urbanerecycling.com - e-waste recycling and data destruction - logo

Last Updated: 12/14/2021

Created By: Dellinda Rabinowitz

 

What is This Policy?

 

This Data Security Policy outlines behaviors expected of employees when dealing with data and provides a classification of the types of data with which you should be concerned.

 

Key Takeaways

 

 

Overview, Purpose, and Scope

 

Effective security is a team effort, which means everybody at Urban E Recycling has a crucial role to play. This policy outlines behaviors expected of employees when dealing with data and provides a classification of the types of data with which you should be concerned.

This Data Security Policy applies to everyone who works for Urban E Recycling, including our employees, contractors, and third parties who have access to any Urban E Recycling data.

 

Roles & Responsibilities

 

It is the responsibility of every employee to know these guidelines and to conduct their activities accordingly. Urban E Recycling management reviews and approves this policy, but if you identify an issue you should bring it to the attention of your manager.

 

Requirements

Data Classification

 

At Urban E Recycling we have access to different types of information. Some of it is more sensitive and needs special protection; this could be due to a law or industry regulation, or the information could have some business value.

We use the levels of data classification in the table below to determine how sensitive information is and what protection mechanisms are required. It is the responsibility of the system owner, data owner, and any custodians to ensure any data and systems are properly classified.

Level Definition & Examples Dos & Don’ts
Public Information may be shared with anyone.

e.g. Information on company website such as HQ address, published financial statements, marketing materials.

Do: Share it!

Don’t: Assume information is public unless you can verify it

Internal Information may be shared only internally or with external parties under an NDA; may require a valid need to know.

e.g. Company directory, company policies, unpublished financial statements, business plans

Do: Verify a user’s need to know (e.g. job function) before sharing. Check with your manager if you’re unsure. Use secure sharing methods, e.g. encrypted cloud storage.

Don’t: Share outside the company without verifying an NDA is signed. Send without encrypting.

Restricted Access is tightly restricted; only users with a verified need to know are allowed access.

e.g. HR data, Customer-provided data, Personally Identifiable Information, PCI data

Do: Implement tight access controls and encryption. Use extra diligence, such as formal access requests and approvals.

Don’t: Share this information.

 

Data Handling

 

Urban E Recycling data requires protection in accordance with its classification label. Once data has been classified, the owner and/or custodian must ensure that appropriate safeguards are in place.

 

Minimum Standards for Protection

 

The table below details appropriate protection required for data, based on classification:

Classification Minimum Protection Required Primary Focus
Public – adequate backup and restoration capability

– measures to prevent unauthorized changes to data after it is published by Urban E Recycling

Data Availability, Integrity
Internal – manual encryption

– manual measures to prevent unauthorized changes (e.g. manual public key cryptography, auditing)

Data Confidentiality, Integrity
Restricted – systematic enforcement of encryption

– systematic enforcement of measures to prevent unauthorized changes

Data Confidentiality, Integrity

Appropriate Use for Intended Purpose

 

Data in use at Urban E Recycling may be highly sensitive, and is only to be used for its intended, management-approved purpose. All data collected must have a defined purpose (e.g. to support the service we provide to our customers, for regulatory compliance, etc.). Any use of this data must be in support of that defined purpose. Use for any other purpose, including personal snooping, unauthorized sharing with business partners, or other uses is prohibited.

 

Asset End of Life and Disposal

 

Data present on any assets must be handled appropriately when the asset reaches the end of its useful life. Data destruction must follow an approved method (see Backup & Retention Policy, Destruction Procedures), based on the classification of the data and the type of asset being disposed of.

Assets which require special handling include but are not limited to: removable optical media (CD/DVDs), USB thumb drives, smartphones, tablets, and cloud storage services. Devices containing hard disk drives (HDDs) and solid state drives (SSDs) must also be handled appropriately, including servers, workstations, laptops, printers, network devices, and cloud applications.

 

Physical Security

 

All Urban E Recycling-owned resources must have identified Resource Custodians, who are responsible for securing their resources from unauthorized physical access. Resources can include facilities, computing systems, or devices such as laptops or tablets. The following physical security requirements must be met for all resources:

 

Encryption

 

Urban E Recycling information requires protection, to ensure both confidentiality and integrity when data is stored or transmitted. Appropriate encryption should be used to protect all data classified Internal or Restricted; additional protection methods should also be used to provide layered security.

 

Encryption at Rest

 

Data should be encrypted at all times, where feasible, when stored on any medium. This includes removable storage such as USB drives, portable devices including laptops and tablets, and production environments such as servers or cloud hosting.

 

Encryption in Transit

 

All data in transit across untrusted networks must be encrypted, e.g. when transmitted across the internet. Data in transit across trusted networks should be encrypted. Data in transit may be encrypted via one or both of the following two methods:

 

When encryption is used, it must follow industry best practices, as well as any applicable laws and regulations. Guidance for acceptable encryption algorithms can be found in FIPS 140-2 and ISO/IEC 19790:2012; if there is a doubt regarding requirements, seek guidance from Urban E Recycling management.

Cryptographic keys are considered Restricted data under Urban E Recycling’s data classification scheme, and therefore require additional protection. These should ideally be generated, stored, managed, and destroyed using a key management system; if manual procedures are used they should be documented and audited regularly.

 

Mobile Devices

 

Urban E Recycling’s mobile devices are at increased risk due to their portability – it is much easier for them to be lost or stolen. It is therefore essential that such devices be considered especially when implementing protections.

A mobile device is any computing device capable of storing Urban E Recycling data which is inherently portable. Examples include laptops, smartphones, tablets, USB drives, portable hard drives, smartwatches, etc.

 

Minimum Security Capabilities

 

Portable devices must meet the following security capabilities in order to be used for storing, processing, or transmitting Urban E Recycling data:

 

Use of Untrusted Networks

 

Mobile devices which support network connectivity must support encryption in line with the Encryption in Transit requirements of this policy, especially when connecting to untrusted or public networks. Acceptable security on untrusted networks includes secure protocols such as HTTPS and TLS, a Urban E Recycling-managed VPN, or the like.

 

Enforcement

 

Any exceptions to this policy must be approved by senior management in writing.

Any user found to have violated this policy will be subject to disciplinary actions, up to and including termination of employment.

 

Exceptions

 

Any exception to this policy must be approved in writing by management. Such exceptions will only be granted when there is a legitimate business need and adequate compensating controls exist to reduce the risk of the policy exception.

 

 

Skip to content