Information Security Policy. Policy and Procedures
Issue Date: February 2013
Revision Date: February 2014
Responsibility/Main Point of Contact: Neil Smedley
Approved by/date:
Associated Documents:
- Acceptable Use Agreement
- Anti-virus Procedure
- Change Control Procedure
- College Network and Systems Access Policy
- College Server Backup Procedure
- Computer Disposal Procedure
- Data Protection Act 1998
- Information Security Incident Reporting Procedure
Version number: 2.1

This policy has undergone an Equality Impact Assessment (EQIA) confirming that there are no negative consequences in the case of this policy. EQIA completed on 29 Aug 14 by CJ.

Introduction

Electronic information is a valuable resource which the College takes great care to protect from loss, corruption and unauthorised use or misuse. Although much of the information held and processed by the College is intended for general use, certain information (key data and information) has to be handled and managed securely and with accountability. In addition, such information and the way it may be processed is subject to UK law and the Data Protection Act.

Purpose and Policy Statement

This document provides the policy framework through which the College will apply information security controls throughout the College. It is based upon the International Standard ISO (BS 7799) and includes the following:
- information classification
- access control
- operations
- incident management
- physical security
- third-party access
- business continuity management

Supporting Policies containing detailed Information Security requirements will be developed in support of the Information Security Policy. Reference to supporting policies will be made in bold italic text throughout the remainder of the document.

Definition: what is Information Security

Information Security is a means of protecting key data, information and information systems from unauthorised access, use and misuse, inspection, disclosure, disruption, modification or destruction.

Scope

The Information Security Policy covers the following:
- the College's IT/IS infrastructure
- key data and information
- those who have access to or who administer IT/IS facilities
- individuals who process or handle key data and information

The Policy is designed to provide protection from internal and external security threats, whether deliberate or accidental.

Responsibilities

The College has a responsibility to ensure that information security is properly managed.

The IT Manager is responsible for:
- the development and upkeep of this policy
- ensuring this policy is implemented and supported by appropriate documentation, such as procedures
- ensuring that documentation is relevant and kept up-to-date
- ensuring this policy and subsequent updates are communicated to relevant staff
- ensuring that serious breach

Individual members of staff have a responsibility to:
- adhere to this policy, and report any security breaches or incidents to the IT Manager as soon as practicable using the Information Security Incident Reporting Procedure

1. ICT Assets

IT Services will maintain an inventory, subject to audit, of all ICT assets. This will be in two categories:
- Hardware
- Software

This asset inventory is in addition to the fixed asset register used for College financial accounting.

Hardware that is obsolete or beyond economical repair shall be disposed of using an approved company. The company should meet legislation introduced in the Waste Electrical and Electronic Equipment Directive (WEEE Directive), which was introduced into UK law in January 2007 by the Waste Electronic and Electrical Equipment Regulations. This legislation sets strict guidelines with regard to computer disposal and other waste electrical and electronic equipment. The company should also be able to demonstrate that they have secure destruction facilities for data contained on hardware. Further information is contained in the Computer Disposal Procedure.

2. User Accounts

It is the responsibility of IT Services to maintain a directory of users authorised to use College ICT resources. Staff, students, temporary guest users and external users are subject to the College Acceptable Use Agreement, and will have different access permissions and responsibilities. For the purposes of this policy the following guidelines are used to distinguish between the different types of user:
- Staff are those registered on the College HR/Payroll systems
- Students are those registered in the College MIS system
- Guest users are users permitted to temporarily access College ICT facilities
- External users are all other users permitted access to College ICT facilities

2.1. Staff

All staff, whether permanent, temporary or agency staff, must abide by the terms and conditions covering the use of ICT at the College. The staff agreement form and terms and conditions are available from IT Services. The completed agreement forms will be kept by IT Services, in written or electronic form. Temporary staff accounts should be set with an expiry date for the end of their contract period.

Staff may have access to College ICT systems withdrawn if they are found to be in breach of this policy or the Acceptable Use Agreement.

2.2. Students

All students must abide by the terms and conditions covering the use of ICT at the College. The student agreement form and terms and conditions are available from IT Services. The completed agreement forms will be kept by IT Services in written or electronic form.

Students may have access to College ICT systems withdrawn if they are found to be in breach of this policy or the Acceptable Use Agreement.

2.3. Guest Users

Guest user accounts allow limited access to College resources and will be provided for a limited time period with specific access hours. These user accounts do not have access

2.4. External Users

At present there are no requirements for external user accounts. If at a future time there is a requirement then they should have limited access to College resources and should only be enabled on a daily basis.

3. Physical & Environmental Security

Controls will be implemented to prevent unauthorised access to computer and information systems.

3.1. Physical Security

Server rooms, the IT Services computer suite, telecoms cabinets and communications cabinets shall be protected to provide suitable physical security and environmental controls. Servers used for storing and/or processing data shall be located in physically secured areas. Server rooms shall be inspected twice a week to ensure integrity of physical security.

4. Communications and Operations Management

Controls will be implemented to enable the correct and secure operation of information processing facilities.

4.1. Operating Procedures

Design, build, configuration and operating documents will be produced for all servers and system applications. These documents are to be kept in secure areas with access only available to IT Services staff and, where relevant, MIS staff.

4.2. Change Control

All changes to live critical systems will follow a change management process detailed in the Change Control Procedure.

4.3. Protection Against Malicious Software

Protection will be provided using a multi-level defence using the following:
Router Firewall Web Content Management with malware protection Anti-virus Software Scanning

Virus scanning shall be enabled on all servers, desktops and laptops; this shall be automatically updated to ensure the signature files are up to date, and shall not allow users to switch off the antivirus software. See attached Antivirus Procedure in Procedures Section.

4.4. Information Security Incidents

Information security breaches should be reported to IT Services as soon as practicable. Any events that are regarded as security incidents will be defined, and processes implemented to investigate, control, manage and review such events in accordance with the Information Security Incident Reporting Procedure.

4.5. Security Patches

Critical security patches shall be installed automatically when made available by Microsoft, Apple or any other system software vendor.

4.6. Housekeeping

All critical data and applications are to be backed up in accordance with the College Server Backup Procedure; this includes the handling, storage and disposal of media. In the event of restoration of data, follow the College Server Restore Procedure.

College Server Backup Procedure

4.7. Network Management

Controls will be implemented to achieve, maintain, and control access to internal/external computer networks including wireless LANs, in accordance with the College Network and Systems Access Policy.

5. Access Control

Access to College data and resources is dependent upon the type of user, whether they are staff, student, guest or external user. Users shall only be given access to resources in relation to their role. The procedure for determining and administering the different types of user can be found in the Network and Systems Access Policy.

6. Username and Password Control

Access to College ICT resources is controlled by use of a network username and password. Control of network usernames and passwords is the responsibility of IT Services. See attached Password Procedure in Procedures Section.

7. Remote Access

Controls will be implemented to manage and control remote access to the College's ICT resources; see Network and Systems Access Policy.

8. Business Continuity Planning

Business Continuity Planning is working out how to continue operations under adverse conditions that include local events like building fires, theft, and vandalism, regional incidents like earthquakes and floods, and national incidents like pandemic illnesses. In fact, any event that could impact operations should be considered, such as interruption, loss of or damage to critical infrastructure (computing/network resource). As such, risk management must be incorporated as part of Business Continuity Planning.

9. Encryption

To ensure compliance with data protection regulations the best solution is that all data remains on college servers/systems. If personal data has to be taken away from the college it should be encrypted.

Laptops shall use full disk encryption using Microsoft BitLocker technology; full disk encryption will be installed by the IT Services team.

USB flash drives and USB external drives shall be encrypted using Microsoft BitLocker technology; see guidance notes for instruction.

If personal details are to be emailed or sent by any other media (i.e. CDROM) they shall be stored in an encrypted archive which uses AES encryption; the third-party product 7-Zip is to be used. See guidance notes for instruction.

Procedures

Anti-virus Procedure

Purpose

All New College Telford computers/laptops must have the college's standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus signatures must be automatically kept up-to-date. Virus-infected computers must be removed from the network until they are verified as virus-free. IT Services are responsible for creating processes that ensure anti-virus software is run at regular intervals, and computers are verified as virus-free. Any activities with the intention to create and/or distribute malicious programs into the college's networks (e.g., viruses, worms, Trojan horses, bombs, etc.) are prohibited, in accordance with the Acceptable Use Agreement. Any employee or student found to have violated this procedure may be subject to account removal and/or disciplinary action.

Anti-virus Process

Recommended processes for users to prevent virus problems:
- Always use the supported anti-virus software available on college systems.
- NEVER open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then "double delete" them by emptying your rubbish bin.
- Delete spam, chain, and other junk email without forwarding.
- Never download files from unknown or suspicious sources.
- Avoid direct CDROM/DVDROM or USB memory stick sharing with read/write access unless there is absolutely a business requirement to do so.
- Always scan a CDROM/DVDROM or USB memory stick from an unknown source for viruses before using it.
- If you suspect that you have got a virus or malware on your computer, contact IT Services immediately using email address its@nct.ac.uk

Processes for IT Services Staff

- Automatically apply critical updates for the college standard anti-virus system to all college computer systems as soon as they become available. Check the Windows Server Update Services log to identify any failures.
- Automatically apply virus signature updates on all college computer systems as soon as they become available. Check the Windows Server Update Services log to identify any failures.
- Set up automatic reporting to the IT Services team for any computer where a virus has been detected. Ensure that any virus detected has been removed automatically or quarantined. In the event of failure to automatically remove or quarantine the virus, remove the computer from the network and manually remove the virus or reimage the computer.
- Set up an automatic daily anti-virus scan of hard drives for all college desktop and laptop computers.
- Set up an automatic anti-virus scan of hard drives for all college server computers.
- Set anti-virus real-time detection for all college computer systems.

Password Procedure

Purpose

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of the college's entire corporate network. As such, all New College Telford employees and students (including contractors and vendors with access to college systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any College facility, has access to the network, or stores any information.

Password Requirement

Passwords will be subject to the following rules:
- Minimum password length: 5 characters
- Passwords will be subject to an expiry limit of 42 days
- Password history to prevent reuse of passwords: 5
- Accounts will be locked out after 3 incorrect attempts for a period of 15 minutes to prevent password cracking software

General Password Construction Guidelines

Passwords are used for various purposes at New College Telford. Some of the more common uses include: user level accounts, web accounts, email accounts, voicemail password, and system logins. Since very few systems have support for one-time tokens (i.e. dynamic passwords, which are only used once), everyone should be aware of how to select strong passwords.

Poor, weak passwords have the following characteristics:
- The password contains less than five characters
- The password is a word found in a dictionary (English or foreign)
- The password is a common usage word such as:
  o Names of family, pets, friends, colleagues, fantasy characters, etc.
  o Computer terms and names, commands, sites, companies, hardware, software.
  o The words New College, NewCol, NCT or any derivation.
  o Birthdays and other personal information such as addresses and phone numbers.
  o Word or number patterns like aaabbb, qwerty, zyxwvuts, etc.
  o Any of the above spelled backwards.
  o Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Strong passwords have the following characteristics:
- Contain both upper and lower case characters (e.g., a-z, A-Z)
- Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+ ~-=\`{}[]:";'<>?,./)
- Are at least eight alphanumeric characters long.
- Are not a word in any language, slang, dialect, jargon, etc.
- Are not based on personal information, names of family, etc.

Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered.

NOTE: Do not use either of these examples as passwords!

Password Change

In the event of a password being forgotten, the staff member or student can get the password reset by IT Services, after displaying their ID card.

Staff Account Process When Staff Member Resigns

Human Resources must inform IT Services when a member of staff has resigned so the network user account can be disabled and archived.

After receiving the notification of a member of staff leaving, the expiry date on the network user account is set for the end of the day of leaving employment.

After the leaving date the staff network user account is disabled permanently and moved to the OU=Archived_Accounts under OU=Staff_Admin,DC=nct,DC=ads. The user's personal data is moved to \\athena\staffhomes\ Archive.

At the end of the month, after a full monthly backup, a script is run automatically to remove the Active Directory network user account, Exchange Mailbox, and the archived personal data.

The majority of applications use the network user account to allow access to applications; any application with its own user account controls, such as Resource, should also have the user account removed when employment ceases.

MIS must inform IT Services when a student leaves so the accounts can be disabled and archived in accordance with the Network and Systems Access Policy.

IT Services will maintain a database of all system passwords and this must be kept in a secure manner. System passwords should be changed regularly.

Enforcement

Any employee found to have violated this policy may be subject to account removal and/or disciplinary action.
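
The weak and strong password characteristics listed in the General Password Construction Guidelines above, turned into a checker. This is an added example, not part of the College's policy or tooling; the function names, the small word list and the keyboard runs are assumptions made for illustration, and a real check would load a full dictionary.

```python
import re
import string

# Assumption: tiny stand-in word list, constructed for this example.
SAMPLE_WORDS = {"secret", "password", "welcome", "dragon", "server", "college"}
# From the guideline: "New College, NewCol, NCT or any derivation".
COLLEGE_TERMS = ("newcollege", "newcol", "nct")
# Constructed list of runs used to spot patterns such as qwerty or zyxwvuts.
RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
        "abcdefghijklmnopqrstuvwxyz", "0123456789")


def _is_run(text):
    """True if text (4+ chars) is a slice of a known run, forwards or backwards."""
    return len(text) >= 4 and any(text in r or text in r[::-1] for r in RUNS)


def weak_traits(password, words=SAMPLE_WORDS):
    """Return the weak-password characteristics from the guideline that apply."""
    lower = password.lower()
    # "Preceded or followed by a digit": strip leading/trailing digits first.
    core = re.sub(r"^\d+|\d+$", "", lower)
    alnum = re.sub(r"[^a-z0-9]", "", lower)
    found = []
    if len(password) < 5:
        found.append("too_short")
    # Dictionary or common word, also when spelled backwards.
    if core in words or core[::-1] in words:
        found.append("dictionary_word")
    # College name or a derivation, forwards or backwards.
    if any(t in alnum or t in alnum[::-1] for t in COLLEGE_TERMS):
        found.append("college_term")
    # Repeated characters (aaabbb) or keyboard/alphabet/digit runs.
    if re.search(r"(.)\1\1", lower) or _is_run(lower) or _is_run(core):
        found.append("pattern")
    return found


def missing_strong_traits(password):
    """Return the strong-password characteristics the password lacks."""
    missing = []
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        missing.append("mixed_case")
    if not any(c.isdigit() for c in password):
        missing.append("digit")
    if not any(c in string.punctuation for c in password):
        missing.append("punctuation")
    if len(password) < 8:
        missing.append("length_8")
    return missing


def assess(password, words=SAMPLE_WORDS):
    """Combine both checks; acceptable only if nothing weak and nothing missing."""
    weak = weak_traits(password, words)
    missing = missing_strong_traits(password)
    return {"weak": weak, "missing": missing,
            "acceptable": not weak and not missing}


if __name__ == "__main__":
    # Constructed sample inputs; never log real passwords.
    for sample in ("secret1", "terces", "NewCol2014!", "zyxwvuts", "Tr7#kLm!q2"):
        print(sample, assess(sample))
```

The checker reports reason codes rather than a single pass/fail so that a rejected password can be explained to the user in the guideline's own terms.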

Guidance Notes

USB flash drive and USB external drive Encryption

- Launch the BitLocker utility by typing "bit locker" into the Start Search menu.
- Enable the drive encryption on the USB drive by clicking "Turn on BitLocker".
- Enable the check box "Use a password to unlock the drive" and enter a complex password to use when using your external USB drive.
- Click the "Save the recovery key to a file" button and choose a safe location for the file. The location cannot be the USB drive you are encrypting.
- The USB drive will begin encrypting. It may take a long time depending on the size of the drive. If needed, the process can be paused and restarted at a later date with no issues.
- When encryption is complete the following dialogue box will be displayed.
- When attempting to use the drive you will be prompted to enter the password you specified earlier.

Encrypted Archive Using 7-Zip

- Right click on the file(s) to archive and go to the 7-Zip menu, then select "Add to archive".
- Change the Archive format to zip by clicking the drop-down menu and selecting zip.
- Change the Encryption method to AES-256 by clicking the drop-down menu and selecting AES-256.
- Enter the password for the archive in the Encryption area and then click OK to archive the selected file(s).
- Once the encrypted zip file has been created it can be emailed or put onto another medium such as CDROM etc.
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.5)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided
More informationPassword Expiration Passwords require a maximum expiration age of 60 days. Previously used passwords may not be reused.
DRAFT 6.1 Information Systems Passwords OVERVIEW Passwords are an important aspect of information security. They are the front line of protection for user accounts. A poorly chosen password may result
More informationEstate Agents Authority
INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in
More informationRotherham CCG Network Security Policy V2.0
Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October
More informationDublin Institute of Technology IT Security Policy
Dublin Institute of Technology IT Security Policy BS7799/ISO27002 standard framework David Scott September 2007 Version Date Prepared By 1.0 13/10/06 David Scott 1.1 18/09/07 David Scott 1.2 26/09/07 David
More informationSTRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS
Policy: Title: Status: ISP-S9 Use of Computers Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1. Introduction 1.1. This information security policy document contains high-level
More informationInformation Security Policy Manual
Information Security Policy Manual Latest Revision: May 16, 2012 1 Table of Contents Information Security Policy Manual... 3 Contact... 4 Enforcement... 4 Policies And Related Procedures... 5 1. ACCEPTABLE
More informationWorking Practices for Protecting Electronic Information
Information Security Framework Working Practices for Protecting Electronic Information 1. Purpose The following pages provide more information about the minimum working practices which seek to ensure that
More informationADMINISTRATION COMPUTER NETWORK
ADMINISTRATION COMPUTER NETWORK School Administrative Computer Network The Cumberland School operates a network of computers specifically for administrative purposes in the school. This network is electronically
More informationSecurity Management. Keeping the IT Security Administrator Busy
Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching
More informationFranciscan University of Steubenville Information Security Policy
Franciscan University of Steubenville Information Security Policy Scope This policy is intended for use by all personnel, contractors, and third parties assisting in the direct implementation, support,
More informationAntivirus and Malware Prevention Policy and Procedures (Template) Employee Personal Device Use Terms and Conditions (Template)
Below you will find the following sample policies: Antivirus and Malware Prevention Policy and Procedures (Template) Employee Personal Device Use Terms and Conditions (Template) *Log in to erisk Hub for
More informationANTI-VIRUS POLICY OCIO-6006-09 TABLE OF CONTENTS
OCIO-6006-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: Section I. Purpose II. Authority III. Scope IV. Definitions V. Policy VI. Roles and Responsibilities VII. Exceptions
More informationCOVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name
COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name Introduction Removable Media and Mobile Device Policy Removable media and mobile devices are increasingly used to enable information access
More informationCyber Essentials Scheme
Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these
More informationYMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY
YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY Author Head of IT Equality impact Low Original Date September 2003 Equality No This Revision September
More informationStep-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses
Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses 2004 Microsoft Corporation. All rights reserved. This document is for informational purposes only.
More informationHow to Practice Safely in an era of Cybercrime and Privacy Fears
How to Practice Safely in an era of Cybercrime and Privacy Fears Christina Harbridge INFORMATION PROTECTION SPECIALIST Information Security The practice of defending information from unauthorised access,
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationABERDARE COMMUNITY SCHOOL
ABERDARE COMMUNITY SCHOOL IT Security Policy Drafted June 2014 Revised on....... Mrs. S. Davies (Headteacher) Mr. A. Maddox (Chair of Interim Governing Body) IT SECURITY POLICY Review This policy has been
More informationIT Checklist. for Small Business INFORMATION TECHNOLOGY & MANAGEMENT INTRODUCTION CHECKLIST
INFORMATION TECHNOLOGY & MANAGEMENT IT Checklist INTRODUCTION A small business is unlikely to have a dedicated IT Department or Help Desk. But all the tasks that a large organization requires of its IT
More informationRemote Access and Network Security Statement For Apple
Remote Access and Mobile Working Policy & Guidance Document Control Document Details Author Adrian Last Company Name The Crown Estate Division Name Information Services Document Name Remote Access and
More informationSection 12 MUST BE COMPLETED BY: 4/22
Test Out Online Lesson 12 Schedule Section 12 MUST BE COMPLETED BY: 4/22 Section 12.1: Best Practices This section discusses the following security best practices: Implement the Principle of Least Privilege
More informationNC DPH: Computer Security Basic Awareness Training
NC DPH: Computer Security Basic Awareness Training Introduction and Training Objective Our roles in the Division of Public Health (DPH) require us to utilize our computer resources in a manner that protects
More informationMCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features
MCTS Guide to Microsoft Windows 7 Chapter 7 Windows 7 Security Features Objectives Describe Windows 7 Security Improvements Use the local security policy to secure Windows 7 Enable auditing to record security
More informationMIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationCommon Cyber Threats. Common cyber threats include:
Common Cyber Threats: and Common Cyber Threats... 2 Phishing and Spear Phishing... 3... 3... 4 Malicious Code... 5... 5... 5 Weak and Default Passwords... 6... 6... 6 Unpatched or Outdated Software Vulnerabilities...
More informationInformation Security Policy
Information Security Policy The purpose of this Policy is to describe the procedures and processes in place to ensure the secure and safe use of the federation s network and its resources and to protect
More informationInformation Security Policy
Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September
More informationOdessa College Use of Computer Resources Policy Policy Date: November 2010
Odessa College Use of Computer Resources Policy Policy Date: November 2010 1.0 Overview Odessa College acquires, develops, and utilizes computer resources as an important part of its physical and educational
More informationInformation Technology Acceptable Usage Policy
Information Technology Acceptable Usage Policy Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly
More informationAdministrator's Guide
Administrator's Guide Copyright SecureAnywhere Mobile Protection Administrator's Guide November, 2012 2012 Webroot Software, Inc. All rights reserved. Webroot is a registered trademark and SecureAnywhere
More informationIntroduction. PCI DSS Overview
Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,
More informationBCS IT User Syllabus IT Security for Users Level 2. Version 1.0
BCS IT User Syllabus IT for Users Level 2 Version 1.0 June 2009 ITS2.1 System Performance ITS2.1.1 Unwanted messages ITS2.1.2 Malicious ITS2.1.1.1 ITS2.1.1.2 ITS2.1.2.1 ITS2.1.2.2 ITS2.1.2.3 ITS2.1.2.4
More informationSupplier Security Assessment Questionnaire
HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.
More informationVersion: 2.0. Effective From: 28/11/2014
Policy No: OP58 Version: 2.0 Name of Policy: Anti Virus Policy Effective From: 28/11/2014 Date Ratified 17/09/2014 Ratified Health Informatics Assurance Committee Review Date 01/09/2016 Sponsor Director
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationHengtian Information Security White Paper
Hengtian Information Security White Paper March, 2012 Contents Overview... 1 1. Security Policy... 2 2. Organization of information security... 2 3. Asset management... 3 4. Human Resources Security...
More informationMontclair State University. HIPAA Security Policy
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
More informationElectronic Information Security Policy
Introduction Electronic Information Security Policy 1.1. Background This Information Security Policy is based upon the International Standard ISEC/ISO 270001 the Code of Practice for Information Security
More informationInfocomm Sec rity is incomplete without U Be aware,
Infocomm Sec rity is incomplete without U Be aware, responsible secure! HACKER Smack that What you can do with these five online security measures... ANTI-VIRUS SCAMS UPDATE FIREWALL PASSWORD [ 2 ] FASTEN
More informationBusiness Internet Banking / Cash Management Fraud Prevention Best Practices
Business Internet Banking / Cash Management Fraud Prevention Best Practices This document provides fraud prevention best practices that can be used as a training tool to educate new Users within your organization
More informationSecondary DMZ: DMZ (2)
Secondary DMZ: DMZ (2) Demilitarized zone (DMZ): From a computer security perspective DMZ is a physical and/ or logical sub-network that resides on the perimeter network, facing an un-trusted network or
More information