownership and data protection;
- Technical standards for reading and recording information and software; and
- Special controls for protecting sensitive items.
Agreements shall be formally enacted when the information to be exchanged is of a non-public classification.
The information owner shall be responsible for assuring that agreements are executed.
Security of Physical Media in Transit
The purpose of this policy is to prevent loss, modification, or issue of data that is being physically transported. CX Index will safeguard media or information commensurate with its data classification.
The Senior Management will provide a list of reliable, experienced couriers. Only these couriers shall be used unless the authorisation of the Senior Management is obtained.
All media in transit will be labelled accordingly and packed securely in accordance with the manufacturer’s specifications.
Sensitive information shall be protected from unauthorised access or modification by methods that include:
- Locked containers
- Hand delivery
- Tamper-evident containers
- Splitting the information into more than one package and more than one route
The System owner will approve the method for each transport of sensitive information.
Audit logs will be kept for each transport of sensitive media (a classification level of non-public) including:
- What was sent
- To whom it was sent
- Who sent it
- Dispatch time
- Arrival time
- Method of transport
- Special protections
- System owner’s approval
Security of Electronic Media in Transit
The purpose of this policy is to prevent loss, modification, or issue of data that is being electronically transported (i.e. email, fax, and file transfer). CX Index will safeguard media or information commensurate with its data classification.
Sensitive information shall be protected from unauthorised access or modification by methods that include:
- Use of digital signature and encryption.
- Secure use of facsimile equipment.
The System owner will approve the method for each transport of sensitive information.
Audit logs will be kept for each transport of sensitive media (a classification level of non-public) including:
- What was sent
- To whom it was sent
- Who sent it
- Dispatch time
- Arrival time
- Method of transport
- Special protections
- System owner’s approval
Other Forms of Information Exchange
The following policies govern the secure use of voice, facsimile or video equipment to protect the confidentiality of and access to information that is communicated through these media and to ensure the availability of resources.
CX Index staff shall not reveal sensitive information on the telephone (land or mobile):
- where it can be overheard by others
- when there is a threat of wiretap or other type of potential eavesdropping
- when others at the recipient’s end may be eavesdropping
- in public places or in open offices or offices having thin walls
CX Index staff shall not reveal sensitive information on answering machines that are shared, that can be accessed by others, or that could be the wrong voicemail box.
CX Index staff shall not send or receive sensitive or confidential messages on facsimile machines that store messages.
CX Index’s staff shall check that the phone number to which information is being sent is correct and verify that the information is received.
CX Index’s staff shall verify the recipient’s facsimile information with the recipient prior to sending confidential information. The confidential information shall not be sent until the recipient has stated that the information can be sent.
Access to business resources shall be controlled.
Production of Spam
CX Index will take care not to produce Unsolicited Commercial E-mail (otherwise known as spam) to be sent out to the Internet. Any commercial e-mail should be specifically targeted to recipients in accordance with applicable laws and regulations. If permitted mass e-mailings are to be made, the Senior Management will be consulted to determine the effects of these mailings on systems and the network, and appropriate mitigation efforts will be enacted (such as system, time of day, or network path restrictions).