AssetChief employs several features to facilitate towards achieving regulatory compliance with data protection acts, in particular the PDPA act in Singapore. The United States does not at present have a comprehensive personal data protection policy.
The requirements laid out in the PDPA are good common-sense practices that can benefit users who value the protection of their personal data no matter which country they reside in.
We've reproduced below the list of requirements laid out by the PDPA and how AssetChief or RiaForm Technology aims to meet those requirements in its hosted system:
1. Provide clear direction for ICT security goals and policies for personal data protection within the organisation.
AssetChief provides a Policy and Procedures tab that allows for a centralized and easily accessible list of goals and policies relating to securing personal data. RiaForm has a number of policies in place internally for this purpose.
2. Identify and empower the person(s) accountable for personal data protection within the organisation.
AssetChief provides a role ("Security Manager") on the user profile to easily identify staff who are responsible for security.
3. Establish and enforce ICT security policies, standards and procedures.
The policies are enforced through the centralization of security audit and incident workflow in AssetChief, which are automatically communicated internally and regularly reviewed.
4. Review and update ICT security policies, standards and procedures periodically to ensure relevance.
Each policy entry can be set up with a Review Schedule to ensure they are automatically assigned and signed-off for review and audit purposes on a regular basis. RiaForm establish a quarterly review of internal policies.
5. Establish end-user policies to prevent misuse of ICT systems
RiaForm have established clear policies on the proper use of sensitive data in hosted systems.
6. Institute a risk management framework to identify the security threats to the protection of personal data, assess the risks involved and determine the controls to remove or reduce them.
AssetChief provides a risk management system, which utilizes risks identified against each asset along with historic information such as security-related incident reports, in order to ascertain the risk of each asset. This is aggregated into a risk management report that can be subscribed to and sent to appropriate managers on a weekly basis.
7. Assess the effectiveness of the risk mitigation controls periodically.
All identified risks can be configured for regular review (using the What’s Next / Review action).
8. Assess the security risks involved in out-sourcing or engaging external parties for ICT services and mitigate them
Whenever a work order is created in AssetChief that is outsourced, it is assigned to a staff member who is responsible for overseeing the work and they can specify the details of the out-sourcing. They can identify the risks and performance of the outsourced work through the work order workflow.
9. Classify and manage the personal data by considering the potential damage (e.g. reputational or financial) to the individuals involved should the data be compromised.
Individual fields in AssetChief can be reviewed and designated as sensitive in several ways, including specifying that the field should be encrypted when stored, hidden from certain users or never displayed in the user interface.
10. Conduct periodic checks for personal data stored in ICT systems. For personal data that is not required in any form anymore, securely dispose the data (refer to section 8). If there is a need to retain the data but not in identifiable form, e.g. for performing data analytics, consider anonymising the data.
Regular security audits of the databases containing personal data are scheduled and assigned automatically through AssetChief.
11. Conduct physical asset inventory checks regularly to ensure all computers and other electronic devices (e.g. portable hard drive, printer, fax machine etc) used to store or process personal data are accounted for.
AssetChief maintains a list of all assets in the organization. An inspection tour is configured in AssetChief to regularly check these assets to ensure they are still available and haven’t been compromised.
12. Educate employees on ICT security threats and protection measures for personal data. This includes the organisation’s ICT security policies, standards and procedures.
The policies and procedures in AssetChief are easily accessible to all staff. RiaForm have specific information in their policies that detail the type of threats that hosted servers are vulnerable to.
13. Keep ICT security awareness training for employees updated and conduct such training regularly.
The Certification / Training area under each staff member in the Users tab of AssetChief allows you to put in the schedule for reviewing certification and training. RiaForm ensure that these policies, and any updates therein, are constantly brought to the attention of staff.
14. Conduct regular ICT security audits, scans and tests to detect vulnerabilities and non-compliance with organisational standards.
The Tours tab in AssetChief allows for regular inspections to be defined. These are automatically assigned on a regular basis and must be completed by the assignee. RiaForm have a number of regular inspections of hosted systems to check for security vulnerabilities and non-compliance.
15. Apply prompt remedial actions to detect security vulnerabilities and any noncompliance with established policies and procedures.
An Incident Report is raised in AssetChief whenever a noncompliance is detected. This is routed according to preconfigured workflow to ensure swift remedial action is employed.
16. Implement measures to ensure ICT system logs are reviewed regularly for security violations and possible breaches.
As per item 14 above, system and session logs are reviewed regularly on all hosted systems.
17. Determine a suitable authentication method, single factor or multi-factor, for accessing personal data based on the risk of damage to the individual in case of a data breach.
All users must be authenticated before being allowed to access the system. Strong passwords are required. Optional two-factor authentication can be employed.
18. Determine a suitable maximum number of attempts allowed for a user to authenticate his or her identity based on the type of data to be accessed.
All users are restricted by a maximum number of allowed logins before an account will automatically be locked-down.
19. Implement account lockout when the maximum number of attempts is reached, to prevent dictionary or brute-force attacks, which refer to methods of systematically checking all possible keys or passwords until the correct one is found.
The system automatically locks down an account by imposing a long, complex password on the account if a certain number of failed-logins are attempted. The password is automatically changed periodically within a certain time window.
20. Password used for authentication has a length of at least 8 characters containing at least 1 alphabetical character and 1 numeric character
All passwords must have at least one capital letter, one lower case letter, one digit and one symbol. They must be at least 8 characters in length.
21. When password used for authentication is typed in, it is to be hidden under placeholder characters such as asterisks or dots.
All passwords are hidden from display with appropriate masking.
22. Password used for authentication is encrypted during transmission and also encrypted or hashed in storage. Review the method of encryption (e.g. algorithm and key length) periodically to ensure that it is recognised by the industry as relevant and secure.
Because the site uses SSL/HTTPS, all transmissions are automatically encrypted. Passwords are also encrypted in storage using the Rijndael encryption algorithm.
23. Users are required to change their passwords regularly. The frequency should be based on the risk of damage to the individual if the data is compromised.
All passwords have an expiration date based on a default of 90 days. This can be modified on a per-user basis. When passwords are close to expiring, the user will be emailed each day to reset their password. Once expired the password will be reset to a random, complex password automatically.
24. Change default passwords to strong passwords at the earliest possible opportunity.
All passwords in AssetChief must be strong passwords.
25. Implement authorisation mechanisms and processes to check if the person accessing the system has appropriate access rights to data requested within the system.
AssetChief is built using WorkflowFirst which provides an extensive authentication system. All data is only accessible through an authenticated session.
26. Define user roles or groups for systems that enable access to personal data. Access rights for each user role or group should be clearly defined and reviewed regularly
All users must have roles selected, and each role has predefined permissions. These are reviewed regularly to ensure they only allow access where appropriate through the regular security audits.
27. Grant a user only the necessary access rights to personal data within systems to fulfil their role or function.
Only administrators are able to select the roles for users. Only the necessary roles are applied to each user.
28. Track and review usage of accounts and their associated access rights regularly. Remove or change access rights for unused or obsolete accounts promptly
AssetChief logs all account logins under the user profile, in the “Login History” list, and it can be regularly reviewed by administrators for unusual activity, including failed login attempts, and the IP address of the user initiating the login.
29. Log all successful and failed access to systems to help detect unauthorised attempts to gain access to them.
AssetChief logs all account logins under the user profile, in the “Login History” list, and it can be regularly reviewed by administrators for unusual activity, including failed login attempts, and the IP address of the user initiating the login.
30. Identify storage media to be destroyed or sold, and put in place a process to track whether personal data had been stored on them.
The company policies and procedures ensure that storage media are properly cleared before they are disposed of.
31. Perform secure deletion, erasure or destruction of electronic personal information on storage media before redeploying, exchanging or disposing of the media.
The company policies and procedures ensure that storage media are properly cleared before they are disposed of.
32. Perform physical or other known methods of destruction of storage media such as degaussing and incinerating when secure deletion, erasure or deletion of personal data stored on the media is not possible. This may be the case with faulty storage media.
As above.
33. Equip networks with defense devices or software.
Appropriate anti-malware and anti-virus software is installed on PCs.
34. Review configuration settings regularly to ensure they correspond to current requirements.
Said protection software is automatically kept up to date.
35. Design and implement the internal network with multi-tier or network zones, segregating the internal network according to function, physical location, access type etc.
Servers are situated on a network separate to individual PCs. The servers are accessed through a remote desktop service through a gateway and firewall.
36. Protect computers by using password functions.
All computers are protected by Windows’ password protection, among other authentication mechanisms.
37. Install anti-malware software such as anti-virus, anti-spyware, and softwarebased firewall on computers. Keep them updated and perform scans regularly.
All PCs have anti-virus and anti-malware software installed, as well as firewalls.
38. Encrypt sensitive personal data, which has a higher risk of adversely affecting the individual should it be compromised. Review the method of encryption (e.g. algorithm and key length) periodically to ensure that it is recognised by the industry as relevant and secure.
All sensitive information is encrypted in the database.
39. Prevent unauthorised personnel from viewing the screens of personal computers easily, such as by using privacy filters, or through positioning of the personal computer
All computers have an idle computer-lock in place as per internal policy.
40. Enforce password policy as indicated in Table 4.
All WorkflowFirst applications enforce strict password strength constraints.
41. Implement additional controls for shared computers to prevent access to personal data, e.g. those keyed in by another user.
RiaForm do not utilize shared computers.
42. Identify and take stock of the portable computing devices and removable storage media used by your organisation.
All such assets are recorded and managed in AssetChief.
43. Minimise storage of personal data on portable computing devices and removable storage media. Remove personal data that is no longer required as soon as possible. (For additional information, refer to Section 8)
This is enforced as per standard company policy.
44. Secure portable computing devices and removable storage media when not in use. This can be done by keeping them under lock and key, attaching them to a fixture by a security cable, hand-carrying, and not leaving them unattended.
This is enforced as per standard company policy.
45. Configure portable computing devices to automatically lock upon a period of inactivity, whereby a password is required to resume usage.
This is enforced as per standard company policy.
46. Assess the applications that users can install and establish a policy for the use and tracking of the organisation’s portable computing devices and removable storage media.
This is enforced as per standard company policy.
47. Identify and take stock of the MFPs within your organisation.
These assets are recorded in AssetChief.
48. Put in place a process to check that any MFP scheduled for destruction, removal or sale does not contain any personal data in the internal storage device
This is enforced as per standard company policy.
49. Remove (return to owner or destroy) any uncollected printouts and faxes that contain personal data.
Such checks are performed regularly. They can be configured in AssetChief in the inspection Tours area, to remind someone to check all printers, scanners and faxes for unintentional sensitive documents left behind.
50. Strictly control users’ direct access to the database, e.g. to execute arbitrary SQL commands or access the database schema.
All SQL Server databases are locked down so they are only accessible by the server software and a system administrator.
51. Check that the database is hardened and not placed in a vulnerable spot within the network.
The database is protected by the firewall and is not accessible through TCP/IP, only named pipes that can be accessed from the server application and administrative software on the server.
52. Encrypt confidential or sensitive personal data that has a higher risk of adversely affecting the individual should it be compromised. Review the method of encryption (e.g. algorithm and key length) periodically to ensure that it is recognised by the industry as relevant and secure
All data identified by RiaForm as being sensitive in AssetChief is encrypted when it is stored in the database.
53. Install anti-malware software to the email server and clients. Keep the software updated and perform scans regularly.
All outgoing email is handled by Amazon’s SES service which is adequately protected.
54. Before sending out emails, review all recipients to ensure there is no unintended recipient.
Enforced as per company policy.
55. Encrypt or password protect attachments containing personal data that has a higher risk of adversely affecting the individual should it be compromised. The password should be communicated separately. For encryption, review the method of encryption (e.g. algorithm and key length) periodically to ensure that it is recognised by the industry as relevant and secure, whereas for password protection ensure a strong password is used.
Enforced as per company policy.
56. Perform data validation on user input to prevent buffer overflow attacks, injection attacks and XSS attacks.
AssetChief runs in .Net which has special mechanisms to protect against buffer overflow. Through its use of WorkflowFirst it also utilizes a database layer that stops SQL injection attacks, and has special mitigation to detect XSS attacks.
57. Ensure that files containing personal data are not accidentally made available on a website or through a web application. Even if the link to such files is not published, it may still be discovered and accessed.
Enforced as per company policy.
58. Perform cookie data validation, as well as URL validation to correspond with the session in use.
Such functionality is automatically provided by the WorkflowFirst platform on which AssetChief is developed.
59. Do not allow ‘backdoors’ that allow bypass of user authentication to access personal data. Do not rely on robots exclusion protocol (robots.txt) to hide webpages.
Such “backdoors” are not allowed in WorkflowFirst. All users must be defined in the Users tab list of the application. The system administrator should be overridden in the Users tab.
60. Test and apply updates and security patches as soon as they are available to relevant components of the organisation’s ICT systems. These components include those described in this guide, i.e. network devices, servers, database products, operating systems and application software on computers and mobile devices, software libraries, programming frameworks, firmware (to control hardware).
Servers are reviewed for Windows patches on a regular basis as per the inspection tours defined in AssetChief.
61. ICT Outsourcing - For bespoke solutions
RiaForm does not outsource development.
62. ICT Outsourcing - For ready-made solutions
RiaForm does not outsource ready-made solutions.