Information Security Policy

Transcription

1 Information Security Policy Vision for the Future: Casey Creating the most Caring, Safe, Innovative and Sustainable City Information Security Policy (Version 2.3) Page 1 of 6

2 Document Control Council policy documents change from time to time and it is recommended that you consult the electronic reference copy at to ensure that you have the current version. Alternatively you may contact Customer Service on Responsible Department Administration This version includes all amendments and administrative updates to 24 August Electronic reference library version 2.3 Preamble In accordance with a resolution of Council on 21 June 2005 to include definitions of Council, Councillors and Council officers in all Council policy documents, the following definitions are provided: Council means Casey City Council, being a body corporate constituted as a municipal Council under the Local Government Act 1989 Councillors means the individuals holding the office of a member of Casey City Council Council officers means the Chief Executive Officer and staff of Council appointed by the Chief Executive Officer. Information Security Policy (Version 2.3) Page 2 of 6

3 1. Purpose This document defines the Information Security Policy of the City of Casey. Information security is achieved by implementing a suitable set of controls including policies, practices, procedures, organisational structures and software functionality. A critical factor in the implementation of any Information Technology (IT) Security Policy is that some of the greatest threats to IT security are people and processes. Effective security is a team effort involving the participation and support of every user of Council information and/or information systems. 2. Definitions Availability Confidentiality Integrity Ensuring that authorised users have access to information and associated systems when required. Ensuring that information is accessible only to those authorised to have access. Safeguarding the accuracy and completeness of information and information processing activities. 3. Scope This policy covers all users of Council s IT facilities. 4. Context Information security standards are required for the organisation and are based upon and audited against the current version of the Australian Standards/New Zealand Standards ISO/IEC 17799:2001 Code of Practice for Information Security Management. The Public Records Act 1973 must also be consulted in regard to retention and destruction of information 5. Policy 5.1 Policy Objectives Information and the equipment used to process IT are important business assets. Confidentiality, integrity and availability are required in order for Council to maintain both its services and its legal obligations. This dependence on information equipment and processes within Council creates a high level of vulnerability to security threats. The open nature of local government and the connection of Council s information systems to external networks increase the potential for security breaches or other incidents. Information Security Policy (Version 2.3) Page 3 of 6

4 The primary objective of this policy is to help secure the information assets of the Council. This includes both the operational and legal requirements for information security. 5.2 Information Security Controls Ultimately information security controls are to be selected based on risk assessment however the following are to be considered when selecting specific controls Intellectual property rights Safeguarding of organisational records Information Privacy Act 2000 Security Policies Council s Fraud Policy Business Continuity Planning 5.3 Requirements Reporting of security incidents Creation of a security culture Public Records Act 1973 and other legislative requirements Password Controls The username and password used for access to the Council Network is one of the critical components of IT security protection and should accord with Council s password standards Virus Protection Council must ensure appropriate firewall, server and antivirus software configurations are maintained and kept up to date to protect Council information Network PCs and Notebook Computers To ensure computer systems are protected at all times, Council runs virus scanning software on all PCs and notebook computers. The virus scanning software on PCs and notebook computers must never be turned off Virus Protection Servers To ensure our computer systems are protected at all times Council runs virus scanning software on all servers. The virus scanning software on a server must never be turned off unless directed to do so by the Manager Information Technology or delegate Virus Updates The Information Technology Department will ensure that the virus software installed on all active PCs and Servers is current and is kept up to date in an automated manner. Information Security Policy (Version 2.3) Page 4 of 6

5 5.4 Standard Operating Environment The Information Technology Department will routinely run audits on all PCs / Peripheral Devices and servers to ensure compliance with Council s policies and procedures. Breaches will be reported to the Director Corporate Services Installing Software Software is not permitted to be installed or downloaded onto any Council PC / Device unless authorised to do so by the Manager Information Technology. The use of unlicensed and pirated software is strictly forbidden Desktop Lock Down A Standard Operating System must be in place to provide: Service Packs 5.5 Physical Security Access to licensed software; Common Operating System; Limited ability to change the PC configuration. The latest Service Packs and post Service Pack Hot Fixes (for both Operating Systems and Applications) will be installed and configured in accordance with the latest vendor notices Server/Communication Rooms All server/communications rooms must be environmentally controlled where appropriate and access limited to authorised Council officers and contractors. 5.6 Operational Procedures From time to time specific Operating Procedures will be created to cover particular issues that have security implications. These will be notified to users. 6. Administrative updates It is recognised that, from time to time, circumstances may change leading to the need for minor administrative changes to this document. Where an update does not materially alter this document, such a change may be made administratively. Examples include a change to the name of a Council department, a change to the name of a Federal or State Government department, and a minor update to legislation which does not have a material impact. However, any change or update which materially alters this document must be by resolution of Council. 7. Review The next biennial review of this document is scheduled for completion by 31 August Information Security Policy (Version 2.3) Page 5 of 6

6 8. Breaches of legislation clause Breaches will be dealt with under the provisions of the following: Councillors Code of Conduct Code of Conduct for staff and Volunteers Section 76B of the Local Government Act 1989 Section 76BA of the Local Government Act 1989 Section 76D of the Local Government Act 1989 Section 76E of the Local Government Act 1989 Section 77 of the Local Government Act 1989 G:\Organisational Strategy Projects\Policy Documents\Council adopted\information Security Policy (Version 2.3).doc Information Security Policy (Version 2.3) Page 6 of 6