Summary
This policy addresses the practices and controls for the management of client data. This policy supports contractual obligations established with many clients through operating and data service agreements agreed to by the parties.
Scope
This policy covers the storage, transmission, and management of data stored within or managed by Connor Group systems that a client has provided and considers its own asset.
Responsibility
Connor Group Information Technology, in coordination with Connor Group Legal, is responsible for ensuring this policy is adequate for the risks and contractual obligations associated with storing client-provided data. IT management will also ensure that sufficient standards, controls, and monitoring are implemented to ensure adherence to this policy.
Details
- All established policies and practices for data managed by Connor Group apply to this policy unless specific exceptions are approved, documented, and referenced from this policy.
No co-mingling of client data stores
- Client data must be stored in containers specific to each client.
- Client data may never be stored in a way that co-mingles data from multiple clients within a container.
- Client data must be separated at the highest level of isolation the data store service offers.
- The one exception: client data may be co-mingled in an encrypted database that has completed a documented Information Security review and received approval.
Access controls are limited to necessary and authorized persons and processes with the least necessary privileges
- In adherence to the least-privilege model, access controls for client data containers shall be set and maintained so that employees, contractors, vendors, applications, etc. are granted only the minimum permissions necessary to conduct Connor Group business with that data.
- The default permission for all client data is deny-all; explicit permissions are granted only through documented approval.
- Persons and processes granted access to client data stores require a direct established relationship to Connor Group's business activities with the relevant client.
- Access to client data shall be restricted to computer systems compliant with Connor Group's Endpoint Management Standard.
Service accounts are not granted full access to all client data stores
- Access to client data stores must be through named individual accounts.
Client Data Storage
- All client data must be encrypted at rest using current industry-standard encryption as defined in the Data Storage Policy.
- Client data shall only be stored in repositories explicitly assigned for client data by Connor Group IT.
No unauthorized processing of client data
- Client data may only be processed or used for purposes specifically authorized by the client through an engagement's scope of work, data processing agreement, or other established documentation agreed to by Connor Group Legal and the client.
Changes to access or processing of client data
- Any material changes to the access control rules or the scope of processing of client data must follow standard change control and be approved by Connor Group's Legal team prior to the changes being made.