Information Security Policy


Last updated: 09 March 2010
Policy Assigned to: Chief Information Officer, ICT

Table of Contents
1. Overview
2. Background
3. Coverage
4. Definitions
5. Risk Assessment and treatment
6. Organisation of Information Security
7. Asset Management
7a Information Classification Policy
8. Human Resources Security
9. Physical and environmental Security ICT Data Centre
10. Communications and operations Management
11. Access Control
11a Password Policy
12. Information Systems Acquisition, Development and Maintenance
13. Information Security Incident Management
14. Business Continuity Management
15. Compliance
16. Exemptions
17. Related information
Procedures

1. Overview

The policy provides management direction and support for information security in accordance with operational requirements, relevant laws and regulations. The policy is directly aligned with the Information Security Industry standard AS/NZS ISO/IEC 27002:2006: Information technology - Security techniques - Code of practice for information security management. Relevant sections from this standard are directly referenced in this document.

2. Background

Information is an asset that, like other important operational assets, is essential to the University of Sydney operations and consequently needs to be suitably protected.

Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it must be adequately protected.

Information security is the protection of information (including systems) from a wide range of threats in order to ensure business continuity, minimise operational risk, and maximize return on investments and operational opportunities.

Information security is achieved by implementing a suitable set of controls (based on risk profile), including policies, processes, procedures, organisational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and University objectives of the organisation are met.

For each of the risks identified following the risk assessment a risk treatment decision is made. Options for risk treatment include:
a) Applying appropriate controls to reduce the risks;
b) Knowingly and objectively accepting risks, providing they clearly satisfy the organisation's policy and criteria for risk acceptance;
c) Avoiding risks by not allowing actions that would cause the risks to occur;
d) Transferring the associated risks to other parties, e.g. insurers or suppliers;
e) Or a combination of the above options to treat residual risk.

3. Coverage

This policy covers all academic and general staff (including casual staff), students and affiliates.

4. Definitions

Affiliate means a clinical title holder, an adjunct, conjoint or honorary appointee, a consultant or contractor to the University, an office holder in a University entity, a member of any University Committee and any other person appointed or engaged by the University to perform duties or functions on its behalf.

Asset means anything that has value to the University of Sydney.

Availability means continuity of operational processes and recoverability in the event of a disruption.

Confidentiality means ensuring that information is accessible only to those authorised to have access.

Control means a mechanism for managing risk. (E.g. Policy)

Data means both raw and processed data, including electronic data files, regardless of their storage media as well as information derived from processed data, regardless of the storage or presentation media.

Information asset is defined as any representation of knowledge concerning objects such as facts, events, things, processes, ideas or opinions that has a particular meaning within a certain context.

Information processing facilities means any information processing system, service or infrastructure, including the physical location housing them.

Information Security means protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction. It includes the preservation of confidentiality, integrity and availability of information.

Integrity means the context of completeness, accuracy and resistance to unauthorised modification or destruction.

ISMS means Information security management system as defined by AS/NZS :2003.

Removable media means tapes, disks, flash disks, removable hard drives, CDs, DVDs, and printed media.

Risk is the chance of an event occurring that could have a negative or positive impact on the University achieving its objectives.

Risk Assessment means the process which considers information assets, vulnerabilities, likelihood of damage, estimates of the costs of recovery, summaries of possible defensive measures and their costs and estimated probable savings from better protection.

Secure areas - is where access is limited to authorised personnel only.

Sensitive data includes information assets classified at Internal or X-In-Confidence as per the Information Classification Policy; refer to section 7.2.

5. Risk Assessment and treatment

Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the operational harm likely to result from security failures.

The results of the risk assessment will help to guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks.

Risk assessment must be repeated as often as necessary to address any changes that might influence the risk assessment results, but at least every 12 months.

Risk assessment must be completed as part of any project, to make sure that whatever is being changed/implemented will not have a negative impact on existing risks or create new ones.

ICT Information security team will manage this process. The asset owners will ultimately decide on how to treat (mitigate, reduce, accept, transfer) the risk.

6. Organisation of Information Security

Objective: To manage information security within the organisation.

A management framework must be established by ICT to initiate and control the implementation of information security within the organisation.

Management commitment to Information Security
Management must actively support security within the through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities.

Allocation of information security responsibilities
All information security responsibilities must be clearly defined. Allocation of information security responsibilities must be done in accordance with this policy.

Authorisation process for information processing facilities
A management authorisation process for all information processing facilities must be defined and implemented.

Independent review of information security
The approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) must be reviewed independently at planned intervals, or when significant changes to the security implementation occur.

7. Asset Management

Objective: To achieve and maintain appropriate protection of all assets.

The asset owner determines the classification of the asset. All assets classified as sensitive must be accounted for and have a nominated owner. The nominated asset owner is responsible for delegating/approving access.

7.1 Responsibility for assets

Inventory of assets
All assets classified as sensitive must be clearly identified and an inventory of all important assets drawn up and maintained.

Acceptable use of Assets
Rules for the acceptable use of information and assets associated with information processing facilities must be identified, documented, and implemented. See Acceptable Use Policy.

7a Information Classification Policy

7.2 Information Classification Policy

Objective: To ensure that information receives an appropriate level of protection.

Sensitive Information must be classified to indicate the need, priorities, and expected degree of protection when handling the information.

Classification guidelines:
Information must be classified in terms of its value, legal requirements, sensitivity, and criticality to the University.

Sensitive classification refers to Internal and X-In-Confidence levels. Access to this information must be via an authentication process.

Default classification is Public. This information is freely available to both internal and external parties without the requirement for any authentication. E.g. Information is available on the internet.

There are 3 levels of classification:
(1) Public: The information may be freely disclosed externally.
(2) Internal: Access is limited to employees of the University of Sydney.
(3) X-In-Confidence: Information whose compromise could cause limited damage to the University of Sydney. e.g.
Cause substantial distress to individuals or private entities;
Cause financial loss or loss of earning potential to, or facilitate improper gain or advantage for, individuals or private entities;
Prejudice an investigation;
Prejudice the integrity of any examination or other form of assessment, results or student records;
Prejudice the conduct of research;
Facilitate the commission of crime;
Breach proper undertakings to maintain the confidence of information provided by third parties;
Impede the effective development or operation of the University of Sydney policies;
Breach statutory restrictions on disclosure of information;
Disadvantage the University of Sydney in commercial or policy negotiations with others;
Undermine the proper management of the University of Sydney and its operations.

8. Human Resources Security

8.2 During employment or engagement

Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organisational security policy in the course of their normal work, and to reduce the risk of human error.

Management responsibilities must be defined to ensure that security is applied throughout an individual's employment within the University.

An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities must be provided to all employees, contractors and third party users to minimise possible security risks.

Policies must be in place to facilitate the investigation of alleged breaches. Appropriate disciplinary action must be taken in respect of security breaches.

8.3 Termination or change of employment or engagement

Objective: To ensure that employees, contractors and third party users exit the University or change employment in an orderly manner.

Procedures must be in place to ensure that when the employment or engagement of an employee or Affiliate ends, their exit form is managed, and that the return of all equipment and the removal of all access rights are completed.

Exit procedures should also be followed as far as appropriate where a staff member or affiliate is transferring to a new role or work location.

9. Physical and environmental Security ICT Data Centre

Objective: To prevent unauthorised physical access, damage, and interference to the organisation's premises and information.

Physical security perimeter
Information processing facilities managed by the organisation must be physically separated from those managed by third parties. Critical or sensitive information processing facilities must be housed in secure areas, protected by defined security perimeters, with appropriate security barriers and entry controls. They must be physically protected from unauthorised access, damage, and interference. A staffed reception area or other means to control physical access to the site or building must be in place; access to sites and buildings must be restricted to authorised personnel.

Physical entry controls
Secure areas must be protected by appropriate entry controls to ensure that only authorised personnel are allowed access.
The date and time of entry and departure of visitors must be recorded, and all visitors must be supervised unless their access has been previously approved; they must only be granted access for specific, authorised purposes and must be issued with instructions on the security requirements of the area and on emergency procedures.
Access to areas where sensitive information is processed or stored must be controlled and restricted to authorised persons only; authentication controls, e.g. access control card plus PIN, must be used to authorise and validate all access; an audit trail of all access must be securely maintained;
All employees, contractors and third party users and all visitors must be required to wear some form of visible identification and must immediately notify security personnel if they encounter unescorted visitors and anyone not wearing visible identification;
Third party support service personnel must be granted restricted access to secure areas or sensitive information processing facilities only when required; this access must be authorised and monitored;
Access rights to secure areas must be regularly reviewed and updated, and revoked when necessary.

Working in secure areas
Physical protection and guidelines for working in secure areas must be designed and applied.
Staff must only be aware of the existence of, or activities within, a secure area on a need to know basis;
Unsupervised working in secure areas must be avoided both for safety reasons and to prevent opportunities for malicious activities;
Vacant secure areas must be physically locked and periodically checked;
Photographic, video, audio or other recording equipment, such as cameras in mobile devices, must not be allowed, unless authorised;

Public access, delivery, and loading areas
Access points such as delivery and loading areas and other points where unauthorised persons may enter the premises must be controlled and, if possible, isolated from information processing facilities to avoid unauthorised access.
Access to a delivery and loading area from outside of the building must be restricted to identified and authorised personnel;
The delivery and loading area must be designed so that supplies can be unloaded without delivery personnel gaining access to other parts of the building;
The external doors of a delivery and loading area must be secured when the internal doors are opened;
Incoming material must be registered in accordance with asset management procedures on entry to the site;
Incoming and outgoing shipments must be physically segregated, where possible.

9.1 Equipment security

Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organisation's activities.

Equipment siting and protection
Equipment must be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access.
Equipment must be sited to minimise unnecessary access into work areas;
Items requiring special protection must be isolated to reduce the general level of protection required;
Controls must be adopted to minimise the risk of potential physical threats, e.g. theft, fire, explosives, smoke, water (or water supply failure), dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation, and vandalism;
Guidelines for eating, drinking, and smoking in proximity to information processing facilities must be established;
Environmental conditions, such as temperature and humidity, must be monitored for conditions, which could adversely affect the operation of information processing facilities;
Lightning protection must be applied to all buildings and lightning protection filters must be fitted to all incoming power and communications lines;
Equipment processing sensitive information must be protected to minimise the risk of information leakage due to emanation (emitted or radiated).

Supporting utilities
Equipment must be protected from power failures and other disruptions caused by failures in supporting utilities. All supporting utilities, such as electricity, water supply, sewage, heating/ventilation, and air conditioning must be adequate for the systems they are supporting. Support utilities must be regularly inspected and as appropriate tested to ensure their proper functioning and to reduce any risk from their malfunction or failure. A suitable electrical supply must be provided that conforms to the equipment manufacturer's specifications.

Secure disposal or re-use of equipment
All items of equipment containing storage media must be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal. Devices containing sensitive information must be physically destroyed or the information must be destroyed, deleted or overwritten using techniques to make the original information non-retrievable rather than using the standard delete or format function. This information must also be protected (i.e. not lost) as a result of this control.

10. Communications and operations Management

10.1 Operational procedures and responsibilities

Objective: To ensure the correct and secure operation of information processing facilities.

Documented operating procedures
Responsibilities and procedures for the management and operation of all information processing facilities must be established. This includes the development of appropriate operating procedures. Operating procedures must be documented, maintained, and made available to all users who need them.

Segregation of duties
Duties and areas of responsibility must be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of the organisation's assets.

Separation of development, test, and operational facilities
Development, test, and operational facilities must be separated, where possible, to reduce the risks of unauthorised access or changes to the operational system.

Controls against malicious code (including viruses)
Objective: To protect the integrity of software and information.
Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures must be implemented. ICT managed equipment must be maintained with the most recent anti-virus vendor signature updates via a centrally managed console. The updates must be automatically distributed, with no manual intervention required by the end user or ICT.

Backup and Restore
Objective: To maintain the integrity and availability of information and information processing facilities.
Routine procedures must be established to implement back-ups processes across all ICT managed equipment. The backup processes must be thoroughly tested and documented. Routine restores of data must be performed to confirm the restore capability.

Network security management
Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.
Networks must be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.

Security of network services
Security features, service levels, and management requirements of all network services must be identified and included in any network services agreement, whether these services are provided in-house or outsourced.

Media Handling
Objective: To prevent unauthorised disclosure, modification, removal or destruction of assets, and interruption to operational activities.
Media must be controlled and physically protected by the support teams.

Appropriate operating procedures must be established to protect documents, computer media, input/output data and system documentation from unauthorised disclosure, modification, removal, and destruction.

Management of removable media
There must be procedures in place for the management of removable media. Where sensitive classified information is stored on removable media, appropriate controls such as password protection and encryption must be applied at a minimum to protect the information.

Monitoring
Objective: To detect unauthorised information processing activities where assets are classified as sensitive.

Monitoring system use
Procedures for monitoring use of information processing facilities must be established and the results of the monitoring activities reviewed regularly. The level of monitoring required for individual facilities must be determined by a risk assessment. Must comply with all relevant legal requirements applicable to its monitoring activities.

Protection of log information
Logging facilities and log information must be protected against tampering and unauthorised access. Controls must aim to protect against unauthorised changes and operational problems with the logging facility.

Administrator and operations logs
System administrator and system operator activities must be logged. Logs must include:
a) The time at which an event (success or failure) occurred;
b) Information about the event (e.g. files handled) or failure (e.g. error occurred and corrective action taken);
c) Which account and which administrator or operator was involved;
d) Which processes were involved.
System administrator and operator logs must be reviewed on a regular basis. Any abnormalities must be reported for further investigations.

Fault Logging
Faults must be logged, analysed, and appropriate action taken. Faults reported by users or by system programs related to problems with information processing or communications systems must be logged. There must be clear rules for handling reported faults including:
Review of fault logs to ensure that faults have been satisfactorily resolved;
Review of corrective measures to ensure that controls have not been compromised, and that the action taken is fully authorised.
It must be ensured that error logging is enabled, if this system function is available.

Clock synchronisation
The clocks of all relevant information processing systems within an organisation or security domain must be synchronised with an agreed accurate time source. Where a computer or communications device has the capability to operate a real-time clock, this clock must be set to an agreed standard, e.g. Coordinated Universal Time (UTC). As some clocks are known to drift with time, there must be a procedure that checks for and corrects any significant variation. The correct interpretation of the date/time format is important to ensure that the timestamp reflects the real date/time. Local specifics (e.g. daylight savings) must be taken into account.

11. Access Control

11.1 Operational requirement for access control

Objective: To control access to information.

Access to information, information processing facilities, and operational processes must be approved on the basis of operational and security requirements by the nominated owner. Anonymous access is not permitted to assets classified as sensitive. Access control rules and rights for each user or group of users must be clearly stated.

User Access Management
Objective: To ensure authorised user access and to prevent unauthorised access to information systems.
Formal procedures must be in place to control the allocation of access rights to information systems and services. The procedures must cover all stages in the life-cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services. Special attention must be given, where appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.

User registration
There must be a formal user registration and de-registration procedure (user registration form) in place for granting and revoking access to all information systems and services. The access control procedure for user registration and de-registration must include:
Using unique user IDs to enable users to be linked to and held responsible for their actions; the use of group IDs (role based accounts) must only be permitted where they are necessary for operational reasons, and must be approved and documented;
Ensuring service providers do not provide access until authorization procedures have been completed;
Maintaining a formal record of all persons registered to use the service;
Immediately removing or blocking access rights of users who have changed roles or jobs or left the organisation;
Periodically checking for, and removing or blocking, redundant user IDs and accounts after inactivity for 90 days, deletion after 180 days;
Redundant user IDs are not to be issued to other users.

Privilege Management
The allocation and use of privileges must be restricted and controlled. The principle of least privilege must be applied. Approved access by the asset owner must only be granted if it is deemed necessary to support a legitimate operational requirement. Privileges must be assigned to a different user ID from those used for normal operational activity.

11a Password Policy

Password Policy: The following controls must be applied:
User-level passwords must be kept confidential.
If your password has been compromised change your password immediately.
User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
Passwords must not be inserted into messages or other forms of electronic communication.
Passwords must never be written down or stored online.
Passwords must never be included in scripts.
Initial passwords must be changed on first time use.
Procedures to verify the identity of the person requesting a new, replacement or temporary password must be followed by the persons performing the change.
Default vendor passwords must be altered following installation of systems or software.
Where possible, accounts must be disabled after 5 unsuccessful login attempts for accounts that access sensitive information.
Where possible, the last 9 passwords must not be re-used.
Maintain separate passwords for internal and external system access. For example, do not use your online banking password within the University of Sydney.
A keyed hash must be used where available. E.g. SNMP

All user-level and system-level strong passwords must conform to a minimum of three of the following criteria, where possible:
Contain both upper and lower case characters (e.g., a-z, A-Z);
Have digits and punctuation characters as well as letters e.g., $%^&;
Is at least eight characters long;
Is not a word in any language, slang, dialect, jargon, etc.
Is not based on personal information, names of family, etc.

Create a strong password that is easy to remember. Think of a phrase that you can easily remember. E.g. "This May Be One Way To Remember" and the password could be: "TmB1w2R!"

User Responsibilities
Objective: To prevent unauthorised user access, and compromise or theft of information and information processing facilities.
A clear desk and clear screen policy must be implemented to reduce the risk of unauthorised access or damage to papers, media, and information processing facilities for information classified as sensitive.

Network Access Control
Objective: To prevent unauthorised access to networked services.
Access to both internal and external networked services must be controlled.

Policy on use of network services
Users will only be provided with access to the services that they have been specifically authorised to use.

User authentication for external connections
Appropriate authentication methods are required to control access for remote users.

Equipment identification in networks
Automatic equipment identification must be considered as a means to authenticate connections from specific locations and equipment.

Remote diagnostic and configuration port protection
Physical and logical access to diagnostic and configuration ports must be controlled.

Segregation in networks
Groups of information services, users, and information systems must be segregated on networks <as per the Network Strategy>.

Network connection control
For shared networks, especially those extending across the organisation's boundaries, the capability of users to connect to the network must be restricted, in line with the access control policy and requirements of the business applications.

Network routing control
Routing controls are essential to ensure that computer connections and information flows do not breach the access control policy of the business applications.

12. Information Systems Acquisition, Development and Maintenance

Correct processing in applications
Objective: To prevent errors, loss, unauthorised modification or misuse of information in applications.

Input data validation
Data input to applications must be validated to ensure that this data is correct and appropriate.

Message integrity
Requirements for ensuring authenticity and protecting message integrity in applications must be identified, and appropriate controls identified and implemented where classified as sensitive.

Cryptographic controls
Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.

Key management
Key management must be in place to support the organisation's use of cryptographic techniques. All cryptographic keys must be protected against modification, loss, and destruction. In addition, secret and private keys need protection against unauthorised disclosure. Equipment used to generate, store and archive keys must be physically protected. A key management system must be based on an agreed set of standards, procedures, and secure methods for:
Generating keys for different cryptographic systems and different applications;
Generating and obtaining public key certificates;
Distributing keys to intended users, including how keys must be activated when received;
Storing keys, including how authorised users obtain access to keys;
Changing or updating keys including rules on when keys must be changed and how this will be done;
Dealing with compromised keys;
Revoking keys including how keys must be withdrawn or deactivated, e.g. when keys have been compromised or when a user leaves an organisation (in which case keys must also be archived);
Recovering keys that are lost or corrupted as part of operational continuity management, e.g. for recovery of encrypted information;
Archiving keys, e.g. for information archived or backed up;
Destroying keys;
Logging and auditing of key management related activities;
Proactive renewal of expired keys, prior to expiration date.

Security of system files
Objective: To ensure the security of system files.

Control of operational software
There must be procedures in place to control the installation of software on operational systems.

Access control to program source code
Access to program source code must be restricted.

Security in development and support processes
Objective: To maintain the security of application system software and information.

Change control procedures
The implementation of changes must be controlled by the use of ICT change control procedures.

Technical review of applications after operating system changes
When operating systems are changed, critical applications must be reviewed and tested to ensure there is no adverse impact on organisational operations or security as part of ICT change control process.

Restrictions on changes to software packages
Modifications to software packages must be discouraged, limited to necessary changes, and all changes must be strictly controlled as part of the ICT change control process.

Outsourced software development
Outsourced software development must be supervised and monitored by the organisation.

Technical vulnerability management
Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.
Technical vulnerability management must be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness.

Control of technical vulnerabilities
A centralised vulnerability management process must be established. All information about technical vulnerabilities of information systems being used must be obtained from external authorities such as AUSCERT to a central point of control: the ICT Security team. Vendor ratings will be adopted. The organisation's exposure to such vulnerabilities will be evaluated. An agreed timeline must be defined to react to notifications of potentially relevant technical vulnerabilities. The appropriate measures in conjunction with the asset owner must be taken to address the associated risk.

A patch management process must be established, implemented and monitored for all systems, maintaining a minimum patch level of n-1. This process will be managed by the ICT change management process. This will include an agreed (with ICT Relationship Managers) patch schedule for all ICT managed servers.

13. Information Security Incident Management

13.1 Reporting information security events and weaknesses

Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.

All employees, contractors and third party users must be made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of organisational assets. They must report any information security events and weaknesses as quickly as possible to the designated point of contact.

Reporting and management of information security events
A formal information security event reporting procedure must be established, together with an incident response and escalation procedure, setting out the action to be taken on receipt of a report of an information security event.

Responsibilities and procedures must be in place to handle information security events and weaknesses effectively once they have been reported (as per the ICT Incident Response process). The first point of contact will be the ICT Helpdesk for all Information Security related events. Tickets will be generated for the ICT Security team. The ICT security team will evaluate the information and determine the appropriate course of action. Any non-authorised investigation outside the approval of the ICT Security team will be managed by disciplinary processes as per The Code of Conduct. The existing ICT incident management process will be adopted.

A process of continual improvement will be applied to the response to, monitoring, evaluating, and overall management of information security incidents. Where evidence is required, it must be collected to ensure compliance with legal requirements.

14. Business Continuity Management

14.1 Information Security Aspects of business continuity management

Objective: To counteract interruptions to operational activities and to protect critical processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
A business continuity management process must be implemented to minimise the impact on the organisation and recover from loss of information assets (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) to an acceptable level through a combination of preventive and recovery controls. This process must identify the critical processes and integrate the information security management requirements of business continuity with other continuity requirements relating to such aspects as operations, staffing, materials, transport and facilities.

The consequences of disasters, security failures, loss of service, and service availability must be subject to a business impact analysis. Business continuity plans must be developed and implemented to ensure timely resumption of essential operations. Information security must be an integral part of the overall business continuity process, and other management processes within the organisation.

Business continuity management must include controls to identify and reduce risks, in addition to the general risks assessment process, limit the consequences of damaging incidents, and ensure that information required for operational processes is readily available.

15. Compliance

15.3 Information systems audit considerations

Objective: To maximize the effectiveness of and to minimise interference to/from the information systems audit process.

There must be controls to safeguard operational systems and audit tools during information systems audits. Protection is also required to safeguard the integrity and prevent misuse of audit tools.

Protection of information systems audit tools

Access to information systems audit tools must be protected to prevent any possible misuse or compromise. Access to such applications must be via an authentication process. Use of such tools must be authorised by the ICT Security Manager prior to installation/use.

16. Exemptions

For any exemptions to this policy, please complete the Security Exemption form for subsequent review/approval by the ICT Security Manager.

17. Related information

(1) Related University legislation, resolutions, policies and procedures include:

(a) Commonwealth Legislation: Crimes Act 1914, Cybercrime Act 2001, Electronic Transactions Act 1999, Corporations Act 2001, Trade Practices Act 1974, Trade Practices Amendment Act 2001, Sex Discrimination Act 1984, Racial Discrimination Act 1975, and Disability Discrimination Act 1992

(b) NSW Legislation: NSW University of Sydney Act 1989, NSW State Records Act 1998, NSW Privacy and Personal Information Protection Act 1998, NSW Health Records and Information Privacy Act 2002, NSW Freedom of Information Act 1989, NSW Workplace Surveillance Act 2005

(c) Sydney University Policies such as:
(i) Code of Conduct Staff
(ii) Student Code of Conduct
(iii) Use of University Information and Communication Technology Resources (ICT Resources) Policy
(iv) University Privacy Policy
(v) University Web Sites Privacy Statement
(vi) University Recordkeeping Policy
(vii) University Record Keeping Manual
(viii) University Freedom of Information Policy
(ix) Risk Management Policy

18. Procedures

Implementation Action plans:

1. High Level Executive - see Attachment 7 - Seven key implementation activities.docx.
2. Implementation Level Documentation see Attachment 6 - ICT Information Security Policy Implementation Guide.docx

Administration

1. Background

For consultation and review process see Attachment 4 - Consolidated feedback log.docx, and who was responsible for developing the policy.

The policy was developed by:
Luise Schuster
Manager, Information Security
Information and Communications Technology
The University of Sydney

2. Policies, procedures etc which are now superseded by this document and its attachments

ICT Information Security Policy at policy/ict-information-security-policy pdf

3. Management Responsibility

Bruce Meikle
Chief Information Officer, Information and Communications Technology
The University of Sydney

4. Implementation Responsibility

Manager, Information Security
Information and Communications Technology
The University of Sydney

5. Dates

Approval (version 1)
Effect
Review
Approval (version 2)
Effect

6. Approval

Version 1
Version 2

7. Signatures

Approved by:

Name: Dr Michael Spence
Position: Vice-Chancellor and Principal
Date:
Signature: