Personal Data Protection

AssetChief provides several features that help achieve regulatory compliance with data protection acts, in particular the PDPA in Singapore. The United States does not at present have a comprehensive personal data protection policy.

The requirements laid out in the PDPA are good common-sense practices that can benefit users who value the protection of their personal data no matter which country they reside in.

We've reproduced below the list of requirements laid out by the PDPA and how AssetChief or RiaForm Technology aims to meet those requirements in its hosted system:

1. Provide clear direction for ICT security goals and policies for personal data protection within the organisation.

AssetChief provides a Policy and Procedures tab that allows for a centralized and easily accessible list of goals and policies relating to securing personal data. RiaForm has a number of policies in place internally for this purpose.

2. Identify and empower the person(s) accountable for personal data protection within the organisation.

AssetChief provides a role ("Security Manager") on the user profile to easily identify staff who are responsible for security.

3. Establish and enforce ICT security policies, standards and procedures.

The policies are enforced through the centralization of security audit and incident workflow in AssetChief, which are automatically communicated internally and regularly reviewed.

4. Review and update ICT security policies, standards and procedures periodically to ensure relevance.

Each policy entry can be set up with a Review Schedule to ensure it is automatically assigned and signed off for review and audit purposes on a regular basis. RiaForm establish a quarterly review of internal policies.

5. Establish end-user policies to prevent misuse of ICT systems.

RiaForm have established clear policies on the proper use of sensitive data in hosted systems.

6. Institute a risk management framework to identify the security threats to the protection of personal data, assess the risks involved and determine the controls to remove or reduce them.

AssetChief provides a risk management system, which utilizes risks identified against each asset along with historic information such as security-related incident reports, in order to ascertain the risk of each asset. This is aggregated into a risk management report that can be subscribed to and sent to appropriate managers on a weekly basis.

7. Assess the effectiveness of the risk mitigation controls periodically.

All identified risks can be configured for regular review (using the What’s Next / Review action).

8. Assess the security risks involved in out-sourcing or engaging external parties for ICT services and mitigate them.

Whenever an outsourced work order is created in AssetChief, it is assigned to a staff member who is responsible for overseeing the work and who can specify the details of the out-sourcing. They can identify the risks and performance of the outsourced work through the work order workflow.

9. Classify and manage the personal data by considering the potential damage (e.g. reputational or financial) to the individuals involved should the data be compromised.

Individual fields in AssetChief can be reviewed and designated as sensitive in several ways, including specifying that the field should be encrypted when stored, hidden from certain users or never displayed in the user interface.

10. Conduct periodic checks for personal data stored in ICT systems. For personal data that is not required in any form anymore, securely dispose the data (refer to section 8). If there is a need to retain the data but not in identifiable form, e.g. for performing data analytics, consider anonymising the data.

Regular security audits of the databases containing personal data are scheduled and assigned automatically through AssetChief.

11. Conduct physical asset inventory checks regularly to ensure all computers and other electronic devices (e.g. portable hard drive, printer, fax machine etc) used to store or process personal data are accounted for.

AssetChief maintains a list of all assets in the organization. An inspection tour is configured in AssetChief to regularly check these assets to ensure they are still available and haven’t been compromised.

12. Educate employees on ICT security threats and protection measures for personal data. This includes the organisation’s ICT security policies, standards and procedures.

The policies and procedures in AssetChief are easily accessible to all staff. RiaForm have specific information in their policies that details the type of threats that hosted servers are vulnerable to.

13. Keep ICT security awareness training for employees updated and conduct such training regularly.

The Certification / Training area under each staff member in the Users tab of AssetChief allows you to put in the schedule for reviewing certification and training. RiaForm ensure that these policies, and any updates therein, are constantly brought to the attention of staff.

14. Conduct regular ICT security audits, scans and tests to detect vulnerabilities and non-compliance with organisational standards.

The Tours tab in AssetChief allows for regular inspections to be defined. These are automatically assigned on a regular basis and must be completed by the assignee. RiaForm have a number of regular inspections of hosted systems to check for security vulnerabilities and non-compliance.

15. Apply prompt remedial actions to detect security vulnerabilities and any noncompliance with established policies and procedures.

An Incident Report is raised in AssetChief whenever a noncompliance is detected. This is routed according to a preconfigured workflow to ensure swift remedial action is taken.

16. Implement measures to ensure ICT system logs are reviewed regularly for security violations and possible breaches.

As per item 14 above, system and session logs are reviewed regularly on all hosted systems.

17. Determine a suitable authentication method, single factor or multi-factor, for accessing personal data based on the risk of damage to the individual in case of a data breach.

All users must be authenticated before being allowed to access the system. Strong passwords are required. Optional two-factor authentication can be employed.

18. Determine a suitable maximum number of attempts allowed for a user to authenticate his or her identity based on the type of data to be accessed.

All users are restricted to a maximum number of allowed login attempts, after which the account is automatically locked down.

19. Implement account lockout when the maximum number of attempts is reached, to prevent dictionary or brute-force attacks, which refer to methods of systematically checking all possible keys or passwords until the correct one is found.

The system automatically locks down an account by imposing a long, complex password on the account after a certain number of failed login attempts. The password is automatically changed periodically within a certain time window.

20. Password used for authentication has a length of at least 8 characters containing at least 1 alphabetical character and 1 numeric character.

All passwords must have at least one capital letter, one lower case letter, one digit and one symbol. They must be at least 8 characters in length.

21. When password used for authentication is typed in, it is to be hidden under placeholder characters such as asterisks or dots.

All passwords are hidden from display with appropriate masking.

22. Password used for authentication is encrypted during transmission and also encrypted or hashed in storage. Review the method of encryption (e.g. algorithm and key length) periodically to ensure that it is recognised by the industry as relevant and secure.

Because the site uses SSL/HTTPS, all transmissions are automatically encrypted. Passwords are also encrypted in storage using the Rijndael encryption algorithm.

23. Users are required to change their passwords regularly. The frequency should be based on the risk of damage to the individual if the data is compromised.

All passwords have an expiration date based on a default of 90 days. This can be modified on a per-user basis. When passwords are close to expiring, the user will be emailed each day to reset their password. Once expired, the password will automatically be reset to a random, complex password.

24. Change default passwords to strong passwords at the earliest possible opportunity.

All passwords in AssetChief must be strong passwords.

25. Implement authorisation mechanisms and processes to check if the person accessing the system has appropriate access rights to data requested within the system.

AssetChief is built using WorkflowFirst which provides an extensive authentication system. All data is only accessible through an authenticated session.

26. Define user roles or groups for systems that enable access to personal data. Access rights for each user role or group should be clearly defined and reviewed regularly.

All users must have roles selected, and each role has predefined permissions. These are reviewed regularly through the regular security audits to ensure they only allow access where appropriate.

27. Grant a user only the necessary access rights to personal data within systems to fulfil their role or function.

Only administrators are able to select the roles for users. Only the necessary roles are applied to each user.

28. Track and review usage of accounts and their associated access rights regularly. Remove or change access rights for unused or obsolete accounts promptly.

AssetChief logs all account logins under the user profile, in the “Login History” list, and it can be regularly reviewed by administrators for unusual activity, including failed login attempts, and the IP address of the user initiating the login.

29. Log all successful and failed access to systems to help detect unauthorised attempts to gain access to them.

AssetChief logs all account logins under the user profile, in the “Login History” list, and it can be regularly reviewed by administrators for unusual activity, including failed login attempts, and the IP address of the user initiating the login.

30. Identify storage media to be destroyed or sold, and put in place a process to track whether personal data had been stored on them.

The company policies and procedures ensure that storage media are properly cleared before they are disposed of.

31. Perform secure deletion, erasure or destruction of electronic personal information on storage media before redeploying, exchanging or disposing of the media.

The company policies and procedures ensure that storage media are properly cleared before they are disposed of.

32. Perform physical or other known methods of destruction of storage media such as degaussing and incinerating when secure deletion, erasure or deletion of personal data stored on the media is not possible. This may be the case with faulty storage media.

As above.

33. Equip networks with defense devices or software.

Appropriate anti-malware and anti-virus software is installed on PCs.

34. Review configuration settings regularly to ensure they correspond to current requirements.

Said protection software is automatically kept up to date.

35. Design and implement the internal network with multi-tier or network zones, segregating the internal network according to function, physical location, access type etc.

Servers are situated on a network separate from individual PCs. The servers are accessed via a remote desktop service through a gateway and firewall.

36. Protect computers by using password functions.

All computers are protected by Windows’ password protection, among other authentication mechanisms.

37. Install anti-malware software such as anti-virus, anti-spyware, and software-based firewall on computers. Keep them updated and perform scans regularly.

All PCs have anti-virus and anti-malware software installed, as well as firewalls.

38. Encrypt sensitive personal data, which has a higher risk of adversely affecting the individual should it be compromised. Review the method of encryption (e.g. algorithm and key length) periodically to ensure that it is recognised by the industry as relevant and secure.

All sensitive information is encrypted in the database.

39. Prevent unauthorised personnel from viewing the screens of personal computers easily, such as by using privacy filters, or through positioning of the personal computer.

All computers have an idle computer-lock in place as per internal policy.

40. Enforce password policy as indicated in Table 4.

All WorkflowFirst applications enforce strict password strength constraints.

41. Implement additional controls for shared computers to prevent access to personal data, e.g. those keyed in by another user.

RiaForm do not utilize shared computers.

42. Identify and take stock of the portable computing devices and removable storage media used by your organisation.

All such assets are recorded and managed in AssetChief.

43. Minimise storage of personal data on portable computing devices and removable storage media. Remove personal data that is no longer required as soon as possible. (For additional information, refer to Section 8)

This is enforced as per standard company policy.

44. Secure portable computing devices and removable storage media when not in use. This can be done by keeping them under lock and key, attaching them to a fixture by a security cable, hand-carrying, and not leaving them unattended.

This is enforced as per standard company policy.

45. Configure portable computing devices to automatically lock upon a period of inactivity, whereby a password is required to resume usage.

This is enforced as per standard company policy.

46. Assess the applications that users can install and establish a policy for the use and tracking of the organisation’s portable computing devices and removable storage media.

This is enforced as per standard company policy.

47. Identify and take stock of the MFPs within your organisation.

These assets are recorded in AssetChief.

48. Put in place a process to check that any MFP scheduled for destruction, removal or sale does not contain any personal data in the internal storage device.

This is enforced as per standard company policy.

49. Remove (return to owner or destroy) any uncollected printouts and faxes that contain personal data.

Such checks are performed regularly. They can be configured in AssetChief in the inspection Tours area, to remind someone to check all printers, scanners and faxes for sensitive documents unintentionally left behind.

50. Strictly control users’ direct access to the database, e.g. to execute arbitrary SQL commands or access the database schema.

All SQL Server databases are locked down so they are only accessible by the server software and a system administrator.

51. Check that the database is hardened and not placed in a vulnerable spot within the network.

The database is protected by the firewall and is not accessible through TCP/IP, only through named pipes, which can be accessed from the server application and administrative software on the server.

52. Encrypt confidential or sensitive personal data that has a higher risk of adversely affecting the individual should it be compromised. Review the method of encryption (e.g. algorithm and key length) periodically to ensure that it is recognised by the industry as relevant and secure.

All data identified by RiaForm as being sensitive in AssetChief is encrypted when it is stored in the database.

53. Install anti-malware software to the email server and clients. Keep the software updated and perform scans regularly.

All outgoing email is handled by Amazon’s SES service which is adequately protected.

54. Before sending out emails, review all recipients to ensure there is no unintended recipient.

Enforced as per company policy.

55. Encrypt or password protect attachments containing personal data that has a higher risk of adversely affecting the individual should it be compromised. The password should be communicated separately. For encryption, review the method of encryption (e.g. algorithm and key length) periodically to ensure that it is recognised by the industry as relevant and secure, whereas for password protection ensure a strong password is used.

Enforced as per company policy.

56. Perform data validation on user input to prevent buffer overflow attacks, injection attacks and XSS attacks.

AssetChief runs on .NET, which has special mechanisms to protect against buffer overflow. Through its use of WorkflowFirst, it also utilizes a database layer that stops SQL injection attacks, and has special mitigation to detect XSS attacks.

57. Ensure that files containing personal data are not accidentally made available on a website or through a web application. Even if the link to such files is not published, it may still be discovered and accessed.

Enforced as per company policy.

58. Perform cookie data validation, as well as URL validation to correspond with the session in use.

Such functionality is automatically provided by the WorkflowFirst platform on which AssetChief is developed.

59. Do not allow ‘backdoors’ that allow bypass of user authentication to access personal data. Do not rely on robots exclusion protocol (robots.txt) to hide webpages.

Such “backdoors” are not allowed in WorkflowFirst. All users must be defined in the Users tab list of the application. The system administrator should be overridden in the Users tab.

60. Test and apply updates and security patches as soon as they are available to relevant components of the organisation’s ICT systems. These components include those described in this guide, i.e. network devices, servers, database products, operating systems and application software on computers and mobile devices, software libraries, programming frameworks, firmware (to control hardware).

Servers are reviewed for Windows patches on a regular basis as per the inspection tours defined in AssetChief.

61. ICT Outsourcing - For bespoke solutions

RiaForm does not outsource development.

62. ICT Outsourcing - For ready-made solutions

RiaForm does not outsource ready-made solutions.