Information Security Response Workbook

<Tender Procedure Title>


Instructions for Completion
Mandatory Completion Instructions
Please complete ONLY the tab indicated in the corresponding Pre-Qualifying Questionnaire
Please DO NOT include any embedded attachments in this workbook

General Advice
Please respond to all questions and include any documents to evidence your responses with your completed questionnaire.
Please enter your responses into the column marked 'Response' (note: other cells will be locked)
Please review the tab "UoW Standards and Best Practice" to aid completion; it indicates the University's expectation for each question
Notes:
Completion of the following sections relating to information security and business continuity is required for tenders where non-personal or non-sensitive data is being collected, processed or stored.
Non-personal or non-sensitive data refers to data which neither a) relates to individuals nor b) is commercially sensitive. Aligned with ICO guidance, this covers electronic and hardcopy information.

Question Response
1. Technical Requirements
a. Define what password strength policy is
b. How often are the servers patched
c. What encryption is used to secure username / password login
2. Data Protection/Information Security
a. What information security and audit measures have been implemented to secure access to, and limit use of information within your organisation
b. What physical security arrangements are in place where this data is to be processed and stored
c. What audit logs for access and deletion of data are available
d. How long are audit logs kept for
e. What data erasure /data retention policies and procedures are in place
3. Business Continuity
a. What continuity plans are in place to cover loss of staff resource and expertise
b. What continuity plans are in place in the event of loss of or severe disruption to premises
c. When was the business continuity/disaster recovery plan last tested
d. What data back-up procedure is in place
e. What are the recovery timescales
Notes:
Completion of the following sections relating to information security and business continuity is required for tenders where personal data is being collected, processed or stored.
Personal data refers to data which relate to a living person who can be identified from the data, or from the data and other information in the possession of, or likely to come into the possession of, the party holding the data. Aligned with ICO guidance, this covers electronic and hardcopy information.

Question Response
1. Technical Requirements
a. Encryption
i. What encryption standards are used when storing data at rest
ii. What encryption standards are used for data in transit
iii. Is data ever stored in an unencrypted form
b. Password Policy
i. Define what password strength policy is
ii. What encryption is used to secure username / password login
c. Server Management
i. How often are servers penetration tested
ii. How often are the servers patched
iii. What is the firewall policy (specify all open ports)
iv. What Intrusion Detection devices are in use
d. Antivirus
i. What Antivirus solution is in place
ii. How often are the antivirus signatures updated
2. Data Protection/Information Security
a. Data Protection Act
i. Please confirm that your organisation has Data Protection Registration to cover the purposes of analysis and for the classes of data requested
ii. Please describe the content of any Data Protection training provided to your staff; how regularly it is provided and updated, and to whom it is provided
iii. Who is the Data Protection Officer or Caldicott Guardian (if NHS)
b. Data Audit and Access Control
i. What audit logs for access and deletion of data are available
ii. How long are audit logs kept for
iii. What data erasure /data retention policies and procedures are in place
iv. What information security and audit measures have been implemented to secure access to, and limit use of information within your organisation
c. Data Security
i. What physical security arrangements are in place where this data is to be processed and stored
ii. What user privilege control is in place
iii. What information is shared regarding data breaches and near misses
iv. What procedures are in place for investigating security breaches
3. Business Continuity
a. What continuity plans are in place to cover loss of staff resource and expertise
b. What continuity plans are in place in the event of loss of or severe disruption to premises
c. When was the business continuity/disaster recovery plan last tested
d. What data back-up procedure and back-up encryption are in place
e. What are the recovery timescales
Notes:
Completion of the following sections relating to information security and business continuity is required for tenders where sensitive data is being collected, processed or stored.
Sensitive data refers to data which relate to a living person who can be identified from the data, or from the data and other information in the possession of, or likely to come into the possession of, the party holding the data, and which consists of information relating to the following:
a) racial/ethnic origin
b) political beliefs, affiliations with trade unions
c) religious beliefs
d) medical history
e) sexual life
f) commission/alleged commission of any offence, including any proceedings relating to offences (alleged or otherwise)
g) financial details (i.e. card details) when coupled with other personal data (compliance with PCI DSS requirements should be evidenced in the case of payment systems)
Aligned with ICO guidance, this covers electronic and hardcopy information.
N.B. the University of Warwick regards commercially sensitive information as ICO-defined sensitive information for the purposes of data management.
Question Response
1. Technical Requirements
a. Encryption
i. What encryption standards are used when storing data at rest
ii. What encryption standards are used for data in transit
iii. Is data ever stored in an unencrypted form
b. Password Policy
i. Define what password strength policy is
ii. What encryption is used to secure username / password login
c. Server and Network Management
i. How often are servers penetration tested
ii. How often are the servers patched
iii. What is the firewall policy (specify all open ports)
iv. What Intrusion Detection devices are in use
v. How are network and virtual machines segregated
d. Antivirus
i. What Antivirus solution is in place
ii. How often are the antivirus signatures updated
2. Data Protection/Information Security
a. Data Protection Act
i. Please confirm that your organisation has Data Protection Registration to cover the purposes of analysis and for the classes of data requested
ii. Please describe the content of any Data Protection training provided to your staff; how regularly it is provided and updated, and to whom it is provided
iii. Who is the Data Protection Officer or Caldicott Guardian (if NHS)
b. Data Audit and Access Control
i. What audit logs for access and deletion of data are available
ii. How long are audit logs kept for
iii. What data erasure /data retention policies and procedures are in place
iv. What information security and audit measures have been implemented to secure access to, and limit use of information within your organisation
c. Data Security
i. What physical security arrangements are in place where this data is to be processed and stored
ii. What user privilege control is in place
iii. What information is shared regarding data breaches and near misses
iv. What procedures are in place for investigating security breaches
3. Business Continuity
UOW STANDARDS AND BEST PRACTICE

Question University of Warwick Preferred Standard or Best Practice

Please note that where a specific standard, protocol or manufacturer programme is referenced below, the University will con
responsibility of the Participating Supplier to demonstrate the equivalence. Should this equivalence not be satisfactorily dem
accordingly and may result in a sub satisfactory score.

1. Technical Requirements
a. Encryption
i. What encryption standards are used when storing data at rest
   UoW standard: AES256, PGP, FIPS 140-2 (desirable for personal data, essential for sensitive data)
ii. What encryption standards are used for data in transit
   UoW standard: AES256, SMIME, SCP, SSL (essential for personal and sensitive data)
iii. Is data ever stored in an unencrypted form
   UoW standard: No
b. Password Policy
i. Define what password strength policy is
   UoW standard: minimum 8 characters; upper case, lower case and special characters are mandatory
ii. What encryption is used to secure username / password login
   UoW standard: https (128bit), ssh, AES256
c. Server and Network Management
i. How often are servers penetration tested
   UoW standard: Annually, every 6 months
ii. How often are the servers patched
   UoW standard: Monthly
iii. What is the firewall policy (specify all open ports)
   UoW standard: Default deny, only essential ports open
iv. What Intrusion Detection devices are in use
   UoW standard: SNORT, Cisco, Juniper
v. How are network and virtual machines segregated
   UoW standard: VLANs, VM isolation
d. Antivirus
i. What Antivirus solution is in place
   UoW standard: Symantec, Kaspersky
ii. How often are the antivirus signatures updated
   UoW standard: Hourly, daily
2. Data Protection/Information Security
a. Data Protection Act
i. Please confirm that your organisation has Data Protection Registration to cover the purposes of analysis and for the classes of data requested
   UoW standard: Should be confirmed by all suppliers and contractors
ii. Please describe the content of any Data Protection training provided to your staff; how regularly it is provided and updated, and to whom it is provided
   UoW standard: Details of regular training (face to face, best practice guidelines for staff, clear procedures)
iii. Who is the Data Protection Officer or Caldicott Guardian (if NHS)
   UoW standard: Named contact
b. Data Audit and Access Control
i. What audit logs for access and deletion of data are available
   UoW standard: All access is logged
ii. How long are audit logs kept for
   UoW standard: Logs are kept for 6 months
iii. What data erasure /data retention policies and procedures are in place
   UoW standard: Would expect to see mention of cross shredding and confidential waste process for paper records, shredding of DVD
   with a suitable software tool, sufficient protection of media which cannot be wiped initially. Financial data should be wiped to P
iv. What information security and audit measures have been implemented to secure access to, and limit use of information within your organisation
   UoW standard: Information Security Policy, training and guidance for staff, procedures and specific technology used, ISO27001 (preferred indu
c. Data Security
i. What physical security arrangements are in place where this data is to be processed and stored
   UoW standard: access to site, requiring authorised key or card entry audit logs available for when entry / exit has occurred. Key or card acces
   physical site.
ii. What user privilege control is in place
   UoW standard: Least privilege principle is in place
iii. What information is shared regarding data breaches and near misses
   UoW standard: The University should be informed of any data breaches and near misses and clear processes should be in place to prevent and
iv. What procedures are in place for investigating security breaches
   UoW standard: internal investigation team, outsourced to third party
3. Business Continuity
a. What continuity plans are in place to cover loss of staff resource and expertise
   UoW standard: Staff cover plans and details of impact on service delivery.
b. What continuity plans are in place in the event of loss of or severe disruption to premises
   UoW standard: Identification of alternative premises, defined timescales for recovery.
c. When was the business continuity/disaster recovery plan last tested
   UoW standard: Some form of annual testing would be preferred (either desktop or real life test)
d. What data back-up procedure and back-up encryption are in place
   UoW standard: Nightly backups taken, stored off site, encryption - AES256, PGP
e. What are the recovery timescales
   UoW standard: The acceptability of the stated recovery timescales would depend on the needs of the user and should be determined by user g
4. Additional Data Protection Terms
a. Physically, where is the data kept? Is it ever located outside of the UK / EU? - INFORMATION ONLY
   UoW standard: Require confirmation of where all data (including primary and back up data) is hosted, stored, processed, used or disposed of
b. Please complete appropriate section of Add'l Data Protection Terms Tab - MANDATORY
   UoW standard: Require signature of appropriate Additional Data Protection Terms and Conditions (see tab) depending on physical location of d
Additional Data Protection Terms and Conditions

In respect of UoW Standards and Best Practice response to Question 4


Please respond to A, B or C as appropriate

A.) Where A Supplier Hosts And / Or Supports Software And Acts As A Data Processor Within UK And EU Jurisdiction:

"[Supplier Name] shall undertake that [Supplier Name] will at all times comply with all applicable laws, regulations, regulatory requirements and codes of practice in connection with any data processing obligations or requirements under the terms of the University's agreement, including without limitation complying with all the provisions of the UK Data Protection Act 1998 and any regulations or instruments thereunder and of Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (together the Data Protection Laws), and shall not do or cause or permit to be done anything which may cause or otherwise result in a breach by the University of Warwick of the same."

Supplier Name:
Signed:
Printed Name:
Position:

If outside of UK jurisdiction but within EU jurisdiction, please demonstrate compliant equivalence to UK Data Protection Laws.

IF SECTION A IS NOT APPLICABLE, SECTION B MUST BE COMPLETED. SECTION C ALSO TO BE COMPLETED WHERE APPLICABLE

B.) Where The Supplier Hosts And / Or Supports Software And Acts As A Data Processor Outside Of EU Jurisdiction And Outside Of United States Of America Jurisdiction:

Where the supplier seeks to take data offshore and outside of the EC, the Directive requires that such party agree to the model form agreement (Commission Decision of 27th December 2004 including Standard Contractual Clauses for the Transfer of Personal Data from the Community to Third Countries).

Supplier Name:
Signed:
Printed Name:
Position:

C.) Where The Supplier Hosts And / Or Supports Software And Acts As A Data Processor Outside Of EU Jurisdiction, But Within United States Of America Jurisdiction:

If the supplier does comply with safe harbour provisions then they will be required to agree the following with the University

[Supplier Name] abides by the safe harbour framework as set forth by the US Department of Commerce regarding the collection, use and retention of data from the European Union. Where there is a technical or operational reason, and only for so long as it cannot be reasonably dealt with in the EU and necessitates the transfer of personal data originating from the University of Warwick outside of the EU, [Supplier Name] may temporarily process such data, returning it to the EU with all copies as soon as is reasonably practicable. [Supplier Name] confirms and acknowledges to the University of Warwick that it shall at all times process personal data in accordance with the Data Protection Act 1998 (the Act), solely for the purposes of providing the Research Grant Administration and Workflow Management System and any associated services and / or software, in the manner specified from time to time by the University of Warwick in writing, and for no other purpose or in any manner except with the express prior written consent of the University of Warwick.

Supplier Name:
Signed:
Printed Name:
Position:

In the event that your organisation already complies with Safe Harbour provisions, please provide evidence to this effect in the form of certification and registration number.
