For: Fleet Transport Consultant Limited (FTC)
Area: DVLA ADD Service Management
Policy Number: ISMS-DVLA-001
Version: 1.0
Effective Date: 19th Aug 2024
Review Date: August 2025
Approved By: Zaheer Aziz
This Information Security Management System (ISMS) Policy outlines the procedures and controls implemented by Fleet Transport Consultant Limited (FTC) to manage driver licences, Driver Certificate of Professional Competence (CPC) management, and tachograph (Tacho) card validity using the DVLA ADD service. The aim is to ensure compliance with ISO 27001 standards, the General Data Protection Regulation (GDPR), and other relevant legislation, while ensuring the security and confidentiality of the driver data stored in the Azure cloud.
This policy applies to the department within FTC that utilises the DVLA ADD service. It covers the management of driver licences, CPC records, and Tacho card validity. The policy is relevant to all employees, contractors, third-party service providers, and third-party developers who have access to or are involved in the management, development, or support of the DVLA ADD service.
Confidentiality: Ensure that driver data is accessed only by authorised systems and not visible to any individuals within or outside the organisation.
Integrity: Maintain the accuracy and completeness of driver data throughout its lifecycle.
Availability: Ensure that the DVLA ADD service and associated data are available to authorised systems when needed.
Information Security Officer (ISO): Responsible for ensuring the overall security of the DVLA ADD service and compliance with this policy.
Azure Cloud Administrator: Manages and secures the Azure environment where driver data is stored.
Data Protection Officer (DPO): Umar Aziz (umar@theftc.co.uk) is responsible for ensuring compliance with GDPR and overseeing data protection measures.
Service Users: Employees or systems that interact with the DVLA ADD service for driver data management.
Third-Party Developers: External developers responsible for the design, development, and ongoing support of the DVLA ADD service.
Data Storage: All driver data, including licence details, CPC information, and Tacho card validity, shall be stored exclusively in the Azure cloud environment. No physical or local copies of the data shall be kept.
Data Access: Direct access to driver data is restricted to the DVLA ADD service and authorised systems. No individual within FTC shall have direct access to view or modify the driver data.
Data Retention: Driver data shall be retained in the Azure cloud for the duration required by law or contractual obligations, after which it shall be securely deleted in compliance with relevant standards.
Encryption: All driver data stored in the Azure cloud must be encrypted both at rest and in transit, using industry-standard encryption protocols.
Access Controls: Access to the Azure cloud environment shall be controlled through multi-factor authentication (MFA) and role-based access controls (RBAC). Only authorised systems shall be granted access to the DVLA ADD service.
Audit and Monitoring: Regular audits of access logs and security controls shall be conducted to ensure compliance with this policy. Any unauthorised access attempts shall be investigated and reported to the ISO and DPO.
Incident Management: Any security incidents involving the DVLA ADD service or driver data must be reported immediately to the ISO. An incident response plan shall be in place to handle breaches, with steps for containment, investigation, and remediation.
FTC's system automatically logs all activities undertaken on the DVLA ADD service. This includes actions performed by FTC staff, clients, third-party developers, and even the DVLA ADD service itself.
Comprehensive Logging: All interactions with the system, including data access, modifications, and administrative actions, are logged automatically. This ensures that every activity is recorded, providing a complete audit trail.
Review and Analysis: The audit logs are regularly reviewed to detect any unusual or unauthorised activities. This allows FTC to identify potential security risks and take corrective action promptly.
Continuous Improvement: The insights gained from reviewing audit logs are used to continuously improve FTC's security measures, ensuring that the system remains resilient against emerging threats.
Retention and Security: Audit logs are securely stored in the Azure cloud environment and are retained for a period consistent with legal, regulatory, and business requirements. These logs are also protected with the same encryption and access controls applied to other sensitive data.
FTC acknowledges the crucial role played by third-party developers in the design, development, and ongoing support of the DVLA ADD service. As per ISO 27001 guidelines, FTC is obligated to ensure that all third-party developers adhere to the same standards of information security and data protection as required by this policy.
Contractual Obligations: FTC has established contracts with third-party developers that explicitly require compliance with ISO 27001, GDPR, and other relevant security standards. These contracts include clauses that mandate the implementation of appropriate security measures, regular security assessments, and adherence to FTC's ISMS policy.
Due Diligence: Before engaging third-party developers, FTC conducts thorough due diligence to assess their capability to meet the required security standards. This includes reviewing their security policies, certifications, and previous performance in managing similar projects.
Ongoing Monitoring: FTC regularly monitors the activities of third-party developers to ensure continuous compliance with security and data protection standards. This includes periodic security reviews, audits, and the assessment of any new risks that may arise from changes in the system or the environment.
Access Control: Third-party developers are granted access to the DVLA ADD service and associated systems on a need-to-know basis, and all access is controlled through MFA and RBAC. Any access granted is logged and subject to regular audit.
Incident Reporting: Third-party developers are required to immediately report any security incidents or vulnerabilities discovered during the development or support of the DVLA ADD service. FTC works closely with the developers to investigate and resolve any issues promptly.
ISO 27001 Compliance: The DVLA ADD service management shall be regularly reviewed to ensure it meets the requirements of ISO 27001.
GDPR Compliance: All personal data processed via the DVLA ADD service shall be handled in accordance with GDPR requirements. Data subjects' rights, such as access, rectification, and erasure, shall be upheld.
Third-Party Services: Any third-party services, including those provided by developers, used in conjunction with the DVLA ADD service must comply with the security and data protection standards outlined in this policy.
This policy shall be reviewed annually or in response to significant changes in the DVLA ADD service, legal requirements, or the security environment. Any changes to the policy must be approved by the Information Security Officer and communicated to all relevant stakeholders.