Information Security Policy. Policy and Procedures


Issue Date: February 2013
Revision Date: February 2014
Responsibility/Main Point of Contact: Neil Smedley
Approved by/date:
Associated Documents:
- Acceptable Use Agreement
- Anti-virus Procedure
- Change Control Procedure
- College Network and Systems Access Policy
- College Server Backup Procedure
- Computer Disposal Procedure
- Data Protection Act 1998
- Information Security Incident Reporting Procedure
Version number: 2.1

This policy has undergone an Equality Impact Assessment (EQIA) confirming that there are no negative consequences in the case of this policy. EQIA completed on 29 Aug 14 by CJ.

Introduction
Electronic information is a valuable resource which the College takes great care to protect from loss, corruption and unauthorised use or misuse. Although much of the information held and processed by the College is intended for general use, certain information (key data and information) has to be handled and managed securely and with accountability. In addition, such information and the way it may be processed is subject to UK law and the Data Protection Act.

Purpose and Policy Statement
This document provides the policy framework through which the College will apply information security controls throughout the College. It is based upon the International Standard ISO (BS 7799) and includes the following:
- information classification
- access control
- operations
- incident management
- physical security
- third-party access
- business continuity management
Supporting Policies containing detailed Information Security requirements will be developed in support of the Information Security Policy. References to supporting policies are made in bold italic text throughout the remainder of the document.

Definition: what is Information Security
Information Security is a means of protecting key data, information and information systems from unauthorised access, use and misuse, inspection, disclosure, disruption, modification or destruction.

Scope
The Information Security Policy covers the following:
- the College's IT/IS infrastructure
- key data and information
- those who have access to or who administer IT/IS facilities
- individuals who process or handle key data and information
The Policy is designed to provide protection from internal and external security threats, whether deliberate or accidental.

Responsibilities
The College has a responsibility to ensure that information security is properly managed. The IT Manager is responsible for:
- the development and upkeep of this policy
- ensuring this policy is implemented and supported by appropriate documentation, such as procedures
- ensuring that documentation is relevant and kept up-to-date
- ensuring this policy and subsequent updates are communicated to relevant staff
- ensuring that serious breach
Individual members of staff have a responsibility to adhere to this policy, and to report any security breaches or incidents to the IT Manager as soon as practicable, using the Information Security Incident Reporting Procedure.

1. ICT Assets
IT Services will maintain an inventory, subject to audit, of all ICT assets. This will be in two categories:
- Hardware
- Software
This asset inventory is in addition to the fixed asset register used for College financial accounting. Hardware that is obsolete or beyond economical repair shall be disposed of using an approved company. The company should meet the legislation introduced in the Waste Electrical and Electronic Equipment Directive (WEEE Directive), which was introduced into UK law in January 2007 by the Waste Electronic and Electrical Equipment Regulations. This legislation sets strict guidelines with regard to computer disposal and other waste electrical and electronic equipment. The company should also be able to demonstrate that they have secure destruction facilities for data contained on hardware. Further information is contained in the Computer Disposal Procedure.

2. User Accounts
It is the responsibility of IT Services to maintain a directory of users authorised to use College ICT resources. Staff, students, temporary guest users and external users are subject to the College Acceptable Use Agreement, and will have different access permissions and responsibilities. For the purposes of this policy the following guidelines are used to distinguish between the different types of user:
- Staff - those registered on the College HR/Payroll systems
- Students - those registered in the College MIS system
- Guest users - users permitted to temporarily access College ICT facilities
- External users - all other users permitted access to College ICT facilities

2.1. Staff
All staff, whether permanent, temporary or agency staff, must abide by the terms and conditions covering the use of ICT at the College. The staff agreement form and terms and conditions are available from IT Services. The completed agreement forms will be kept by IT Services, in written or electronic form. Temporary staff accounts should be set with an expiry date for the end of their contract period. Staff may have access to College ICT systems withdrawn if they are found to be in breach of this policy or the Acceptable Use Agreement.

2.2. Students
All students must abide by the terms and conditions covering the use of ICT at the College. The student agreement form and terms and conditions are available from IT Services. The completed agreement forms will be kept by IT Services in written or electronic form. Students may have access to College ICT systems withdrawn if they are found to be in breach of this policy or the Acceptable Use Agreement.

2.3. Guest Users
Guest user accounts allow limited access to College resources and will be provided for a limited time period with specific access hours. These user accounts do not have access

2.4. External Users
At present there are no requirements for external user accounts. If at a future time there is a requirement, then they should have limited access to College resources and should only be enabled on a daily basis.

3. Physical & Environmental Security
Controls will be implemented to prevent unauthorised access to computer and information systems.

3.1. Physical Security
Server rooms, the IT Services computer suite, telecoms cabinets and communications cabinets shall be protected to provide suitable physical security and environmental controls. Servers used for storing and/or processing data shall be located in physically secured areas. Server rooms shall be inspected twice a week to ensure the integrity of physical security.

4. Communications and Operations Management
Controls will be implemented to enable the correct and secure operation of information processing facilities.

4.1. Operating Procedures
Design, build, configuration and operating documents will be produced for all servers and system applications. These documents are to be kept in secure areas with access only available to IT Services staff and, where relevant, MIS staff.

4.2. Change Control
All changes to live critical systems will follow a change management process detailed in the Change Control Procedure.

4.3. Protection Against Malicious Software
Protection will be provided using a multi-level defence using the following:
- Router
- Firewall
- Web Content Management with malware protection
- Anti-virus Software Scanning
Virus scanning shall be enabled on all servers, desktops and laptops; this shall be automatically updated to ensure the signature files are up to date, and shall not allow users to switch off the anti-virus software. See the attached Anti-virus Procedure in the Procedures section.

4.4. Information Security Incidents
Information security breaches should be reported to IT Services as soon as practicable. Any events that are regarded as security incidents will be defined, and processes implemented to investigate, control, manage and review such events in accordance with the Information Security Incident Reporting Procedure.

4.5. Security Patches
Critical security patches shall be installed automatically when made available by Microsoft, Apple or any other system software vendor.

4.6. Housekeeping
All critical data and applications are to be backed up in accordance with the College Server Backup Procedure; this includes the handling, storage and disposal of media. In the event of restoration of data, follow the College Server Restore Procedure.

4.7. Network Management
Controls will be implemented to achieve, maintain and control access to internal/external computer networks, including wireless LANs, in accordance with the College Network and Systems Access Policy.

5. Access Control
Access to College data and resources is dependent upon the type of user, whether they are staff, student, guest or external user. Users shall only be given access to resources in relation to their role. The procedure for determining and administering the different types of user can be found in the Network and Systems Access Policy.

6. Username and Password Control
Access to College ICT resources is controlled by use of a network username and password. Control of network usernames and passwords is the responsibility of IT Services. See the attached Password Procedure in the Procedures section.

7. Remote Access
Controls will be implemented to manage and control remote access to the College's ICT resources; see the Network and Systems Access Policy.

8. Business Continuity Planning
Business Continuity Planning is working out how to continue operations under adverse conditions that include local events like building fires, theft and vandalism, regional incidents like earthquakes and floods, and national incidents like pandemic illnesses. In fact, any event that could impact operations should be considered, such as interruption, loss of or damage to critical infrastructure (computing/network resources). As such, risk management must be incorporated as part of Business Continuity Planning.

9. Encryption
To ensure compliance with data protection regulations, the best solution is that all data remains on College servers/systems. If personal data has to be taken away from the College it should be encrypted.
- Laptops shall use full disk encryption using Microsoft BitLocker technology; full disk encryption will be installed by the IT Services team.
- USB flash drives and USB external drives shall be encrypted using Microsoft BitLocker technology; see the guidance notes for instructions.
- If personal details are to be emailed or sent by any other media (e.g. CDROM), they shall be stored in an encrypted archive which uses AES encryption; the third-party product 7-Zip is to be used. See the guidance notes for instructions.

Procedures

Anti-virus Procedure

Purpose
All New College Telford computers/laptops must have the College's standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus signatures must be automatically kept up-to-date. Virus-infected computers must be removed from the network until they are verified as virus-free. IT Services are responsible for creating processes that ensure anti-virus software is run at regular intervals, and computers are verified as virus-free. Any activities with the intention to create and/or distribute malicious programs into the College's networks (e.g. viruses, worms, Trojan horses, bombs, etc.) are prohibited, in accordance with the Acceptable Use Agreement. Any employee or student found to have violated this procedure may be subject to account removal and/or disciplinary action.

Anti-virus Process
Recommended processes for users to prevent virus problems:
- Always use the supported anti-virus software available on College systems.
- NEVER open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then "double delete" them by emptying your rubbish bin.
- Delete spam, chain and other junk email without forwarding.
- Never download files from unknown or suspicious sources.
- Avoid direct CDROM/DVDROM or USB memory stick sharing with read/write access unless there is absolutely a business requirement to do so.
- Always scan a CDROM/DVDROM or USB memory stick from an unknown source for viruses before using it.
- If you suspect that you have a virus or malware on your computer, contact IT Services immediately using the email address its@nct.ac.uk.

Processes for IT Services Staff
- Automatically apply critical updates for the College standard anti-virus system to all College computer systems as soon as they become available. Check the Windows Server Update Services log to identify any failures.
- Automatically apply virus signature updates on all College computer systems as soon as they become available. Check the Windows Server Update Services log to identify any failures.
- Set up automatic reporting to the IT Services team for any computer where a virus has been detected.
- Ensure that any virus detected has been removed automatically or quarantined. In the event of failure to automatically remove or quarantine the virus, remove the computer from the network and manually remove the virus or reimage the computer.
- Set up an automatic daily anti-virus scan of hard drives for all College desktop and laptop computers.
- Set up an automatic anti-virus scan of hard drives for all College server computers.
- Set anti-virus real-time detection for all College computer systems.
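A PowerShell audit of the IT Services steps above, added here as an example and not part of the College's procedure. It assumes the College's standard anti-virus product is Microsoft Defender Antivirus (the procedure does not name it), that PowerShell remoting is enabled, and that the computer names are constructed.

```powershell
# Added example (not the College's own tooling). Checks each computer for the
# controls the IT Services process requires: real-time detection on, signatures
# updated daily, a daily scheduled scan, and no detections the engine failed
# to clean or quarantine (those machines must be isolated and reimaged).
# Assumption: Microsoft Defender Antivirus is the college standard product.
function Get-AvCompliance {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxSignatureAgeDays = 1      # signatures must be refreshed daily
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $MaxSignatureAgeDays -ScriptBlock {
        param($maxAge)
        $status = Get-MpComputerStatus
        $pref   = Get-MpPreference
        # ScanScheduleDay: 0 = every day, 1-7 = a single weekday, 8 = never.
        $daily  = ($pref.ScanScheduleDay -eq 0)
        # Detections where the automatic action did not succeed need a human.
        $failed = @(Get-MpThreatDetection -ErrorAction SilentlyContinue |
                    Where-Object { -not $_.ActionSuccess })

        $findings = @()
        if (-not $status.RealTimeProtectionEnabled) {
            $findings += 'real-time protection disabled'
        }
        if ($status.AntivirusSignatureAge -gt $maxAge) {
            $findings += "signatures $($status.AntivirusSignatureAge) day(s) old"
        }
        if (-not $daily) {
            $findings += 'no daily scheduled scan'
        }
        if ($failed.Count -gt 0) {
            $findings += "$($failed.Count) detection(s) not cleaned/quarantined - isolate and reimage"
        }
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Compliant = ($findings.Count -eq 0)
            Findings  = ($findings -join '; ')
            LastScan  = $status.QuickScanEndTime
        }
    } | Select-Object Computer, Compliant, Findings, LastScan
}

# Constructed computer names; non-compliant machines are the ones to report
# to the IT Services team (the "automatic reporting" step in the procedure).
$report = Get-AvCompliance -ComputerName 'LAB-PC01', 'LAB-PC02'
$report | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run it from a scheduled task and route the non-compliant rows to the IT Services mailbox to satisfy the reporting step.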

Password Procedure

Purpose
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of the College's entire corporate network. As such, all New College Telford employees and students (including contractors and vendors with access to College systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change. The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any College facility, has access to the network, or stores any information.

Password Requirement
Passwords will be subject to the following rules:
- Minimum password length: 5 characters
- Passwords will be subject to an expiry limit of 42 days
- Password history to prevent reuse of passwords: 5
- Accounts will be locked out after 3 incorrect attempts for a period of 15 minutes to prevent password cracking software

General Password Construction Guidelines
Passwords are used for various purposes at New College Telford. Some of the more common uses include: user level accounts, web accounts, email accounts, voicemail passwords, and system logins. Since very few systems have support for one-time tokens (i.e. dynamic passwords, which are only used once), everyone should be aware of how to select strong passwords.

Poor, weak passwords have the following characteristics:
- The password contains less than five characters
- The password is a word found in a dictionary (English or foreign)
- The password is a common usage word such as:
  o Names of family, pets, friends, colleagues, fantasy characters, etc.
  o Computer terms and names, commands, sites, companies, hardware, software.
  o The words New College, NewCol, NCT or any derivation.
  o Birthdays and other personal information such as addresses and phone numbers.
  o Word or number patterns like aaabbb, qwerty, zyxwvuts, etc.
  o Any of the above spelled backwards.
  o Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Strong passwords have the following characteristics:
- Contain both upper and lower case characters (e.g., a-z, A-Z)
- Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+~-=\`{}[]:";'<>?,./)
- Are at least eight alphanumeric characters long.
- Are not a word in any language, slang, dialect, jargon, etc.
- Are not based on personal information, names of family, etc.
Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. NOTE: Do not use either of these examples as passwords!

Password Change
In the event of a password being forgotten, the staff member/student can get the password reset by IT Services after displaying their ID card.

Staff Account Process When a Staff Member Resigns
Human Resources must inform IT Services when a member of staff has resigned so the network user account can be disabled and archived. After receiving the notification of a member of staff leaving, the expiry date on the network user account is set to the end of the day of leaving employment. After the leaving date the staff network user account is disabled permanently and moved to OU=Archived_Accounts under OU=Staff_Admin,DC=nct,DC=ads. The user's personal data is moved to \\athena\staffhomes\Archive. At the end of the month, after a full monthly backup, a script is run automatically to remove the Active Directory network user account, Exchange mailbox, and the archived personal data. The majority of applications use the network user account to allow access to applications; any application with its own user account controls, such as Resource, should also have the user account removed when employment ceases.

MIS must inform IT Services when a student leaves so the accounts can be disabled and archived in accordance with the Network and Systems Access Policy.
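An added PowerShell check (not the College's own tool) that tests a candidate password against the weak and strong characteristics listed in the General Password Construction Guidelines above. The dictionary word list is a constructed stand-in for a real dictionary, and the function name is assumed.

```powershell
# Added example, not part of the College's Password Procedure. Flags the "poor"
# characteristics from the guidelines (short, dictionary word, College-name
# derivation, keyboard/number pattern, reversed, or any of those with a digit
# added) and reports which "strong" characteristics are missing.

# Constructed stand-in for a dictionary / personal-information list.
$WordList     = @('secret', 'password', 'welcome', 'telford', 'summer', 'fluffy')
# Derivations of the College name named in the guidelines.
$CollegeTerms = @('newcollege', 'newcol', 'nct')
# Word/number patterns of the kind the guidelines list.
$Patterns     = @('aaabbb', 'qwerty', 'zyxwvuts', 'abcdef', '123456')

function Test-PasswordGuideline {
    param([Parameter(Mandatory)][string]$Password)

    $lower = $Password.ToLowerInvariant()
    # "Any of the above preceded or followed by a digit" (secret1, 1secret):
    # strip one leading and one trailing digit and test that core as well.
    $core  = $lower -replace '^\d', '' -replace '\d$', ''
    $forms = @(@($lower, $core) | Where-Object { $_ } | Select-Object -Unique)
    # "Any of the above spelled backwards": add the reverse of every form.
    $forms += @($forms | ForEach-Object {
        $c = $_.ToCharArray(); [array]::Reverse($c); -join $c
    })

    $reasons = New-Object System.Collections.Generic.List[string]
    if ($Password.Length -lt 5)    { $reasons.Add('fewer than five characters') }
    if ($lower -match '^\d+$')     { $reasons.Add('digits only (birthday/phone-number style)') }
    if ($lower -match '(.)\1{2}')  { $reasons.Add('repeated character run') }
    foreach ($f in $forms) {
        if ($WordList -contains $f) { $reasons.Add("dictionary word '$f'") }
        foreach ($t in $CollegeTerms) {
            if ($f.Contains($t)) { $reasons.Add("College name derivation '$t'") }
        }
        foreach ($p in $Patterns) {
            if ($f.Contains($p)) { $reasons.Add("word/number pattern '$p'") }
        }
    }

    # Strong characteristics: mixed case, digit, punctuation, eight or more chars.
    $missing = New-Object System.Collections.Generic.List[string]
    if ($Password -cnotmatch '[a-z]' -or $Password -cnotmatch '[A-Z]') {
        $missing.Add('both upper and lower case letters')
    }
    if ($Password -notmatch '\d')           { $missing.Add('a digit') }
    if ($Password -notmatch '[^A-Za-z0-9]') { $missing.Add('a punctuation character') }
    if ($Password.Length -lt 8)             { $missing.Add('at least eight characters') }

    [pscustomobject]@{
        Weak    = ($reasons.Count -gt 0)
        Reasons = @($reasons | Select-Object -Unique)
        Strong  = ($reasons.Count -eq 0 -and $missing.Count -eq 0)
        Missing = @($missing)
    }
}

# Constructed sample set: the guidelines' own bad examples plus a compliant one.
foreach ($p in 'secret1', '1secret', 'NCT2014', 'qwerty99', 'Gr8!Walrus_42') {
    $r = Test-PasswordGuideline -Password $p
    '{0,-14} weak={1,-5} strong={2,-5} {3}' -f $p, $r.Weak, $r.Strong,
        ((@($r.Reasons) + @($r.Missing)) -join '; ')
}
```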

IT Services will maintain a database of all system passwords and this must be kept in a secure manner. System passwords should be changed regularly.

Enforcement
Any employee found to have violated this policy may be subject to account removal and/or disciplinary action.
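The staff-leaver steps from the Password Procedure above, written as PowerShell functions; this is an added example, not the College's own script. The archive OU and archive share are taken from the procedure; the live home-folder root, the use of the ActiveDirectory and Exchange cmdlets, and the function names are assumptions.

```powershell
# Added example (not the College's own script) of the leaver process:
#   1. on HR notification, expire the account at the end of the leaving day;
#   2. after the leaving date, disable it, move it to Archived_Accounts and
#      move the home folder to the archive share;
#   3. at month end, once the full monthly backup is confirmed, remove the
#      AD account, Exchange mailbox and archived data.
#Requires -Modules ActiveDirectory

$ArchiveOU    = 'OU=Archived_Accounts,OU=Staff_Admin,DC=nct,DC=ads'   # from the procedure
$ArchiveShare = '\\athena\staffhomes\Archive'                          # from the procedure
$HomeRoot     = '\\athena\staffhomes'                                  # assumed live home root

function Set-LeaverExpiry {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][datetime]$LeaveDate)
    # accountExpires is the instant the account stops working, so "end of the
    # leaving day" is midnight at the start of the following day.
    $expires = $LeaveDate.Date.AddDays(1)
    if ($PSCmdlet.ShouldProcess($SamAccountName, "set expiry to $expires")) {
        Set-ADAccountExpiration -Identity $SamAccountName -DateTime $expires
    }
}

function Invoke-LeaverArchive {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties AccountExpirationDate
    # Guard: never archive someone whose leaving date has not yet passed.
    if (-not $user.AccountExpirationDate -or $user.AccountExpirationDate -gt (Get-Date)) {
        throw "$SamAccountName has not passed its leaving date; refusing to archive."
    }
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'disable, move to Archived_Accounts, archive data')) {
        Disable-ADAccount -Identity $user
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $ArchiveOU
        Move-Item -Path (Join-Path $HomeRoot $SamAccountName) `
                  -Destination (Join-Path $ArchiveShare $SamAccountName)
    }
}

function Remove-ArchivedLeavers {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][datetime]$LastFullBackup)
    # Guard: the procedure removes data only after this month's full backup.
    $monthStart = (Get-Date).Date.AddDays(1 - (Get-Date).Day)
    if ($LastFullBackup -lt $monthStart) {
        throw "No full backup recorded this month (last: $LastFullBackup); aborting."
    }
    # Only disabled accounts already sitting in the archive OU are candidates.
    $leavers = Get-ADUser -SearchBase $ArchiveOU -SearchScope OneLevel -Filter { Enabled -eq $false }
    foreach ($u in $leavers) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'remove account, mailbox and archived data')) {
            # Remove-Mailbox (Exchange Management Shell) deletes the mailbox and
            # its AD user together; accounts without a mailbox need Remove-ADUser.
            if (Get-Mailbox -Identity $u.SamAccountName -ErrorAction SilentlyContinue) {
                Remove-Mailbox -Identity $u.SamAccountName -Confirm:$false
            } else {
                Remove-ADUser -Identity $u -Confirm:$false
            }
            Remove-Item -Path (Join-Path $ArchiveShare $u.SamAccountName) `
                        -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}

# Constructed usage: dry-run every step with -WhatIf before scheduling it.
Set-LeaverExpiry     -SamAccountName 'jbloggs' -LeaveDate '2014-02-28' -WhatIf
Invoke-LeaverArchive -SamAccountName 'jbloggs' -WhatIf
Remove-ArchivedLeavers -LastFullBackup (Get-Date) -WhatIf
```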

Guidance Notes

USB flash drive and USB external drive Encryption
- Launch the BitLocker utility by typing "bitlocker" into the Start Search menu.
- Enable drive encryption on the USB drive by clicking "Turn on BitLocker".
- Enable the check box "Use a password to unlock the drive" and enter a complex password to use when using your external USB drive.
- Click the "Save the recovery key to a file" button and choose a safe location for the file. The location cannot be the USB drive you are encrypting.
- The USB drive will begin encrypting. It may take a long time depending on the size of the drive. If needed, the process can be paused and restarted at a later date with no issues.
- When encryption is complete, a confirmation dialogue box will be displayed. When attempting to use the drive you will be prompted to enter the password you specified earlier.

Encrypted Archive Using 7-Zip
- Right click on the file(s) to archive, go to the 7-Zip menu, then select "Add to archive".
- Change the Archive format to zip by clicking the drop-down menu and selecting zip.
- Change the Encryption method to AES-256 by clicking the drop-down menu and selecting AES-256.
- Enter the password for the archive in the Encryption area and then click OK to archive the selected file(s).
- Once the encrypted zip file has been created it can be emailed or put onto other media such as CDROM.
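The two Guidance Notes procedures (BitLocker on a removable drive, and a 7-Zip AES-256 zip archive) scripted in PowerShell, added here as an example and not taken from the College's guidance. The drive letter, file paths and the 7z.exe install location are assumptions.

```powershell
# Added example, not from the College's guidance notes. Mirrors the click-through
# steps: password-unlocked BitLocker on a USB drive with the recovery key saved
# off the drive, and a zip archive encrypted with 7-Zip's AES-256 option.

function Protect-RemovableDrive {
    param([Parameter(Mandatory)][string]$MountPoint,          # e.g. 'E:' (assumed)
          [Parameter(Mandatory)][securestring]$Password,
          [Parameter(Mandatory)][string]$RecoveryKeyFile)
    # The guidance forbids saving the recovery key on the drive being encrypted.
    $keyDir   = (Resolve-Path (Split-Path -Parent $RecoveryKeyFile)).Path
    $keyDrive = [System.IO.Path]::GetPathRoot($keyDir).TrimEnd('\')
    if ($keyDrive -ieq $MountPoint.TrimEnd('\')) {
        throw 'The recovery key must not be saved on the drive being encrypted.'
    }
    # Password protector = what the user types to unlock; recovery password = the key file.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password -UsedSpaceOnly
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
    Set-Content -Path $RecoveryKeyFile -Value "BitLocker recovery key for $MountPoint : $rp"
    # Encryption continues in the background; report progress as the dialogue would.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage
}

function New-EncryptedZip {
    param([Parameter(Mandatory)][string[]]$Path,
          [Parameter(Mandatory)][string]$Destination,
          [Parameter(Mandatory)][securestring]$Password,
          [string]$SevenZip = 'C:\Program Files\7-Zip\7z.exe')   # assumed install path
    # 7z.exe takes the password on the command line, so unwrap it only here.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    # a = add, -tzip = zip container, -mem=AES256 = the "AES-256" drop-down choice.
    & $SevenZip a -tzip -mem=AES256 "-p$plain" $Destination @Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }
    # Test the archive with the same password before it is emailed or burned.
    & $SevenZip t "-p$plain" $Destination | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Archive integrity test failed' }
    Get-Item $Destination
}

# Constructed usage: the password is read once and never stored in the script.
$pw = Read-Host -AsSecureString 'Password for the drive / archive'
Protect-RemovableDrive -MountPoint 'E:' -Password $pw -RecoveryKeyFile 'C:\Users\me\bitlocker-E.txt'
New-EncryptedZip -Path 'C:\data\personal.xlsx' -Destination 'C:\data\personal.zip' -Password $pw
```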


More information

NHSnet SyOP 9.2 NHSnet Portable Security Policy V1. NHSnet : PORTABLE COMPUTER SECURITY POLICY. 9.2 Introduction

NHSnet SyOP 9.2 NHSnet Portable Security Policy V1. NHSnet : PORTABLE COMPUTER SECURITY POLICY. 9.2 Introduction NHSnet : PORTABLE COMPUTER SECURITY POLICY 9.2 Introduction This document comprises the IT Security policy for Portable Computer systems as described below. For the sake of this document Portable Computers

More information

NETWORK INFRASTRUCTURE USE

NETWORK INFRASTRUCTURE USE NETWORK INFRASTRUCTURE USE Information Technology Responsible Office: Information Security Office http://ooc.usc.edu infosec@usc.edu (213) 743-4900 1.0 Purpose The (USC) provides its faculty, staff and

More information

How To Protect Research Data From Being Compromised

How To Protect Research Data From Being Compromised University of Northern Colorado Data Security Policy for Research Projects Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope... 1 4.0 Definitions, Roles, and Requirements... 1 5.0 Sources of Data...

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

Authorised Acceptable Use Policy 2015-2016. Groby Community College Achieving Excellence Together

Authorised Acceptable Use Policy 2015-2016. Groby Community College Achieving Excellence Together Groby Community College Achieving Excellence Together Authorised Acceptable Use Policy 2015-2016 Reviewed: Lee Shellard, ICT Manager: May 2015 Agreed: Leadership & Management Committee: May 2015 Next review:

More information

State of Vermont. User Password Policy and Guidelines

State of Vermont. User Password Policy and Guidelines State of Vermont User Password Policy and Guidelines Date of Rewrite Approval: 10/2009 Originally Approved: 4/08/2005 Approved by: Neale F. Lunderville Policy Number: fib lleul~ 1.0 Introduction... 3 1.1

More information

Microsoft Windows Client Security Policy. Version 2.1 POL 033

Microsoft Windows Client Security Policy. Version 2.1 POL 033 Microsoft Windows Client Security Policy Version 2.1 POL 033 Ownership Policy Owner: Information Security Manager Revision History Next Review Date: 2 nd April 2015 Approvals This document requires the

More information

Course: Information Security Management in e-governance

Course: Information Security Management in e-governance Course: Information Security Management in e-governance Day 2 Session 2: Security in end user environment Agenda Introduction to IT Infrastructure elements in end user environment Information security

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

Password Expiration Passwords require a maximum expiration age of 60 days. Previously used passwords may not be reused.

Password Expiration Passwords require a maximum expiration age of 60 days. Previously used passwords may not be reused. DRAFT 6.1 Information Systems Passwords OVERVIEW Passwords are an important aspect of information security. They are the front line of protection for user accounts. A poorly chosen password may result

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

Dublin Institute of Technology IT Security Policy

Dublin Institute of Technology IT Security Policy Dublin Institute of Technology IT Security Policy BS7799/ISO27002 standard framework David Scott September 2007 Version Date Prepared By 1.0 13/10/06 David Scott 1.1 18/09/07 David Scott 1.2 26/09/07 David

More information

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS Policy: Title: Status: ISP-S9 Use of Computers Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1. Introduction 1.1. This information security policy document contains high-level

More information

Information Security Policy Manual

Information Security Policy Manual Information Security Policy Manual Latest Revision: May 16, 2012 1 Table of Contents Information Security Policy Manual... 3 Contact... 4 Enforcement... 4 Policies And Related Procedures... 5 1. ACCEPTABLE

More information

Working Practices for Protecting Electronic Information

Working Practices for Protecting Electronic Information Information Security Framework Working Practices for Protecting Electronic Information 1. Purpose The following pages provide more information about the minimum working practices which seek to ensure that

More information

ADMINISTRATION COMPUTER NETWORK

ADMINISTRATION COMPUTER NETWORK ADMINISTRATION COMPUTER NETWORK School Administrative Computer Network The Cumberland School operates a network of computers specifically for administrative purposes in the school. This network is electronically

More information

Security Management. Keeping the IT Security Administrator Busy

Security Management. Keeping the IT Security Administrator Busy Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching

More information

Franciscan University of Steubenville Information Security Policy

Franciscan University of Steubenville Information Security Policy Franciscan University of Steubenville Information Security Policy Scope This policy is intended for use by all personnel, contractors, and third parties assisting in the direct implementation, support,

More information

Antivirus and Malware Prevention Policy and Procedures (Template) Employee Personal Device Use Terms and Conditions (Template)

Antivirus and Malware Prevention Policy and Procedures (Template) Employee Personal Device Use Terms and Conditions (Template) Below you will find the following sample policies: Antivirus and Malware Prevention Policy and Procedures (Template) Employee Personal Device Use Terms and Conditions (Template) *Log in to erisk Hub for

More information

ANTI-VIRUS POLICY OCIO-6006-09 TABLE OF CONTENTS

ANTI-VIRUS POLICY OCIO-6006-09 TABLE OF CONTENTS OCIO-6006-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: Section I. Purpose II. Authority III. Scope IV. Definitions V. Policy VI. Roles and Responsibilities VII. Exceptions

More information

COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name

COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name Introduction Removable Media and Mobile Device Policy Removable media and mobile devices are increasingly used to enable information access

More information

Cyber Essentials Scheme

Cyber Essentials Scheme Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these

More information

YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY

YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY Author Head of IT Equality impact Low Original Date September 2003 Equality No This Revision September

More information

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses 2004 Microsoft Corporation. All rights reserved. This document is for informational purposes only.

More information

How to Practice Safely in an era of Cybercrime and Privacy Fears

How to Practice Safely in an era of Cybercrime and Privacy Fears How to Practice Safely in an era of Cybercrime and Privacy Fears Christina Harbridge INFORMATION PROTECTION SPECIALIST Information Security The practice of defending information from unauthorised access,

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

ABERDARE COMMUNITY SCHOOL

ABERDARE COMMUNITY SCHOOL ABERDARE COMMUNITY SCHOOL IT Security Policy Drafted June 2014 Revised on....... Mrs. S. Davies (Headteacher) Mr. A. Maddox (Chair of Interim Governing Body) IT SECURITY POLICY Review This policy has been

More information

IT Checklist. for Small Business INFORMATION TECHNOLOGY & MANAGEMENT INTRODUCTION CHECKLIST

IT Checklist. for Small Business INFORMATION TECHNOLOGY & MANAGEMENT INTRODUCTION CHECKLIST INFORMATION TECHNOLOGY & MANAGEMENT IT Checklist INTRODUCTION A small business is unlikely to have a dedicated IT Department or Help Desk. But all the tasks that a large organization requires of its IT

More information

Remote Access and Network Security Statement For Apple

Remote Access and Network Security Statement For Apple Remote Access and Mobile Working Policy & Guidance Document Control Document Details Author Adrian Last Company Name The Crown Estate Division Name Information Services Document Name Remote Access and

More information

Section 12 MUST BE COMPLETED BY: 4/22

Section 12 MUST BE COMPLETED BY: 4/22 Test Out Online Lesson 12 Schedule Section 12 MUST BE COMPLETED BY: 4/22 Section 12.1: Best Practices This section discusses the following security best practices: Implement the Principle of Least Privilege

More information

NC DPH: Computer Security Basic Awareness Training

NC DPH: Computer Security Basic Awareness Training NC DPH: Computer Security Basic Awareness Training Introduction and Training Objective Our roles in the Division of Public Health (DPH) require us to utilize our computer resources in a manner that protects

More information

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features MCTS Guide to Microsoft Windows 7 Chapter 7 Windows 7 Security Features Objectives Describe Windows 7 Security Improvements Use the local security policy to secure Windows 7 Enable auditing to record security

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Common Cyber Threats. Common cyber threats include:

Common Cyber Threats. Common cyber threats include: Common Cyber Threats: and Common Cyber Threats... 2 Phishing and Spear Phishing... 3... 3... 4 Malicious Code... 5... 5... 5 Weak and Default Passwords... 6... 6... 6 Unpatched or Outdated Software Vulnerabilities...

More information

Information Security Policy

Information Security Policy Information Security Policy The purpose of this Policy is to describe the procedures and processes in place to ensure the secure and safe use of the federation s network and its resources and to protect

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

Odessa College Use of Computer Resources Policy Policy Date: November 2010

Odessa College Use of Computer Resources Policy Policy Date: November 2010 Odessa College Use of Computer Resources Policy Policy Date: November 2010 1.0 Overview Odessa College acquires, develops, and utilizes computer resources as an important part of its physical and educational

More information

Information Technology Acceptable Usage Policy

Information Technology Acceptable Usage Policy Information Technology Acceptable Usage Policy Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly

More information

Administrator's Guide

Administrator's Guide Administrator's Guide Copyright SecureAnywhere Mobile Protection Administrator's Guide November, 2012 2012 Webroot Software, Inc. All rights reserved. Webroot is a registered trademark and SecureAnywhere

More information

Introduction. PCI DSS Overview

Introduction. PCI DSS Overview Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,

More information

BCS IT User Syllabus IT Security for Users Level 2. Version 1.0

BCS IT User Syllabus IT Security for Users Level 2. Version 1.0 BCS IT User Syllabus IT for Users Level 2 Version 1.0 June 2009 ITS2.1 System Performance ITS2.1.1 Unwanted messages ITS2.1.2 Malicious ITS2.1.1.1 ITS2.1.1.2 ITS2.1.2.1 ITS2.1.2.2 ITS2.1.2.3 ITS2.1.2.4

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

Version: 2.0. Effective From: 28/11/2014

Version: 2.0. Effective From: 28/11/2014 Policy No: OP58 Version: 2.0 Name of Policy: Anti Virus Policy Effective From: 28/11/2014 Date Ratified 17/09/2014 Ratified Health Informatics Assurance Committee Review Date 01/09/2016 Sponsor Director

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Hengtian Information Security White Paper

Hengtian Information Security White Paper Hengtian Information Security White Paper March, 2012 Contents Overview... 1 1. Security Policy... 2 2. Organization of information security... 2 3. Asset management... 3 4. Human Resources Security...

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information

Electronic Information Security Policy

Electronic Information Security Policy Introduction Electronic Information Security Policy 1.1. Background This Information Security Policy is based upon the International Standard ISEC/ISO 270001 the Code of Practice for Information Security

More information

Infocomm Sec rity is incomplete without U Be aware,

Infocomm Sec rity is incomplete without U Be aware, Infocomm Sec rity is incomplete without U Be aware, responsible secure! HACKER Smack that What you can do with these five online security measures... ANTI-VIRUS SCAMS UPDATE FIREWALL PASSWORD [ 2 ] FASTEN

More information

Business Internet Banking / Cash Management Fraud Prevention Best Practices

Business Internet Banking / Cash Management Fraud Prevention Best Practices Business Internet Banking / Cash Management Fraud Prevention Best Practices This document provides fraud prevention best practices that can be used as a training tool to educate new Users within your organization

More information

Secondary DMZ: DMZ (2)

Secondary DMZ: DMZ (2) Secondary DMZ: DMZ (2) Demilitarized zone (DMZ): From a computer security perspective DMZ is a physical and/ or logical sub-network that resides on the perimeter network, facing an un-trusted network or

More information