RICS draft professional statement - Data handling and prevention of cybercrime

3 Best practice principles

These principles underpin and support the mandatory requirements listed in chapter 2 of this professional statement.

The scope of RICS professional statements encompasses all RICS members, some of whom work within non-regulated firms. It is understood that members are not always able to dictate the controls in place within the firm, but it is expected that members personally show diligence and best practice around the reliability and security of personal and client data.

Where working in collaboration with others, an RICS regulated firm should put binding agreements in place to protect the security and reliability of personal and client data used or shared during the collaboration.

The right to process and handle personal data is often expressed explicitly by data subjects through contractual agreements or 'opt-in' checkboxes on websites. Although this is a common form of consent, and is required to fulfil the consent obligations set out in GDPR legislation, implicit consent may be derived through common interactions with clients.

For example, if a client sends an email to a company in order to understand how a service was delivered, this provides implicit consent to be contacted by the company to which the email was addressed about that service. Similarly, handing over a business card at a meeting demonstrates implicit consent to be contacted about services that could be reasonably considered to pertain to the original context of the meeting.

However, care should be taken when consent is assumed around marketing activities. In these instances, explicit consent should be obtained. When in doubt, speak to the appointed data handling representative, or your regional data handling regulatory body (see appendix A for a list of data handling legislative bodies by country).

3.1 Technology infrastructure

With regard to their technology infrastructure, RICS regulated firms and RICS members in principal positions should:

  • review the software and hardware in use and keep it up to date through the installation of patches and firmware upgrades
  • maintain an asset register and dispose of assets in a secure manner
  • periodically review system logs and access restrictions
  • use only company approved equipment on internal networks
  • store computers that are not in use in a secure location and ensure the use of security cables to secure PCs to desks where appropriate
  • use encrypted email for highly sensitive communication and
  • implement two-factor authentication where access to client data and personal data is deemed a significant security risk.

Data logging, the automatic act of writing file and device access records, should be maintained for access to personal data or client data, and used retroactively in the event of a data breach to understand the implications of the breach.

Each instance of a user logging in to applications that store personal data or client data, and each export request, should be logged where it is feasible to do so. The log should be maintained for at least three months. These records may be investigated in the event that a breach is detected to discover which device or user accessed the affected systems. Therefore, it should include details such as the location the access originated from (i.e. the IP address); the time and date of access; and, where applicable, the data requested.

One best practice approach is proactive monitoring, in which alerts are generated upon the detection of abnormal behaviour. This allows system administrators to respond to alerts rather than have to review large log files. It is also important that log event times are synchronised across all devices. This ensures that the time logged on each system is accurate and allows for cross-referencing. If files or applications are hosted across multiple servers, established services such as Network Time Protocol (NTP) can be used for time synchronisation, and the system administrator should be able to ensure this capability is configured correctly.
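The logging and monitoring guidance above can be put into practice with a small review script. The following is an added illustrative example, not part of the RICS statement and not code from any RICS member firm. It assumes a simple line-oriented access log that records the fields the statement asks for (a timezone-aware timestamp, the user, the source IP address, the action and the data requested); the log lines it processes are constructed sample data. It keeps only entries inside the three-month retention window and raises alerts for two kinds of abnormal behaviour: activity from a source address a user did not use during a baseline period, and a burst of export requests by one user in a short window.

```python
"""Access-log retention and proactive alerting for systems holding personal or
client data. Added example; the log format and the sample lines are
constructed assumptions, not an RICS-specified format."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: ISO-8601 timestamp (with offset), user, source IP,
# action (login/export) and the dataset requested ('-' when not applicable).
SAMPLE_LOG = """\
2024-03-01T09:02:11+00:00 alice 10.0.0.12 login -
2024-03-01T09:05:40+00:00 alice 10.0.0.12 export client_valuations
2024-03-02T08:58:03+00:00 bob 10.0.0.40 login -
2024-03-15T22:14:09+00:00 alice 203.0.113.77 login -
2024-03-15T22:15:01+00:00 alice 203.0.113.77 export client_valuations
2024-03-15T22:15:30+00:00 alice 203.0.113.77 export personal_data_tenants
2024-03-15T22:16:02+00:00 alice 203.0.113.77 export personal_data_landlords
"""


def parse_log(text):
    """Parse log lines into dicts sorted by time. Timestamps must carry a
    timezone, otherwise records from NTP-synchronised hosts cannot be
    cross-referenced reliably; everything is normalised to UTC."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        ts_raw, user, ip, action, dataset = parts
        ts = datetime.fromisoformat(ts_raw)
        if ts.tzinfo is None:
            raise ValueError(f"line {lineno}: timestamp has no timezone")
        ipaddress.ip_address(ip)  # rejects malformed source addresses
        entries.append({"ts": ts.astimezone(timezone.utc), "user": user,
                        "ip": ip, "action": action, "dataset": dataset})
    entries.sort(key=lambda e: e["ts"])
    return entries


def retained(entries, now, retention_days=90):
    """Entries still inside the retention window (at least three months)."""
    cutoff = now - timedelta(days=retention_days)
    return [e for e in entries if e["ts"] >= cutoff]


def detect_anomalies(entries, baseline_days=7,
                     window=timedelta(minutes=5), max_exports=2):
    """Return alert tuples for behaviour that departs from each user's baseline.

    Rule 1 (new-ip): a login or export from a source IP the user did not use
            during the baseline period (the first `baseline_days` of the log).
    Rule 2 (export-burst): more than `max_exports` export requests by one
            user inside `window`.
    """
    alerts = []
    if not entries:
        return alerts
    baseline_end = entries[0]["ts"] + timedelta(days=baseline_days)
    known_ips = defaultdict(set)        # user -> source IPs already seen
    recent_exports = defaultdict(list)  # user -> export times inside window
    for e in entries:
        user, ip, ts = e["user"], e["ip"], e["ts"]
        in_baseline = ts < baseline_end
        if ip not in known_ips[user]:
            if not in_baseline:  # learning phase records silently
                alerts.append(("new-ip", user, ip, ts, e["action"]))
            known_ips[user].add(ip)  # alert once per new address
        if e["action"] == "export":
            recent = [t for t in recent_exports[user] if ts - t <= window] + [ts]
            recent_exports[user] = recent
            if len(recent) > max_exports:
                alerts.append(("export-burst", user, ip, ts, len(recent)))
    return alerts


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print(f"{len(retained(log, now))} of {len(log)} entries inside retention window")
    for alert in detect_anomalies(log):
        print("ALERT", *alert)
```

The baseline period and thresholds are deliberately simple; in a real deployment they would be tuned per system and the alerts forwarded to whoever holds the administrator role, so that review happens on alerts rather than on the full log file.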

User privileges should be reviewed and monitored regularly. The number of privileged accounts (those that have elevated access rights beyond the standard levels) should be minimised.

For RICS regulated firms that support mobile and/or home working, this should be enabled through the use of secure Virtual Private Networks (VPNs) rather than relying on data being stored on user-owned devices.

RICS regulated firms may wish to consider performing internal and external penetration testing, both at regular intervals and after any major system upgrade. It may then form part of best practice procedures to gain further insight into the security of their infrastructure and data systems.

3.2 Data handling

In addition to the mandatory requirements on data handling outlined in chapter 2, RICS regulated firms and RICS members in principal positions should:

  • perform regular testing of data recovery procedures
  • hold regular data security training sessions
  • avoid the use of default passwords and update passwords periodically
  • store sensitive personal data in separate parts of the IT infrastructure (either logical or physical), ensuring access control is maintained and
  • ensure screen locks are enabled on unattended computers.

RICS members should:

  • attend data security training awareness courses where available
  • avoid the use of default passwords for any of the systems they have access to, and update their passwords periodically
  • make use of data encryption where possible and appropriate and
  • follow the data retention policies of the relevant organisation.

Encryption of data is important to ensure that data breaches cannot happen through the loss of IT equipment. Laptops, external hard drives and USB flash drives are especially vulnerable to the theft or accidental loss of the data they contain, and therefore should be encrypted at all times. Encryption usually requires the entry of a password upon device start-up (before any user-associated password request) and ensures that the device is unreadable without the encryption password. This is not the case with standard user account passwords, which simply prevent unauthorised access to user files or services.

Apple Mac computers are encrypted without the need for any action by users, but not all Windows PCs have encryption enabled by default. Encrypting File System (EFS) is a service available on Windows 10 and should be used - as a minimum level of security - to encrypt personal and client data. Another tool available to Windows users is BitLocker, which is a utility that encrypts the entire hard drive.

Data recovery tests should take place at least once a year to ensure that offsite backups are usable, and should often be tested in conjunction with disaster recovery testing, which tests an organisation's resilience when key services are disrupted. The recovery process should be tested using process documents that should be accessible by other methods than through the company network. For example, this can be achieved by ensuring the relevant documents are printed and stored in a secure location, ideally offsite, to ensure they can be accessed in the event that a disaster affects access to the building.

Regular data security training should be delivered to staff at all levels, and cover guidance on data handling and local regulations. Attendance registers for these training sessions should be maintained, in order to ensure all staff have taken part. Training should encompass issues such as email security and the use of personal data and sensitive data.

3.3 Compliance

RICS regulated firms should:

  • maintain policies pertaining to data breaches and malware detection that are reviewed annually, in order to document the processes and procedures that should take effect upon either malware detection or the discovery of a data breach
  • implement secure audit trails to record data access and updates linked to individual user accounts and
  • provide contact details for the person responsible for the oversight of data handling, either through a publicly available website or upon request.

An RICS regulated firm's risk register should include risks arising from significant data breaches or malware attacks.

The risk assessment required by RICS regulated firms should consider the amount and nature of personal and client data held; where and how it is held; the processes and technical protections in place to prevent unauthorised access, loss, or events that would adversely affect the reliability of the data; and the likely harm that would be caused by a data breach.

Data handling policies should include contact details for the company's data handling representative, the IT team and any external communications team. These procedures should be referenced, along with the appropriate invocation steps, to alert data centres and offsite backup service providers where required.

Data handling policies should also give guidance on when a breach must be reported to a regulator, and when it should be reported to the affected data subject and/or RICS.

Significant data breaches should be reported to the affected data subject(s) and/or RICS where the RICS regulated firm considers that the breach is likely to result in a high risk of adversely affecting individuals' rights or freedoms, or of damaging the reputation of the profession.

Records kept by an RICS regulated firm of data breaches should also include information about how the breach occurred, and any steps that have been taken by the firm to mitigate the risk of future breaches arising from the same cause or causes.