It is important to take all reasonable steps to maintain your data and information security. To have cover, you need to meet the requirements below. This is a summarised, simplified version. For the full (and technical) version, please see the policy wording.
Requirements
20.1 Up-to-date anti-virus and/or anti-malware software implemented on all desktops, laptops and Sensitive Systems.
20.2 Security related patches and updates applied on Sensitive Systems within three months of release.
20.3 If you have any outdated software, which is no longer supported by the software provider, it must not be accessible from external networks and you must inform us in writing (contact us).
20.4 Password controls implemented on Sensitive Systems. These controls must include:
20.4.1 Password length of at least ten characters.
20.4.2 User account passwords must be changed at least every 120 (one hundred and twenty) days. If your passwords are at least 14 (fourteen) characters in length or multi-factor authentication is implemented, then you don’t need to change them every 120 days.
20.4.3 Passwords prevented from being reused for at least 5 password changes.
20.4.4 Passwords are not common dictionary words and cannot within reason be deemed widely used or easily guessable, e.g., the Insured’s name, P@ssword1, etc.
20.4.5 User accounts lockout after (at most) ten failed authentication attempts.
20.4.6 All default installation and administration accounts are secured by changing the account password from the well-known default passwords and/or disabling, deleting, or renaming the account (e.g., account: admin, password: admin).
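The following is an added example, not part of the policy wording or the insurer's tooling: it checks a system's effective password settings against clauses 20.4.1, 20.4.2 (including the 14-character / multi-factor waiver), 20.4.3 and 20.4.5. The PasswordPolicy field names and the two sample policies are assumptions constructed for illustration; 20.4.4 and 20.4.6 need a review of actual accounts and are not covered.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:
    """Effective password settings of one Sensitive System (assumed field names)."""
    min_length: int
    max_age_days: Optional[int]       # None means passwords never expire
    history_size: int                 # previous passwords that cannot be reused
    lockout_threshold: Optional[int]  # failed attempts before lockout; None means no lockout
    mfa_enforced: bool


def check_password_controls(p: PasswordPolicy) -> List[Tuple[str, str]]:
    """Return (clause, finding) pairs for each clause of 20.4 the policy fails."""
    findings = []
    if p.min_length < 10:
        findings.append(("20.4.1", f"minimum length {p.min_length} is below 10"))
    # 20.4.2: rotation within 120 days, waived when length >= 14 or MFA is enforced
    rotation_waived = p.min_length >= 14 or p.mfa_enforced
    if not rotation_waived and (p.max_age_days is None or p.max_age_days > 120):
        findings.append(("20.4.2", "rotation exceeds 120 days without the 14-char or MFA waiver"))
    if p.history_size < 5:
        findings.append(("20.4.3", f"history of {p.history_size} allows reuse within 5 changes"))
    if p.lockout_threshold is None or p.lockout_threshold > 10:
        findings.append(("20.4.5", "no lockout, or lockout only after more than 10 failed attempts"))
    return findings


# Constructed sample policies, not taken from any real system
WEAK = PasswordPolicy(min_length=8, max_age_days=None, history_size=3,
                      lockout_threshold=None, mfa_enforced=False)
COMPLIANT = PasswordPolicy(min_length=14, max_age_days=None, history_size=5,
                           lockout_threshold=10, mfa_enforced=False)

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("compliant", COMPLIANT)):
        for clause, finding in check_password_controls(pol):
            print(f"{name}: {clause}: {finding}")
```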
20.5 Privileges for users with access to Sensitive Systems and Sensitive Information must be revoked within thirty days of them leaving your business or any service provider.
20.6 Resiliency controls including:
20.6.1 Documented disaster recovery and business continuity plans – and relevant key stakeholders are informed.
20.6.2 Backups generated at least weekly or have replication implemented.
20.6.3 Always have a backup or replicated copy which is disconnected, offline or cannot be overwritten from the production environment.
20.6.4 Monitoring for or testing to ensure the successful generation of backups or replication – at least weekly.
20.6.5 Testing the ability to restore data from backups or read from replicated copies at least every six months.
If your business’s Computer System includes a company network:
20.7 Next generation firewalls with geo-location blocking, configured to restrict access to digitally stored Sensitive Information.
20.8 Vulnerable network protocols are secured via disabling/blocking on the firewall or, where required, restricted based on IP address and/or to secured areas.
20.9 Administrative/remote access interfaces such as Remote Desktop Protocol (RDP) are not accessible via the open internet. Where such interfaces are required, these are accessible exclusively over secured channels such as multi-factor authenticated Virtual Private Network (VPN) connections.
20.10 The system and/or activity logs for all Sensitive Systems including firewalls and Active Directory as implemented in your environment are stored for a minimum of six months.