Benefex information security schedule
DEFINITIONS APPLICABLE TO THIS SCHEDULE:
| Term | Definition |
|---|---|
| Benefex Personnel | all employees, staff, other workers, agents and consultants of Benefex; |
| Benefex Systems | the Benefex information technology infrastructure, services and applications used by Benefex customers in respect of OneHub; |
| Customer | the party that has signed a contract with Benefex (whether Benefex Limited or Benefex Financial Solutions Limited) for the provision of Benefex’s technology platforms or services (which may include OneHub, Benefex Gateway or broking, consultancy and administration services); |
| Customer Data | the data and information provided to Benefex by the Customer, the Employees or other third parties about Employees and their dependants, and the benefits which they have selected or which they receive at the direction of the Customer; |
| Good Industry Practice | the exercise of that degree of skill, care, prudence, efficiency, foresight and timeliness as can reasonably be expected from a skilled and experienced provider of products and services similar to those provided by Benefex; |
| Information Security Incident | an event (or chain of events) that compromises the confidentiality, integrity or availability of the Customer Data, or breaches the requirements of this Information Security Schedule; |
| Information Security Management Framework | the policies, procedures, standards and guidelines required to establish the level of information security within Benefex for compliance with its external certifications; |
| Information Security Risk Assessment | the performance of appropriate reviews in order to identify, analyse, evaluate and prioritise risks to the Benefex Systems; |
| Infrastructure Providers | third party providers of the Benefex Systems. |
1 INFORMATION SECURITY GOVERNANCE
1.1 Benefex shall:
1.1.1 document its Information Security Management Framework and ensure that it meets the standards and requirements of Good Industry Practice;
1.1.2 measure, review and document its compliance with the Information Security Management Framework at planned, regular intervals (at least annually);
1.1.3 treat information security as a critical business issue;
1.1.4 assign responsibility for information security management at Benefex to appropriately skilled and senior personnel only.
1.2 Benefex shall:
1.2.1 conduct Information Security Risk Assessments on a regular (at least annual) basis, following an Information Security Incident, and when there are changes (whether internal or external, including to risk profiles) that could impact the Benefex Systems and/or Customer Data, and devise and implement risk mitigation plans for the risks identified;
1.2.2 ensure that Information Security Risk Assessments assess:
(a) the impact of the Customer Data being disclosed to unauthorised individuals, accidentally corrupted or deliberately manipulated or becoming unavailable;
(b) the impact or degradation to the Benefex Systems;
(c) the impact to the security of the Benefex Systems and/or Benefex’s software development environment and/or the Customer Data;
(d) the need to carry out vulnerability and/or penetration testing to ensure the Benefex Systems remain secure.
1.3 Benefex shall:
1.3.1 perform regular (at least annual) security audits, using an external third party, to review its compliance with the Information Security Management Framework;
1.3.2 perform regular (at least annual) security audits, using its own internal audit team, to review its compliance with the Information Security Management Framework;
1.3.3 conduct and document corrective action plans as necessary to remediate findings identified during a third party or internal audit;
1.3.4 monitor the progress of the actions taken to resolve each security audit finding;
1.3.5 make available to the Customer, on request, a copy of the executive summary of each external audit report.
2 PORTABLE DEVICES
2.1 Benefex shall ensure that:
2.1.1 all portable devices provided by Benefex and used by Benefex Personnel which hold or have access to the Customer Data use an industry standard full disk encryption solution;
2.1.2 portable devices provided to Benefex Personnel are:
(a) provided with hardened configurations; kept patched; (where relevant) have properly configured malware protection installed and kept up to date; have access controls implemented; and allow remote disabling, erasure or lockout;
(b) configured to restrict the copying of information only to authorised portable storage devices that are protected with encryption and access restrictions, and Benefex shall ensure that any Customer Data that is copied is monitored to help detect or block unauthorised use of, access to or transfer of the Customer Data;
(c) protected by the use of approved and securely configured web browser software if the devices can be used to access the Internet.
2.2 Where the use of personal devices by Benefex Personnel is permitted, Benefex shall implement an appropriate acceptable use policy and appropriate security controls.
3 HUMAN RESOURCES SECURITY
3.1 Benefex shall:
3.1.1 carry out background security checks (including right to work; employment history and Disclosure and Barring Service (or equivalent) checks, in each case where permitted by applicable law and/or regulation) on all Benefex Personnel;
3.1.2 ensure that contractual agreements are in place with all Benefex Personnel that define their responsibilities for information security and require compliance with Benefex’s policies and procedures;
3.1.3 provide all Benefex Personnel with appropriate information security awareness education and training and regular updates on organisational policies and procedures, as relevant for their job function;
3.1.4 maintain a formal and communicated disciplinary process to take appropriate action against Benefex Personnel who have committed or caused an Information Security Incident.
4 ACCESS CONTROL
4.1 Benefex shall restrict access to the Benefex Systems under the direct control of Benefex and the Customer Data to authorised Benefex Personnel only, via secure log-on procedures, according to a documented process and enforced by automated access control mechanisms to ensure security logging and enforcement of password rules in accordance with Good Industry Practice.
4.2 Benefex shall ensure that:
4.2.1 each user is uniquely identified and given access appropriate to their role, and shall revoke access promptly when an individual user is no longer entitled to access;
4.2.2 procedures are established to verify the identity of a user prior to providing new, replacement or temporary secret authentication information;
4.2.3 each user shall have unique login credentials. A temporary password will be issued, and on first login the user will be forced to change the temporary password to that required by Good Industry Practice;
4.2.4 access is periodically reviewed for continuing business need;
4.2.5 access is subject to authorisation by the relevant system owner;
4.2.6 where technically possible the use of generic administration user IDs shall be avoided or changed to a non-administrative user ID. Where used, the confidentiality of secret authentication information shall be maintained when shared and communicated among privileged users through a formal management process;
4.2.7 the allocation and use of privileged access rights shall be restricted and subject to more stringent controls including monitoring, greater password complexity and more frequent re-certification;
4.2.8 privileged access rights shall be assigned using the same user ID but will have stronger password security and multifactor authentication.
5.1 Benefex shall implement an industry standard encryption solution when transmitting or electronically accessing Customer Data (in transit or at rest) via a communications network and maintain documented processes in accordance with Good Industry Practice for:
5.1.1 managing the lifecycle of cryptographic keys, including the responsibilities of cryptographic key owners;
5.1.2 key generation and distribution;
5.1.3 protection of cryptographic keys;
5.1.4 key renewal and deactivation;
5.1.5 key backup and recovery;
5.1.6 incident management requirements for loss or misuse of keys;
5.1.7 logging and auditing of key management related activities;
5.1.8 recovery of encrypted information in the case of lost, compromised or damaged keys.
5.2 Benefex shall review (at least annually) and assess cryptographic technology and algorithms it uses to ensure that they are still in accordance with Good Industry Practice.
6 PHYSICAL AND ENVIRONMENTAL SECURITY
6.1 Benefex shall:
6.1.1 implement (and require its Infrastructure Providers to implement) appropriate and effective physical security control processes and systems at the premises where the Benefex Systems are kept and which are under its (or their) control in accordance with Good Industry Practice;
6.1.2 situate or protect equipment to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access;
6.1.3 protect equipment from power failures and other disruptions caused by failures in the supporting utilities;
6.1.4 protect power and telecommunications cabling carrying data or supporting information services from interception, interference or damage;
6.1.5 verify that any Customer Data contained in storage media that is no longer required has been securely removed or overwritten prior to disposal or re-use of all items of equipment containing such storage media.
6.2 Benefex shall ensure that the Information Security Management Framework includes requirements for Benefex Personnel to store securely Customer Data to which they have access in the course of discharging their duties and to dispose securely of any printed documents in accordance with Good Industry Practice.
6.3 Benefex shall review (at least annually) its physical and environmental security and implement any necessary controls to mitigate identified risks.
7 CHANGE MANAGEMENT
7.1 Benefex shall, with respect to the Benefex Systems:
7.1.1 implement a documented change management process, which shall cover upgrades and modifications to application software; revisions to parameter tables and settings; modification of business information (e.g. data tables, files and databases); changes to user and operating procedures; emergency fixes; changes to computers and networks;
7.1.2 ensure that the change management process provides for the approval and testing of changes prior to their application to the ‘live environment’ to ensure that they are made correctly and securely and that they do not compromise security controls;
7.1.3 ensure that development, testing, and operational environments are separated to reduce the risks of unauthorised access or changes to the operational environment;
7.1.4 assess changes to the organisation, business processes, information processing facilities and systems so that effects on information security are controlled;
7.1.5 perform checks on a regular basis to confirm that no unauthorised changes have been made and that security has not been compromised.
8 MALWARE PROTECTION
8.1 Benefex shall:
8.1.1 ensure that where technically possible the Benefex Systems are protected by industry recognised anti-Malware controls that are properly configured and implemented and are kept current;
8.1.2 implement appropriate user awareness and ensure policies prohibit the use of unauthorised software and implement technical controls to enforce such policies;
8.1.3 ensure that there are documented incident management procedures for the Benefex Systems, supported by business continuity plans for recovering from Malware attacks, including all necessary data and software backup and recovery arrangements and availability of specialist technical support.
9 LOGGING AND MONITORING
9.1 Benefex shall:
9.1.1 maintain and protect audit logs recording user activities, exceptions and information security events within the Benefex Systems in accordance with Good Industry Practice;
9.1.2 review such logs on a regular basis and, on the identification of any Information Security Incidents or breaches of access rights, follow Benefex’s incident management process.
9.2 Benefex shall monitor the use of its resources (both traditional information technology infrastructure and cloud services) to make projections for future capacity requirements and so enable adequate system performance and availability.
10 MANAGEMENT OF TECHNICAL VULNERABILITIES
10.1 Benefex shall:
10.1.1 implement a process to manage technical vulnerabilities in the Benefex Systems;
10.1.2 risk-assess the exposure to such vulnerabilities and implement appropriate mitigation measures to address the associated risk, in a timely fashion;
10.1.3 implement the identified measures, following appropriate testing, prioritising highest risks first and using change management processes;
10.1.4 identify information resources that will be used to identify relevant technical vulnerabilities;
10.1.5 regularly monitor and evaluate the technical vulnerability management process to ensure its effectiveness and efficiency.
11 COMMUNICATIONS SECURITY
11.1 Benefex shall:
11.1.1 manage and control networks to protect the Benefex Systems under the direct control of Benefex and the Customer Data, ensuring network traffic is routed through securely configured, managed and monitored firewalls;
11.1.2 where relevant, provide clear instruction to Infrastructure Providers to ensure network traffic is routed through securely configured, managed and monitored firewalls;
11.1.3 apply appropriate logging, monitoring and alerting to enable recording and detection of actions that may affect, or are relevant to, information security;
11.1.4 establish responsibilities and procedures for the management of networking equipment;
11.1.5 configure (and shall require Infrastructure Providers to configure) network devices (including routers, switches and firewalls) under its direct control to prevent unauthorised or incorrect updates and to harden the devices against compromise;
11.1.6 restrict access (and require Infrastructure Providers to restrict access) to the Benefex Systems to those devices that meet the following minimum security requirements: devices must (i) be authorised; (ii) run up-to-date malware protection; (iii) have the latest systems and software patches installed; (iv) use a VPN for remote connectivity; (v) where appropriate, use two factor authentication and (vi) where appropriate, have a correctly configured personal firewall;
11.1.7 enforce authorisation of wireless access from approved locations; enforce user authentication and encrypt all the Customer Data being transmitted across the wireless network.
12 SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE
12.1 With respect to the Benefex Systems:
12.1.1 Benefex shall ensure that business applications are protected against unauthorised access and disclosure by hardening the operating system; providing ‘defence in depth’; employing secure defaults; ensuring key components ‘fail securely’; running with ‘least privilege’; enforcing separation of privilege; altering default vendor secret authentication information following installation of systems or software;
12.1.2 where the Services and/or the Benefex Systems rely upon any desktop application these shall be identified, inventoried and appropriate risk based controls implemented;
12.1.3 access to program source code shall be restricted; the program source code and the program source libraries shall be managed according to established procedures and Benefex Personnel shall not have unrestricted access to program source libraries;
12.1.4 the use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
13 WEBSITE SECURITY
13.1 Where browser-based applications or websites form part of the Benefex Systems, Benefex shall:
13.1.1 ensure that configuration files and website content are protected against corruption or disclosure;
13.1.2 protect web application sessions against hijacking or cloning by ensuring that session IDs cannot be easily predicted, configuring the security parameters in ‘cookies’ used to hold session information and encrypting network traffic between the web browser and the web server.
14 SOFTWARE DEVELOPMENT AND TESTING
14.1 With respect to the Benefex Systems, Benefex shall:
14.1.1 use a documented Secure Software Development Lifecycle (“SSDLC”) that ensures that security requirements are identified and solutions designed, developed, tested and released only by Benefex Personnel trained in secure development best practices;
14.1.2 carry out assessment and modelling of threats to the system (adversarial and accidental) to enable the application to be designed and built to mitigate any known vulnerabilities that could be exploited by these threats;
14.1.3 establish and appropriately protect secure development environments with physical and logical access controls, segregation of duties and separate development, test and live environments;
14.1.4 protect information and application source code against unauthorised access and modification by: (i) ensuring that changes to program source libraries are appropriately authorised; and (ii) subject to strict change control procedures, holding program listings in a secure environment;
14.1.5 ensure that developed code is peer reviewed and tested prior to release to determine the effectiveness of security controls;
14.1.6 maintain an audit log of all access to program source libraries;
14.1.7 implement change and configuration management controls to application source code within development, test and operational environments with appropriate release processes;
14.1.8 not use the Customer Data in the testing process unless authorised by the Customer in writing and subject to agreed controls being implemented.
15 SUPPLY CHAIN MANAGEMENT
15.1 Benefex shall ensure that all Infrastructure Providers are capable of providing security controls in accordance with the Information Security Management Framework.
15.2 Benefex shall have a documented process for:
15.2.1 risk-assessing each Infrastructure Provider to evaluate the level of compliance with Benefex’s security controls requirements;
15.2.2 effecting the termination of arrangements with Infrastructure Providers.
15.3 Benefex shall have an appropriate contractual arrangement with each Infrastructure Provider which includes the right for Benefex to conduct a security assessment to evaluate the Infrastructure Provider’s compliance with the Information Security Management Framework.
16 INFORMATION SECURITY INCIDENT MANAGEMENT
16.1 Benefex shall:
16.1.1 implement an Information Security Incident management process to ensure that all potential and actual Information Security Incidents that affect the Customer Data and/or the Benefex Systems are responded to in a quick, effective and orderly manner;
16.1.2 notify the Customer of an Information Security Incident which affects the Customer Data in accordance with the terms of the agreement signed by the Customer;
16.1.3 notify the Customer without undue delay of an Information Security Incident which affects the Customer Data or the Customer’s confidential information (as defined in the agreement signed by the Customer), and provide a report identifying all relevant information about the Information Security Incident including:
(a) the date and time of detection of the Information Security Incident;
(b) the nature and type of the Information Security Incident;
(c) the actual or potential scale of the Information Security Incident;
(d) the confidential information or Customer Data impacted;
(e) any actual or potential containment and/or remediation actions planned or undertaken;
(f) details of any authorities that have been contacted;
(g) whether details of the Information Security Incident have become public knowledge.
17 PENETRATION TESTING
17.1 The Customer may request to conduct its own penetration test, providing at least one calendar month’s notice and supplying the scope, the date of the test, details of the service tester and the associated IP addresses.
17.2 Any penetration tests shall be undertaken using the User Acceptance Testing (UAT) platform only.
17.3 Benefex shall take into consideration any penetration test findings and will either remediate or provide mitigation based on the Customer’s findings.
17.4 Benefex shall undertake penetration testing of the IT infrastructure and associated customer applications at least twice per annum at its own cost, and will make the executive report and any corrective action reports available to the Customer on request. On receipt of the third-party penetration report, Benefex shall:
(a) evaluate the findings and devise a remediation plan for the Benefex Systems and take steps to mitigate any vulnerabilities found by the penetration testing in a timely manner;
(b) carry out the actions identified in the remediation plan in accordance with such plan and re-test post remediation any critical or high findings; all medium findings will be retested at the next 6-monthly third party penetration test.
18 BUSINESS CONTINUITY MANAGEMENT
18.1 Benefex shall establish, document, implement and maintain its business continuity plan and ensure that it meets the standards and requirements of Good Industry Practice.
18.2 Benefex shall review and update its business continuity plan on a regular (at least annual) basis and when significant changes are made to the Benefex Systems, to verify that the required business continuity controls are valid and effective.