Information Security Policy. Policy and Procedures


Issue Date: February 2013
Revision Date: February 2014
Responsibility/Main Point of Contact: Neil Smedley
Approved by/date:

Associated Documents:
- Acceptable Use Agreement
- Anti-virus Procedure
- Change Control Procedure
- College Network and Systems Access Policy
- College Server Backup Procedure
- Computer Disposal Procedure
- Data Protection Act 1998
- Information Security Incident Reporting Procedure

Version number: 2.1

This policy has undergone an Equality Impact Assessment (EQIA) confirming that there are no negative consequences in the case of this policy. EQIA completed on 29 Aug 14 by CJ.

Introduction

Electronic information is a valuable resource which the College takes great care to protect from loss, corruption and unauthorised use or misuse. Although much of the information held and processed by the College is intended for general use, certain information (key data and information) has to be handled and managed securely and with accountability. In addition, such information and the way it may be processed is subject to UK law and the Data Protection Act.

Purpose and Policy Statement

This document provides the policy framework through which the College will apply information security controls throughout the College. It is based upon the International Standard ISO (BS 7799) and includes the following:
- information classification
- access control
- operations
- incident management
- physical security
- third-party access
- business continuity management

Supporting Policies containing detailed Information Security requirements will be developed in support of the Information Security Policy. Reference to supporting policies will be made in bold italic text throughout the remainder of the document.

Definition: what is Information Security

Information Security is a means of protecting key data, information and information systems from unauthorized access, use and misuse, inspection, disclosure, disruption, modification or destruction.

Scope

The Information Security Policy covers the following:
- the College's IT/IS infrastructure
- key data and information
- those who have access to or who administer IT/IS facilities
- individuals who process or handle key data and information

The Policy is designed to provide protection from internal and external security threats, whether deliberate or accidental.

Responsibilities

The College has a responsibility to ensure that information security is properly managed.

The IT Manager is responsible for:
- the development and upkeep of this policy
- ensuring this policy is implemented and supported by appropriate documentation, such as procedures
- ensuring that documentation is relevant and kept up-to-date
- ensuring this policy and subsequent updates are communicated to relevant staff
- ensuring that serious breach

Individual members of staff have a responsibility to:
- adhere to this policy, and report any security breaches or incidents to the IT Manager as soon as practicable, using the Information Security Incident Reporting Procedure

1. ICT Assets

IT Services will maintain an inventory, subject to audit, of all ICT assets. This will be in two categories:
- Hardware
- Software

This asset inventory is in addition to the fixed asset register used for College financial accounting.

Hardware that is obsolete or beyond economical repair shall be disposed of using an approved company. The company should meet legislation introduced in the Waste Electrical and Electronic Equipment Directive (WEEE Directive), which was introduced into UK law in January 2007 by the Waste Electronic and Electrical Equipment Regulations. This legislation sets strict guidelines with regard to computer disposal and other waste electrical and electronic equipment. The company should also be able to demonstrate that they have secure destruction facilities for data contained on hardware. Further information is contained in the Computer Disposal Procedure.

2. User Accounts

It is the responsibility of IT Services to maintain a directory of users authorised to use College ICT resources. Staff, students, temporary guest users and external users are subject to the College Acceptable Use Agreement, and will have different access permissions and responsibilities. For the purposes of this policy the following guidelines are used to distinguish between the different types of user:
- Staff: those registered on the College HR/Payroll systems
- Students: those registered in the College MIS system
- Guest users: users permitted to temporarily access College ICT facilities
- External users: all other users permitted access to College ICT facilities

2.1. Staff

All staff, whether permanent, temporary or agency staff, must abide by the terms and conditions covering the use of ICT at the College. The staff agreement form and terms and conditions are available from IT Services. The completed agreement forms will be kept by IT Services, in written or electronic form. Temporary staff accounts should be set with an expiry date for the end of their contract period.

Staff may have access to College ICT systems withdrawn if they are found to be in breach of this policy or the Acceptable Use Agreement.

Students

All students must abide by the terms and conditions covering the use of ICT at the College. The student agreement form and terms and conditions are available from IT Services. The completed agreement forms will be kept by IT Services in written or electronic form.

Students may have access to College ICT systems withdrawn if they are found to be in breach of this policy or the Acceptable Use Agreement.

2.3. Guest Users

Guest user accounts allow limited access to College resources and will be provided for a limited time period with specific access hours. These user accounts do not have access

External Users

At present there are no requirements for external user accounts. If at a future time there is a requirement then they should have limited access to College resources and should only be enabled on a daily basis.

3. Physical & Environmental Security

Controls will be implemented to prevent unauthorised access to computer and information systems.

Physical Security

Server rooms, the IT Services computer suite, telecoms cabinets and communications cabinets shall be protected to provide suitable physical security and environmental controls. Servers used for storing and/or processing data shall be located in physically secured areas. Server rooms shall be inspected twice a week to ensure integrity of physical security.

4. Communications and Operations Management

Controls will be implemented to enable the correct and secure operation of information processing facilities.

Operating Procedures

Design, build, configuration and operating documents will be produced for all servers and system applications. These documents are to be kept in secure areas with access only available to IT Services staff and, where relevant, MIS staff.

Change Control

All changes to live critical systems will follow a change management process detailed in the Change Control Procedure.

4.3. Protection Against Malicious Software

Protection will be provided using a multi-level defence using the following: Router Firewall Web Content Management with malware protection Anti-virus Software Scanning

Virus scanning shall be enabled on all servers, desktops and laptops. It shall be automatically updated to ensure the signature files are up to date, and shall not allow users to switch off the anti-virus software. See attached Antivirus Procedure in Procedures Section.

4.4. Information Security Incidents

Information security breaches should be reported to IT Services as soon as practicable. Any events that are regarded as security incidents will be defined, and processes implemented to investigate, control, manage and review such events in accordance with the Information Security Incident Reporting Procedure.

4.5. Security Patches

Critical security patches shall be installed automatically when made available by Microsoft, Apple or any other system software vendor.

Housekeeping

All critical data and applications are to be backed up in accordance with the College Server Backup Procedure; this includes the handling, storage and disposal of media. In the event of restoration of data follow the College Server Restore Procedure.

College Server Backup Procedure

4.7. Network Management

Controls will be implemented to achieve, maintain, and control access to internal/external computer networks including wireless LANs, in accordance with the College Network and Systems Access Policy.

5. Access Control

Access to College data and resources is dependent upon the type of user, whether they are staff, student, guest or external user. Users shall only be given access to resources in relation to their role. The procedure for determining and administering the different types of user can be found in the Network and Systems Access Policy.

6. Username and Password Control

Access to College ICT resources is controlled by use of a network username and password. Control of network usernames and passwords is the responsibility of IT Services. See attached Password Procedure in Procedures Section.

7. Remote Access

Controls will be implemented to manage and control remote access to the College's ICT resources; see Network and Systems Access Policy.

8. Business Continuity Planning

Business Continuity Planning is working out how to continue operations under adverse conditions that include local events like building fires, theft, and vandalism, regional incidents like earthquakes and floods, and national incidents like pandemic illnesses. In fact, any event that could impact operations should be considered, such as interruption, loss of or damage to critical infrastructure (computing/network resource). As such, risk management must be incorporated as part of Business Continuity Planning.

9. Encryption

To ensure compliance with data protection regulations the best solution is that all data remains on college servers/systems. If personal data has to be taken away from the college it should be encrypted.

Laptops shall use full disk encryption using Microsoft BitLocker technology; full disk encryption will be installed by the IT Services team.

USB flash drives and USB external drives shall be encrypted using Microsoft BitLocker technology; see guidance notes for instruction.

If personal details are to be emailed or sent by any other media (i.e. CDROM), they shall be stored in an encrypted archive which uses AES encryption; the third-party product 7-Zip is to be used. See guidance notes for instruction.

Procedures

Anti-virus Procedure

Purpose

All New College Telford computers/laptops must have the college's standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus signatures must be automatically kept up-to-date. Virus-infected computers must be removed from the network until they are verified as virus-free. IT Services are responsible for creating processes that ensure anti-virus software is run at regular intervals, and computers are verified as virus-free. Any activities with the intention to create and/or distribute malicious programs into the college's networks (e.g., viruses, worms, Trojan horses, bombs, etc.) are prohibited, in accordance with the Acceptable Use Agreement.

Any employee or student found to have violated this procedure may be subject to account removal and/or disciplinary action.

Anti-virus Process

Recommended processes for users to prevent virus problems:
- Always use the supported anti-virus software available on college systems.
- NEVER open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then "double delete" them by emptying your rubbish bin.
- Delete spam, chain, and other junk email without forwarding.
- Never download files from unknown or suspicious sources.
- Avoid direct CDROM/DVDROM or USB memory stick sharing with read/write access unless there is absolutely a business requirement to do so.
- Always scan a CDROM/DVDROM or USB memory stick from an unknown source for viruses before using it.
- If you suspect that you have got a virus or malware on your computer contact IT Services immediately using address

Processes for IT Services Staff

- Automatically apply critical updates for the college standard anti-virus system to all college computer systems as soon as they become available. Check the Windows Server Update Services log to identify any failures.
- Automatically apply virus signature updates on all college computer systems as soon as they become available. Check the Windows Server Update Services log to identify any failures.
- Set up automatic reporting to the IT Services team for any computer where a virus has been detected.
- Ensure that any virus detected has been removed automatically or quarantined. In the event of failure to automatically remove or quarantine the virus, remove the computer from the network and manually remove the virus or reimage the computer.
- Set up an automatic daily anti-virus scan of hard drives for all college desktop and laptop computers.
- Set up an automatic anti-virus scan of hard drives for all college server computers.
- Set anti-virus real-time detection for all college computer systems.

Password Procedure

Purpose

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of the college's entire corporate network. As such, all New College Telford employees and students (including contractors and vendors with access to college systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any College facility, has access to the network, or stores any information.

Password Requirement

Passwords will be subject to the following rules:
- Minimum password length: 5 characters
- Passwords will be subject to an expiry limit of 42 days
- Password history to prevent reuse of passwords: 5
- Accounts will be locked out after 3 incorrect attempts for a period of 15 minutes to prevent password cracking software

General Password Construction Guidelines

Passwords are used for various purposes at New College Telford. Some of the more common uses include: user level accounts, web accounts, email accounts, voicemail password, and system logins. Since very few systems have support for one-time tokens (i.e. dynamic passwords which are only used once), everyone should be aware of how to select strong passwords.

Poor, weak passwords have the following characteristics:
- The password contains less than five characters
- The password is a word found in a dictionary (English or foreign)
- The password is a common usage word such as:
  o Names of family, pets, friends, colleagues, fantasy characters, etc.
  o Computer terms and names, commands, sites, companies, hardware, software.
  o The words New College, NewCol, NCT or any derivation.
  o Birthdays and other personal information such as addresses and phone numbers.
  o Word or number patterns like aaabbb, qwerty, zyxwvuts, etc.
  o Any of the above spelled backwards.
  o Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Strong passwords have the following characteristics:
- Contain both upper and lower case characters (e.g., a-z, A-Z)
- Have digits and punctuation characters as well as letters (e.g., ~-=\`{}[]:";'<>?,./)
- Are at least eight alphanumeric characters long.
- Are not a word in any language, slang, dialect, jargon, etc.
- Are not based on personal information, names of family, etc.
- Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered.

NOTE: Do not use either of these examples as passwords!

Password Change

In the event of a password being forgotten, the staff member or student can get the password reset by IT Services after displaying their ID card.

Staff Account Process When Staff Member Resigns

Human Resources must inform IT Services when a member of staff has resigned so the network user account can be disabled and archived.

After receiving the notification of a member of staff leaving, the expiry date on the network user account is set for the end of the day of leaving employment.

After the leaving date the staff network user account is disabled permanently and moved to the OU=Archived_Accounts under OU=Staff_Admin,DC=nct,DC=ads. The user's personal data is moved to \\athena\staffhomes\ Archive.

At the end of the month, after a full monthly backup, a script is run automatically to remove the Active Directory network user account, Exchange Mailbox, and the archived personal data.

The majority of applications use the network user account to allow access. Any application with its own user account controls, such as Resource, should also have the user account removed when employment ceases.

MIS must inform IT Services when a student leaves so the accounts can be disabled and archived in accordance with the Network and Systems Access Policy.

IT Services will maintain a database of all system passwords and this must be kept in a secure manner. System passwords should be changed regularly.

Enforcement

Any employee found to have violated this policy may be subject to account removal and/or disciplinary action.
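The weak and strong password characteristics listed in the Password Procedure above can be expressed as an automated check. The following is an added example, not part of the College's policy or tooling: the function names, the reason codes and the small word list are assumptions constructed for illustration, while the length thresholds (five and eight) and the college terms come from the procedure text.

```python
import re

# Constructed sample list standing in for "a word found in a dictionary" and the
# common-usage categories; a real check would load a full word list instead.
SAMPLE_WORDS = {"secret", "password", "telford", "dragon", "server", "welcome"}
# Terms the procedure names explicitly ("New College, NewCol, NCT or any derivation").
COLLEGE_TERMS = ("newcollege", "newcol", "nct")
# Keyboard rows, alphabet and digit run used to spot patterns like qwerty or zyxwvuts.
RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "abcdefghijklmnopqrstuvwxyz", "0123456789")

MIN_LENGTH = 5      # "Minimum password length: 5 characters"
STRONG_LENGTH = 8   # "at least eight alphanumeric characters long"


def _is_pattern(text):
    """True for repeated-character runs (aaabbb) or slices of a keyboard/alphabet run."""
    if len(text) < 4:
        return False
    if re.fullmatch(r"(?:(.)\1{2,})+", text):
        return True
    return any(text in run or text in run[::-1] for run in RUNS)


def _has_college_term(text):
    """Long terms match anywhere; the short term 'nct' only as a prefix or suffix,
    so that ordinary words containing those three letters are not flagged."""
    for term in COLLEGE_TERMS:
        if len(term) > 3 and term in text:
            return True
        if len(term) <= 3 and (text.startswith(term) or text.endswith(term)):
            return True
    return False


def weak_reasons(password):
    """Return a sorted list of reason codes matching the procedure's weak characteristics."""
    reasons = set()
    if len(password) < MIN_LENGTH:
        reasons.add("too_short")
    lowered = re.sub(r"\s+", "", password.lower())
    core = lowered.strip("0123456789")      # handles secret1 / 1secret
    candidates = []
    for text in (lowered, core):
        if text:
            candidates.extend((text, text[::-1]))   # "spelled backwards"
    for text in candidates:
        if text in SAMPLE_WORDS:
            reasons.add("dictionary_word")
        if _has_college_term(text):
            reasons.add("college_term")
        if _is_pattern(text):
            reasons.add("pattern")
    return sorted(reasons)


def is_strong(password):
    """True only if every strong characteristic holds and no weak characteristic matches."""
    return bool(
        len(password) >= STRONG_LENGTH
        and re.search(r"[a-z]", password)
        and re.search(r"[A-Z]", password)
        and re.search(r"\d", password)
        and re.search(r"[^A-Za-z0-9\s]", password)
        and not weak_reasons(password)
    )


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for sample in ("secret1", "1terces", "aaabbb", "zyxwvuts", "NewCol2014!", "Tr4m-Line!9x"):
        print(sample, weak_reasons(sample), is_strong(sample))
```

A password such as the constructed `NewCol2014!` satisfies every character-class rule yet is still rejected, because the college-term rule applies regardless of added digits and punctuation.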

Guidance Notes

USB flash drive and USB external drive Encryption

- Launch the BitLocker utility by typing "bit locker" into the Start Search menu.
- Enable the drive encryption on the USB drive by clicking Turn on BitLocker.
- Enable the check box Use a password to unlock the drive and enter a complex password to use when using your external USB drive.
- Click the Save the recovery key to a file button and choose a safe location for the file. The location cannot be the USB drive you are encrypting.
- The USB drive will begin encrypting. It may take a long time depending on the size of the drive. If needed the process can be paused and restarted at a later date with no issues.
- When encryption is complete a dialogue box will be displayed.
- When attempting to use the drive you will be prompted to enter the password you specified earlier.

Encrypted Archive Using 7-Zip

- Right click on the file(s) to archive and go to the 7-zip menu, then select Add to archive.
- Change the Archive format to zip by clicking the drop down menu and selecting zip.
- Change the Encryption method to AES-256 by clicking the drop down menu and selecting AES-256.
- Enter the password for the archive in the Encryption area and then click okay to archive the selected file(s).
- Once the encrypted zip file has been created it can be emailed or put onto another medium such as CDROM.


More information

Information Technology Security Policies

Information Technology Security Policies Information Technology Security Policies Randolph College 2500 Rivermont Ave. Lynchburg, VA 24503 434-947- 8700 Revised 01/10 Page 1 Introduction Computer information systems and networks are an integral

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

For All HIPAA Workforce Members Revised April 2013

For All HIPAA Workforce Members Revised April 2013 For All HIPAA Workforce Members Revised April 2013 1 } ephi = Electronic Protected Health Information Medical record number, account number or SSN Patient demographic data, e.g., address, date of birth,

More information

Dene Community School of Technology Staff Acceptable Use Policy

Dene Community School of Technology Staff Acceptable Use Policy Policy Overview Dene Community School of Technology The school provides computers for use by staff as an important tool for teaching, learning, and administration of the school. Use of school computers,

More information

Policies and Compliance Guide

Policies and Compliance Guide Brooklyn Community Services Policies and Compliance Guide relating to the HIPAA Security Rule June 2013 Table of Contents INTRODUCTION... 3 GUIDE TO BCS COMPLIANCE WITH THE HIPAA SECURITY REGULATION...

More information

The Ministry of Information & Communication Technology MICT

The Ministry of Information & Communication Technology MICT The Ministry of Information & Communication Technology MICT Document Reference: ISGSN2012-10-01-Ver 1.0 Published Date: March 2014 1 P a g e Table of Contents Table of Contents... 2 Definitions... 3 1.

More information

Risk Assessment Guide

Risk Assessment Guide KirkpatrickPrice Assessment Guide Designed Exclusively for PRISM International Members KirkpatrickPrice. innovation. integrity. delivered. KirkpatrickPrice Assessment Guide 2 Document Purpose The Assessment

More information

Information Security Policy for Associates and Contractors

Information Security Policy for Associates and Contractors Policy for Associates and Contractors Version: 1.12 Status: Issued Date: 30 July 2015 Reference: 61418080 Location: Livelink Review cycle: Annual Contents Introduction... 3 Purpose... 3 Scope... 3 Responsibilities...

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Information Technology Policies and Procedures. Wakulla County School District. March 2014

Information Technology Policies and Procedures. Wakulla County School District. March 2014 Information Technology Policies and Procedures Wakulla County School District March 2014 Table of contents TABLE OF CONTENTS... 1 1.0 OVERVIEW... 2 2.0 PURPOSE... 2 3.0 SCOPE... 2 4.0 ACCEPTABLE USE POLICY...

More information

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date: A SYSTEMS UNDERSTANDING A 1.0 Organization Objective: To ensure that the audit team has a clear understanding of the delineation of responsibilities for system administration and maintenance. A 1.1 Determine

More information

Computing Services Information Security Office. Security 101

Computing Services Information Security Office. Security 101 Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification,

More information

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2 Texas Wesleyan Firewall Policy Purpose... 1 Scope... 1 Specific Requirements... 1 PURPOSE Firewalls are an essential component of the Texas Wesleyan information systems security infrastructure. Firewalls

More information

Birkenhead Sixth Form College IT Disaster Recovery Plan

Birkenhead Sixth Form College IT Disaster Recovery Plan Author: Role: Mal Blackburne College Learning Manager Page 1 of 14 Introduction...3 Objectives/Constraints...3 Assumptions...4 Incidents Requiring Action...4 Physical Safeguards...5 Types of Computer Service

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

U.S. Cellular Mobile Data Security. User Guide Version 00.01

U.S. Cellular Mobile Data Security. User Guide Version 00.01 U.S. Cellular Mobile Data Security User Guide Version 00.01 Table of Contents Install U.S. Cellular Mobile Data Security...3 Activate U.S. Cellular Mobile Data Security...3 Main Interface...3 Checkup...4

More information

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy 1.0 BACKGROUND AND PURPOSE Information Technology ( IT ) includes a vast and growing array of computing, electronic and voice communications facilities and services. At the Colorado School of Mines ( Mines

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

On-Site Computer Solutions values these technologies as part of an overall security plan:

On-Site Computer Solutions values these technologies as part of an overall security plan: Network Security Best Practices On-Site Computer Solutions Brian McMurtry Version 1.2 Revised June 23, 2008 In a business world where data privacy, integrity, and security are paramount, the small and

More information

BACKUP STRATEGY AND DISASTER RECOVERY POLICY STATEMENT

BACKUP STRATEGY AND DISASTER RECOVERY POLICY STATEMENT TADCASTER GRAMMAR SCHOOL Toulston, Tadcaster, North Yorkshire. LS24 9NB BACKUP STRATEGY AND DISASTER RECOVERY POLICY STATEMENT Written by Steve South November 2003 Discussed with ICT Strategy Group January

More information

Barracuda Spam Firewall User s Guide

Barracuda Spam Firewall User s Guide Barracuda Spam Firewall User s Guide 1 Copyright Copyright 2005, Barracuda Networks www.barracudanetworks.com v3.2.22 All rights reserved. Use of this product and this manual is subject to license. Information

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

PCI DSS Requirements - Security Controls and Processes

PCI DSS Requirements - Security Controls and Processes 1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data

More information

Addendum Windows Azure Data Processing Agreement Amendment ID M129

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

Physical Security Policy

Physical Security Policy Physical Security Policy Author: Policy & Strategy Team Version: 0.8 Date: January 2008 Version 0.8 Page 1 of 7 Document Control Information Document ID Document title Sefton Council Physical Security

More information

Working Together Aiming High!

Working Together Aiming High! Poplar Street Primary School ICT Security and Acceptable Use Policy E-Safety policy 2013/14 Working Together Aiming High! 1 Contents 1. Introduction... 3 2. Policy Objectives... 3 3. Application... 3 4.

More information

SafeGuard Enterprise Web Helpdesk. Product version: 6.1

SafeGuard Enterprise Web Helpdesk. Product version: 6.1 SafeGuard Enterprise Web Helpdesk Product version: 6.1 Document date: February 2014 Contents 1 SafeGuard web-based Challenge/Response...3 2 Scope of Web Helpdesk...4 3 Installation...5 4 Allow Web Helpdesk

More information

University of Cincinnati HIPAA Administrative, Physical and Technical Safeguards

University of Cincinnati HIPAA Administrative, Physical and Technical Safeguards HIPAA Administrative, Physical and Technical Safeguards Your information security role in protecting HIPAA information Effective Date: 7/1/2014 Prior Effective Date: 10/1/2013 HIPAA Administrative, Physical

More information

Office of Inspector General

Office of Inspector General Audit Report OIG-05-040 INFORMATION TECHNOLOGY: Mint s Computer Security Incident Response Capability Needs Improvement July 13, 2005 Office of Inspector General Department of the Treasury Contents Audit

More information

PCI Data Security and Classification Standards Summary

PCI Data Security and Classification Standards Summary PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers

More information

New River Community College. Information Technology Policy and Procedure Manual

New River Community College. Information Technology Policy and Procedure Manual New River Community College Information Technology Policy and Procedure Manual 1 Table of Contents Asset Management Policy... 3 Authentication Policy... 4 Breach Notification Policy... 6 Change Management

More information

43: DATA SECURITY POLICY

43: DATA SECURITY POLICY 43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:

More information

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee Windows Server Security Best Practices Initial Document Created By: 2009 Windows Server Security Best Practices Committee Document Creation Date: August 21, 2009 Revision Revised By: 2014 Windows Server

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff DATA PROTECTION IT S EVERYONE S RESPONSIBILITY An Introductory Guide for Health Service Staff 1 Message from Director General Dear Colleagues The safeguarding of and access to personal information has

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration

More information

NETWORK SECURITY GUIDELINES

NETWORK SECURITY GUIDELINES NETWORK SECURITY GUIDELINES VIRUS PROTECTION STANDARDS All networked computers and networked laptop computers are protected by GST BOCES or district standard anti-virus protection software. The anti-virus

More information

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security

More information

Schedule 2Z Virtual Servers, Firewalls and Load Balancers

Schedule 2Z Virtual Servers, Firewalls and Load Balancers Schedule 2Z Virtual Servers, Firewalls and Load Balancers Definitions Additional Charges means the charges payable in accordance with this schedule. Customer Contact Centre means Interoute s Incident management

More information

User's Manual. Intego VirusBarrier Server 2 / VirusBarrier Mail Gateway 2 User's Manual Page 1

User's Manual. Intego VirusBarrier Server 2 / VirusBarrier Mail Gateway 2 User's Manual Page 1 User's Manual Intego VirusBarrier Server 2 / VirusBarrier Mail Gateway 2 User's Manual Page 1 VirusBarrier Server 2 and VirusBarrier Mail Gateway 2 for Macintosh 2008 Intego. All Rights Reserved Intego

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is

More information

Countering and reducing ICT security risks 1. Physical and environmental risks

Countering and reducing ICT security risks 1. Physical and environmental risks Countering and reducing ICT security risks 1. Physical and environmental risks 1. Physical and environmental risks Theft of equipment from staff areas and Theft of equipment from public areas Theft of

More information

Jefferson County School District Information Technology Policies and Procedures

Jefferson County School District Information Technology Policies and Procedures Jefferson County School District Information Technology Policies and Procedures 575 S. Water Street Monticello, FL 32344 (850) 342-0100 www.jeffersonschooldistrict.org June 2014 Table of Contents 1.0 Overview...

More information

Sophos Enterprise Console Help

Sophos Enterprise Console Help Sophos Enterprise Console Help Product version: 5.2.1, 5.2.2 Document date: September 2014 Contents 1 About Enterprise Console...6 2 Guide to the Enterprise Console interface...7 2.1 User interface layout...7

More information

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment. - 1. Policy Statement All card processing activities and related technologies must comply with the Payment Card Industry Data Security Standard (PCI-DSS) in its entirety. Card processing activities must

More information

Cyber Security Awareness

Cyber Security Awareness Cyber Security Awareness William F. Pelgrin Chair Page 1 Introduction Information is a critical asset. Therefore, it must be protected from unauthorized modification, destruction and disclosure. This brochure

More information

Barracuda Spam Firewall User s Guide

Barracuda Spam Firewall User s Guide Barracuda Spam Firewall User s Guide 1 Copyright Copyright 2005, Barracuda Networks www.barracudanetworks.com v3.2.22 All rights reserved. Use of this product and this manual is subject to license. Information

More information

IT - General Controls Questionnaire

IT - General Controls Questionnaire IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow

More information

Connecting to the Remote Desktop Service

Connecting to the Remote Desktop Service Connecting to the Remote Desktop Service What is the Remote Desktop Service? Connecting to a University of Greenwich Remote Desktop allows you to work securely on documents and files held on the University's

More information

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

More information

CONSIDERATIONS BEFORE MOVING TO THE CLOUD

CONSIDERATIONS BEFORE MOVING TO THE CLOUD CONSIDERATIONS BEFORE MOVING TO THE CLOUD What Management Needs to Know Part II By Debbie C. Sasso Principal In part I, we discussed organizational compliance related to information technology and what

More information

Workstation Management

Workstation Management Workstation Management Service Description Version 1.00 Effective Date: 07/01/2012 Purpose This Service Description is applicable to Workstation Management services offered by MN.IT Services and described

More information

BERKELEY COLLEGE DATA SECURITY POLICY

BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY TABLE OF CONTENTS Chapter Title Page 1 Introduction 1 2 Definitions 2 3 General Roles and Responsibilities 4 4 Sensitive Data

More information

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience IDENTITY & ACCESS Privileged Identity Management controlling access without compromising convenience Introduction According to a recent Ponemon Institute study, mistakes made by people Privilege abuse

More information

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C. Belmont Savings Bank Are there Hackers at the gate? 2013 Wolf & Company, P.C. MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2013 Wolf & Company, P.C. About Wolf & Company, P.C.

More information

SITECATALYST SECURITY

SITECATALYST SECURITY SITECATALYST SECURITY Ensuring the Security of Client Data June 6, 2008 Version 2.0 CHAPTER 1 1 Omniture Security The availability, integrity and confidentiality of client data is of paramount importance

More information