Information Security Standards


March 2015
Information & Technology Services

Table of Contents

1.0 Common Policy Elements
    Introduction and Scope
    Authority
    Enforcement
    Exceptions
2.0 Terms and Definitions
3.0 Structure of the Standards
    Sections of this Document
4.0 Risk Assessment and Treatment
    Assessing Security Risks
        Risk Assessments
5.0 Security Policy
    Information Security Policy
        Information Security Commitment Statement
        Security Responsibility, Review and Evaluation
        User Responsibility
6.0 Organizational Security
    Information Security Infrastructure
        Management Commitment to Information Security
        Information Security Co-ordination / Allocation of Information Security Responsibilities
        Authorization Process for Information Security Facilities
        Confidentiality Agreements
        Independent Review of Information Security
    Security of Third Party Access
        Identification of Risks from Third Party Access
        Security Requirements in Third Party Contracts
        Security Requirements in Outsourcing Contracts
7.0 Asset Classification and Control
    Accountability for Assets
        Inventory of Assets
        Ownership of Assets
        Acceptable use of Assets
    Data Classification
        7.2.1 Data Classification Guidelines
        Information Labeling and Handling
8.0 Human Resources Security
    Prior to Employment
        Screening / Terms of Employment
    During Employment
        Management Responsibilities
        Information Security Education and Training
        Disciplinary Process
    Termination or Change of Employment
        Termination Responsibilities
        Return of Assets
        Removal of Access Rights
9.0 Physical and Environmental Security
    Secure Areas
        Physical Security Perimeter
        Physical Entry Controls
    Equipment Security
        Equipment Location and Protection
        Uninterruptible Power Supplies
        Secure Disposal or Re-use of Equipment
        Removal of Property
10.0 Communications and Operations Management
    Operational Procedures and Responsibilities
        Documentation of Operating Procedures
        Operational Change Control
        Segregation of Duties
        Separation of Development and Production Facilities
    Third Party Service Delivery Management
        Service Delivery
        Monitoring and Review of Third Party Services
        Managing Changes to Third Party Services
    System Planning and Acceptance
        Capacity Planning
        System Acceptance
    Protection Against Malicious and Mobile Code
        Controls Against Malicious Software
        Malicious Code
    Housekeeping
        Information Back-up
    Network Management
        Network Controls
        Security of Network Services
    10.7 Media Handling
        Management of Removable Media
        Disposal of Media
        Information Handling Procedures
        Security of System Documentation
    Exchanges of Information and Software
        Information and Software Exchange Agreements
        Security of Media in Transit
    Electronic Commerce Security
        Electronic Commerce
        Publicly Accessible Systems
    Monitoring
        Event Monitoring
        Monitoring System Use
        Activity Logs
        Fault Logging
Access Control
    Business Requirement for Access Control
        Access Control Policy
    User Access Management
        Access Authorization
        Privilege Management
        Password Management Systems
        Review of User Access Rights
    User Responsibilities
        Password Use
        Unattended User Equipment
        Clear Desk and Screen Policy
    Network Access Control
        Use of Network Services
        Wireless Network Access
    Operating System Access Control
        Secure Log-on
        User Identification and Authentication
        Password Management System
        Use of System Utilities
        Terminal Time-out Procedures
    Application Access Control
        Information Access Restriction
    Mobile Computing and Telecommuting
        Mobile Computing
        Telecommuting
Systems Development and Maintenance
    12.1 Security Requirements of Systems
        Security Requirements Analysis and Specification
    Security in Application Systems
        Data Validation Checks and Controls
    Encryption Controls
        Encryption Controls
    Security of System Files
        Control of Operational Software
        Protection of System Test Data
        Access Control to Program Source Libraries
    Security in Development and Support Process
        Change Control Procedures
        Review of Operating System Changes
        Restrictions on Changes to Software Packages
Information Security Incident Management
    Reporting Information Security Events and Weaknesses
        Reporting Security Incidents
        Incident Management Procedures
    Management of Information Security Incidents and Improvements
        Responsibilities and Processes
        Collection of Evidence / Learning from Incidents
Disaster Recovery and Business Continuity
    Aspects of Disaster Recovery and Business Continuity
        Disaster Recovery and Business Continuity Planning
Compliance
    Compliance with Legal Requirements
        Identification of Compliance Areas
    Compliance with Security Policies and Standards, and Technical Compliance
        Identification of Compliance Areas

Revision History

Standard Number | Author | Revision Date | Revision Content
                | MD     | 3/1/2005      | Changed data classification parameters to include only HIPAA data as confidential.
All             | MD     | 9/2005        | Made major modifications based on ISO17799 June 2005 revision.
All             | RM     | 7/2008        | Made modifications based on annual review.
Page 7          | RM     | 8/2009        | Change ISO to ISO.
                | RM     | 8/2009        | Add space before sentence.
                | RM     | 8/2009        | Change "should" to "must".
                | RM     | 8/2009        | Replace "County asset management procedures" with "Administrative Directive PI".
                | RM     | 8/2009        | Change "Security procedures" to "Security awareness training".
                | RM     | 8/2009        | Add space before sentence.
                | RM     | 8/2009        | Remove "the author, approved by the owner or accepted and approved by the change management process".
All             | RM     | 11/2011       | Made formatting and date modifications based on annual review.
                | RM     | 11/2011       | Deleted "or" in 2nd sentence.
9.1             | AO     | 3/2015        | Modifications in accordance with internal audit recommendations.
9.2             | AO     | 3/2015        | Modifications in accordance with internal audit recommendations.
                | AO     | 3/2015        | Modifications in accordance with internal audit recommendations.

1.0 Common Policy Elements

1.1 Introduction and Scope

Information is a valuable asset that must be protected from unauthorized disclosure, modification, use or destruction. Prudent steps must be taken to ensure that its confidentiality, integrity and availability are not compromised.

This document provides a uniform set of information security standards for using Hillsborough County (hereafter referred to as "the County" or "County") technology resources. In addition to defining roles and responsibilities, information security standards raise users' awareness of the potential risks associated with access to and use of information technology. Employee awareness through dissemination of the standards helps accelerate the development of new application systems and ensures the consistent implementation of controls for information systems.

County information security standards are based upon the internationally accepted ISO information security standard framework. The standards are designed to comply with applicable laws and regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The standards should be considered minimum requirements for providing a secure environment for developing, implementing and supporting information technology and systems.

The associated standards listed must be adhered to by departments unless an exception is specifically granted (described below in section 1.4). Departments may develop detailed procedures to handle department-specific cases, provided they adhere to the standard that they support.

1.2 Authority

Article II, Section 6(o), of the Hillsborough County Administrative Code (Ordinance 85-35), as amended, empowers the County Administrator to issue and enforce such administrative orders, rules or guidelines as necessary to give appropriate effect to the Charter, Administrative Code, and ordinances of the County, and to maintain a complete compilation of all such administrative orders, rules, and regulations.

1.3 Enforcement

Individual County departments are responsible for developing detailed procedures to comply with these security standards. The standards will guide periodic security reviews by ITS, as well as audits by the Internal Audit department of the Clerk of the Circuit Courts or the County's Internal Performance Auditor. Violators of these standards may be subject to employee disciplinary procedures. Departments may impose sanctions upon their employees, within accepted County guidelines, for violations of these standards.

1.4 Exceptions

Exceptions to a standard must be approved by the Assistant County Administrator, with review by the Information Security group in ITS. In each case, the department or vendor must document the need for the exception, the scope and extent of the exception, the safeguards to be implemented to mitigate risks, the specific timeframe for the exception, the organization requesting the exception, and the management approval.

2.0 Terms and Definitions

This section defines some of the terms used throughout the document.

Policy: A course of action or behavior that is followed; a high-level plan embracing goals and acceptable procedures.

Standard: A specific approach, solution, methodology, product or protocol supporting a policy that must be adhered to for establishing uniformity. While policies are intended to last for an indefinite period, standards may change more often because the manual procedures, organizational structures, business processes and information systems technologies mentioned in standards change so rapidly.

Procedure: A set of administrative instructions for implementation of a standard; a particular way of accomplishing something. Procedures are sometimes called standard operating procedures or department operating procedures. Procedures are specific operational steps that are used to complete a task or achieve a goal.

3.0 Structure of the Standards

3.1 Sections of this Document

The security categories contained in this document:
o Security Policy
o Organizing Information Security
o Asset Management
o Human Resources Security
o Physical and Environmental Security
o Communications and Operations Management
o Access Control
o Information Systems Acquisition, Development and Maintenance
o Information Security Incident Management
o Business Continuity Management
o Compliance

4.0 Risk Assessment and Treatment

4.1 Assessing Security Risks

Risk Assessments

Risk assessments should be performed periodically to address changes in the security requirements and in the risk situation (e.g., in the assets, threats, vulnerabilities, impacts, or the risk evaluation), and when significant changes occur.

Risk assessments should be undertaken in a methodical manner capable of producing comparable and reproducible results.

Risk assessments should have a clearly defined scope in order to be effective.

5.0 Security Policy

5.1 Information Security Policy

Information Security Commitment Statement

Information is a valuable County asset and must be protected from unauthorized disclosure, modification, or destruction. Prudent information security policies, standards and procedures must be implemented to ensure that the integrity, confidentiality and availability of County information are not compromised.

Security Responsibility, Review and Evaluation

ITS is responsible for establishing and managing the security of all systems. Periodically, ITS will review the most current best practices regarding the use of technology and will amend and/or issue new policies, standards, and/or controls to reflect the most appropriate solution for the security of County information.

User Responsibility

County information technology resources are provided to authorized users to facilitate the efficient and effective performance of their duties in a secure electronic environment. The use of such resources imposes certain responsibilities and obligations on users and is subject to County policies. It is the responsibility of users to ensure that such resources are not misused.

6.0 Organizational Security

6.1 Information Security Infrastructure

Management Commitment to Information Security

County management should actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities.

County management should:
o review and approve information security policy;
o provide clear direction and visible management support for security initiatives;
o provide the resources needed for information security;
o approve assignment of specific roles and responsibilities for information security across the County;
o initiate plans and programs to maintain information security awareness;
o ensure that the implementation of information security controls is coordinated across the County.

Information Security Co-ordination / Allocation of Information Security Responsibilities

The ITS Director will be the focal point for all IT security related matters.

Departments should designate a security liaison to serve as the primary point of contact to the ITS Director.

Departments should implement additional procedures as necessary to meet County security requirements.

The security liaison should be responsible for ensuring their department's implementation of the Information Security Policies and Standards approved by the County.

Authorization Process for Information Security Facilities

When approving new information processing facilities, the following issues (at a minimum) should be addressed:
o assessment of the ability of the new processing facilities to conform to existing security policies;
o evaluation of the need for additional security measures and the impact of personal computing systems.

6.1.4 Confidentiality Agreements

Confidentiality or non-disclosure agreements (NDAs) address the requirement to protect confidential information using legally enforceable terms. The following elements should be considered for inclusion in an NDA:
o a definition of the information to be protected (e.g., confidential information);
o expected duration of an agreement;
o required actions when an agreement is terminated;
o the permitted use of confidential information, and rights of the signatory to use information;
o the right to audit and monitor activities that involve confidential information;
o process for notification and reporting of unauthorized disclosure of confidential information;
o terms for information to be returned or destroyed at agreement cessation; and
o expected actions to be taken in case of a breach of this agreement.

Requirements for confidentiality and non-disclosure agreements should be reviewed periodically.

Independent Review of Information Security

The County's approach to managing information security and its implementation (i.e., control objectives, controls, policies, processes, and procedures for information security) should be reviewed independently at planned intervals, at management's initiation.

Such a review should be carried out by individuals independent of the area under review, e.g., the internal audit function or a third party organization specializing in such reviews. Individuals carrying out these reviews should have the appropriate skills and experience.

The results of the independent review should be recorded and reported to the management who initiated the review. If the independent review identifies that the organization's approach to, and implementation of, managing information security is inadequate or not compliant with the direction for information security stated in the information security policy document (see 5.1.1), management should undertake corrective actions.

6.2 Security of Third Party Access

Identification of Risks from Third Party Access

All prospective third party agents must be provided with a copy of the County Information Security Policies and Standards by the contracting department, and be required to comply.

When third party agents have user accounts on County systems, they must observe the same standards as County employees.

When third party agents are working in a County environment without being directly supervised, County employees must be vigilant about logging off sessions, logging out or securing PC access, and keeping paper information properly discreet.

Stringent controls must be required on user accounts using remote login access. Where the third party access will involve a network-to-network connection, the use of a firewall is mandated.

Network connection ports should be monitored for unknown devices and unauthorized connections.

Security Requirements in Third Party Contracts

When writing contracts with third parties to provide services that involve accessing County computing resources, the department involved bears the burden of ensuring that all relevant information security issues have been addressed.

Use of the Information Security Policies and Standards as a reference guide is mandatory.

Provisions in the contract that require the third party to demonstrate their ability to meet the requirements of the Information Security Policies and Standards provide a basis of trust for further technical interaction.

When a third party service provider will be placing contract resources on County premises, the contract must reflect the acceptance by the third party of responsibility for the actions of its members.

When a service provider will be using a logical connection to County resources, the contract must reflect not only responsibility for the actions of the third party users, but also for the security integrity of any connected networks, systems or logons.

Security Requirements in Outsourcing Contracts

Information security issues must be included or addressed in the contract as an expectation by the County that the provider will meet or exceed all of the policies stated within the County's Information Security Policies and Standards.

When engaged in agreements with outsourcing providers, wording related to security compliance verification must exist within the contract.

7.0 Asset Classification and Control

7.1 Accountability for Assets

Inventory of Assets

County equipment custodians must maintain perpetual inventory control, a record of the new location and new user of all equipment issued, and physical security over the equipment in their possession.

All County computer and communications equipment must have a unique identifier attached to it such that physical inventories can be efficiently conducted.

As hardware and software become out of date or no longer in use, they must be removed from the inventory lists in accordance with Administrative Directive PI.

All hardware and software must be procured according to Administrative Directive IT.

Ownership of Assets

All information and assets associated with information processing facilities should be owned by a designated part of the County. The asset owner should be responsible for:
o ensuring that information and assets associated with information processing facilities are appropriately classified;
o defining and periodically reviewing access restrictions and classifications, taking into account applicable access control policies.

Routine tasks must be delegated, e.g., to a custodian looking after the asset on a daily basis, but the responsibility remains with the owner.

7.1.3 Acceptable use of Assets

County information technology resources are provided to authorized users to facilitate the efficient and effective performance of their duties. The use of such resources imposes certain responsibilities and obligations on users and is subject to County policies. It is the responsibility of users to ensure that such resources are not misused. For details on acceptable use, refer to HR policy.

Departments may establish more stringent procedures consistent with this document and its associated standards.

The County reserves the right to retrieve and read any data composed, transmitted or received through online connections and/or stored on County equipment.

7.2 Data Classification

Data Classification Guidelines

All County information and information entrusted to the County from outside agencies falls into one of three sensitivity classifications: CONFIDENTIAL, RESTRICTED or PUBLIC.

CONFIDENTIAL: This category includes protected health information (PHI) as defined by HIPAA, and similar information. Access to confidential information must be tightly controlled based on need to know. Except as specifically allowed by HIPAA and other federal and state laws, disclosure to other parties is not allowed, and may result in significant civil and criminal penalties.

RESTRICTED: This is the default classification for any information not specifically designated. Disclosure of restricted information could cause harm to the general health, safety and welfare of affected parties. This information should be disclosed to third parties only if reviewed by the appropriate body and, if approved for disclosure, a confidentiality or non-disclosure agreement has been signed.

PUBLIC: Examples include any data deemed applicable under the Florida Sunshine Laws. This information has been explicitly approved by the County as suitable for public dissemination.

Information Labeling and Handling

For each data classification, labeling and handling procedures should be defined to cover the following types of activity:
o copying
o storage
o transmission by mail, facsimile or e-mail
o destruction of data

Output from systems containing data classified as confidential should carry an appropriate classification label. The labeling should reflect the classification according to the rules established in

8.0 Human Resources Security

8.1 Prior to Employment

Screening / Terms of Employment

Job roles should identify the degree of access to County information systems and data in addition to normal roles and responsibilities.

Disciplinary or criminal procedures should follow the County's administrative regulations and criminal codes.

Background checks should be conducted as part of the initial employment process for employees who will be handling confidential data as described in section

Managers and supervisors should develop procedures required for personnel that will be accessing confidential information.

Terms and conditions of employment should clearly define the employee's responsibilities for information security.

Employees who require access to confidential information should be required to sign a confidentiality or non-disclosure agreement when initially employed.

Third-party users who are not already covered by an existing agreement should also sign such agreements prior to being given access to County information.

8.2 During Employment

Management Responsibilities

Management should require employees and third party users to apply security in accordance with the County's Information Security Policies and Standards.

Management responsibilities should include ensuring that employees and third party users:
o are properly briefed on their information security responsibilities prior to being granted access to sensitive information or systems;
o are provided with guidelines stating the security expectations of their role within the County;
o are required to fulfill the security policies of the County;
o achieve a level of awareness of security relevant to their roles and responsibilities within the County;
o comply with the terms and conditions of employment, which include the County's information security policy.

Information Security Education and Training

All employees should be trained in information security concepts. Each department should create procedures for training employees on securely accessing and using its information processing facilities.

All employees should be aware of and remain vigilant for possible fraudulent activities. Well-defined procedures should be in place for employees to report incidents involving their personal accounts or the acts of others.

A process for reporting incidents and concerns should be communicated to all employees so they can report breaches and all other suspicious activities to the appropriate levels (see section 6.3.1).

Users should be trained to be aware of security weaknesses and threats to all information processing and communications, and of the process for reporting them to the designated security liaison.

Users should note and report observed or suspected security weaknesses in systems and services. Users should not try to emulate the security breach or attempt to prove the threat as a test.

Vendors and contractors who provide services to the County must agree to follow the applicable information security procedures of the department for which they work.

Disciplinary Process

A formal disciplinary process should be followed to deter and discipline employees or third party agents who violate the County Information Security Policies and Standards.

8.3 Termination or Change of Employment

Termination Responsibilities

Responsibilities for performing employment termination or change of employment should be clearly defined and assigned.

Human Resources is responsible for the overall termination process and should coordinate with the manager of the person terminating to manage the security aspects of the relevant procedures.

Return of Assets

All employees, contractors and third party users must return all of the County's assets in their possession upon termination of their employment, contract or agreement.

The termination process should be formalized to include the return of all previously issued software, County documents, and equipment. Other County assets such as mobile computing devices, access cards, software, manuals, and information stored on electronic media also must be returned.

In cases where an employee or third party user has knowledge that is important to ongoing operations, that information should be documented and transferred to the County.

Removal of Access Rights

The access rights of all employees and third party users to information and information processing facilities must be removed upon termination of their employment, contract or agreement, or adjusted upon change.

Changes of employment (i.e., transfers) must be reflected in the removal of all access rights that were not approved for the new employment.

9.0 Physical and Environmental Security

9.1 Secure Areas

Physical Security Perimeter

A security assessment of all key information processing facilities should be performed to assess their physical security. Primary information processing facilities should be evaluated frequently, to include weekends and holidays.

Appropriate control mechanisms should be applied to prevent unauthorized access.

The preventive, detective and corrective physical security measures should be periodically tested and documented to verify the adequacy of their design and the degree of implementation and effectiveness.

Information processing facilities should be equipped with fire alarm systems.

Sections of secure facilities that provide access to input or output deliveries should be restricted with additional controls.

The computer center's physical address should be disclosed only to those having a need-to-know. No signs should indicate the location of an information-processing facility.

Directories and internal telephone books that identify locations of information processing facilities should not be readily accessible by the public.

To prevent unauthorized duplication and transmission of confidential information, all printers, copiers and fax machines that process such information should be located in secured areas.

9.1.2 Physical Entry Controls

Where possible, and not deemed cost prohibitive, entry controls should identify, authenticate or monitor all access attempts to restricted areas within department facilities.

Access to any County data center, network operations center, telecommunications or other similar information processing facility should be restricted.

Access to any office, computer room or work area that contains confidential information should be physically restricted.

All visitors, including contractors and vendors, should be registered before accessing information processing facilities.

Visitors should be escorted by an ITS or County approved staff member when entering and exiting information processing facilities and be periodically monitored by an ITS or County approved staff member while on-site.

Confidential information, in either paper or electronic form, must be protected from unauthorized access and disclosure.

All entry logs should be secured and maintained.

Access rights to secure areas should be reviewed and updated regularly. Obtain monthly reports; the OPS manager is to review and update as necessary.

9.2 Equipment Security

Equipment Location and Protection

Production systems, including, but not limited to, servers, network equipment and telephony systems, should be located within a physically secured area.

To assure the uninterrupted service of critical production systems, management should provide security controls that monitor and alert appropriate personnel for fires, smoke, water, temperature and electrical effects.

Primary information processing facilities should include controls that monitor and alert appropriate personnel to humidity levels that are outside of the acceptable range.

Management should restrict eating, drinking and smoking in the proximity of information processing equipment, except in designated areas.

Management should prohibit storage of stationery and other supplies posing a fire hazard inside information processing locations.

Equipment should be properly maintained in accordance with the manufacturer's recommended service intervals and specifications to ensure its continued availability and integrity.

Appropriate precautions should be taken when sending equipment offsite for maintenance, especially with regard to equipment that might contain confidential data.

Uninterruptible Power Supplies

A risk assessment should be performed on critical equipment to determine the need for uninterruptible power supply equipment and the length of time for which outage protection is required.

UPS equipment should be monitored to ensure that it is functioning properly and has adequate capacity.

Back-up generators should be considered if the risk assessment determines that processing is to continue in the event of a prolonged power failure.

Generators should be tested regularly in accordance with the manufacturer's instructions.

Emergency power switches should be located near emergency exits in equipment rooms to facilitate rapid power down in case of an emergency.

Emergency lighting should be provided within the facility in case of a main power failure.

Lightning protection should be used where deemed appropriate following a risk assessment.

Secure Disposal or Re-use of Equipment

Prior to disposal, media (floppy disks, CDs, DVDs, tapes, etc.) containing confidential information must be destroyed to render the information unrecoverable.

All hardcopy materials that contain confidential information must be shredded.

Removal of Property

The use of any County-owned equipment outside of the County premises must be authorized by department management. The level of security provided must be at least equal to that of equipment used on-site.

10.0 Communications and Operations Management

10.1 Operational Procedures and Responsibilities

Documentation of Operating Procedures

Operating procedures for County information processing systems should be documented and authorized by management.

Documentation procedures should be prepared for the typical system maintenance activities associated with information processing and communications facilities.

Operational Change Control

Responsibilities and procedures should be implemented to ensure satisfactory control of all changes to information processing systems, software, and procedures.

Segregation of Duties

Care should be taken that no single person can perpetrate fraud in areas of single responsibility without being detected.

Separation of Development and Production Facilities

When feasible, separation between production, development and test systems should be maintained to reduce the risk of unauthorized changes or access.

10.2 Third Party Service Delivery Management

Service Delivery

Ensure that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party.

Monitoring and Review of Third Party Services

Monitoring and review of third party services should ensure that the information security terms and conditions of the agreements are being adhered to, and that information security incidents and problems are managed properly.

Managing Changes to Third Party Services

Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking into account the criticality of the business systems involved.

10.3 System Planning and Acceptance

Capacity Planning

Information system managers should monitor resources to identify usage trends and changes to specific applications or systems.
Growth in system capacities should be projected to support new business requirements and to plan new applications.

System Acceptance

Prior to the implementation of new or upgraded information systems, care should be taken to ensure that all requirements for acceptance have been met. Criteria should be clearly defined, documented and tested.

10.4 Protection Against Malicious and Mobile Code

Controls Against Malicious Software

Appropriate security awareness training should be utilized to ensure that users are aware of the dangers of unauthorized or malicious software.
Special controls that detect or prevent the introduction of malicious software should be introduced. Protection should be based on awareness, change management and system access controls.

Malicious Code

When users are connected to the Internet, they should be educated on safe practices when using resources from the Internet.
Since messaging systems are also a route of entry for malicious code, messages containing executable binary attachments should not be opened unless the sender is known, the file is expected, or the file has been screened through approved anti-virus software.

10.5 Housekeeping

Information Back-up

Routine procedures should be followed to implement back-up strategies.
Systems must be tested to ensure that all essential business data can be recovered following a disaster or system failure.

10.6 Network Management

Network Controls

Networks should be adequately managed and controlled in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.
Network managers should implement controls to ensure the security of information in networks, and the protection of connected services from unauthorized access. In particular, the following items must be considered:
- operational responsibility for networks should be separated from computer operations where appropriate;
- responsibilities and procedures for the management of remote equipment, including equipment in user areas, should be established;
- special controls should be established to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks, and to protect the connected systems and applications;
- special controls may also be required to maintain the availability of the network services and computers connected;
- appropriate logging and monitoring should be applied to enable recording of security relevant actions.

Security of Network Services

Security features, service levels, and management requirements of all network services should be identified and included in any network services agreement.
The ability of the network service provider to manage agreed services in a secure way should be determined and regularly monitored, and the right to audit should be agreed.

10.7 Media Handling

Management of Removable Media

There should be procedures in place for the management of removable media. The following guidelines should be considered:
- if no longer required, the contents of any re-usable media that are to be removed from the organization should be made unrecoverable;
- where necessary and practical, authorization should be required for media removed from the County, and a record of such removals should be kept in order to maintain an audit trail;
- all media should be stored in a safe, secure environment, in accordance with manufacturers' specifications;
- information stored on media that needs to be available longer than the media lifetime should also be stored elsewhere, in order to avoid information loss due to media deterioration.

Disposal of Media

When media is worn, damaged or otherwise no longer required, it should be disposed of in a secure manner. To prevent the compromise of confidential information through careless or inadequate disposal of computer media, formal procedures should be established for secure media disposal.

Information Handling Procedures

Procedures for the secure handling and storage of County information are required to protect the information from unauthorized disclosure or misuse. Such procedures should be consistent with the type of information being processed.

Security of System Documentation

Since the operational system documentation for County information systems may contain sensitive information, it should be protected from unauthorized access.

10.8 Exchanges of Information and Software

Information and Software Exchange Agreements

The exchange of protected or non-public information with other organizations should be based on a formal agreement that specifies the conditions and handling of the information (e.g., non-disclosure agreements).

Security of Media in Transit

Packaging should be sufficient to protect the contents from any physical damage likely to arise during transit, and in accordance with manufacturers' specifications.
Where necessary, special controls should be adopted to protect confidential information from unauthorized disclosure or modification.

10.9 Electronic Commerce Security

Electronic Commerce

The following security risks must be considered in the design of all e-commerce applications:
- vulnerability of messages to unauthorized access or modification;
- potential exposure to denial of service attacks;
- vulnerability to error;
- impact of a change of communications media on business process;
- legal considerations.

Publicly Accessible Systems

The dissemination methods for County information classified as public should have, at a minimum, protection from unauthorized modification and denial of service attacks.
Consideration of security controls that should be applied to publicly available systems should include some or all of the following:
- information to be disseminated is classified in compliance with data protection legislation;
- any information input to, and processed by, a public system, such as a request form, comment form, questionnaire, etc., should be processed completely, accurately and in a timely manner;
- confidential information must be protected during the collection process and when stored;
- access to the public system does not allow unauthorized access to networks to which it is connected;
- County information classified as other than public should not reside on systems where public information is being served;
- information to be made available to restricted groups, such as employees, should be protected by appropriate security mechanisms.

10.10 Monitoring

Event Monitoring

All user-initiated logon attempts to connect with County production information systems should be logged, whether successful or not.
Establish retention periods for logs. The length of retention should reflect the availability of resources and the need to track historical information.
Logs should be sufficient to meet the requirements of evidence collection.

Monitoring System Use

The areas of concern for monitoring on any specific system should be established as the result of a risk assessment.
The log files produced by the monitoring systems should be reviewed on a periodic basis to determine if unauthorized activity has taken place.
The log files should be secured in such a way as to prevent unauthorized alterations.

Activity Logs

Logs should be maintained and securely stored.
Logging should be used whenever possible for:
- system utilization;
- system errors;
- communication session statistics;
- successful and unsuccessful logins.

Fault Logging

Computer operations personnel who monitor system operations should maintain a fault log, ensuring that complete and accurate records of all system and service faults are maintained and that all faults are properly handled.
Where computer or network operations can be monitored by automated means, the automated fault logging capability should be enabled.
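As an added illustration of the Event Monitoring and Monitoring System Use requirements above (example code written for this page, not part of the County standard): every logon attempt is recorded whether it succeeds or fails, each record is chained to its predecessor with a SHA-256 hash so that an unauthorized alteration is detected on review, failed attempts can be counted for periodic review, and a retention period is applied. The user IDs, addresses and timestamps are constructed sample data.

```python
"""Added example, not part of the County standard: a minimal logon audit
log.  Every logon attempt is recorded (success or failure); each record is
chained to the previous one by a SHA-256 hash so that an unauthorized
alteration is detected when the chain is verified; a retention period can be
applied.  All user IDs, addresses and timestamps are constructed sample data."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # "previous hash" anchor for the first record in a chain
SAMPLE_T0 = datetime(2015, 3, 2, 8, 0, tzinfo=timezone.utc)  # constructed


def _record_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) keeps the hash reproducible.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class LogonAuditLog:
    """Append-only list of entries; each carries prev_hash and its own hash."""

    def __init__(self):
        self.entries = []

    def log_attempt(self, user_id, source_ip, success, when):
        """Record one logon attempt, successful or not."""
        record = {
            "ts": when.isoformat(),
            "event": "logon",
            "user_id": user_id,
            "source_ip": source_ip,
            "result": "success" if success else "failure",
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({**record, "prev_hash": prev,
                             "hash": _record_hash(prev, record)})

    def verify(self, anchor=GENESIS):
        """Walk the chain from `anchor`; return (ok, index of first bad entry)."""
        prev = anchor
        for i, e in enumerate(self.entries):
            record = {k: v for k, v in e.items() if k not in ("prev_hash", "hash")}
            if e["prev_hash"] != prev or e["hash"] != _record_hash(prev, record):
                return False, i
            prev = e["hash"]
        return True, None

    def failed_attempts(self, user_id, window, now):
        """Count failed logons for user_id in the `window` ending at `now`,
        the kind of figure a periodic log review looks for."""
        cutoff = now - window
        return sum(1 for e in self.entries
                   if e["user_id"] == user_id and e["result"] == "failure"
                   and datetime.fromisoformat(e["ts"]) >= cutoff)

    def apply_retention(self, retention, now):
        """Drop entries older than `retention`.  Returns the new chain anchor
        (the prev_hash of the oldest kept entry), which must itself be kept
        somewhere trustworthy so verify() can still be run afterwards."""
        cutoff = now - retention
        self.entries = [e for e in self.entries
                        if datetime.fromisoformat(e["ts"]) >= cutoff]
        return self.entries[0]["prev_hash"] if self.entries else GENESIS


def build_sample_log():
    """Constructed sample attempts: one success, three failures then a
    success for a second user, and a much later success."""
    log = LogonAuditLog()
    events = [("jdoe", "10.1.2.3", True, 0), ("asmith", "10.1.2.9", False, 5),
              ("asmith", "10.1.2.9", False, 6), ("asmith", "10.1.2.9", False, 7),
              ("asmith", "10.1.2.9", True, 8), ("jdoe", "10.1.2.3", True, 100 * 24 * 60)]
    for user, ip, ok, minutes in events:
        log.log_attempt(user, ip, ok, SAMPLE_T0 + timedelta(minutes=minutes))
    return log


def run_demo():
    """Verify an intact chain, detect a tampered record, apply retention."""
    log = build_sample_log()
    results = {"intact": log.verify()}
    results["asmith_failures"] = log.failed_attempts(
        "asmith", timedelta(minutes=10), SAMPLE_T0 + timedelta(minutes=10))
    tampered = build_sample_log()
    tampered.entries[1]["result"] = "success"  # simulate an unauthorized edit
    results["tampered"] = tampered.verify()
    anchor = log.apply_retention(timedelta(days=90),
                                 SAMPLE_T0 + timedelta(days=100, minutes=1))
    results["kept"] = len(log.entries)
    results["after_retention"] = log.verify(anchor)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The hash chain makes alteration detectable rather than impossible; in practice the anchor hash is written to a separate, access-restricted location (or signed) so that an attacker who can edit the log cannot also rewrite the chain end to end.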

11.0 Access Control

11.1 Business Requirement for Access Control

Access Control Policy

All confidential information should be protected via access controls to ensure that it is not improperly disclosed, modified, deleted or rendered unavailable.
Information should be disclosed only to those people who have a legitimate business need for the information (i.e., "need to know").
Access control procedures should control access based on the need to know.
A supervisor and/or manager should initiate the access approval process, and the privileges granted should remain in effect only until the employee's job function changes or the employee leaves the employment of the County.
All production information possessed by or used by a particular County unit should have a designated owner who is responsible for determining appropriate sensitivity classifications and criticality ratings, making decisions about who can access the information, and ensuring that appropriate controls are utilized in the storage, handling, distribution and regular usage of information.
The authority to grant access to County information should be provided only by the owner of the information or their designate.
Default access privileges should be set to deny-all prior to any specific permissions being granted.
Access to systems software utilities should be restricted to authorized users. For production computing resources, a change control process should be in place (see Section 10).
Unless it has specifically been classified as public, all County information should be protected from disclosure. If non-public information is compromised or suspected of being compromised, the information owner and the appropriate security administration should be notified immediately.

11.2 User Access Management

Access Authorization

User IDs may be granted to specific users only when approved in advance by the user's management.
Prior to being granted to users, application system privileges should be approved by the involved application system owner.
Without specific written approval from the user's management, administrators should not grant system privileges to any user.
All users must have their identity verified with a user ID and a password issued by the appropriate authority prior to being permitted to use County computers and network resources.
County employees that require access to information systems and/or resources to perform their job role should be granted appropriate access based on approval.
Users are responsible for all activity performed with their personal user IDs.
User IDs must not be utilized by anyone but the individuals to whom they have been issued.
Users should sign (physically or electronically) a confidentiality agreement and an information system security agreement indicating that the user understands the conditions of access prior to being given a user ID that allows access to County systems.
All County information systems privileges must be promptly terminated at the time that a worker ceases to provide services to the County.
The user's immediate manager and/or supervisor should periodically reevaluate the system privileges granted to a user, to determine whether currently enabled system privileges are still needed to perform the user's current job duties.
All production information system user IDs must have a linked password to ensure that only the authorized user is able to utilize the user ID.
User IDs should be linked to specific people, and should not be associated with computer terminals, departments, job titles, etc.
Anonymous user IDs (e.g., "guest") should not be allowed unless approved in advance by the application system owner.
Management should promptly report all significant changes in end-user duties or employment status to the appropriate security administrator handling the user IDs of the affected persons.

Privilege Management

Users should be allocated privileges with the minimum access required for their job function on a need-to-use basis.
Management should define user privileges such that unauthorized users cannot gain access to, or otherwise interfere with, either the individual activities or the data of other users.
All user ID creation, deletion and privilege change activity performed by systems administrators and others with privileged user IDs should be logged and periodically reviewed.
Special access privileges, such as the ability to examine the files of other users, should be restricted to those directly responsible for system management and/or information security.

Password Management Systems

Within any specific computing environment, the ability of general users to access any files containing passwords must be restricted.

Review of User Access Rights

User access rights should be reviewed periodically (see Access Authorization, above).
Authorization for special privileged access rights (see Privilege Management, above) should be reviewed on a periodic basis.
Management and security administration should conduct periodic checks on the privileges granted to each user to ensure that unauthorized access has not been obtained.

11.3 User Responsibilities

Password Use

Users should use good security practices in the selection and use of passwords.
All system-level passwords (e.g., root, NT admin, application admin accounts, etc.) should be changed on at least a quarterly basis, except where the application or device has limitations which preclude the password being changed that frequently. The frequency with which those passwords are changed should take into account the risk involved should the password be compromised.
User accounts that have system-level privileges granted through group memberships or programs should have a password that is unique from other accounts held by that user.
Passwords should not be inserted into messages or other forms of electronic communication.
Where possible, users should not use the same password for different County access needs.
A separate password should be selected for operating system accounts. The exception to this is where a Single Sign On system may control multiple systems.
Users must not share County passwords with anyone, including administrative assistants or tech support.
Users should not write passwords down and store them anywhere in their office, or store passwords in a file on any computer system (including PDAs or similar devices) without encryption.
Users should not use the "Remember Password" feature of applications.
If an account or password is suspected of being compromised, the incident must be reported to the appropriate department security liaison and the user should immediately change the password.
Users should refuse all offers by software and/or Internet sites to automatically log them in the next time that they access those resources.
Temporary or first-use passwords should be changed the first time that the authorized user accesses the system.
If users need to share computer-resident data, they should use approved network services or any other mechanisms that do not infringe on any policies.
Application developers should ensure their programs contain the following security precautions:
- applications should support authentication of individual users, not groups;
- applications should not store passwords in clear text or in any easily reversible form.
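An added example (not the County's code) of an application meeting the two developer precautions above: credentials are kept per individual user ID, the password is stored only as a salted PBKDF2-HMAC-SHA256 digest rather than in clear or reversible form, comparison is constant-time, and temporary first-use passwords are flagged so they must be changed at first logon (the Password Use requirement above). The user IDs, passwords and work factor are assumptions chosen for this example.

```python
"""Added example, not the County's code: meeting the developer precautions
in the standard above.  Credentials are kept per individual user ID, the
password is stored only as a salted PBKDF2-HMAC-SHA256 digest (never in
clear text or a reversible form), comparison is constant-time, and temporary
first-use passwords are flagged so they must be changed at first logon.
User IDs, passwords and the work factor are assumptions for this example."""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor; tune so one hash costs ~0.1-0.5 s
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way, salted derivation; the original password cannot be recovered."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class CredentialStore:
    """One record per individual user ID; the password itself is never kept."""

    def __init__(self):
        self._users = {}

    def create_user(self, user_id, password, temporary=False):
        salt = os.urandom(SALT_BYTES)  # fresh per-user salt
        self._users[user_id] = {
            "salt": salt,
            "iterations": ITERATIONS,
            "digest": hash_password(password, salt),
            "must_change": temporary,
        }

    def authenticate(self, user_id, password):
        """Return 'ok', 'change_required' or 'denied'.  An unknown user ID
        still costs one hash so response time does not reveal valid IDs."""
        rec = self._users.get(user_id)
        if rec is None:
            hash_password(password, b"\x00" * SALT_BYTES)
            return "denied"
        candidate = hash_password(password, rec["salt"], rec["iterations"])
        if not hmac.compare_digest(candidate, rec["digest"]):
            return "denied"
        return "change_required" if rec["must_change"] else "ok"

    def change_password(self, user_id, old_password, new_password):
        """Re-hash with a new salt and clear the first-use flag.  Requires the
        current password and rejects reuse of it."""
        if self.authenticate(user_id, old_password) == "denied":
            return False
        if new_password == old_password:
            return False
        self.create_user(user_id, new_password, temporary=False)
        return True

    def record_contains_password(self, user_id, password):
        """True if the password's bytes appear in the stored record (they
        must not, since only salt and digest are stored)."""
        rec = self._users[user_id]
        return password.encode("utf-8") in rec["salt"] + rec["digest"]


def run_demo():
    """Exercise the store with constructed users and passwords."""
    store = CredentialStore()
    store.create_user("jdoe", "Tr0ub4dor&3")
    store.create_user("asmith", "Tr0ub4dor&3")  # same password, different salt
    store.create_user("newhire", "Welcome-2015!", temporary=True)
    return {
        "good": store.authenticate("jdoe", "Tr0ub4dor&3"),
        "bad": store.authenticate("jdoe", "tr0ub4dor&3"),
        "unknown": store.authenticate("nobody", "anything"),
        "first_use": store.authenticate("newhire", "Welcome-2015!"),
        "changed": store.change_password("newhire", "Welcome-2015!",
                                         "c0rrect-h0rse-battery"),
        "after_change": store.authenticate("newhire", "c0rrect-h0rse-battery"),
        "distinct_digests": (store._users["jdoe"]["digest"]
                             != store._users["asmith"]["digest"]),
        "cleartext_present": store.record_contains_password("jdoe", "Tr0ub4dor&3"),
    }


if __name__ == "__main__":
    print(run_demo())
```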


More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

Information Technology Security Policy for IBTS

Information Technology Security Policy for IBTS Information Technology Security Policy for IBTS Pakistan Stock Exchange Limited Table of contents Information Technology Security Policy for IBTS 1- INTRODUCTION AND SCOPE... 3 2- CHARTER OF THE DOCUMENT...

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified Author(s) Responsible Committee / Officers Issue Date Review Date Intended Audience Impact Assessed CCG Committee

More information

Network Security Policy

Network Security Policy IGMT/15/036 Network Security Policy Date Approved: 24/02/15 Approved by: HSB Date of review: 20/02/16 Policy Ref: TSM.POL-07-12-0100 Issue: 2 Division/Department: Nottinghamshire Health Informatics Service

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL AU7087_C013.fm Page 173 Friday, April 28, 2006 9:45 AM 13 Access Control The Access Control clause is the second largest clause, containing 25 controls and 7 control objectives. This clause contains critical

More information

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls Review (ITGC) Audit Program Prepared by: Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the

More information

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course Rules of Behavior Before you print your certificate of completion, please read the following Rules of Behavior

More information

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

R345, Information Technology Resource Security 1

R345, Information Technology Resource Security 1 R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

HIPAA Privacy & Security Health Insurance Portability and Accountability Act

HIPAA Privacy & Security Health Insurance Portability and Accountability Act HIPAA Privacy & Security Health Insurance Portability and Accountability Act ASSOCIATE EDUCATION St. Elizabeth Medical Center Origin and Purpose of HIPAA In 2003, Congress enacted new rules that would

More information

Music Recording Studio Security Program Security Assessment Version 1.1

Music Recording Studio Security Program Security Assessment Version 1.1 Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

Network Security: Policies and Guidelines for Effective Network Management

Network Security: Policies and Guidelines for Effective Network Management Network Security: Policies and Guidelines for Effective Network Management Department of Electrical and Computer Engineering, Federal University of Technology, Minna, Nigeria. jgkolo@gmail.com, usdauda@gmail.com

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

Security Compliance Assessment Checklist

Security Compliance Assessment Checklist Security Compliance Assessment Checklist ITO Security Services January 2011 V0.2 Intro This checklist is used to evaluate project compliance with the Government of Saskatchewan IT Security Standards 2010.

More information

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...

More information

Recommended Security Controls for Federal Information Systems and Organizations

Recommended Security Controls for Federal Information Systems and Organizations NIST Special Publication 800-53 Revision 3 Recommended Security Controls for Federal Information Systems and Organizations JOINT TASK FORCE TRANSFORMATION INITIATIVE I N F O R M A T I O N S E C U R I T

More information

ULH-IM&T-ISP06. Information Governance Board

ULH-IM&T-ISP06. Information Governance Board Network Security Policy Policy number: Version: 2.0 New or Replacement: Approved by: ULH-IM&T-ISP06 Replacement Date approved: 30 th April 2007 Name of author: Name of Executive Sponsor: Name of responsible

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

Version 1.0. Ratified By

Version 1.0. Ratified By ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified 5 th March 2013 Author(s) Responsible Committee / Officers Issue Date 5 th March 2013 Review Date Intended Audience

More information

PCI Data Security and Classification Standards Summary

PCI Data Security and Classification Standards Summary PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers

More information

Information Technology Cyber Security Policy

Information Technology Cyber Security Policy Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please

More information

Does it state the management commitment and set out the organizational approach to managing information security?

Does it state the management commitment and set out the organizational approach to managing information security? Risk Assessment Check List Information Security Policy 1. Information security policy document Does an Information security policy exist, which is approved by the management, published and communicated

More information

BERKELEY COLLEGE DATA SECURITY POLICY

BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY TABLE OF CONTENTS Chapter Title Page 1 Introduction 1 2 Definitions 2 3 General Roles and Responsibilities 4 4 Sensitive Data

More information

SUPPLIER SECURITY STANDARD

SUPPLIER SECURITY STANDARD SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard

More information

Draft Information Technology Policy

Draft Information Technology Policy Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version November 3, 2015 1. Scope and order of precedence This agreement (the Data Processing Agreement ) applies to Oracle s Processing of Personal

More information

Information Shield Solution Matrix for CIP Security Standards

Information Shield Solution Matrix for CIP Security Standards Information Shield Solution Matrix for CIP Security Standards The following table illustrates how specific topic categories within ISO 27002 map to the cyber security requirements of the Mandatory Reliability

More information

PHI- Protected Health Information

PHI- Protected Health Information HIPAA Policy 2014 The Health Insurance Portability and Accountability Act is a federal law that protects the privacy and security of patients health information and grants certain rights to patients. Clarkson

More information

Client Advisory October 2009. Data Security Law MGL Chapter 93H and 201 CMR 17.00

Client Advisory October 2009. Data Security Law MGL Chapter 93H and 201 CMR 17.00 Client Advisory October 2009 Data Security Law MGL Chapter 93H and 201 CMR 17.00 For a discussion of these and other issues, please visit the update on our website at /law. To receive mailings via email,

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

Summary of CIP Version 5 Standards

Summary of CIP Version 5 Standards Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have

More information

Third-Party Access and Management Policy

Third-Party Access and Management Policy Third-Party Access and Management Policy Version Date Change/s Author/s Approver/s Dean of Information Services 1.0 01/01/2013 Initial written policy. Kyle Johnson Executive Director for Compliance and

More information

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.

More information

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

9. PRIVACY COMPLIANCE

9. PRIVACY COMPLIANCE 9. PRIVACY COMPLIANCE Overview 9.1 Privacy Compliance Reviews This chapter covers privacy compliance reviews; privacy considerations when planning or implementing new or modified programs, information

More information

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014 HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors

More information

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...

More information

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network...

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network... Contents 1 Purpose... 2 2 Scope... 2 3 Roles and Responsibilities... 2 4 Physical & Environmental Security... 3 5 Access Control to the Network... 3 6 Firewall Standards... 4 7 Wired network... 5 8 Wireless

More information

CII/SSI Policy Guide

CII/SSI Policy Guide CII/SSI Policy Guide For Employees, Vendors, Contractors or other Persons Accessing VDOT s CII/SSI An Accompanying Guide to CII/SSI Policy Version 6.0, March 2006 (Interim Revision November, 2009) Interim

More information

HIPAA Audit Risk Assessment - Risk Analysis

HIPAA Audit Risk Assessment - Risk Analysis I SECTION ONE COVERED ENTITY RESPONSIBILITIES AREA ONE Notice of Privacy Practices 1 Is your full notice of privacy practices given to every new patient in your practice at the first encounter or episode

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

HIPAA Audit Risk Assessment - Risk Factors

HIPAA Audit Risk Assessment - Risk Factors I II Compliance Compliance I Compliance II SECTION ONE COVERED ENTITY RESPONSIBILITIES AREA ONE Notice of Privacy Practices 1 Is your full notice of privacy practices given to every new patient in your

More information