INFORMATION SYSTEMS POLICY
Yellowbus is committed to protecting information assets in accordance with applicable legal, regulatory, contractual and compliance requirements. Yellowbus is dedicated to collecting, handling, storing and disposing of sensitive information properly and securely. The Information Security Policy ensures the following controls are in place:
- Authority & Access Control
- Access to information shall be restricted to authorized users who have a business need to access the required information.
- Authorization for access to restricted information must be granted by the Chief Information Security Officer.
- System access/ Operating system access logs: Notes both successful and unsuccessful log on attempts.
- Access violations reporting: Yellowbus maintains a process for providing reports of invalid log on attempts upon request.
- Classification of Data
- The company shall implement appropriate information classification controls, based upon the results of formal risk assessment and guidance from standards
- Data support and Operations
- All systems hosting personal information including data collected from customers should be protected in alignment with the company’s corporate standards and industry best practice. The systems operate:
- Up to date anti-malware protection
- A firewall
- Encryption
- Be appropriately patched
- All systems hosting personal information including data collected from customers should be protected in alignment with the company’s corporate standards and industry best practice. The systems operate:
- Backup storage
- Backups of data will be encrypted in line with the industry best practices and hosted in an arear of physical security to protect against loss of in scope data. Backup data will be stored in a computer data center and a single office that is locked when unattended.
- Data transfer
- Any information being transferred on a portable company provided device, mass storage device or laptop outside the company or across a public network must be encrypted in line with industry best practices and applicable with legal regulations.
- Security Awareness
- Information security awareness shall be included in the staff induction process.
- An ongoing awareness program shall be established and maintained ensuring the staff awareness is refreshed and updated as necessary.
