Qatar University Information Security Policies Handbook November 2013

Size: px
Start display at page:

Download "Qatar University Information Security Policies Handbook November 2013"

Transcription

1 Qatar University Information Security Policies Handbook November 2013 Information Security Policies Handbook November 2013 Produced by Information Technology Services Department / Information Security Reviewed by Office of Associate Vice President for Facilities & Information Technology

2 Table of Contents 1 PL-ITS-ISO-001: INFORMATION SECURITY POLICY PL-ITS-ISO-002: INFORMATION SECURITY MANAGEMENT PL-ITS-ISO-003: INFORMATION ASSET CLASSIFICATION PL-ITS-ISO-004: PRIVACY AND PROTECTION OF PERSONAL INFORMATION PL-ITS-ISO-005: RISK MANAGEMENT PL-ITS-ISO-006: BUSINESS CONTINUITY MANAGEMENT PL-ITS-ISO-007: IT SYSTEMS SECURITY COMPLIANCE PL-ITS-ISO-008: ACCESS CONTROL AND PRIVILEGES PL-ITS-ISO-009: SOFTWARE SECURITY PL-ITS-ISO-010: MEDIA SECURITY PL-ITS-ISO-011: MALWARE PROTECTION PL-ITS-ISO-012: MOBILE COMPUTING AND TELEWORKING PL-ITS-ISO-013: DATA RETENTION AND ARCHIVAL PL-ITS-ISO-014: SECURITY AWARENESS PL-ITS-ISO-015: INTELLECTUAL PROPERTY PL-ITS-ISO-016: LEGAL AND FORENSICS POLICY PL-ITS-ISO-017: PHYSICAL SECURITY PL-ITS-ISO-018: ACCEPTABLE USE OF INFORMATION RESOURCES PL-ITS-ISO-019: USE OF NETWORK SERVICES PL-ITS-ISO-020: USER ACCOUNT MANAGEMENT PL-ITS-ISO-021: ACCESS POLICY... 79

3 1 PL-ITS-ISO-001: Information Security Policy Contents: Policy Description Policy Security Values Version Number: 1.0 Effective Date: Approved by EMC on: Approved by the President on: 1.1 Policy Description Qatar University considers information to be a strategic asset that is essential to its core mission and business operations. Furthermore, the University values the privacy of individuals and is dedicated to protecting the information with which it is entrusted. Therefore, the University is committed to providing the resources needed to ensure the confidentiality, integrity, and availability of its information as well as reduce the risk of exposure that would damage the reputation of the University. 1.2 Who Should Know This Policy President Vice President Associate Vice President for Facilities & IT Associate Vice President for Administration Legal Advisor Dean Director/ Departmental Head Faculty Accounting/ Finance Personnel Students Employees All users of QU information assets Information Security Policy 3

4 1.3 Policy The Board of Regents, President, senior management and employees at Qatar University are committed to protect the confidentiality and integrity of all the information assets, ensure availability in accordance to business objectives and conduct business in compliance with all statutory, regulatory and legal requirements. 1.4 Security Values The policy supports the following core security values: 1. The Policy is designed to support the mission of the University by protecting the University s resources, reputation, legal position, and ability to conduct its operations. It is intended to facilitate activities that are important to the University. 2. The Policy is consistent with and serves to enforce relevant University policies, contracts and license agreements governing software, copyrighted files, and other forms of intellectual property; and laws and policies governing student, employee, student, and research information, other sensitive information, and records retention laws and policies. 3. Information Privacy is covered in the University Privacy Policy. 4. Not all University resources require the same level of protection. Policy requirements are formulated with the objective that the application of measures be commensurate with the sensitivity and value of resources and the actual threats to those resources. The intent is not to dictate requirements whose implementation would impose unnecessary costs. 5. The Policy articulates requirements that are intended to be consistent with the best practices at institutions of higher education, and in line with local and International standards. 6. All members of the University community share in the responsibility for protecting University resources for which they have access or custodianship. The Policy recognizes that people will need adequate information, training, and tools to exercise their responsibilities and that these responsibilities must be made explicit. 7. The Policy intends that members of the University community be accountable for their access to and use of University resources. 8. The Policy aims to mandate specific procedures and practices only where necessary to provide adequate protection. The goal is that members of the University community be able to exercise their discretion and best judgment when determining how to protect resources for which they have responsibilities, subject to legal and other obligations and policies of the University. Where procedures and practices are required, they are meant to be flexible enough to change as circumstances change. Information Security Policy 4

5 9. It is not possible to prevent all incidents affecting information technology. 10. The Policy is designed to ensure that appropriate measures are taken to prepare for possible incidents, including implementation of business continuity measures to protect critical information systems and processes. 11. The Policy recognizes that revisions may be required and that reassessment of the Policy is valuable. Information Security Policy 5

6 2 PL-ITS-ISO-002: Information Security Management November 2013 Contents: Policy Description Who Should Know This Policy Scope Policy Roles and Responsibilities Version Number: 1.0 Effective Date: Approved by EMC on: Approved by the President on: 2.1 Policy Description The Information Security Management Policy establishes the foundation for managing the information security program at Qatar University. 2.2 Who Should Know This Policy President Vice President Associate Vice President for Facilities & IT Associate Vice President for Administration Legal Advisor Dean Director/ Departmental Head Faculty Accounting/ Finance Personnel Students Employees All users of QU information assets Information Security Management 6

7 2.3 Scope This policy applies to all systems and individuals that access, handle, or use QU information assets. 2.4 Policy Qatar University is committed to ensuring the proper management and security of its information assets in accordance with established best practices, and in compliance with all relevant laws and regulations. In particular, the University shall keep the Qatar Government Information Assurance Policy (GIA) in focus as it develops its information security and assurance strategy. In that regard: 1. Qatar University s executive management fully supports the establishment of an Information Security Office (ISO) that will be the focal point for all information security-related matters involving QU information assets. 2. Qatar University s leadership team is the highest approval authority for all policies and strategic plans related to information security. 3. Qatar University shall establish a steering committee to address the organization s information security issues and provide guidelines for the proper management of information assets. This committee shall include representatives from various academic, research, administrative, and technology fields. 4. The Information Security Office (ISO) is responsible for the development, oversight, and implementation of all information security related functions at all QU managed and operated locations and venues. In addition, the ISO shall assure the proper handling of QU information by third parties through oversight and constant monitoring and review. 5. Major business units at QU shall identify at least one person to act as a liaison with the central Information Security Office. This information security liaison shall be well versed with the major aspects of the business unit, in particular with respect to the flow of information within the unit. 6. Information owners shall be responsible for the identification, proper classification of their information asset. They are also responsible for defining proper access authorization levels to their institutional data. 7. Information custodians shall be responsible for implementing controls identified and recommended by the ISO. 8. Ultimately, the protection of all information resources including hardware, software, data, and documentation, is a fundamental responsibility for all QU personnel. Information Security Management 7

8 2.5 Roles and Responsibilities All QU constituents are expected to fully cooperate with the Information Security Office in its mission to ensure the confidentiality, integrity, and availability of QU information assets QU Executive Management Committee With regard to information security, the QU Executive Management Committee shall: 1. Provide insight, guidance, and general input with regards to QU strategy as it relates to information assurance. 2. Ensure support of various business units for various information assurance initiatives Information Security Steering Committee The Information Security Steering Committee s role is mainly to validate and promote the recommendations of the Information Security Office s leading role in the information assurance process. The Committee s role is critical in: The establishment and ratification of information security policies, guidelines, and standards. Monitoring of guidelines to ensure that QU personnel adhere to the Information security policies. The promotion of information security awareness and its importance to the University Information Security Office (ISO) The ISO shall work with the various functional and technical groups on campus to assure the appropriate levels of confidentiality, integrity, and availability of information assets to the respective stakeholders. The Information Security Office (ISO) shall: 1. Identify, develop, and produce the necessarily policies, guidelines, standards, and other documents needed to ensure the appropriate levels of confidentiality, integrity, and availability (C.I.A.) of information assets. This shall be accomplished in cooperation with the various entities identified in the Information Security Management Policy. 2. Respond to and manage exceptions to information security-related policies. 3. Establish and maintain compliance with relevant laws, regulations, standards, and generally-accepted best practices as they related to information assurance. Information Security Management 8

9 4. Ensure that QU s information security policies are in compliance with the Qatar Government Information Assurance Policy or its equivalent, and associated laws and regulations. 5. Embrace a risk-based information security management program that identifies risks associated with the processing, storage, transmission, and management of QU information assets. 6. Report to senior management and shall have: a. Status sufficient to effectively review systems security and implement recommendations for improvements to systems security; and b. Sufficient authority to implement the QU information security policies and standards 7. Have sufficient resources to execute tasks it has been assigned. 8. Provide central IT management with audit logs of their critical system components. The review and follow-up of issues will be performed on a regular basis. 9. Be directly responsible for ensuring that all QU personnel are aware of their obligations to safeguard the University s information assets. 10. Enforce the implementation of information security policies as set out in this document Information Security Liaison Major business and technical units shall be identified and requested to appoint at least one Information Security Liaison to act as the single point of contact for the ISO within the unit. The Information Security Liaison shall: 1. Be well-versed with the business conducted within the business unit, in particular with regard to the flow and handling of information. 2. Assist the ISO in data classification, process analysis, and risk assessment efforts necessary to implement a risk-based security management framework. 3. Inform the business unit of relevant information security efforts, policies, and guidelines. 4. Ensure that business unit input is communicated to, and considered by the ISO for further action Information Owners Information owners are expected to: 1. Be able to assert their ownership of their data Information Security Management 9

10 2. Define and maintain information assurance profiles for their information and related processes, e.g. classification, access control, chain of authority, etc. 3. Report any breaches or attempts at compromising their information to the appropriate authority Information Custodians Information custodians are expected to: 1. Be able to identify the owners of the data with which they are entrusted. 2. Implement and maintain the required baseline controls necessary to protect the data per the QU information security guidelines. 3. Report any breaches or attempts at compromising their information to the appropriate authority Information Users Information Users must: 1. Comply with all policies approved by Qatar University s Higher Management and communicated by the ISO. 2. Ensure that QU s information resources are maintained and utilized in the most efficient way possible and they are used for legitimate business purposes only. 3. Ensure that information and data are solely used for purposes specified by the resource owner/custodian. Information Security Management 10

11 3 PL-ITS-ISO-003: Information Asset Classification Contents: Policy Description Who Should Know This Policy Overview Scope Policy Information Asset Classification Model Data Handling Guidelines Version Number: 1.0 Effective Date: Approved by EMC on: Approved by the President on: 3.1 Policy Description The purpose of the Information Asset Classification Policy is to provide a foundation for the development and implementation of necessary security controls to protect information according to its value and/or risk. 3.2 Who Should Know This Policy President Vice President Associate Vice President for Facilities & IT Associate Vice President for Administration Legal Advisor Dean Director/ Departmental Head Faculty Accounting/ Finance Personnel Students Employees All users of QU information assets Information Asset Classification 11

12 3.3 Overview For the purpose of information assurance, an information asset ( Asset ) is defined as one of the following: 1. Electronic or other forms of data that are used to conduct a University business 2. Hardware, software, processes, and/or people utilized in the access, processing, transport, and/or storage of data as defined above. A consistent framework for asset classification is a fundamental requirement and a basic building block in establishing of a sound information security policy. The Information Asset Classification Policy defined in this document demands close cooperation between various business units and the Information Security Office in order to properly control and protect QU information. This policy shall remain consistent with the Qatar Government s Information Assurance Policy (GIAP) or equivalent. 3.4 Scope The Information Asset Classification Policy applies to all information assets that handled, maintained, or operated by Qatar University or its associates in the course of conducting the University s business. This policy applies equally to all QU information assets regardless of their location or custodian affiliation. 3.5 Policy 1. All information owners shall classify their information and associated processes according to the guidelines provided below under Guidelines. 2. Qatar University shall implement the minimum appropriate set of baseline controls required to ensure the confidentiality, integrity, and availability of QU information assets. Information custodians and/or the Information Security Office may require the implementation of additional controls as deemed appropriate. 3. All individuals who access/process QU information assets shall adhere to the defined protection controls. 4. The Information Asset Classification policy shall remain in compliance with the Qatar Government Information Assurance Policy (GIAP) or equivalent. 3.6 Information Asset Classification Model The Information Asset Classification model is based on the Qatar Government Information Assurance Policy Manual s Asset Classification Model. Unless otherwise specified, the default classification for all assets is C1 ( Internal ). Information Asset Classification 12

13 The following table summarizes the various classification labels for an asset: Confidentiality, Integrity, and Availability(C.I.A.). The full labeling of an asset is the combination of all three labels, e.g. C0I1A2 label results in an overall M (Medium). Security Classification Table (Adopted from the Qatar Government Information Assurance Manual) Availability A0 A1 A2 A3 Integrity Confidentiality Security Classification C0 L M H I0 C1 L L M H C2 M M M H C3 H H H H C0 L L M H I1 C1 L L M H C2 M M M H C3 H H H H C0 M M M H I2 C1 M M M H C2 M M M H C3 H H H H C0 H H H H I3 C1 H H H H C2 H H H H C3 H H H H Confidentiality C0 Public Public information is intended for general disclosure. There is no requirement for confidentiality controls. Classification label: Unclassified, Public or no label. C1 Internal For internal use; material whose disclosure would cause light to moderate damage to the affected party Only QU employees and staff should have access to internal departmental information. Employees may share internal information with others based upon University business and operational needs. Information Asset Classification 13

14 Classification label: Internal C2 Limited Access November 2013 Access for defined users, roles or user groups, according to specific rules; material whose disclosure would cause serious damage to the affected party (e.g. HR data, sensitive constituent data, etc.). Only QU employees and staff who have a legitimate business and operational need may have access to this type of information. Disclosure of this type of information requires the approval of the data owner. Classification label: Limited Access C3 Restricted Confidential information with access limited to a very small set of persons; material whose disclosure would cause severe damage to the affected party (Board/executive/minister level management changes, decisions etc.). Highly sensitive information should be strictly controlled, granted limited access and disclosure within the QU campus. Only QU employees and staff who have authorization from the relevant information owner, and have a signed confidentiality agreement can access this type of information. In certain cases a written approval might be needed to handle this type of information depending on the data owner and department director. Classification label: Restricted C4+ - National Security Markings Information which has nationwide implications should be marked as Confidential, Secret or TOP secret Integrity Labels Label Description I0 Source of information and time of change are not important I1 It should be possible to identify the source of information and time of changes I2 Source of information and time of change is identified and periodically checked I3 Authenticity and integrity should be provable to third party Information Asset Classification 14

15 3.6.3 Availability Labels Label Reliability Allowed Downtime Allowed Max. Response Time A0 Reliability and productivity/reaction time not important A1 90% 17 hr/week 1-10 hours A2 99% 2 hr/week 1-10 minutes A % 10 min/week 1-10 seconds 3.7 Data Handling Guidelines Guidelines on the handling of classified assets at Qatar University include: 1. Do not discuss or display QU restricted or limited access information in an environment where it may be viewed by unauthorized persons. 2. When sending classified information by , ensure that the content is encrypted. 3. Do not send classified messages via instant messaging or unsecured file transfer unless it is encrypted. 4. Store electronic media (including backups) containing such information in a secure location. If this media contains QU classified information, encrypt it, inventory it and review the inventory periodically. 5. When printing, photocopying or faxing QU classified information, ensure that only an authorized person will be able to obtain the output. 6. Paper documents should be stored in a locked area to prevent unauthorized access. 7. Do not leave keys or access badges for rooms or file cabinets containing classified confidential information in areas accessible to all Destruction University information records should be properly disposed with the assistance of the Information Security Office, which will assist in properly destroying the media holding this information and will take special care not to wipe out needed information Declassification Data declassification can be done either by the owner or by University if the information is no longer Restricted, Limited Access or Internal. While defining the information classification the owner should define the time period for which the information can be considered as classified information. Information Asset Classification 15

16 4 PL-ITS-ISO-004: Privacy and Protection of Personal Information Contents: Policy Description Who Should Know This Policy Scope Responsibilities Policy Version Number: 1.0 Effective Date: Approved by EMC on: Approved by the President on: 4.1 Policy Description The purpose of this policy is to identify and implement controls that will keep the risks to information assets at an acceptable level. 4.2 Who Should Know This Policy President Vice President Associate Vice President for Facilities & IT Associate Vice President for Administration Legal Advisor Dean Director/ Departmental Head Faculty Accounting/ Finance Personnel Students Employees All users of QU information assets Privacy and Protection of Personal Information 16

17 4.3 Scope The policy applies to all personal data held by QU. 4.4 Responsibilities All users of QU IT resources are responsible for adherence to this policy. 4.5 Policy 1. QU is committed to comply with applicable requirements of local and International laws and regulations for data protection and privacy. 2. QU ensures compliance with contractual requirements for data protection and privacy. 3. All QU users handling personal data are responsible for the protection and privacy of the data held in any form, including paper and electronic. 4. Personal data is classified as C2 Limited Access. 5. Any breach of this policy is subject to disciplinary action. Privacy and Protection of Personal Information 17

18 5 PL-ITS-ISO-005: Risk Management Contents: Policy Description Who Should Know This Policy Overview Scope Policy Roles and Responsibilities Vulnerability Assessment Guidelines Version Number: 1.0 Effective Date: Approved by EMC on: Approved by the President on: 5.1 Policy Description The purpose of this policy is to identify and implement controls that will keep the risks to information assets at an acceptable level. Who Should Know This Policy President Vice President Associate Vice President for Facilities & IT Associate Vice President for Administration Legal Advisor Dean Director/ Departmental Head Faculty Accounting/ Finance Personnel Students Employees All users of QU information assets Risk Management 18

19 5.2 Overview Periodic threat and vulnerability assessments are essential and allow for proactive management of the risks associated with the use of information assets. A threat and vulnerability assessment can point out potential weaknesses, thereby allowing the responsible security team to take proactive measures in mitigating the associated risks. The resulting actions can range from defining policies to implementing specific administrative or technical controls. 5.3 Scope This policy applies to all QU information systems, defined as any device, system, or service owned and/or operated by QU or holds QU information. 5.4 Policy 1. Periodic threat and vulnerability assessments shall be carried out based on the criticality of the QU information systems. Identified threats and/or vulnerabilities shall be recommended by the ISO and mitigated by the custodians of the information system prior to deployment. For information systems that are already deployed, the system custodian shall coordinate with the ISO on a suitable mitigation plan. 2. If the system custodians do not mitigate identified threats and/or vulnerabilities within a pre-defined time interval, the ISO shall have the authority to isolate the information system from the network until corrective action is taken. 5.5 Roles and Responsibilities The asset owners shall: 1. In coordination with the ISO, categorize the QU information system as high, moderate or low based on ISO-approved and published guidelines. 2. Ensure that proper authorization and access is given to an ISO-approved assessor for conducting the security assessment. Consent should be provided before performing such assessment. 3. Devise a Plan of Action and Milestone (POAM) based on the threat and/or vulnerability findings and mitigation plans. 4. Authorize re-testing after action is taken to mitigate the identified risks. The security assessor shall: 1. Inform the appropriate stakeholders, including management, the system administrators and system owners of threat and vulnerability assessment activities. Risk Management 19

20 2. Develop threat and vulnerability assessment plans in cooperation with the system managers, which cover the scope of the plans and activities that will be carried out. 3. Execute examinations and tests, and collect all relevant data. 4. Analyze collected data and develop mitigation recommendations. 5. Conduct additional examinations and tests as needed to validate mitigation actions. 5.6 Vulnerability Assessment Guidelines Vulnerability assessment frequency depends on the criticality of the information system based on the Confidentiality, Integrity and Availability ratings, as outlined in the table below: Category Security Assessment Frequency High 6 months Moderate 12 months Low 18 month Risk Management 20

21 6 PL-ITS-ISO-006: Business Continuity Management November 2013 Contents: Policy Description Who Should Know This Policy Scope Policy Institutional Context Responsibilities and Approvals Procedures Definitions Version Number: 1.0 Effective Date: Approved by EMC on: Approved by the President on: 6.1 Policy Description QU shall conduct Business Continuity Planning to minimize any disruption to the continuity of its operations. Information Technology Services shall take the necessary steps to ensure the restoration of information service related operations/activities as soon as possible following an emergency or critical incident. 6.2 Who Should Know This Policy President Vice President Associate Vice President for Facilities & IT Associate Vice President for Administration Legal Advisor Dean Director/ Departmental Head Faculty Accounting/ Finance Personnel Students Employees All users of QU information assets Business Continuity Management 21

22 6.3 Scope This policy applies to all staff and areas within the University and its controlled entities. 6.4 Policy 1. Business continuity management is an integral part of the University s overall risk management, corporate governance and quality management framework. 2. Using a risk management approach, the University s key business interruption risks are to be identified and assessed so as to ensure the uninterrupted availability of all key business resources required to support essential or critical business activities. 3. All unacceptably high business interruption risks will be subject to risk mitigation treatment in line with the University s overall risk management plans. The effectiveness of the business continuity management program is to be constantly monitored and regularly reviewed. 6.5 Institutional Context The University has an obligation to its stakeholders (students, staff and wider community) to ensure that its operations can continue to a pre-determined minimum level in the event of a major disruptive incident. Through the adoption of Business Continuity Management best practices the University will achieve its business continuity objectives of: 1. Providing timely availability of key resources necessary to operate the critical business processes at a level of operation that is acceptable to management 2. Maintenance of staff, student, client and other stakeholder contact and confidence 3. Fulfillment of regulatory requirements 4. Safeguarding our reputation and public image 5. Controlling extraordinary expenditure caused by the event 6. Controlling risk in priority areas. All organizations have potential risk areas. Some of the most common, in the educational institute s context, with associated preventative requirements (controls), are: 1. Information Systems (including academic & other records): ensuring security is maintained; ensuring the physical assets are protected against damage/loss and records are controlled and secure. Business Continuity Management 22

23 2. Financial Systems and Procedures: ensuring systems cannot be misused; ensuring appropriate accountability for expenditure of funding; ensuring security of financial assets. 3. Buildings, Infrastructure and other Assets: ensuring the organization s resources are protected against damage/loss; ensuring University material assets are available to support key business activities Responsibilities and Approvals Risk Management Committee Business Continuity Management is a component of the overall risk management function of the University, overseen at a strategic level by the Risk Management Committee. This committee: 1. ensures that the University maintains effective risk management practices across all areas of its activities; 2. oversees the development of a systematic and coordinated risk management framework; 3. monitors the external risk environment; 4. ensures appropriate Business Units It is the responsibility of the business units, both academic and administrative, to ensure that they have enough information in their specific Business Continuity Plans to enable them to recover from an incident and continue to provide a service to clients within acceptable timeframes Information Security Office The University Information Security Office shall consider coverage and review of this policy during the course of the annual audit program. 6.7 Procedures Under this Policy, it is incumbent upon all University managers to ensure that the key functions for which they have responsibility are able to continue following major disruptive events and that arrangements are in place to achieve this. This requires the proactive development, maintenance and devolution of business continuity planning within their areas. Managers are expected to encourage and Business Continuity Management 23

24 facilitate the active participation of staff in business continuity issues and must ensure that key personnel are able to perform competently during a major disruptive event Developing the Business Continuity Plan (BCP) While a variety of approaches may achieve the same result, there is a common set of requirements that any approach should provide for. These include the means of identifying: 1. The critical business objectives that still must be achieved during and after a major disruption. 2. Stakeholder expectations of acceptable service delivery. 3. The likely scenarios that may result in disruption to the business. 4. What is important to protect, provide or operate during a disruption ie. the critical 5. business functions and processes. 6. The people, infrastructure and data resources required to maintain a minimal 7. acceptable level of operations. 8. Communications requirements and the methods and channels of dissemination The Process 1. Identify the critical business functions and processes that support achievement of key business objectives. This involves the identification of core business objectives, critical business functions that support these objectives and their critical success factors. 2. The maximum period of time (Maximum Acceptable Outage) that each of the University s key functions and processes can operate before the loss of critical resources affects overall operations needs to be defined at this time. 3. Identify the types of disruptions (risks) that are likely to occur and that will need to be catered for. The actual events do not necessarily have to be considered individually, but the impact of losing key resources, facilities, processes etc. as a result of a disastrous event must be. 4. These impacts will probably be similar across the operations of the University but each business unit will need to consider such impacts on its own operations. The vulnerability of business processes and interdependencies should be considered as part of this analysis. Business Continuity Management 24

25 5. Any Business Continuity Plan (BCP) should allow the organization to respond flexibly to a wide variety of potential disruption scenarios. 6. Each business unit will then need to identify its business cycles, because the severity of a disruption will depend upon where each area is within its business cycle. 7. While this, in the University context, will be similar for many areas and units, it will not necessarily be the same for all. During some stages of a business cycle (academic year, for example), a limited resource outage can be more disruptive than at other stages. At these times, decisions in relation to implementing emergency alternative procedures to cater for the outage/loss will need to be made more quickly. 8. Conduct a business impact analysis to identify the effect of the different types of outages/losses on the key business functions/processes at each phase of the business cycle. Often there will need to be alternative approaches to cater for disruptions to or losses of different resources, facilities etc. at various times of the year. The loss of a work space, for example, will require different contingency procedures to the loss of computing resources, even at the same point in the business cycle. Business Continuity Management 25

26 9. Identify and document existing workarounds and continuity arrangements. The development of alternative procedures to be implemented in the event of a major disruption can become part of the area s business improvement plan. 10. Identify the resources required to ensure speedy restoration of a minimum acceptable level of the area s key operations. 11. These might include people (specialist and support); IT infrastructure; information and data (hardcopy and electronic); office and specialist equipment; facilities and accommodation; internal dependencies and/or interfaces (eg. other business units); external dependencies and/or interfaces (eg. suppliers, contractors, customers, competitors and regulators etc), and current stock holdings, among others. 12. The resource requirements for business continuity can be considered in relation to other business requirements and included in budget proposals. 13. Senior management will need to consider the business impact analysis of each area to determine what additional resources are required across the University. The approach to meeting these requirements, including the sequence in which they should be provided, is to be determined. 14. The BCP should be documented in such a way that it is of practical use in a disaster and that it fulfills business, regulatory, training and audit requirements. 15. A BCP communications strategy should be developed which should include identification of who needs information, what information is needed, how that information can be provided, what constraints on its provision might exist and who has the authority to approve the communications. 16. The strategy should also define the means by which different types of messages will be promulgated to each of the stakeholders. 17. There should be BCP testing and training, a verification process to ensure that staff is familiar with the business continuity measures to be implemented and that the various components of the plan function properly. At this stage, plan inadequacies are identified and corrected. 18. BCP reviews and updates should occur on a regular basis to ensure its currency. Any changes to business functions and activities, key dependencies, facilities and supporting infrastructure etc must be reflected in the plan. 6.8 Definitions Disaster : An unexpected disruption to normal business of sufficient duration to cause unacceptable loss to the organization necessitating disaster recovery procedures to be activated. Business Continuity Management 26

27 Disaster Recovery : Activities and procedures designed to return the organization to an acceptable condition following a disaster. November 2013 Business Continuity : The uninterrupted availability of all key resources supporting essential business functions. Business Continuity Management : Provides for the availability of processes and resources in order to ensure the continued achievement of critical objectives. Business Continuity Planning : A process developed to ensure continuation of essential business operations at an acceptable level during and following a disaster. Maximum Acceptable Outage (MAO), also Maximum Tolerable Outage (MTO) and Maximum Downtime (MD): The maximum period of time that critical business processes can operate before the loss of critical resources affects their operations. Business Continuity Management 27

28 7 PL-ITS-ISO-007: IT Systems Security Compliance Contents: Policy Description Who Should Know This Policy Overview Scope Policy Exceptions Security Compliance Standard Version Number: 1.0 Effective Date: Approved by EMC on: Approved by the President on: 7.1 Policy Description The purpose of the IT Systems Security Compliance policy is to ensure that information security is considered prior to any IT system procurement or deployment. 7.2 Who Should Know This Policy President Vice President Associate Vice President for Facilities & IT Associate Vice President for Administration Legal Advisor Dean Director/ Departmental Head Faculty Accounting/ Finance Personnel Students Employees All users of QU information assets IT Systems Security Compliance 28

29 7.3 Overview The IT Systems Security Compliance Policy defines compliance guidelines for all information systems considered for use at Qatar University. 7.4 Scope The IT Systems Security Compliance policy applies to all IT systems under consideration for use at Qatar University. An IT System is any combination of hardware, software, and/or IT services that will access and/or process Qatar University electronic data. 7.5 Policy 1. All IT systems being considered, purchased, or deployed must undergo a security assessment by the Information Security Office. 2. The security assessment must be included as an integral part of any Request for Proposals, feasibility studies, contracts, or other such efforts that may lead to the procurement of an IT system. 3. IT system compliance requirements are to be set by the QU Information Security Office. 7.6 Exceptions Exceptions to this policy MUST be submitted to the Information Security Office which will review the request and pass it on to the office of the VP for Facilities and Information Technology for further action. Approved exceptions are then documented and communicated to the requesting party. 7.7 Security Compliance Standard Requests for Proposal (RFPs) or communication with potential vendors regarding the requisition of an IT system must consider the security implications of the IT system early in the process. The sections below outline the information that is needed for the Information Security Office to properly assess the suitability of a proposed solution from an information security perspective General Information The following information must be provided to the Information Security Office prior to the RFP/request being released to Procurement: 1. Name/Title of the IT system IT Systems Security Compliance 29

30 2. General system description/purpose 3. System type (e.g. major application, general support system, etc.) 4. Data sources and types that will be used in the product/service November Data security classification, if known (Low, Medium, High; contact the ISO for further details) 6. Contact information: a. QU authorizing official/sponsor b. QU functional/end user contact(s) c. QU technical contact(s) d. Vendor contacts (sales, management, technical) e. Other designated contacts (e.g. major stakeholders) f. Assignment of security responsibility (i.e. person/group responsible for communicating with the Information Security Office regarding information security requirements) VENDOR Requirements The following information must be requested from potential VENDORs as part of their proposal response submittal: 1. An architecture overview of the proposed IT system depicted major components and associated interactions and data exchange boundaries 2. Major IT system components and roles (hardware, software, communication equipment, databases, web servers, etc.) 3. Detailed security design for the proposed solution, including: a. Organizational structure and relationships between systems managers, security personnel, and users b. User roles and access requirements c. Authentication method d. Logical access control (authorization) e. Access control f. Application security and malicious code protection mechanisms g. Security audit and reporting process h. Security awareness requirements i. Physical security requirements 4. A list of security controls that are included, planned, and/or expected for the IT system. A table with the following information would be preferred: IT Systems Security Compliance 30

31 a. Security control title November 2013 b. Details on the implementation requirements and plan for the security control c. Any scoping guidance that has been applied and what type of consideration d. Indicate if the security control is a common control and who is responsible for its implementation 5. A data classification matrix for each data element. At a minimum, the matrix should include: a. Data element description b. Data classification, as follows: C0 Public C1 Internal C2 Limited Access C3 Restricted C4 National Security Markings c. Function/process using the data d. System and/or database where the data is stored e. Associated security controls, as detailed above Hosted Service Requirements For IT systems that are not hosted at QU-managed facilities, potential vendors must provide details on the following, IN ADDITION to the above: 1. Data recoverability and migration process 2. Details on VENDOR s hosting and storage facilities and network redundancy capabilities 3. Operational controls adopted at VENDOR s facilities 4. Data protection controls 5. Incident response process 6. Service level agreements, including clauses that address timely notification of breaches to data security Notification of Change to Solution IT Systems Security Compliance 31

32 Any changes to the project as approved must be communicated to the Information Security team for further review and re-examination for compliance. 7.9 Notification of Security Compliance The Information Security Office will work with the project team on addressing the security requirements and will notify the project manager of the compliance status prior to the RFP being released. IT Systems Security Compliance 32

33 8 PL-ITS-ISO-008: Access Control and Privileges Contents: Policy Description Who Should Know This Policy Overview Scope Policy Version Number: 1.0 Effective Date: Approved by EMC on: Approved by the President on: 8.1 Policy Description The purpose of this policy is to prevent inappropriate use of QU resources by the staff, faculty, students and other employees. 8.2 Who Should Know This Policy President Vice President Associate Vice President for Facilities & IT Associate Vice President for Administration Legal Advisor Dean Director/ Departmental Head Faculty Accounting/ Finance Personnel Students Employees All users of QU information assets Access Control and Privileges 33

34 8.3 Overview The policy is developed to minimize risk to QU resources and information assets by establishing the principle of least privileges for QU users, which includes staff, faculty, students, guests and other employees, to perform the job functions. Technical support staff, security administrators, system administrators and others may have special access account privilege requirements compared to normal users. 8.4 Scope The policy applies to all students, faculty, staff and other employees having access to QU computing systems, applications, network, files and other information resources. 8.5 Policy 1. Asset owners should consider the principle of least privileges, while defining access, to ensure that users has only the right permission to perform their job functions. 2. The allocation of privileged rights should be restricted and controlled 3. Access privileges beyond the need-to-know requirements shall be assessed for risk and dealt with accordingly. 4. Privileges assigned to each user must be reviewed on a regular basis, and modified or revoked upon a change in status within the University. When the privileges assigned to an individual change (e.g. due to a change in role or responsibilities), access to University IT resources should be adjusted accordingly. 5. QU holds the right to revoke the access privileges in case of abuse. 6. Privileged users should not access user data under any circumstances, unless expressly authorized by the university or the asset owner. 7. Each individual that uses Administrative/Special access accounts must use the account privilege most appropriate for the work being performed 8. Access granted to vendors, sub-contractor and to other non-qu employees or workers shall be revoked when their association with QU end. Access Control and Privileges 34

35 9 PL-ITS-ISO-009: Software Security Contents: Policy Description Who Should Know This Policy Scope Policy Guidelines Non-Compliance and Exceptions References Version Number: 1.0 Effective Date: Approved by EMC on: Approved by the President on: 9.1 Policy Description The purpose of this policy is to ensure that the appropriate information security controls are implemented for all of the QU In-house \ Outsourced and Contracted application development. 9.2 Who Should Know This Policy President Vice President Associate Vice President for Facilities & IT Associate Vice President for Administration Legal Advisor Dean Director/ Departmental Head Faculty Accounting/ Finance Personnel Students Employees All users of QU information assets Software Security 35

36 9.3 Scope This standard applies to all software applications being developed or administered by faculty, staff, student employees, contractors and vendors that are designed to handle or manage university data and that are running on devices, physical or virtual. Adherence to this standard will increase the security of applications and help safeguard university resources. 9.4 Policy To keep risk to an acceptable level, the Information Security Office shall ensure that the proper security controls will be implemented for each application developed. These controls will vary in accordance with the sensitivity and criticality of each application. 9.5 Guidelines Minimum Security Standards The minimum standards applicable to the development of applications designed to handle or manage university data are listed below. All listed standards are generally required for applications designed to handle or manage confidential university data and are either required or recommended for all other applications. Standard Practice Classify the university data handled or managed by the application Prominently display a Confidential Record banner to the screen or interface in use by the application, depending on the type of data being accessed Display no data that have been specifically restricted by external law or policy. Confidential University Data Required All Other Data Required Recommended Recommended Required 4 Ensure applications Required Recommended Software Security 36

37 validate input properly and restrictively, allowing only those types of input that are known to be correct. Examples include, but are not limited to, cross-site scripting, buffer overflow errors, and injection flaws Ensure applications execute proper error handling so that errors will not provide detailed system information, deny service, impair security mechanisms, or crash the system. Ensure applications processing data properly authenticate users through central authentication systems (Active Directory, LDAP, RADIUS), where possible. Establish authorizations for applications by affiliation, membership, or employment, rather than by individual, where possible. Use central authorization tools (Enterprise Directory Service or Active Directory for rudimentary authorization decisions with appropriate configuration) where possible, and if additional functionality (such as attribute or grouping) is needed, coordinate development with the Required Required Required Required Recommended Recommended Recommended Recommended Software Security 37

38 Information Security Office. Provide automated review of authorizations where possible. Set any individual authorizations to expire and require their renewal on a periodic basis, at least annually. Ensure applications make use of secure storage for university data as required by confidentiality, integrity and availability needs. Personal information must be encrypted. Security for all other data can be provided by means such as, but not limited to, encryption, access controls, file system audits, physically securing the storage media, or any combination thereof as deemed appropriate. Implement encrypted communications for services or applications, as required by confidentiality and integrity needs. Implement the use of application logs to the extent practical, given the limitations of certain systems to store large amounts of log data. When logging access to university data, store logs of all users and times of access for at least 14 days. November 2013 Recommended Recommended Required Recommended Required Recommended Required Recommended Required Recommended Software Security 38

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

R345, Information Technology Resource Security 1

R345, Information Technology Resource Security 1 R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

Policy No: TITLE: EFFECTIVE DATE: CANCELLATION: REVIEW DATE:

Policy No: TITLE: EFFECTIVE DATE: CANCELLATION: REVIEW DATE: Policy No: TITLE: AP-AA-17.2 Data Classification and Data Security ADMINISTERED BY: Office of Vice President for Academic Affairs PURPOSE EFFECTIVE DATE: CANCELLATION: REVIEW DATE: August 8, 2005 Fall

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Microsoft s Compliance Framework for Online Services

Microsoft s Compliance Framework for Online Services Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft

More information

Information Security Program

Information Security Program Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

Risk Management of Outsourced Technology Services. November 28, 2000

Risk Management of Outsourced Technology Services. November 28, 2000 Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Business Continuity Management Standard for IT Systems This standard is applicable to all VCU School of Medicine

More information

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

Marist College. Information Security Policy

Marist College. Information Security Policy Marist College Information Security Policy February 2005 INTRODUCTION... 3 PURPOSE OF INFORMATION SECURITY POLICY... 3 INFORMATION SECURITY - DEFINITION... 4 APPLICABILITY... 4 ROLES AND RESPONSIBILITIES...

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Rowan University Data Governance Policy

Rowan University Data Governance Policy Rowan University Data Governance Policy Effective: January 2014 Table of Contents 1. Introduction... 3 2. Regulations, Statutes, and Policies... 4 3. Policy Scope... 4 4. Governance Roles... 6 4.1. Data

More information

ELECTRONIC INFORMATION SECURITY A.R.

ELECTRONIC INFORMATION SECURITY A.R. A.R. Number: 2.6 Effective Date: 2/1/2009 Page: 1 of 7 I. PURPOSE In recognition of the critical role that electronic information systems play in City of Richmond (COR) business activities, this policy

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11 Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

Information Shield Solution Matrix for CIP Security Standards

Information Shield Solution Matrix for CIP Security Standards Information Shield Solution Matrix for CIP Security Standards The following table illustrates how specific topic categories within ISO 27002 map to the cyber security requirements of the Mandatory Reliability

More information

State of Oregon. State of Oregon 1

State of Oregon. State of Oregon 1 State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

CREDIT CARD SECURITY POLICY PCI DSS 2.0

CREDIT CARD SECURITY POLICY PCI DSS 2.0 Responsible University Official: University Compliance Officer Responsible Office: Business Office Reviewed Date: 10/29/2012 CREDIT CARD SECURITY POLICY PCI DSS 2.0 Introduction and Scope Introduction

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

Standard: Information Security Incident Management

Standard: Information Security Incident Management Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

More information

INFORMATION TECHNOLOGY Policy 8400 (Regulation 8400) Data Security

INFORMATION TECHNOLOGY Policy 8400 (Regulation 8400) Data Security INFORMATION TECHNOLOGY Policy 8400 (Regulation 8400) Data Security State Fair Community College shall provide a central administrative system for use in data collection and extraction. Any system user

More information

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel AL 2000 12 O OCC ADVISORY LETTER Comptroller of the Currency Administrator of National Banks Subject: Risk Management of Outsourcing Technology Services TO: Chief Executive Officers of National Banks,

More information

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience Management Model (CERT-RMM), both developed at Carnegie

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy.

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy. Abstract This paper addresses the methods and methodologies required to develop a corporate security policy that will effectively protect a company's assets. Date: January 1, 2000 Authors: J.D. Smith,

More information

White Paper on Financial Institution Vendor Management

White Paper on Financial Institution Vendor Management White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Revision Date: October 16, 2014 Effective Date: March 1, 2015. Approved by: BOR Approved on date: October 16, 2014

Revision Date: October 16, 2014 Effective Date: March 1, 2015. Approved by: BOR Approved on date: October 16, 2014 Information Security Information Technology Policy Identifier: IT-003 Revision Date: October 16, 2014 Effective Date: March 1, 2015 Approved by: BOR Approved on date: October 16, 2014 Table of Contents

More information

Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION

Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION The purpose of this policy is to outline essential roles and responsibilities within the University community for

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information

More information

GUIDANCE FOR MANAGING THIRD-PARTY RISK

GUIDANCE FOR MANAGING THIRD-PARTY RISK GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

ISO 27002:2013 Version Change Summary

ISO 27002:2013 Version Change Summary Information Shield www.informationshield.com 888.641.0500 sales@informationshield.com Information Security Policies Made Easy ISO 27002:2013 Version Change Summary This table highlights the control category

More information

FedRAMP Standard Contract Language

FedRAMP Standard Contract Language FedRAMP Standard Contract Language FedRAMP has developed a security contract clause template to assist federal agencies in procuring cloud-based services. This template should be reviewed by a Federal

More information

Does it state the management commitment and set out the organizational approach to managing information security?

Does it state the management commitment and set out the organizational approach to managing information security? Risk Assessment Check List Information Security Policy 1. Information security policy document Does an Information security policy exist, which is approved by the management, published and communicated

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology

More information

Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer

Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer IPSWITCH FILE TRANSFER WHITE PAPER Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer www.ipswitchft.com Adherence to United States government security standards can be complex to plan

More information

CITY UNIVERSITY OF HONG KONG

CITY UNIVERSITY OF HONG KONG CITY UNIVERSITY OF HONG KONG (Approved by the Information Strategy and Governance Committee in December 2013) PUBLIC Date of Issue: 2013-12-24 Document Control Document Owner Classification Publication

More information

ISMS Implementation Guide

ISMS Implementation Guide atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 Tel: 512-615-7300 Fax: 512-615-7301 www.atsec.com ISMS Implementation Guide atsec information security ISMS Implementation

More information

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model--- ---Information Technology (IT) Specialist (GS-2210) IT Security Model--- TECHNICAL COMPETENCIES Computer Forensics Knowledge of tools and techniques pertaining to legal evidence used in the analysis of

More information

Indiana University of Pennsylvania Information Assurance Guidelines. Approved by the Technology Utilities Council 27-SEP-2002

Indiana University of Pennsylvania Information Assurance Guidelines. Approved by the Technology Utilities Council 27-SEP-2002 Indiana University of Pennsylvania Information Assurance Guidelines Approved by the Technology Utilities Council 27-SEP-2002 1 Purpose... 2 1.1 Introduction... 2 1.1.1 General Information...2 1.1.2 Objectives...

More information

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA 1 Chapter-4: Business Continuity Planning and Disaster Recovery Planning PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA Learning Objectives 2 To understand the concept of Business Continuity Management To understand

More information

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public] IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System

More information

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY

More information

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

New River Community College. Information Technology Policy and Procedure Manual

New River Community College. Information Technology Policy and Procedure Manual New River Community College Information Technology Policy and Procedure Manual 1 Table of Contents Asset Management Policy... 3 Authentication Policy... 4 Breach Notification Policy... 6 Change Management

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9

More information

Approved by President Mohammed Qayoumi. Reviews: IT Management Advisory Committee

Approved by President Mohammed Qayoumi. Reviews: IT Management Advisory Committee Policy History Date Action Approved by President Mohammed Qayoumi May 27, 2013 April 9, 2013 Reviews: IT Management Advisory Committee Draft Policy Released Table of Contents Introduction and Purpose...

More information

Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy

Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy I. PURPOSE To identify the requirements needed to comply with

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

Business Continuity Planning and Disaster Recovery Planning

Business Continuity Planning and Disaster Recovery Planning 4 Business Continuity Planning and Disaster Recovery Planning Basic Concepts 1. Business Continuity Management: Business Continuity means maintaining the uninterrupted availability of all key business

More information

Summary of CIP Version 5 Standards

Summary of CIP Version 5 Standards Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Information Security Policy Manual

Information Security Policy Manual Information Security Policy Manual Latest Revision: May 16, 2012 1 Table of Contents Information Security Policy Manual... 3 Contact... 4 Enforcement... 4 Policies And Related Procedures... 5 1. ACCEPTABLE

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10 Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between

More information

PCI Data Security and Classification Standards Summary

PCI Data Security and Classification Standards Summary PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers

More information

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards A Websense Research Brief Prevent Loss and Comply with Payment Card Industry Security Standards Prevent Loss and Comply with Payment Card Industry Security Standards Standards for Credit Card Security

More information

Network Security: Policies and Guidelines for Effective Network Management

Network Security: Policies and Guidelines for Effective Network Management Network Security: Policies and Guidelines for Effective Network Management Department of Electrical and Computer Engineering, Federal University of Technology, Minna, Nigeria. jgkolo@gmail.com, usdauda@gmail.com

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

Contact: Henry Torres, (870) 972-3033

Contact: Henry Torres, (870) 972-3033 Information & Technology Services Management & Security Principles & Procedures Executive Summary Contact: Henry Torres, (870) 972-3033 Background: The Security Task Force began a review of all procedures

More information

PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]

PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name] PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name] [Date] [Location] 1 Prepared by: [Author] [Title] Date Approved by: [Name] [Title] Date 2

More information

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. Copyright 2016 Table of Contents INSTRUCTIONS TO VENDORS 3 VENDOR COMPLIANCE PROGRAM OVERVIEW 4 VENDOR COMPLIANCE

More information

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and

More information

UF IT Risk Assessment Standard

UF IT Risk Assessment Standard UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved

More information

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY Information Security Section: General Operations Title: Information Security Number: 56.350 Index POLICY.100 POLICY STATEMENT.110 POLICY RATIONALE.120 AUTHORITY.130 APPROVAL AND EFFECTIVE DATE OF POLICY.140

More information

Information Security: Business Assurance Guidelines

Information Security: Business Assurance Guidelines Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies

More information

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE Originator Patch Management Policy Approval and Version Control Approval Process: Position or Meeting Number: Date: Recommended by Director

More information