Introduction
In its everyday business operations Fiber Group Sh.p.k. collects and stores data of many types and in a variety of different formats. The relative importance and sensitivity of this data also varies.
It is important that this data is protected from loss, destruction, falsification, unauthorized access and unauthorized release, and a range of controls is used to ensure this, including backups, access control and encryption.
The Fiber Group Data Security Standards are based on the internal company standard but also reflect client compliance requirements, including PCI DSS, SOC 2 Type 2 and GDPR. Within that context it is strictly forbidden to store certain types of data within Fiber Group Sh.p.k.'s systems. This policy identifies that data.
Fiber Group Sh.p.k. also has a responsibility to ensure that it complies with all relevant legal, regulatory and contractual requirements in the collection, storage, retrieval and destruction of data.
This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Fiber Group Sh.p.k. systems.
The following policies are relevant to this document:
- Information Security Policy
- Cryptographic Policy
- Physical Security Policy (Retention information)
1. Data Retention and Protection Policy
This policy begins by establishing the main principles that must be adopted when considering data retention and protection. It then sets out the types of data held by Fiber Group Shpk and their
1.1 General Principles
There are a number of key general principles that must be adopted when considering data retention and protection policy. These are:
- Data must be held in compliance with all applicable legal, regulatory and contractual requirements
- Data must not be held for any longer than required
- The protection of data in terms of its sensitivity, confidentiality, integrity and availability must be in accordance with its security classification
- Data must remain retrievable in line with business requirements at all times
1.2 Data Types and Guidelines
In order to assist with the definition of guidelines for data retention and protection, data held by Fiber Group Sh.p.k. are grouped into the categories listed in Table 1. For each of these categories, the required or recommended retention period and allowable storage media are also given, together with a reason for the recommendation or requirement.
Note that these are guidelines only and there may be specific circumstances where data needs to be kept for a longer or shorter period of time. This should be decided on a case by case basis as part of the design of the information security elements of new or significantly changed processes and services.
1.3 Internet Account Management, Security and Monitoring
- Storage of physical records
Paper records (i.e., non-electronic records) must be stored in such a way that they are both sufficiently accessible and safeguarded against environmental damage. For example, an active contract may be stored on ordinary paper in a file cabinet in an office. Restricted data must be stored locked up. However, for permanent storage, that contract may require specialized environmental controls over temperature and humidity. Vital records needed for disaster recovery may need to be stored in a disaster-resistant safe or vault to protect against fire, flood, earthquakes, tornado, etc.
- Circulating physical records
Circulation refers to the cycle of retrieving a physical record, tracking it while it is checked out from storage, and then returning it. At its simplest, circulation is handled by manual methods such as writing down who has a particular record or document and when they should return it. However, a computerized records management system may provide better efficiency and accuracy in tracking circulating records.
- Electronic Records
Unlike physical records, management of electronic (i.e., digital) records requires a computer, server or other digital storage equipment. Particular concerns exist about digital preservation: the ability to retain electronic records and still be able to access and read them over time as technologies change. With electronic records, technical expertise is needed to ensure that the content, context and structure of records are preserved and protected. Generally, information kept on servers or in the cloud (e.g. Google Sheets, Google Docs, etc.) must follow the least privilege principle, which states that a subject should be given only those privileges needed to complete its task.
1.4 Use of Cryptography
Where appropriate to the classification of information and the storage medium, cryptographic techniques will be used to ensure the confidentiality and integrity of the data.
Care must be taken to ensure that encryption keys used to encrypt data are securely stored for the life of the relevant data and comply with the organization’s policy on cryptography (see Cryptographic Policy).
Table 1: Data categories, retention periods and allowable storage media

| Data Category | Description | Retention Period | Reason for Retention Period | Allowable Storage Media |
| --- | --- | --- | --- | --- |
| Accounting | Invoices, purchase orders, accounts and other historical financial records | 5 years from the end of the fiscal year in which they are issued | Current tax legislation | Electronic/Paper |
| Budgeting and Forecasting | Forward-looking financial estimates and plans | 10 years | Current tax legislation | Electronic/Paper |
| Audit Logs | Security logs, e.g. records of logon/logoff and permission changes | 6 months | Data protection requirement; Law for the prevention of money laundering and financing of terrorism | Electronic/Paper |
| Operational Procedures | Records associated with the completion of operational procedures | Permanent | Maximum period of time elapsed regarding dispute | Electronic/Paper |
| Customer | Customer names, addresses, order history, credit card and bank details | 5 years after the termination of the relationship | Data protection requirement | Electronic/Paper |
| Supplier | Supplier names, addresses, company details | 5 years after end of supply | Maximum period within which dispute might occur | Electronic/Paper |
| Human resources | Employee names, addresses, bank details, tax codes, employment history, CV | 12 months from the date of receipt of the communication by the employer | Employment law | Electronic/Paper |
| Contractual | Legal contracts, terms and conditions, leases | 10 years after contract end | Maximum period within which dispute might occur | Electronic/Paper |
1.5 Media Selection
The choice of long-term storage media must consider the physical characteristics of the medium and the length of time it will be in use.
Where data are legally (or practically) required to be stored on paper, adequate precautions must be taken to ensure that environmental conditions remain suitable for the type of paper used. Where possible, backup copies of such data should be taken by methods such as scanning or microfiche. Regular checks must be made to assess the rate of deterioration of the paper and action taken to preserve the data if required.
For data stored on electronic media such as tape, similar precautions must be taken to ensure the longevity of the materials, including correct storage and copying onto more robust media if necessary. The ability to read the contents of the particular tape (or other similar media) format must be maintained by the keeping of a device capable of processing it. If this is impractical an external third party may be employed to convert the media onto an alternative format.
1.6 Data Retrieval
There is little point in retaining data if they are not able to be accessed in line with business or legal requirements. The choice and maintenance of data storage facilities must ensure that data can be retrieved in a usable format within an acceptable period of time. An appropriate balance should be struck between the cost of storage and the speed of retrieval so that the most likely circumstances are adequately catered for.
1.7 Data Destruction
Once data have reached the end of their life according to the defined policy, they must be securely destroyed in a manner that ensures that they can no longer be used.
Depending on the data type to be destroyed, industry-certified disposal companies shall be used and a record of safe disposal in the form of a certificate will be obtained.
Our company has a data cancellation policy under which the activities of eliminating sensitive information and personal data (e.g. paper documents, electronic documents, archives, databases, storage media and correspondence for which destruction is foreseen) and the disposal of paper and discarded electronic media are attested.
There are well-defined technical ways of securely erasing data which include:
- wipe or overwrite with data (software)
- degauss (hardware).
These methods are indicated by the Privacy Guarantor as suitable for the permanent removal of data.
Considering the business processes and the likelihood of such events occurring, the company has chosen the software method, that is, the use of tools that are suitable and certified for the purpose of carrying out secure deletion of data.
The software chosen by the company for the deletion of archives from storage devices is listed below; all of the tools have the following characteristics:
- they are open source software that allows sensitive data to be permanently deleted from disks and partitions, or from entire folders and individual files;
- they support the file systems used in the company (NTFS, FAT, Ext4, etc.);
- they use well-known data destruction algorithms, including DoD 5220.22-M, US Army and Peter Gutmann.
Depending on the scope of erasure, the following software is identified:
- Disk Wipe (Windows operating system) and DBAN (Linux operating system) for erasing disks or partitions.
- Eraser (Windows operating system) and shred or wipe (Linux operating system) for single files or folders.
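The following is an added illustration of the "wipe or overwrite" method the policy selects, written for this page; it is not Fiber Group code and not any of the tools listed above. It overwrites a file's bytes in place with random data, forces each pass to disk, and only then unlinks the file. The temporary file, its marker text and the pass count are constructed for the demonstration. The caveat in `secure_delete` is the one a practitioner needs: file-level overwriting is only effective where the filesystem rewrites the same physical blocks, which is why the policy keeps separate disk-level tools for whole disks and partitions.

```python
"""Constructed example of file-level overwrite-then-unlink (not Fiber Group code)."""
import os
import secrets
import tempfile


def overwrite_file(path: str, passes: int = 1, chunk: int = 64 * 1024) -> int:
    """Overwrite the file's bytes in place with random data, `passes` times,
    forcing each pass to disk with fsync. Returns the number of bytes overwritten."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n))   # random data, not a fixed pattern
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())                  # make sure the pass reached the device
    return size


def secure_delete(path: str, passes: int = 1) -> int:
    """Overwrite, then unlink. Caveat: an in-place overwrite only destroys data
    when the filesystem writes back to the same physical blocks. Journaling and
    copy-on-write filesystems, snapshots, SSD wear levelling and cloud storage can
    retain old copies; for those media, disk-level wiping or encryption with key
    destruction is the appropriate control."""
    size = overwrite_file(path, passes)
    os.unlink(path)
    return size


def demo_overwrite(marker: bytes = b"CONSTRUCTED SENSITIVE RECORD 1234") -> dict:
    """Create a temporary file holding a known (constructed) marker, overwrite it
    twice, read it back, then securely delete it. Reports whether the marker
    survived the overwrite. This checks the primitive; it is not proof of erasure
    on any particular storage medium."""
    fd, path = tempfile.mkstemp(prefix="retention-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker * 2000)            # about 66 KB, so more than one chunk
    original_size = os.path.getsize(path)
    overwritten = overwrite_file(path, passes=2)
    with open(path, "rb") as fh:
        after = fh.read()
    deleted_bytes = secure_delete(path)
    return {
        "size": original_size,
        "overwritten": overwritten,
        "marker_survived": marker in after,
        "deleted_bytes": deleted_bytes,
        "still_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo_overwrite())
```

The two-step split (overwrite, then unlink) matters because it keeps the file size and allocation unchanged during the overwrite; truncating or recreating the file first would make the filesystem allocate new blocks and leave the old content untouched.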
1.8 Data Review
The retention and storage of data must be subject to a regular review process carried out under the guidance of management to ensure that:
- The policy on data retention and protection remains valid
- Data is being retained according to the policy
- Data is being securely disposed of when no longer required
- Legal, regulatory and contractual requirements are being fulfilled
- Processes for data retrieval are meeting business requirements
- The policy is still meeting the requirements of PCI DSS compliance
The results of these reviews must be recorded.
2. Compliance
Fiber Group Sh.p.k.'s compliance standards, PCI DSS among them, require that cardholder data is handled separately and independently from other data classifications. Fiber Group Sh.p.k. ensures that these requirements, summarized in the following sections, are fulfilled.
Fiber Group Sh.p.k. does not keep any cardholder data in storage, because all cardholder data is transmitted via the Customer CRM.
2.1 Sensitive Authentication Data (SAD)
It is forbidden to store Sensitive Authentication Data (SAD) even if encrypted. If SAD is received it must be rendered unrecoverable upon completion of the authorization stage of the payment process.
Sensitive Authentication Data is the following information on credit/debit cards:
- Full Track Data – magnetic stripe on the back of the card or the chip on the front of the card
- CAV2/CVC2/CVV2/CID – The three- or four-digit value, typically on the back of the card next to the signature section
- PIN/PIN BLOCK - Personal identification number entered by cardholder during a card-present transaction, and/or encrypted PIN block present within the transaction message
2.2 Primary Account Number (PAN)
The primary account number is the long sixteen-digit number across a payment card. Although it can be stored if the organization needs to do so for business reasons, the following requirements must be met:
- The PAN must be masked when displayed or sent. The maximum number of digits permitted to be displayed is the first 6 and last 6 digits
- The PAN must never be transmitted without strong encryption. See the Cryptographic Policy for more information
- Only staff members with legitimate business need can see the full PAN
- The PAN must be rendered unreadable anywhere it is stored. See the Cryptographic Policy for more information
- PANs are never to be sent via end-user messaging technologies (e.g. email, IM, SMS, webchat, etc.)
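As an added example, not part of the policy or of Fiber Group's own systems, the code below implements three of the controls in the list above: masking a PAN for display (the section's limit of first 6 and last 6 digits is the default, and the parameters accept a stricter mask), rendering a PAN unreadable for storage with a keyed one-way hash (HMAC-SHA256 over the full digit string, with the key managed under the Cryptographic Policy), and finding or redacting PANs in free text such as an outgoing email or chat message. The regular expression, the demo key and the sample message are constructed for the example; the 4111 1111 1111 1111 number is a well-known test PAN, not a real account.

```python
"""Constructed example: PAN masking, keyed fingerprinting and detection."""
import hashlib
import hmac
import re
from typing import List

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes and not
# embedded in a longer digit run. The Luhn check below removes most false hits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if `digits` is 13-19 digits long and passes the Luhn checksum."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 6, fill: str = "*") -> str:
    """Mask a PAN for display. Defaults follow the policy's 6/6 limit; pass
    smaller values for a stricter mask. Separators are dropped."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("input is not a syntactically valid PAN")
    hidden = len(digits) - keep_first - keep_last
    if hidden < 1:
        raise ValueError("mask would expose every digit of the PAN")
    return digits[:keep_first] + fill * hidden + digits[-keep_last:]


def pan_reference(pan: str, key: bytes) -> str:
    """Storage-safe reference for a PAN: HMAC-SHA256 over the full digit string.
    Without the key the stored value cannot be turned back into a PAN, and the
    same PAN always maps to the same reference for the key holder."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("input is not a syntactically valid PAN")
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs (digits only) found in free text, e.g. a message
    that the policy says must not carry a PAN."""
    candidates = (re.sub(r"\D", "", m.group()) for m in PAN_PATTERN.finditer(text))
    return [d for d in candidates if luhn_valid(d)]


def redact_pans(text: str, keep_first: int = 6, keep_last: int = 6) -> str:
    """Replace every Luhn-valid PAN in `text` with its masked form."""
    def _mask(m: "re.Match") -> str:
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            return mask_pan(digits, keep_first, keep_last)
        return m.group()                   # not a PAN: leave the digit run alone
    return PAN_PATTERN.sub(_mask, text)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-do-not-use"      # constructed, not a real key
    sample = "Customer wrote: my card is 4111 1111 1111 1111, please refund"  # constructed
    print(find_pans(sample))
    print(redact_pans(sample))
    print(pan_reference("4111111111111111", demo_key))
```

The detection functions are written for the control in the last bullet: a message gateway or DLP hook can call `find_pans` to block a message, or `redact_pans` to deliver it with the PAN masked. The Luhn check is only a syntactic filter, so the regular expression should be tuned to the message formats actually seen in order to keep false positives down.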
Access to the full sixteen digits of the primary account number is only available to roles required to do so for legitimate business reasons. Below is a list of these roles with business justification:
- Line Managers – Required to access full PAN for verification purposes
- Finance Director - Required to access full PAN for verification purposes
- Information Security Officer – Required to access full PAN to ensure it is being protected and controlled in the correct manner
- ICT – Required to access full PAN to ensure it is being protected and controlled in the correct manner