Information Security Policy


Last updated by A. Whillance / Q. North / T. Hanson, April 2015.

This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is

University of Brighton Information Services

Contents

Executive Summary ... 4
Scope ... 4
Governance commitments and responsibilities ... 4
Roles and responsibilities ... 5
Information security programme
Context of the organisation
Risk management
Management review
External review and certification ... 8
Information security controls ... 8
Mobile devices and teleworking
Mobile devices policy
Teleworking/Remote Working Policy
Human Resources Security Policy
Prior to employment
During employment
Policy awareness
Disciplinary procedure
Termination of employment
Students
Guests ... 11
Asset management
Asset management policy
Controls
Acceptable use of IT assets
Classification of information assets
Asset labelling and handling
Third-party requirements
Access control
Access control policy
Physical access
Logical access / application access
Access review
Cryptography ... 13
Policy
Controls
Physical security
Policy
Building security standards
Clear desk and clear screen policy
Disposal of equipment
Operations management
Policy
Controls
Communications security
Policy
Controls
Information transfer
Information exchange agreement
Security during acquisition and development
Policy
Controls
Secure development principles
Use of test data
Supplier relationships
Policy
Controls
Incident and weakness management
Policy
Controls
Business continuity management
Policy
Controls
Compliance
Policy
Controls ... 21

Page 2 last update April 2015

Executive Summary

This Information Security Policy describes how the University intends to protect information resources from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise return on investments and business opportunities. Information security (IS) is achieved by implementing a suitable set of controls, including policies, processes, procedures, organisational structures, and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the University are met.

This plan governs the privacy, security, and confidentiality of the University's data (especially highly sensitive data) and the responsibilities of departments and individuals for such data. IT security measures are intended to protect information assets and preserve the privacy of University employees, clients, sponsors, suppliers, and other associated entities. Inappropriate use exposes the University to risks including virus attacks, compromise of network systems and services, and legal issues.

All users of the University's information technology resources are required to follow the guidelines stated in the UoB IT Regulations and are bound by this plan, as well as other University policies and procedures, as terms of their employment. All employees share responsibility for the security of the information and resources in their respective departments. This plan will be reviewed and updated at least once a year or when the environment changes.

Scope

This policy, and the Information Security Management System (ISMS), applies to everyone working for or on behalf of the University, including temporary employees, contractors, volunteers, students and guests who have access to the University's information technology resources. Assets include data, images, text, or software, stored on hardware, paper or other storage media. The policy covers all University premises, and premises where data is processed on behalf of the University as data controller.

Governance commitments and responsibilities

Information security governance is the responsibility of the Senior Management Team (SMT) and consists of the leadership, organisational structures, and processes to ensure that the University's information technology infrastructure sustains and extends the University's strategies and objectives. The SMT has established the overall approach to governance and control to provide strategic direction, ensure objectives are achieved, ascertain risks are

managed appropriately and verify that the University's resources are used responsibly. The SMT shows its commitment by developing and implementing good internal controls as well as ensuring the promotion and awareness of IT requirements and plans throughout the University's activities. The University's strategic vision is linked with the IT department's goals and objectives, ultimately ensuring that the University's business meets customer and legal requirements while undergoing continual improvement.

Roles and responsibilities

In the context of this policy, it is the role of the Senior Management Team to provide oversight and direction regarding information systems security and privacy assurance, University-wide. The SMT, working through the appropriate IT Governance arrangements, will set objectives for the Information Security Management System (ISMS), approve policies and make it clear that it is their will that all policies are adhered to at all times. They will periodically review the performance of the ISMS, in order to verify that stated objectives are being met.

The Information Security Management representative is responsible for implementing the University's security programmes, including risk management. S/he plays a leading role in ensuring that the management system is approved, implemented, maintained and improved.

The Data Protection and Records Officer is responsible for ensuring that appropriate policies, awareness and training are in place across the University with regard to compliance with the Data Protection Act. S/he will act as a first point of contact for any employee, contractor or student who has any queries about compliance with this piece of legislation. This responsibility is undertaken by the University Legal Adviser.

Department Information Security Representatives will be the main point of contact for information security matters within their school or department. They will ensure that all University information security policies are understood and applied, and will assist in keeping departmental risk registers up to date. Where policy is not met, they will report this to the Information Security Management representative or through an appropriate committee to the Board of Governors.

Data/Asset owners are responsible for ensuring that proper controls are in place to address the integrity, confidentiality and availability of the information technology resources and data they own. They are also responsible for periodically reviewing that only those who require access to perform their job responsibilities have access to the data they own. This must be done at least annually.

Printed Thursday, 30 July 2015 Page 5

IT security practitioners (e.g. network, system, application, and database administrators; computer specialists; security analysts), regardless of their school or departmental affiliation, are responsible for ensuring that the technological controls under their control are implemented as desired by the

organisation. They will monitor tools as appropriate, review logs as required, and report any incidents, problems or weaknesses that they identify as part of their role.

A staff user is a person who has been granted explicit authorisation to access data by its owner. The user must use the data only for purposes specified by the owner, comply with security measures specified by the owner or custodian (e.g. securing login ID and password), and not disclose information or control over the data unless specifically authorised in writing by the owner of the data.

A student user is a person who has been granted explicit authorisation to access the University network or information processing facilities. They must abide by the University IT Regulations document that is provided to all newly enrolled students.

Guest users are non-members of the University who have been provided with temporary access to the University's data and systems for the purpose of conducting some legitimate activity as part of the University. They must abide by the University IT Regulations and must be informed of them before being provided with access.

Information security programme

Through this document and associated policies, the University has established, documented and implemented an information security programme. The system is designed to improve the effectiveness of IT operations and to ensure that regulatory requirements are satisfied. This programme has been implemented to ensure the confidentiality and integrity of the University's information while maintaining appropriate levels of accessibility. In order to ensure the security and confidentiality of sensitive information and to protect against any anticipated threats or hazards to the security or integrity of data, the University has put in place all reasonable technological means (e.g. security software and hardware) to keep information and facilities secure. The University has defined its own security controls, which are to be consistent with security requirements and controls prescribed by law and/or standards bodies (ISO etc.). See also section

Context of the organisation

The University seeks to operate its services and facilities in a manner consistent with the spirit of free inquiry that informs its fundamental purpose. In practice, this requires a balance to be struck between regulatory compliance and open access; a balance wherein, for example, the individual student or researcher is given unrestricted access to the Internet in return for a commitment to individual responsibility. A similar balance applies in relation to access to buildings and to open access facilities. The University wishes to ensure that only authorised users may gain access to these facilities but seeks also to ensure that the means of so doing are relatively simple and convenient. The University seeks also to ensure that its activities as a producer of

information (e.g. relating to staff, students, performance, research, etc.), whilst again compliant with regulatory requirements, are balanced in this case by the legitimate requirement to exploit these assets for purposes of planning and business improvement.

5.2 Risk management

The University is committed to a rigorous risk management framework, which it operates through the Risk Management Steering Group (RMSG). The management of risk associated with information security will be overseen by this Group. Within the context of the overall framework, additional factors will be brought into play to allow for more detailed assessment of specific information security elements. The management of information security risk at a detailed level takes place through the appropriate IT Governance mechanisms. IT Governance, School and department heads are responsible for ensuring that the RMSG is kept fully apprised of the risk status of information security activity.

Colleges, Schools, and Departments must ensure that risk assessments are conducted regularly in order to:
- Determine the nature and extent of the University's information resources
- Understand and document the risks in the event of failures that may cause loss of confidentiality, integrity, or availability of information resources
- Identify the level of security necessary for the protection of the resources
- Ascertain whether the current controls remain adequate to provide risk mitigation
- Assess whether the threat environment has changed

Internal Audit will carry out periodic risk-based audit reviews relating to information security as an independent check on the policies, systems and controls in place. The reports of these assessments will be considered by the IT Governance body and will, in turn, inform the University's overall risk profile.

5.3 Management review

The IT Governance body will review the performance of the ISMS on a regular basis. The topics to be discussed at a management review meeting will include the following:
- A review of the information security policy and this information security plan
- The results of any assessments of the ISMS (internal and external audits of the ISMS policies, procedures and controls)
- The status and trends of any actions arising from these reviews
- The status and trends of any incidents or significant weaknesses raised since the last meeting

- Any feedback or other information provided by third parties (customers, consultants, special interest groups)
- Any decisions as to whether new products or techniques should be candidates for implementation
- An assessment as to whether any implemented products, tools or techniques have had the desired improvement effects
- A review of the agreed effectiveness measures

Any decisions regarding potential improvements to the measures, processes, procedures, controls and resources supporting the ISMS will be recorded as an actions list. ISMS objectives will be reviewed and updated as necessary.

5.4 External review and certification

The University is not, at this stage, seeking formal accreditation to the ISO standard. It will, however, undertake from time to time an independent external assessment of the information security management system.

Information security controls

Mobile devices and teleworking

Mobile devices policy

The University has adopted a mobile devices policy. This is to ensure that the use of such devices is controlled in order to:
- Enable the correct data to be made available where it is required
- Maintain the integrity of the data
- Prevent unintended or deliberate consequences to the stability of the University's computer network
- Avoid contravention of any legislation, policies or good practice requirements
- Build confidence and trust in the data that is being shared between systems
- Maintain high standards of care in ensuring the security of Protected and Restricted information
- Prohibit the disclosure of information as may be necessary by law

All removable media for use on information systems owned or operated by the University are covered by this policy. Removable media include tapes, mobile phones (or any other portable electronic device) with USB capability, removable or external hard disc drives, optical discs (Blu-ray, DVD and CD-ROM), and solid state memory devices including memory cards and sticks. The policy is documented in the University's IT Regulations section and the Information Services Mobile Device support model.

Teleworking/Remote Working Policy

In the modern working environment it is often necessary that staff work away from an office. This almost inevitably means using mobile phones, tablets, laptop computers and equipment not provided by the University. Information security needs to be maintained outside the controlled environment of the University. In order to ensure this, a policy has been set which all employees must follow when working remotely. This policy offers guidance to staff working away from the office on the maintenance of high information security standards, whilst also taking into account the duty of care of an employer under such circumstances. The policy is documented in the University's IT Regulations.

6.2 Human Resources Security Policy

The following controls have been adopted to reduce the risk of theft, fraud or misuse of information facilities by employees, contractors and third-party users. The University's human resources policies apply to all persons within and external to the organisation that use information or information processing facilities. The policies and practices adopted are designed to ensure that all employees and relevant contractors:
- Receive appropriate checks and vetting prior to employment, depending on the level of access to data they will have, and the sensitivity of the role to be filled;
- Fully understand the security responsibilities and liabilities of their role(s);
- Are aware of information security threats and concerns, and the necessary steps to mitigate those threats;
- Will be provided with initial information security training, and subsequent training relevant to their role;
- Are equipped to support organisational privacy and security policies in the course of their normal work, through appropriate training and awareness programmes that reduce human error; and
- Exit the organisation, or change employment responsibilities within the organisation, in an orderly manner.

Prior to employment

All potential employees are interviewed to ensure that the individuals are suitable for the role. Appropriate screening is undertaken to ensure that employees are eligible to work in the UK and that their experience and qualifications match those stated in their CV. Job descriptions state the requirement to adhere to University policies, while the contract of employment clearly states the need to maintain confidentiality at all times.

During employment

All employees, contractors and temporary staff are provided with training materials, reinforcing the content of the contract of employment and the

guidance documented in the University's IT Regulations, in order that all employees are aware of information security threats and concerns and of their responsibilities and liabilities, are adequately equipped to support the security policy in their day-to-day work, and reduce the risk of human error. Employees with specific roles and responsibilities within the ISMS (e.g. Department Information Security Representatives or Data/Asset Owners) will be given training to allow them to fulfil their role.

Policy awareness

A number of policies and procedures have been established in order to state expected practices and behaviours. Not all policies are relevant to all members of the University. The following table indicates which policies are to be understood by which member type. The five policies covered are the Data Protection Policy, the Application Standards, the Departmental Security Policy, the Info Security Policy (this document) and the UoB IT Regulations.

Role | Number of the five policies marked for the role
Executive Management | four
ISMS Management Representative | all five
Department Information Security Representatives | all five
IT Security Practitioners | four
Data / Asset Owners | three
Staff, Contractors | three
Students, Guests | one

Disciplinary procedure

The HR Staff Central site holds a documented Disciplinary Procedure, with breach of confidentiality and misuse of equipment stated as examples of misconduct.

Termination of employment

On termination or change of employment, HR and IT staff work together to ensure that all physical and logical access is revoked, and all assets are returned. Employees and contractors are reminded of their ongoing requirement to maintain confidentiality.

Students

Students will be governed according to the policies set out in the student handbook. The policies in this document will be reasonably re-interpreted to

apply to students. For example, the student disciplinary process and termination of studentship will apply in respect of the HR policy statements above.

Guests

Where guests are undertaking work for or on behalf of the University they are to be governed by this policy as if they were staff. Where guests are visitors to the University in some other capacity, they are to be governed by this policy as if they were students, with an appropriate interpretation of the disciplinary and termination policies.

Asset management

Asset management policy

It is a fundamental requirement that assets within the scope of this information security policy are identified and tracked, and that the requirements for safe handling of these assets are understood by those who may use or access them. For clarity, assets may be, but are not limited to, things such as electronic data, paper documents, records, e-mails, computers, and mobile or storage devices. Through this policy and controls the University seeks to ensure that assets are:
- Identified: the University understands what assets are held and where those assets are.
- Owned: persons responsible for assets have been identified and are aware of their ownership.
- Classified: the importance of each asset is understood in terms of the impact to the University should it be lost, misused, compromised etc.
- Protected: assigned users are aware of what they can and cannot do with a particular asset, based on its classification. They are aware of their requirement to safeguard assets assigned to them, and that the unsafe use of assets should be quickly reported through appropriate management channels.

Controls

Identification and control of physical assets

Identification and tracking of physical assets is necessary, in order that the whereabouts and status of devices can be tracked, and assets recovered as required. For this reason the Asset Management Policy documented in the Departmental Information Security Policy states each department or function's requirements for maintaining registers of assets.

Identification and control of information assets

The University maintains inventories of information assets on all systems that are considered in-scope, with Department Information Security Representatives responsible for keeping these registers up to date.

They form the basis of any information security risk assessment. Guidelines for maintaining registers are documented in the Departmental Information Security Policy.

Acceptable use of IT assets

The University recognises that it is vital that all employees are aware of their responsibility to use all assets responsibly, whether the asset is a physical item (e.g. laptop, phone, USB device) or informational (e.g. data). For this reason, guidance on acceptable use of University assets has been documented and issued to all staff through the University's IT Regulations.

Classification of information assets

For information assets, a classification scheme has been adopted by the University. This scheme is documented in the University's IT Regulations, section 7.1. All information assets should have been assigned one of the classifications.

Asset labelling and handling

In order to assist users in deciding how to protect information, data handling guidelines in accordance with the classification scheme have been adopted by the University. This scheme is documented in the University's IT Regulations.

Third-party requirements

The University recognises that third parties may have specific labelling or handling requirements that need to be adhered to. While the University classification/labelling scheme has been adopted to assist users in deciding how to protect information, client requirements may supersede these instructions as long as doing so does not place information at risk. If third-party handling requirements are less rigorous than those outlined in University policies, or a risk is identified, employees are required to raise this with their Departmental Information Security Representative or line manager.

Access control

Access control policy

Authorisation and control of access to facilities and information systems is a crucial tool in ensuring information security. The protection of information assets from unauthorised access is an important business requirement. It is the policy of the University that only authorised personnel have access to facilities and information systems, and that such access is limited, dependent on the role of the individual concerned. Access will be provided only when required. This policy applies to permanent and temporary employees of the University, students, and those visitors, contractors or other third parties that may require access.

Physical access

Physical security controls and secure areas are used to minimise unauthorised access, damage, and interference to information and information systems. Physical security means providing environmental safeguards for controlling physical access to equipment and data on the University network in order to protect information technology resources from unauthorised use, from both the physical hardware and data perspectives. The minimum expected requirements for controlling physical access to all University buildings have been documented in the University's Departmental Information Security Policy. This policy covers elements such as:
- Expected physical security controls
- Use and control of secure areas
- Control of visitors and guests
- Data centre and server room environments

Logical access / application access

Access to systems and applications needs to be carefully controlled, particularly whenever protected information is concerned. The minimum expected requirements for controlling logical access to all University systems have been documented in the Application Standards policy. This policy covers elements such as:
- Access control (authentication, user registration, de-registration)
- Control of privileged accounts
- Remote access
- Control of third-party accounts

Access review

In order to verify whether the procedures for granting and revoking access are functioning as expected, access arrangements need to be reviewed periodically. The requirements for doing so are documented in the Application Standards policy.

Cryptography

Policy

The University has standards for encryption to ensure that sensitive data is protected from disclosure. The requirements for users to protect data in transmission are documented in the University's IT Regulations. Suitably strong encryption measures are employed and implemented, whenever deemed appropriate, for information during transmission and in storage. The requirements for the use of encryption methods within applications are documented in the Application Standards policy.

Controls

The following principles have been adopted in the creation of guidelines on the use of cryptography:
- It is a fundamental policy of the University that all sensitive information will be protected while passing over public networks.
- Encryption is only permitted when authorised, using permitted technologies and methods.
- No unauthorised encrypted containers are permitted on the University network.

6.6 Physical security

Policy

Physical security controls and secure areas are used to minimise unauthorised access, damage, and interference to information and information systems. Physical security means providing environmental safeguards for controlling physical access to equipment and data on the University network in order to protect information technology resources from unauthorised use, from both the physical hardware and data perspectives.

Building security standards

The minimum expected standards for all University buildings have been documented in the Departmental Information Security Policy. This policy covers elements such as:
- Expected physical security controls
- Use and control of secure areas
- Control of visitors and guests
- Data centre and server room environments
- Access control
- Equipment disposal
- Paper waste disposal

All buildings are expected to comply with the policy wherever possible. It is recognised that the large and diverse estate does mean that there will be occasions where buildings cannot meet the required level of control. Where this is the case, the risk must be assessed and recorded in departmental risk registers.

Clear desk and clear screen policy

While University offices should be physically secure so as to prevent unauthorised access, and the physical security policies should reduce the likelihood that an intruder could gain access, it is recognised that it isn't possible to guarantee that unwanted physical access will not occur. For this reason, it is important to reduce the impact should anything occur by minimising what could be taken should an intruder gain access to facilities. The University has therefore, in some departments, implemented a Clear Desk and Screen Policy. This is documented in the University's IT Regulations.

Disposal of equipment

The University recognises the need to ensure that all data and licensed software have been removed from data storage devices prior to disposal. This requirement applies to all media containing data, including:
- Laptop, PC and server hard drives
- Backup tapes
- USB pen drives
- Removable drives
- CDs, DVDs and tapes

The requirements to manage this process safely and securely have been documented in the Departmental Information Security Policy. A central function is available from the Estates and Facilities department to ensure requirements are met.

6.7 Operations management

Policy

System and communications protection refers to the key elements used to assure that data and systems are available and exhibit the confidentiality and integrity expected by owners and users to conduct their business. The appropriate level of security applied to the information and systems is based on the classification and criticality of the information and the business processes that use it. The system's integrity controls must protect data against improper alteration or destruction during storage, during processing, and during transmission over electronic communication networks. The key elements of system and communications protection are backup protection, denial of service protection, boundary protection, use of validated cryptography (encryption), public access protection, and protection from malicious code.

Operations management refers to implementing appropriate controls and protections on hardware, software, and resources; maintaining appropriate auditing and monitoring; and evaluating system threats and vulnerabilities. Proper operations management safeguards all of the University's computing resources from loss or compromise, including main storage, storage media (e.g. tape, disk, and optical devices), communications software and hardware, processing equipment, standalone computers, and printers.

Controls

The following controls have been implemented:
- Change control: changes to the live infrastructure must be controlled. All changes will be approved, will be implemented by authorised persons and will be logged.
- Malware protection: all computers on the University network will have industry-recognised anti-malware software installed, with real-time monitoring and updates.
- Backups: all information is backed up to ensure that data can be recovered within the required timescales.

16 University of Brighton Information Services Capacity management The University will monitor capacity of the production environment to ensure that service remains available. Factors such as CPU usage, memory usage, disk space and network utilisation will be used to monitor capacity. Logging and monitoring Server logging (system, error, security) will be enabled on all servers, and will be kept for a minimum of 30 days, to allow for fault fixing and investigation as required. Control of installed software Privileges on computing equipment will be restricted whenever possible, so that users are not able to disable or amend key security controls. Users are also provided with clear instruction that they are not permitted to install any software on University assets unless it has been approved. This guidance is to be found in the University s IT Regulations. Clock synchronisation All servers will receive real-time clock synchronisation from an NTP source. Technical vulnerabilities The requirements to remain on supported vendor software (operating systems, applications) and the expected patching procedures and schedules are documented in the UoB Application Standards. Technical Testing All testing will be carefully planned and agreed to ensure it has no severe impact to the live services. Environments All production environments should have a separate testing environment to remove the need to test on any live platform. An exception would be where technical vulnerability testing is to be done on the production systems. 6.8 Communications security Policy Network attacks launched from the Internet or from internal sources can cause significant damage and harm to information resources including the unauthorised disclosure of confidential information. 
In order to provide defensive measures against these attacks, firewall and network filtering technology must be used in a structured and consistent manner.

Controls

The University maintains appropriate configuration standards and network security controls to safeguard information resources from internal and external network-mediated threats. The following controls have been adopted:

Perimeter security controls

Firewalls and Intrusion Detection Systems (IDS) are deployed at the University border, and Intrusion Prevention Systems (IPS) are deployed on core services, to augment normal system security measures against denial of service attacks, malicious code, or other traffic that threatens systems within the network or that violates the University's information security policies. Firewalls and/or IDS/IPS are also deployed as appropriate to limit access to systems that host restricted or essential information.

The default administrative password for any firewall or equivalent network device should be changed to an alternative, strong password.

Each rule that allows network traffic to pass through the firewall (e.g. each service on a computer that is accessible through the boundary firewall) should be subject to approval by an authorised individual and documented, including an explanation of the business need.

Firewall rules will be built so that permitted traffic is restricted to only those users, addresses, ports and protocols required to allow effective communication. Unapproved services, or services that are typically vulnerable to attack (such as Server Message Block (SMB), NetBIOS, tftp, RPC, rlogin, rsh or rexec), should be disabled (blocked) at the boundary firewall by default.

Firewall rules that are no longer required (e.g. because a service is no longer required) should be removed or disabled in a timely manner.

The administrative interface used to manage the boundary firewall configuration should not be accessible from the Internet.

Where security services are provided by a third party, there will be a formal agreement in place which describes the expected service levels. This may be in the form of an SLA, a published level of service or a bespoke agreement. The service paid for will be monitored and the third party will be required to address any deficiency.

Where required, networks will be segregated to provide an additional level of security.

All changes to any security device, whether hardware or software, must follow the University's IT change procedures.

Networks and applications will be subject to vulnerability testing, based on client requirements. Technical vulnerability testing will also be considered when systems undergo significant change, or where otherwise felt appropriate. Any such testing will be carefully scheduled, planned and conducted to minimise the risk of interruption to service.
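The firewall rule requirements above (per-rule approval with a documented business need, permitted traffic limited to the sources and ports required, legacy services such as SMB, NetBIOS, tftp, RPC and the r-services blocked at the boundary by default, and the management interface not reachable from the Internet) can be checked mechanically against a rule export before a change is approved. The Python script below is an added example for this page, not University of Brighton code or tooling. The rule format (a list of dicts with src, dst, proto, port, approved_by and justification fields), the port numbers assigned to the named services, the RFC 1918 ranges treated as internal, the management address 203.0.113.1 and the sample ruleset are all assumptions, and it handles IPv4 only.

```python
"""Audit a boundary-firewall ruleset against the policy's stated requirements.

Added example, not University of Brighton code. The rule format, port mapping,
internal ranges, management address and sample ruleset are all assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Services the policy names as typically vulnerable to attack, to be blocked at
# the boundary by default. Ports are the conventional ones (assumption).
LEGACY_SERVICES = {
    ("tcp", 445): "SMB",
    ("tcp", 139): "NetBIOS session",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram",
    ("udp", 69): "tftp",
    ("tcp", 111): "RPC portmapper",
    ("udp", 111): "RPC portmapper",
    ("tcp", 135): "MS-RPC endpoint mapper",
    ("tcp", 512): "rexec",
    ("tcp", 513): "rlogin",
    ("tcp", 514): "rsh",
}

# Address space treated as "inside"; anything wider is internet-facing (IPv4 only).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed address of the firewall's own management interface (documentation range).
MGMT_HOSTS = [ipaddress.ip_network("203.0.113.1/32")]

ANY_V4 = "0.0.0.0/0"


@dataclass
class Finding:
    rule_id: str
    severity: str  # "high" or "medium"
    message: str


def is_untrusted(src):
    """A source is untrusted unless it lies wholly inside one internal range."""
    n = ipaddress.ip_network(src, strict=False)
    return not any(n.subnet_of(internal) for internal in INTERNAL_NETS)


def targets_management(dst):
    """True if the destination is a management address or a range covering one."""
    n = ipaddress.ip_network(dst, strict=False)
    return any(n.subnet_of(m) or m.subnet_of(n) for m in MGMT_HOSTS)


def audit_rules(rules):
    """Return policy findings for an ordered list of boundary-firewall rules."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        rid, src, dst = r["id"], r["src"], r["dst"]
        untrusted = is_untrusted(src)
        svc = (r["proto"], r["port"])
        wildcard = r["proto"] == "any" or r["port"] == "any"
        # Legacy services must be blocked at the boundary; a wildcard permit
        # from outside lets them through just as surely as a named one.
        if untrusted and svc in LEGACY_SERVICES:
            findings.append(Finding(rid, "high",
                f"permits {LEGACY_SERVICES[svc]} ({svc[0]}/{svc[1]}) from {src}"))
        elif untrusted and wildcard:
            findings.append(Finding(rid, "high",
                f"wildcard service permit from {src} implicitly allows legacy services"))
        # The management interface must not be reachable from the internet.
        if untrusted and targets_management(dst):
            findings.append(Finding(rid, "high",
                f"management interface {dst} reachable from {src}"))
        # Every permit rule needs an approver and a documented business need.
        if not r.get("approved_by") or not r.get("justification"):
            findings.append(Finding(rid, "medium",
                "permit rule lacks an approver and/or business justification"))
    # An explicit default deny should close the ruleset.
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == ANY_V4
            and last["dst"] == ANY_V4 and last["proto"] == "any"):
        findings.append(Finding("<end>", "medium",
            "ruleset does not end with an explicit default-deny rule"))
    return findings


# Constructed sample ruleset (addresses from the 203.0.113.0/24 documentation range).
SAMPLE_RULES = [
    {"id": "R1", "action": "allow", "src": ANY_V4, "dst": "203.0.113.10/32",
     "proto": "tcp", "port": 443, "approved_by": "IS change board",
     "justification": "Public web front end"},
    {"id": "R2", "action": "allow", "src": ANY_V4, "dst": "203.0.113.20/32",
     "proto": "tcp", "port": 445, "approved_by": "", "justification": ""},
    {"id": "R3", "action": "allow", "src": ANY_V4, "dst": "203.0.113.1/32",
     "proto": "tcp", "port": 22, "approved_by": "J. Example",
     "justification": "Vendor remote support"},
    {"id": "R4", "action": "allow", "src": "10.20.0.0/16", "dst": "10.30.0.5/32",
     "proto": "tcp", "port": 445, "approved_by": "IS change board",
     "justification": "Internal file service"},
    {"id": "R5", "action": "deny", "src": ANY_V4, "dst": ANY_V4,
     "proto": "any", "port": "any"},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f.severity.upper():<6} {f.rule_id}: {f.message}")
```

Run directly, it reports R2 (SMB open to any source, with no approver or justification recorded) and R3 (the management address reachable from the Internet, which an approver's signature does not excuse), and passes R4 because SMB between two internal ranges is not a boundary exposure. In practice the rules list would be built from the firewall's rule export and the script run as part of the change-approval step, so that a non-compliant rule is rejected before it reaches the live device.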
Server security controls

Unnecessary user accounts (e.g. guest accounts and unnecessary administrative accounts) should be removed or disabled. Any default password for a user account should be changed to an alternative, strong password.

Unnecessary software (including applications, system utilities and network services) should be removed or disabled.

The auto-run feature should be disabled, to prevent programs running automatically when removable storage media is connected to a computer or when network folders are accessed.

A personal firewall (or equivalent) should be enabled on desktop PCs and laptops, and configured to disable (block) unapproved connections by default.

Further information on the expected security levels for applications in use is documented in the Application Standards policy.

Information transfer

Where employees are responsible for transferring information, this must be done in accordance with the data handling guidelines described in section 6.3 of this policy. The requirement to protect sensitive information in transit is documented in the University's IT Regulations. Where data transfer is part of a system or application process, the expected levels of protection are documented in the Application Standards policy.

Information exchange agreement

Where appropriate, data processing agreements will be established between the University and any third party with which information is exchanged.

6.9 Security during acquisition and development

Policy

The University recognises that it is essential that the IT systems in use are secure. Processes have been developed to ensure that security is an integral part of information systems across the entire life-cycle. In particular this includes specific security requirements for information systems that provide services over public networks. Information security requirements are to be part of any new system.

Controls

The following controls have been implemented:

All decisions to make significant changes to core University systems (whether through acquisition or through development) must be authorised by the Technical Design Authority. The required security will be identified during scoping meetings. Directors, IT security practitioners and the Information Security Management Representative will attend as a minimum, with other parties brought in as required.

All large changes must follow a defined project lifecycle. This will either be managed by the Strategic Programmes and Planning Office, or to the same level of governance by individual departments and schools.

Change to the live infrastructure must be controlled. All changes will be approved, will be implemented by authorised persons and will be logged.
The requirement for departments to ensure this is documented in the UoB Application Standards document.

All new or changed systems will have agreed system acceptance criteria, as defined in the Information Services project management processes. Evidence of testing will be retained, and will be reviewed prior to any authorisation to make the system live.

Segregation of duties is enforced so that developers are not able to make changes to the live environment. All changes to the staging and production environments must follow the University's IT change procedures.

The University uses only recognised industry suppliers when buying Commercial-Off-The-Shelf (COTS) software.

Should a third party be used to develop any bespoke software, they will be expected to demonstrate to the University that security has been maintained.

Well-known vulnerability classes and control baselines (e.g. the OWASP Top Ten and the SANS Institute Top Twenty Critical Controls) will be considered and, where necessary, explicitly tested against prior to system acceptance.

Secure development principles

It is essential that information security forms part of the acquisition or development of any application or system hosting confidential data. All applications are assessed against the minimum standards documented in the Application Standards policy. This lists mandatory and desirable attributes against which each application is assessed and measured. All mandatory controls must be implemented, while desirable attributes should be considered and applied where felt appropriate. The minimum standards documented cover:

Access Controls
Encryption and Cryptography
Physical Security and Resilience
Logging
Security in the Development Process
Operations Security
Change Management
Business Continuity
Compliance

Use of test data

No live data is permitted to be used in development or test systems unless permission has been obtained from the data owner.

6.10 Supplier relationships

Policy

The University is aware of the requirement to ensure that the services provided by external suppliers meet expectations, both in terms of information security and agreed service levels. The risk posed by suppliers will be understood, and controls implemented to ensure that all parties are satisfied that security will be maintained.

Controls

The following controls have been implemented:

When suppliers are engaged, departments are strongly encouraged to use the Information Services Project Management Office function.

As part of risk assessment, suppliers, contractors and other third parties have been considered and recorded in the Asset and Risk register where there is thought to be a potential risk.
The right to audit suppliers on aspects of information security will be considered and applied in contracts where practical and where thought necessary.

Where applicable, suppliers will be required to demonstrate that their security controls meet the University's policy, either by completing questionnaires, supplying certificates, or by allowing University staff or representatives to audit systems or premises.

Appropriate non-disclosure or confidentiality agreements will be drawn up and signed by suppliers and the University.

Access to premises will be carefully controlled, as described in the Physical Security section of this document.

Any access to central systems by third parties will be provided only after authorisation from Directors and IT Security Practitioners. Appropriate firewall rules will be implemented to ensure that access is restricted to the minimum possible traffic (source IP address and port). Third-party accounts will be disabled when not in use.

Where the supplier provides a service, the service provided will be monitored, reviewed and audited as necessary.

6.11 Incident and weakness management

Policy

While the information security management system has been planned and implemented in order to minimise the likelihood that an incident will occur, it is recognised that there may be occasions where policies and procedures are not followed, whether by University staff, contractors, clients, suppliers or any other third party. The University is committed to responding to any breach of the confidentiality, integrity or availability of any assets, whether of the organisation or of its clients.

Controls

The following controls have been implemented to ensure that any incidents arising are quickly reported, receive an appropriate response, and are used to improve the information security management system:

Incident reporting procedures have been written and communicated to all employees. These are documented in the University's IT Regulations.
All staff and relevant third parties will receive training that includes specific instruction on the requirement to report any incidents or potential incidents that they notice.

Forensic readiness procedures have been documented, and IT security practitioners are aware of the requirement to preserve any evidence for use in any subsequent investigation.

Management are committed to dealing with any incidents in a timely manner, and will communicate as necessary with all interested parties and stakeholders.

Incidents and weaknesses are an agenda item at every Information Security management review meeting. This allows management to identify trends and patterns, and to identify any potential improvements to policies, procedures, controls and infrastructure.

6.12 Business continuity management

Policy

The University provides a safe, secure IT environment to serve its users' requirements in order to ensure stability and continuity of the business. It is recognised that incidents can occur which interrupt normal business practices. The University is committed to minimising the impact of any such incident that might affect the organisation's premises, staff or equipment.

Controls

The following controls have been implemented in order to ensure that the University remains able to meet its recovery objectives:

Business continuity plans have been developed. These will be reviewed and updated at least annually, or when significant changes to the business occur.

Business continuity plans will be regularly tested. The techniques used will range from desktop scenario testing and communication cascades to, where possible, testing of the ability to work from a recovery location.

The University is committed to ensuring that information security requirements remain the same in adverse situations as under normal operational conditions. Information security requirements will be part of any formal business continuity testing.

The requirements for departments to maintain and test plans are documented in the Departmental Information Security Standards policy.

6.13 Compliance

Policy

The University is aware of the requirement to comply with all legal, statutory and contractual requirements. The organisation seeks to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security, and of any security requirements.

Controls

The following controls have been implemented:

A register of legislation has been drawn up stating the main legislation that applies. This is captured in the IT Regulations document and is regularly reviewed in accordance with the document control procedures.

A Data Protection and Records Officer is in place.
The University's policies and procedures have been designed to ensure that the requirement to meet data privacy laws is built in to day-to-day operations. All employees and relevant contractors receive training in this topic.

Software licences are carefully managed. All employees and relevant third parties are made aware that they are not allowed to install software without authorisation. The details of this policy are found in the University's IT Regulations.

Should any audit tools be employed, their use will be restricted to IT Administrators only. System audits will be carefully planned to minimise the impact on operational systems (for example, with the scope agreed, access limited to read-only, and the IT resources required identified in advance).

The use of cryptography within the organisation is compliant with applicable laws on its usage, and the University would surrender keys should an external investigation require this.

Compliance requirements for applications and systems form part of the minimum standards outlined in the Application Standards policy.


More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Information Security Incident Management Policy. Information Security Incident Management Policy. Policy and Guidance. June 2013

Information Security Incident Management Policy. Information Security Incident Management Policy. Policy and Guidance. June 2013 Information Security Incident Management Policy Policy and Guidance June 2013 Project Name Information Security Incident Management Policy Product Title Policy and Guidance Version Number 1.2 Final Page

More information

43: DATA SECURITY POLICY

43: DATA SECURITY POLICY 43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:

More information

INFORMATION SECURITY MANAGEMENT POLICY

INFORMATION SECURITY MANAGEMENT POLICY INFORMATION SECURITY MANAGEMENT POLICY Security Classification Level 4 - PUBLIC Version 1.3 Status APPROVED Approval SMT: 27 th April 2010 ISC: 28 th April 2010 Senate: 9 th June 2010 Council: 23 rd June

More information

SUPPLIER SECURITY STANDARD

SUPPLIER SECURITY STANDARD SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard

More information

Version: 2.0. Effective From: 28/11/2014

Version: 2.0. Effective From: 28/11/2014 Policy No: OP58 Version: 2.0 Name of Policy: Anti Virus Policy Effective From: 28/11/2014 Date Ratified 17/09/2014 Ratified Health Informatics Assurance Committee Review Date 01/09/2016 Sponsor Director

More information

Version 1.0. Ratified By

Version 1.0. Ratified By ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified 5 th March 2013 Author(s) Responsible Committee / Officers Issue Date 5 th March 2013 Review Date Intended Audience

More information

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by: Tameside Metropolitan Borough Council ICT Security Policy for Schools Adopted by: 1. Introduction 1.1. The purpose of the Policy is to protect the institution s information assets from all threats, whether

More information

SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY

SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY OBJECTIVE To provide users with guidelines for the use of information technology resources provided by Council. SCOPE This policy

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 3.0 Ratified By Date Ratified April 2013 Author(s) Responsible Committee / Officers Issue Date January 2014 Review Date Intended Audience Impact

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review Date

More information

Regulations on Information Systems Security. I. General Provisions

Regulations on Information Systems Security. I. General Provisions Riga, 7 July 2015 Regulations No 112 (Meeting of the Board of the Financial and Capital Market Commission Min. No 25; paragraph 2) Regulations on Information Systems Security Issued in accordance with

More information

IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers

IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy DOCUMENT INFORMATION Author: Vince Weldon Associate Director of IM&T Approval: Executive This document replaces: IM&T Policy No. 1 Anti Virus Version

More information

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10 Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between

More information

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

More information

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

CloudDesk - Security in the Cloud INFORMATION

CloudDesk - Security in the Cloud INFORMATION CloudDesk - Security in the Cloud INFORMATION INFORMATION CloudDesk SECURITY IN THE CLOUD 3 GOVERNANCE AND INFORMATION SECURITY 3 DATA CENTRES 3 DATA RESILIENCE 3 DATA BACKUP 4 ELECTRONIC ACCESS TO SERVICES

More information

IT Data Security Policy

IT Data Security Policy IT Data Security Policy Contents 1. Purpose...2 2. Scope...2 3. Policy...2 Access to the University computer network... 3 Security of computer network... 3 Data backup... 3 Secure destruction of data...

More information

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

Electronic business conditions of use

Electronic business conditions of use Electronic business conditions of use This document provides Water Corporation s Electronic Business Conditions of Use. These are to be applied to all applications, which are developed for external users

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY Contents 1. Introduction 2. Objectives 3. Scope 4. Policy Statement 5. Legal and Contractual Requirements 6. Responsibilities 7. Policy Awareness and Disciplinary Procedures 8. Maintenance 9. Physical

More information

Scotland s Commissioner for Children and Young People Records Management Policy

Scotland s Commissioner for Children and Young People Records Management Policy Scotland s Commissioner for Children and Young People Records Management Policy 1 RECORDS MANAGEMENT POLICY OVERVIEW 2 Policy Statement 2 Scope 2 Relevant Legislation and Regulations 2 Policy Objectives

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

Mobile Devices Policy

Mobile Devices Policy Mobile Devices Policy Item Policy description Division Director Contact Description Guidelines to ensure that mobile devices are deployed and used in a secure and appropriate manner. IT Services and Records

More information

Responsible Access and Use of Information Technology Resources and Services Policy

Responsible Access and Use of Information Technology Resources and Services Policy Responsible Access and Use of Information Technology Resources and Services Policy Functional Area: Information Technology Services (IT Services) Applies To: All users and service providers of Armstrong

More information

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY ICT OPERATING SYSTEM SECURITY CONTROLS POLICY TABLE OF CONTENTS 1. INTRODUCTION... 3 2. LEGISLATIVE FRAMEWORK... 3 3. OBJECTIVE OF THE POLICY... 4 4. AIM OF THE POLICY... 4 5. SCOPE... 4 6. BREACH OF POLICY...

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

Information Governance Policy (incorporating IM&T Security)

Information Governance Policy (incorporating IM&T Security) (incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

Management Standards for Information Security Measures for the Central Government Computer Systems

Management Standards for Information Security Measures for the Central Government Computer Systems Management Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 1.1 General...

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

Information Security Management. Audit Check List

Information Security Management. Audit Check List Information Security Management BS 7799.2:2002 Audit Check List for SANS Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SPS (FW), IT Security Consultant. Approved by: Algis Kibirkstis Owner: SANS Extracts

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

Mike Casey Director of IT

Mike Casey Director of IT Network Security Developed in response to: Contributes to HCC Core Standard number: Type: Policy Register No: 09037 Status: Public IG Toolkit, Best Practice C7c Consulted With Post/Committee/Group Date

More information

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

More information

Merthyr Tydfil County Borough Council. Information Security Policy

Merthyr Tydfil County Borough Council. Information Security Policy Merthyr Tydfil County Borough Council Information Security Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of

More information

Guidance on the Use of Portable Storage Devices 1

Guidance on the Use of Portable Storage Devices 1 Guidance on the Use of Portable Storage Devices Introduction Portable storage devices ( PSDs ) such as USB flash memories or drives, notebook computers or backup tapes provide a convenient means to store

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

Department of Information Technology Remote Access Audit Final Report. January 2010. promoting efficient & effective local government

Department of Information Technology Remote Access Audit Final Report. January 2010. promoting efficient & effective local government Department of Information Technology Remote Access Audit Final Report January 2010 promoting efficient & effective local government Background Remote access is a service provided by the county to the Fairfax

More information