SECTION 15 INFORMATION TECHNOLOGY

Size: px
Start display at page:

Download "SECTION 15 INFORMATION TECHNOLOGY"

Transcription

1 SECTION 15 INFORMATION TECHNOLOGY 15.1 Purpose 15.2 Authorization 15.3 Internal Controls 15.4 Computer Resources 15.5 Network/Systems Access 15.6 Disaster Recovery Plan (DRP)

2 15.1 PURPOSE The Navajo County Information Technology (IT) Policy is established to ensure that information systems and financial data are adequately safeguarded. Secure systems and data are achieved through the establishment of general and application controls. General controls apply to all IT functions and should achieve the following objectives: A. Effective management of IT resources. B. Adequate segregation of duties and responsibilities. C. Identification of hardware or system software malfunctions. D. Prevention of accidental record destruction. E. Restriction of access to IT resources, such as equipment, files, programs, documentation, and telecommunications. F. Effective systems and programs to prohibit unauthorized program change. G. Detection or prevention of accidental errors occurring during processing. H. Development and modification of IT-based accounting systems according to management and user reporting requirements. I. Consistent and reliable operation of the IT function. J. Adequate documentation and control of systems, programs, and instructions. Application controls are categorized as input, processing, and output controls and should achieve the following objectives: A. Maintain an adequate audit trail so transactions can be traced from inception to final disposition through the IT process and vice versa. B. Input date is appropriately authorized. C. Transactions are recorded accurately on the computer files. D. Data on files remains correct and current over an extended period. E. Computer-generated output is reconciled, checked for validity, and distributed to the appropriate recipients.

3 To properly prepare for a disaster policies and procedures should include the following: A. Formally assign disaster recovery coordinators from applicable departments to form a disaster recovery team. B. Require the creation and preservation of back-up data. C. Make provisions for the alternative processing of data following a disaster. D. Provide detailed procedures for restoring data files. E. Establish guidelines for the immediate aftermath of a disaster AUTHORIZATION A. Ensure security over computer systems and the data they contain to prevent or detect unauthorized use, damage, loss, or modification of programs, and misuse of information. 1. Limit logical access to authorized users of the County systems. 2. Use a standardized access request form for approval for access to the systems, and retain all access request forms with the supervisor s approval. 3. Eliminate access to computer systems promptly when an employee separates employment with the County. 4. Require users to change passwords at regular intervals, e.g., every 3 months, and to set passwords that include special characters and minimum length. 5. System controls to lock out users after more than three failed access attempts INTERNAL CONTROLS A. Internal controls support IT activities and help Navajo County to achieve the following objectives: 1. Effective management of computer resources. 2. Adequate segregation of duties and responsibilities. 3. Identification of hardware and system software malfunctions.

4 4. Restriction of access to IT resources, such as equipment, data, programs, documentation, and communication systems. 5. Effective systems and programs to prohibit unauthorized program change. 6. Adequate documentation and control of systems, programs, and instructions. 7. A periodic review of user access is conducted to ensure segregation of duties. 8. Elevated access as related to job duties is monitored electronically on an ongoing basis. B. Organization and operation controls provide segregation of functions, duties, and responsibilities so that no one individual performs incompatible duties. C. Navajo County has controls for the development and modification of each application system. IT systems are developed or modified according to management and user requirements. Requirements for systems development involve: 1. User representatives and designated management employees evaluate proposed systems at critical stages. 2. Segregation of duties for: a. Developing, implementing changes and testing. b. Authorizing and approving changes. 3. IT personnel will obtain final approval from users before placing a system into operation. 4. IT will establish procedures to authorize, test, implement, and document program changes after implementing the system to maintain its integrity. D. Maintain hardware and system software controls to identify malfunctions that occur in both the hardware and software. E. Access controls provide safeguards that allow only those individuals designed by management to use hardware, files, or programs. 1. Access to production data and program files will be controlled and limited where possible.

5 2. Management will limit computer hardware access to operators and assign hardware to specific employees. This data is maintained and verified in accordance with the capital asset policy 3. Access to hardware, files, and programs is limited and monitored through the following safeguards: a. Physical Security Devices b. Logical Security Techniques F. Data and procedural controls provide a framework for controlling daily operations and establishing safeguards against processing errors. 1. Written documentation of the various IT systems is maintained for users as applicable. 2. IT functions are reviewed and tested periodically to monitor the effectiveness of data and procedural controls. G. Contingency planning controls are designed to safeguard against the accidental loss or destruction of records, and to prevent interruption of IT operations. 1. Backup controls. Files, programs, and documentation are physically safeguarded by maintaining backup copies in an off-site storage facility. 2. Environmental controls. The storage site will be protected against safety hazards and environmental damage, as well as unauthorized access. 3. Disaster recovery controls. Navajo County has outlined disaster recovery controls extensively in the Information Technology Disaster Recovery Plan, a section in the Emergency Operations Plan COMPUTER RESOURCES A. The following general controls are implemented for personal computers, laptops, and tablets. 1. Physical security. In a personal computer environment, personal computers and equipment should be adequately protected against theft, unauthorized use, and environmental hazards. 2. Backup and recovery. Data files are mirrored daily so that at least a second copy is available for processing if the original file is lost or

6 destroyed. Backup copies of critical data files are stored in safe locations that are secure from hazards, such as fire or extreme heat. B. Virus Prevention and Detection The IT Department routinely evaluates network security and attempts to identify potential areas that are susceptible to threats NETWORK/SYSTSEMS ACCESS Network/systems access is requested, approved and granted through a formal process using the Systems Access Request Form in the appendix of this manual. This process applies to new employees or changes to access for existing employees DISASTER RECOVERY PLAN (DRP) A. Purpose. Governments provide many essential services to their citizens. The disruption of these services following a disaster could result in a significant harm or inconvenience to those whom government serves. State and local government have a duty to ensure that disruptions in the provision of essential services are minimized following a disaster. 1. Risk Assessment. All County systems are essential but are prioritized in the event of a disaster recovery. 2. Applicability. The Disaster Recovery Plan covers all essential and critical infrastructure elements, systems and networks. 3. Testing. The DRP is periodically tested in a simulated environment to ensure that it can be implemented in emergency situations and that the management and staff understand how it is to be executed. 4. Communication. All staff must be made aware of the disaster recovery plan and their own respective roles. Copies of the DRP are distributed to appropriate personnel. A copy is kept electronically at the Alternate Data Center. B. Objectives. The principal objective of the disaster recovery program is to develop, test and document a well-structured and easily understood plan which will help the county recover as quickly and effectively as possible from an unforeseen disaster or emergency which interrupts information systems and business operations. Additional objectives include the following: 1. The need to ensure that all employees fully understand their duties in implementing such a plan. 2. The need to ensure that operational policies are adhered to within all planned activities.

7 3. The need to ensure that proposed contingency arrangements are costeffective. 4. The need to consider implications on other county sites. C. Disaster recovery capabilities as applicable to key customers, vendors and others. Key Personnel Contact Info and the notification list are documented in the Emergency Operations Plan (EOC). D. Plan Updating. It is necessary for the DRP updating process to be properly structured and controlled. Whenever changes are made to the plan they are to be fully tested and appropriate amendments should be made to the training materials. This will involve the use of formalized change control procedures under the control of the IT Director. E. Backup Strategy. Navajo County has a fully mirrored recovery site at a remote location. The site is a fully mirrored duplicate site which will enable instantaneous switching between the live site (Holbrook Complex) and the remote backup site. F. Emergency Response. 1. Plan Triggering Events. In the event of the primary facility and/or normal operations failure the disaster recovery plan will be activated 2. Assembly Points. Where the premises need to be evacuated, the alternate data center is the assemble point G. Exercising/Testing. Plan exercising ensures that emergency teams are familiar with their assignments and that systems can be restored as planned. Random periodic testing of systems is performed and results of the testing are documented electronically.

IT Disaster Recovery Plan Template

IT Disaster Recovery Plan Template HOPONE INTERNET CORP IT Disaster Recovery Plan Template Compliments of: Tim Sexton 1/1/2015 An information technology (IT) disaster recovery (DR) plan provides a structured approach for responding to unplanned

More information

IT Disaster Recovery Plan Template. By Paul Kirvan, CISA, CISSP, FBCI, CBCP

<Client Name> IT Disaster Recovery Plan Template. By Paul Kirvan, CISA, CISSP, FBCI, CBCP IT Disaster Recovery Plan Template By Paul Kirvan, CISA, CISSP, FBCI, CBCP Revision History REVISION DATE NAME DESCRIPTION Original 1.0 2 Table of Contents Information Technology Statement

More information

Offsite Disaster Recovery Plan

Offsite Disaster Recovery Plan 1 Offsite Disaster Recovery Plan Offsite Disaster Recovery Plan Presented By: Natan Verkhovsky President Disty Portal Inc. 2 Offsite Disaster Recovery Plan Introduction This document is a comprehensive

More information

Clovis Municipal School District Information Technology (IT) Disaster Recovery Plan

Clovis Municipal School District Information Technology (IT) Disaster Recovery Plan Clovis Municipal School District Information Technology (IT) Disaster Recovery Plan Revision History REVISION DATE NAME DESCRIPTION Draft 1.0 Eric Wimbish IT Backup Disaster Table of Contents Information

More information

Information Systems and Technology

Information Systems and Technology As public servants, it is our responsibility to use taxpayers dollars in the most effective and efficient way possible while adhering to laws and regulations governing those processes. There are many reasons

More information

INFORMATION TECHNOLOGY CONTROLS

INFORMATION TECHNOLOGY CONTROLS CHAPTER 14 INFORMATION TECHNOLOGY CONTROLS SCOPE This chapter addresses requirements common to all financial accounting systems and is not limited to the statewide financial accounting system, ENCOMPASS,

More information

PART 10 COMPUTER SYSTEMS

PART 10 COMPUTER SYSTEMS PART 10 COMPUTER SYSTEMS 10-1 PART 10 COMPUTER SYSTEMS The following is a general outline of steps to follow when contemplating the purchase of data processing hardware and/or software. The State Board

More information

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS 11-1 CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS INTRODUCTION The State Board of Accounts, in accordance with State statutes and the Statements on Auditing Standards Numbers 78

More information

Disaster Recovery Planning

Disaster Recovery Planning Disaster Recovery Planning This is a brief guide, with a suggested table of contents, to help you get started with putting together your Disaster Recovery Plan (DRP) Pensar can assist you in completing

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

General IT Controls Audit Program

General IT Controls Audit Program Contributed February 5, 2002 by Paul P Shotter General IT Controls Audit Program Purpose / Scope Perform a General Controls review of Information Technology (IT). The reviews

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

NCUA LETTER TO CREDIT UNIONS

NCUA LETTER TO CREDIT UNIONS NCUA LETTER TO CREDIT UNIONS NATIONAL CREDIT UNION ADMINISTRATION 1775 Duke Street, Alexandria, VA 22314 DATE: December 2001 LETTER NO.: 01-CU-21 TO: SUBJ: ENCL: All Federally Insured Credit Unions Disaster

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

IT - General Controls Questionnaire

IT - General Controls Questionnaire IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow

More information

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security

More information

Correct Care Technologies Disaster Recovery (DR) Services

Correct Care Technologies Disaster Recovery (DR) Services Correct Care Technologies Disaster Recovery (DR) Services Correct Care DR Plan Revised for Correct Care May, 2015 Version 2.0 Revised by Ravi Krishnan Document Controls Document Control Information Title

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

Internal Control Guide & Resources

Internal Control Guide & Resources Internal Control Guide & Resources Section 5- Internal Control Activities & Best Practices Managers must establish internal control activities that support the five internal control components discussed

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

Data Center Assistance Group, Inc. DCAG Contact: Tom Bronack Phone: (718) 591-5553 Email: bronackt@dcag.com Fax: (718) 380-7322

Data Center Assistance Group, Inc. DCAG Contact: Tom Bronack Phone: (718) 591-5553 Email: bronackt@dcag.com Fax: (718) 380-7322 Business Continuity and Disaster Recovery Job Descriptions Table of Contents Business Continuity Services Organization Chart... 2 Director Business Continuity Services Group... 3 Manager of Business Recovery

More information

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls Review (ITGC) Audit Program Prepared by: Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the

More information

DETAIL AUDIT PROGRAM Information Systems General Controls Review

DETAIL AUDIT PROGRAM Information Systems General Controls Review Contributed 4/23/99 by Steve_Parker/TBE/Teledyne@teledyne.com DETAIL AUDIT PROGRAM Information Systems General Controls Review 1.0 Introduction The objectives of this audit are to review policies, procedures,

More information

Circular to All Licensed Corporations on Information Technology Management

Circular to All Licensed Corporations on Information Technology Management Circular 16 March 2010 Circular to All Licensed Corporations on Information Technology Management In the course of our supervision, it has recently come to our attention that certain deficiencies in information

More information

Information Systems Security Assessment

Information Systems Security Assessment Physical Security Information Systems Security Assessment 1. Is the server protected from environmental damage (fire, water, etc.)? Ideal Answer: YES. All servers must be housed in such a way as to protect

More information

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior GAO United States General Accounting Office Report to the Secretary of the Interior July 2001 INFORMATION SECURITY Weak Controls Place Interior s Financial and Other Data at Risk GAO-01-615 United States

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

Disaster Preparedness & Response

Disaster Preparedness & Response 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 A B C E INTRODUCTION AND PURPOSE REVIEW ELEMENTS ABBREVIATIONS NCUA REFERENCES EXTERNAL REFERENCES Planning - Ensuring

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

SUSD IT Disaster Recovery Plan. Tom Clark, Chief Technology Officer

SUSD IT Disaster Recovery Plan. Tom Clark, Chief Technology Officer SUSD IT Disaster Recovery Plan Tom Clark, Chief Technology Officer Rationale for a Disaster Recovery Plan Need for DRP Identified in the District s Auditor General Report Best practice for IT organizations

More information

U.S. Department of the Interior Office of Inspector General AUDIT REPORT

U.S. Department of the Interior Office of Inspector General AUDIT REPORT U.S. Department of the Interior Office of Inspector General AUDIT REPORT GENERAL CONTROL ENVIRONMENT OF THE FEDERAL FINANCIAL SYSTEM AT THE RESTON GENERAL PURPOSE COMPUTER CENTER, U.S. GEOLOGICAL SURVEY

More information

Volume UC DAVIS HEALTH SYSTEM. HIPAA Security Compliance Workbook. Multi User Guide

Volume UC DAVIS HEALTH SYSTEM. HIPAA Security Compliance Workbook. Multi User Guide Volume 1 UC DAVIS HEALTH SYSTEM HIPAA Security Compliance Workbook Multi User Guide UC DAVIS HEALTH SYSTEM HIPAA Security Compliance Workbook Guide Table of Contents Introduction General Instructions SECTION

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Disaster Recovery Plan Checklist

Disaster Recovery Plan Checklist Disaster Recovery Plan Checklist Your guide for setting up or updating a Disaster Recovery Plan for your business. ArcSource Disaster Recovery Plan Checklist 1. Compile Your Internal Contacts Information

More information

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,

More information

Appendix VIII SAS 70 Examinations of EBT Service Organizations

Appendix VIII SAS 70 Examinations of EBT Service Organizations Appendix VIII SAS 70 Examinations of EBT Service Organizations Background States must obtain an examination by an independent auditor of the State electronic benefits transfer (EBT) service providers (service

More information

State HIPAA Security Policy State of Connecticut

State HIPAA Security Policy State of Connecticut Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

Hong Kong Baptist University

Hong Kong Baptist University Hong Kong Baptist University Disaster Recovery Standard FOR INTERNAL USE ONLY Date of Issue: JULY 2012 Revision History Version Author Date Revision 1.0 Information Security Subcommittee (ISSC) July 2012

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific

More information

Meaningful Use and Core Requirement 15

Meaningful Use and Core Requirement 15 Meaningful Use and Core Requirement 15 How can I comply the lack of time and staff... www.compliancygroup.com 1 Meaningful Use and Core Requirement 15 Meaningful Use Protection of Protected Health Information

More information

MARQUIS DISASTER RECOVERY PLAN (DRP)

MARQUIS DISASTER RECOVERY PLAN (DRP) MARQUIS DISASTER RECOVERY PLAN (DRP) Disaster Recovery is an ongoing process to plan, develop, test and implement changes, processes and procedures supporting the recovery of the critical functions in

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Music Recording Studio Security Program Security Assessment Version 1.1

Music Recording Studio Security Program Security Assessment Version 1.1 Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND

More information

Business Continuity Planning in IT

Business Continuity Planning in IT Introduction: Business Continuity Planning in IT The more your business relies on its IT systems, the more you need to consider how unexpected disruptions might affect your business. These disruptions

More information

The Ministry of Information & Communication Technology MICT

The Ministry of Information & Communication Technology MICT The Ministry of Information & Communication Technology MICT Document Reference: ISGSN2012-10-01-Ver 1.0 Published Date: March 2014 1 P a g e Table of Contents Table of Contents... 2 Definitions... 3 1.

More information

California State University, Chico. Information Security Incident Management Plan

California State University, Chico. Information Security Incident Management Plan Information Security Incident Management Plan Version 0.8 January 5, 2009 Table of Contents Introduction... 3 Scope... 3 Objectives... 3 Incident Management Procedures... 4 Roles and Responsibilities...

More information

Birkenhead Sixth Form College IT Disaster Recovery Plan

Birkenhead Sixth Form College IT Disaster Recovery Plan Author: Role: Mal Blackburne College Learning Manager Page 1 of 14 Introduction...3 Objectives/Constraints...3 Assumptions...4 Incidents Requiring Action...4 Physical Safeguards...5 Types of Computer Service

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information

Continuity Planning and Disaster Recovery

Continuity Planning and Disaster Recovery Responsible Officer: AVP - Information Technology Services & UC Chief Information Officer Responsible Office: IT - Information Technology Services Issuance Date: 7/27/2007 Effective Date: 7/27/2007 Scope:

More information

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course Rules of Behavior Before you print your certificate of completion, please read the following Rules of Behavior

More information

The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures

The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures to protect and secure a covered entity s electronic information

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 3.0 Ratified By Date Ratified April 2013 Author(s) Responsible Committee / Officers Issue Date January 2014 Review Date Intended Audience Impact

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review Date

More information

INFORMATION SECURITY PROGRAM

INFORMATION SECURITY PROGRAM Approved 1/30/15 by Dr. MaryLou Apple, President MSCC Policy No. 1:08:00:02 MSCC Gramm-Leach-Bliley INFORMATION SECURITY PROGRAM January, 2015 Version 1 Table of Contents A. Introduction Page 1 B. Security

More information

Mille Lacs Band of Ojibwe Indians Gaming Regulatory Authority Detailed Gaming Regulations

Mille Lacs Band of Ojibwe Indians Gaming Regulatory Authority Detailed Gaming Regulations I. SCOPE. This document includes the for Information Technology to be regulated and played in compliance with Title 15 of the Mille Lacs Band Statutes Annotated. II. REGULATIONS APPLICABLE TO INFORMATION

More information

DISASTER RECOVERY AND CONTINGENCY PLANNING CHECKLIST FOR ICT SYSTEMS

DISASTER RECOVERY AND CONTINGENCY PLANNING CHECKLIST FOR ICT SYSTEMS Appendix L DISASTER RECOVERY AND CONTINGENCY PLANNING CHECKLIST FOR ICT SYSTEMS I. GETTING READY A. Obtain written commitment from top management of support for contingency planning objectives. B. Assemble

More information

California State University, Sacramento INFORMATION SECURITY PROGRAM

California State University, Sacramento INFORMATION SECURITY PROGRAM California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...

More information

Administrators Guide Multi User Systems. Calendar Year

Administrators Guide Multi User Systems. Calendar Year Calendar Year 2012 Enter Facility Name Here HIPAA Security Compliance Workbook For Core Measure 15 of Meaningful Use Requirements Annual Risk Analysis Administrators Guide Multi User Systems 1 HIPPA Compliance

More information

General Computer Controls

General Computer Controls 1 General Computer Controls Governmental Unit: University of Mississippi Financial Statement Date: June 30, 2007 Prepared by: Robin Miller and Kathy Gates Date: 6/29/2007 Description of computer systems

More information

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Department of Information Technology Data Center Disaster Recovery Audit Report Final Report. September 2006

Department of Information Technology Data Center Disaster Recovery Audit Report Final Report. September 2006 Department of Information Technology Data Center Disaster Recovery Audit Report Final Report September 2006 promoting efficient & effective local government Executive Summary Our audit found that a comprehensive

More information

Final Audit Report -- CAUTION --

Final Audit Report -- CAUTION -- U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Audit of Information Systems General and Application Controls and Administrative Expense Review at

More information

The Practice of Internal Controls. Cornell Municipal Clerks School July 16, 2014

The Practice of Internal Controls. Cornell Municipal Clerks School July 16, 2014 The Practice of Internal Controls Cornell Municipal Clerks School July 16, 2014 Page 1 July 18, 2014 Cash Receipts (Collection procedures) Centralize cash collections within a department or for the local

More information

Business Unit CONTINGENCY PLAN

Business Unit CONTINGENCY PLAN Contingency Plan Template Business Unit CONTINGENCY PLAN Version 1.0 (Date submitted) Submitted By: Business Unit Date Version 1.0 Page 1 1 Plan Review and Updates... 3 2 Introduction... 3 2.1 Purpose...

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

DHHIT Network Security Standards and Procedures

DHHIT Network Security Standards and Procedures DHHIT Network Security Standards and Procedures Contents 1. Introduction 2 2. Scope 2 3. Definitions 2 4 Employment practices 2 5 Employee responsibility 3 6 Physical security 3 7 Network and Systems Security

More information

DRAFT Disaster Recovery Policy Template

DRAFT Disaster Recovery Policy Template DRAFT Disaster Recovery Policy Template NOTE: This is a boiler plate template much information is needed from to finalizeconsider this document pre-draft FOREWARD... 3 Policy Overview...

More information

Disaster Recovery. 1.1 Introduction. 1.2 Reasons for Disaster Recovery. EKAM Solutions Ltd Disaster Recovery

Disaster Recovery. 1.1 Introduction. 1.2 Reasons for Disaster Recovery. EKAM Solutions Ltd Disaster Recovery Disaster Recovery 1.1 Introduction Every day, there is the chance that some sort of business interruption, crisis, disaster, or emergency will occur. Anything that prevents access to key processes and

More information

ICT & Communications Services Disaster & Recovery Plan

ICT & Communications Services Disaster & Recovery Plan ICT & Communications Services Disaster & Recovery Plan Advanced IT Services with George Spencer Academy www.aitn.co.uk Advanced IT Services - Arthur Mee Road, Stapleford, Nottingham. NG9 7EW Email: info@advanceditservices.co.uk

More information

TECHNICAL SECURITY AND DATA BACKUP POLICY

TECHNICAL SECURITY AND DATA BACKUP POLICY TECHNICAL SECURITY AND DATA BACKUP POLICY PURPOSE Effective technical security depends not only on technical measures, but also on appropriate policies and procedures and on good user education and training.

More information

BME CLEARING s Business Continuity Policy

BME CLEARING s Business Continuity Policy BME CLEARING s Business Continuity Policy Contents 1. Introduction 1 2. General goals of the Continuity Policy 1 3. Scope of BME CLEARING s Business Continuity Policy 1 4. Recovery strategies 2 5. Distribution

More information

Network & Information Security Policy

Network & Information Security Policy Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk

More information

CUNY SCHOOL OF PROFESSIONAL STUDIES: DEPARTMENTAL RETENTION SCHEDULE 4/7/2014 OFFICE OF INFORMATION TECHNOLOGY

CUNY SCHOOL OF PROFESSIONAL STUDIES: DEPARTMENTAL RETENTION SCHEDULE 4/7/2014 OFFICE OF INFORMATION TECHNOLOGY IT-1 Contracts/ Software Licenses/ Use Agreements General 6[6] IT-2 CUNY SCHOOL OF PROFESSIONAL STUDIES: DEPARTMENTAL RETENTION SCHEDULE 4/7/2014 CUNY-CIS Information Security Procedures Attestation Forms

More information

Service Level Standard

Service Level Standard Service Level Standard Personal Devices Revision History Date Version Changes 2/17/2012 1.00 Initial Draft Special Note: Service Level Standards will be reviewed and updated following the end of the spring

More information

Union County. Electronic Records and Document Imaging Policy

Union County. Electronic Records and Document Imaging Policy Union County Electronic Records and Document Imaging Policy Adopted by the Union County Board of Commissioners December 2, 2013 1 Table of Contents 1. Purpose... 3 2. Responsible Parties... 3 3. Availability

More information

University of San Diego University Audit Office Self-Audit Tool. A - General

University of San Diego University Audit Office Self-Audit Tool. A - General University of San Diego University Audit Office Self-Audit Tool Department: Budget Officer: Completed by: Date: The Self-Audit Tool is a guide and is not all-inclusive. Yes indicates a needed control is

More information

GENERAL APPLICATION FOR ELECTRONIC COMMUNICATION SYSTEM ( ECS ) INSURANCE

GENERAL APPLICATION FOR ELECTRONIC COMMUNICATION SYSTEM ( ECS ) INSURANCE GENERAL APPLICATION FOR ELECTRONIC COMMUNICATION SYSTEM ( ECS ) INSURANCE (CLAIMS MADE BASIS) APPLICANT S INSTRUCTIONS: 1. Answer all questions. If the answer requires detail, please attach a separate

More information

Disaster Recovery Planning Process

Disaster Recovery Planning Process Disaster Recovery Planning Process By Geoffrey H. Wold Part I of III This is the first of a three-part series that describes the planning process related to disaster recovery. Based on the various considerations

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

PBGC Information Security Policy

PBGC Information Security Policy PBGC Information Security Policy 1. Purpose. The Pension Benefit Guaranty Corporation (PBGC) Information Security Policy (ISP) defines the security and protection of PBGC information resources. 2. Reference.

More information

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified Author(s) Responsible Committee / Officers Issue Date Review Date Intended Audience Impact Assessed CCG Committee

More information

PAPER-6 PART-5 OF 5 CA A.RAFEQ, FCA

PAPER-6 PART-5 OF 5 CA A.RAFEQ, FCA Chapter-4: Business Continuity Planning and Disaster Recovery Planning PAPER-6 PART-5 OF 5 CA A.RAFEQ, FCA Learning Objectives 2 To understand the concept of Business Continuity Management To understand

More information