1. Purpose (Policy Statement)
The management of Salam Mobile Company is committed to meeting the requirements for, maintaining, and continuously improving effective personally identifiable information (PII) security that safeguards the information assets and intellectual property of Salam Mobile and its clients.
2. Identification of all PII residing in Salam Mobile environment
An organization cannot properly protect PII it does not know about. Salam Mobile follows the broad definition of PII below in order to identify as many potential sources of PII as possible (e.g., databases, shared network drives, backup tapes, contractor sites). PII is any information about an individual maintained by Salam Mobile, including:
1) Any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and
2) Any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Examples of PII at Salam Mobile shall include, but are not limited to:
3. Minimization of the use, collection, and retention of PII
Salam Mobile shall minimize the use, collection and retention of PII to what is strictly necessary to accomplish its business purpose and mission. Doing so greatly reduces the likelihood of harm caused by a breach involving PII.
Salam Mobile shall:
4. Categorization of PII
PII in Salam Mobile shall be evaluated to determine its PII confidentiality impact level so that appropriate safeguards can be applied to the PII.
The PII confidentiality impact level shall be rated as low, moderate, or high to indicate the potential harm that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed.
Salam Mobile shall use the following factors to determine the PII confidentiality impact level.
Identifiability
Salam Mobile shall evaluate how easily PII can be used to identify specific individuals. For example, a SID uniquely and directly identifies an individual, whereas a telephone area code identifies a set of people.
Quantity of PII
Salam Mobile shall consider how many individuals can be identified from the PII. Breaches of 25 records and 25 million records may have different impacts. The PII confidentiality impact level shall only be raised, and never lowered, based on this factor.
Data Field Sensitivity
Salam Mobile shall evaluate the sensitivity of each individual PII data field. For example, an individual’s SID or financial account number is generally more sensitive than an individual’s phone number or ZIP code.
Salam Mobile shall also evaluate the sensitivity of the PII data fields when combined.
Context of Use
Salam Mobile shall evaluate the context of use — the purpose for which the PII is collected, stored, used, processed, disclosed, or disseminated. The context of use may cause the same PII data elements to be assigned different PII confidentiality impact levels based on their use. For example, suppose that Salam Mobile has two lists that contain the same PII data fields (e.g., name, address, phone number). The first list is people who subscribe to a general interest newsletter produced by the organization, and the second list is people who work undercover in law enforcement. If the confidentiality of the lists is breached, the potential impacts to the affected individuals and to the organization are significantly different for each list.
Obligations to Protect Confidentiality
If Salam Mobile is subject to any obligations to protect PII, it shall consider such obligations when determining the PII confidentiality impact level. Obligations to protect generally include laws, regulations, or other mandates.
Access to and Location of PII
Salam Mobile shall take into consideration the nature of authorized access to PII and the location of the PII. When PII is accessed more often or by more people and systems, or when the PII is regularly transmitted or transported offsite, there are more opportunities to compromise the confidentiality of the PII.
5. Application of Safeguards for PII based on the PII Confidentiality Impact Level
Since not all PII needs to be protected in the same way, Salam Mobile may apply appropriate safeguards to protect the confidentiality of PII based on the PII confidentiality impact level.
Salam Mobile may apply the following operational safeguards, privacy-specific safeguards, and security controls as appropriate.
Creating Policies and Procedures
Salam Mobile shall develop comprehensive policies and procedures for protecting the confidentiality of PII.
Conducting Training
Salam Mobile shall reduce the possibility that PII will be accessed, used, or disclosed inappropriately by requiring that all individuals receive appropriate training before being granted access to systems containing PII.
De-Identifying Information
Salam Mobile may de-identify records by removing enough PII such that the remaining information does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual. De-identified records can be used when full records are not necessary, such as for examinations of correlations and trends.
Using Access Enforcement
Salam Mobile may control access to PII through access control policies and access enforcement mechanisms (e.g., access control lists).
Implementing Access Control for Mobile Devices
Salam Mobile may prohibit or strictly limit access to PII from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDAs), which are generally higher risk than non-portable devices.
Providing Transmission Confidentiality
Salam Mobile may protect the confidentiality of transmitted PII. This may be accomplished by encrypting the communications or by encrypting the information before it is transmitted.
Auditing Events
Salam Mobile may monitor events that affect the confidentiality of PII, such as inappropriate access to PII.
Transfer of PII
Whenever physical media are used for information transfer, a system shall be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers shall be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route.
Independent Evidence of Information Security
In cases where individual cloud service customer audits are impractical or may increase risks to security, Salam Mobile, as the public cloud PII processor, shall make available to prospective cloud service customers, prior to entering into, and for the duration of, a contract, independent evidence that information security is implemented and operated in accordance with the public cloud PII processor's policies and procedures.
6. Incident response plan to handle breaches involving PII
An information security incident should trigger a review by the public cloud PII processor, as part of its information security incident management process, to determine whether a data breach involving PII has taken place. Breaches involving PII are hazardous to both individuals and organizations. Harm to individuals and organizations can be contained and minimized through the development of effective incident response plans for breaches involving PII.
Salam Mobile shall develop plans that include elements such as determining when and how individuals should be notified, how a breach should be reported, and whether to provide remedial services, such as credit monitoring, to affected individuals.
7. Coordination for PII
Salam Mobile shall establish close coordination among all parties responsible for PII. They may propose and implement technical security controls to enforce the confidentiality of PII. Close coordination of the relevant experts shall help prevent incidents that could result in the compromise and misuse of PII by ensuring proper interpretation and implementation of requirements.
8. Contractual Agreements for PII
Contractual agreements that involve PII shall clearly allocate responsibilities between Salam Mobile as the public cloud PII processor, its sub-contractors and the cloud service customer, taking into account the type of cloud service in question (e.g., a service of an IaaS, PaaS or SaaS category of the cloud computing reference architecture). Salam Mobile, as a public cloud PII processor, shall designate a point of contact for use by each of its cloud service customers regarding the processing of PII under the
9. Event Logging for PII
A process shall be put in place to review event logs with a specified, documented periodicity, to identify irregularities and propose remediation efforts.
Where possible, event logs shall record whether or not PII has been changed (added, modified or deleted) as a result of an event and by whom.
Salam Mobile, as the public cloud PII processor, shall define criteria regarding if, when and how log information can be made available to or usable by its cloud service customer. These procedures shall be made available to the cloud service customer.
Where a cloud service customer is permitted to access log records controlled by Salam Mobile as the public cloud PII processor, Salam Mobile shall ensure that the cloud service customer can only access records that relate to that respective cloud service customer’s activities, and cannot access any log records which relate to the activities of other cloud service customers.
Salam Mobile shall put in place measures to ensure that logged information is only used for its intended purposes.
Salam Mobile shall put in place a procedure to ensure that logged information is deleted within a specified and documented period.
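As an added illustration (not part of the Salam Mobile policy or its systems), the following Python sketch shows the three logging requirements above applied to constructed sample records: a tenant-isolated customer view, a periodic review that flags PII changes by actors not authorised for that customer, and deletion after the documented retention period. The event fields, actor names, authorisation table and the 90-day period are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PIIEvent:
    ts: datetime        # when the event occurred (UTC)
    customer_id: str    # cloud service customer the record relates to
    actor: str          # who performed the action
    pii_change: str     # "none", "added", "modified" or "deleted"
    record_id: str      # identifier of the affected record (constructed)


# Constructed sample log records; "NOW" is fixed so the example is reproducible.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    PIIEvent(NOW - timedelta(days=1), "cust-A", "alice", "modified", "r1"),
    PIIEvent(NOW - timedelta(days=2), "cust-B", "bob", "deleted", "r2"),
    PIIEvent(NOW - timedelta(days=3), "cust-A", "svc-batch", "none", "r3"),
    PIIEvent(NOW - timedelta(days=100), "cust-A", "alice", "added", "r4"),
    PIIEvent(NOW - timedelta(days=4), "cust-A", "mallory", "deleted", "r5"),
]

# Hypothetical authorisation table: which actors may change PII for which customer.
AUTHORISED_EDITORS = {"cust-A": {"alice"}, "cust-B": {"bob"}}


def customer_view(events, customer_id):
    """Tenant isolation: a customer sees only records about its own activities."""
    return [e for e in events if e.customer_id == customer_id]


def find_irregularities(events, authorised):
    """Periodic review: flag any PII change made by an actor not authorised
    for that customer. Read-only events (pii_change == "none") are not changes."""
    return [e for e in events
            if e.pii_change != "none"
            and e.actor not in authorised.get(e.customer_id, set())]


def apply_retention(events, now, retention_days):
    """Retention: keep only records younger than the documented period."""
    cutoff = now - timedelta(days=retention_days)
    return [e for e in events if e.ts >= cutoff]


if __name__ == "__main__":
    print("cust-A view:", [e.record_id for e in customer_view(EVENTS, "cust-A")])
    print("irregular:", [e.record_id for e in find_irregularities(EVENTS, AUTHORISED_EDITORS)])
    print("retained:", [e.record_id for e in apply_retention(EVENTS, NOW, 90)])
```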