Third Party Security Guidelines for e-governance
Draft

DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY
Ministry of Communication and Information Technology, Government of India.
Document Control

S/L  Type of Information          Document Data
1.   Document Title
2.   Document Code
3.   Date of Release
4.   Next Review Date
5.   Document Revision Number
6.   Document Owner
7.   Document Author(s)
8.   Document Reference

Document Approval

Sr. No.  Document Approver  Approver Designation  Approver ID

Document Change History

Version  Revision Date  Nature of Change  Date of Approval

For Internal Use Only Page 2 of 11
Table of Contents

1. Introduction
2. Scope
3. Purpose
4. Third Party Risk Management Framework
5. Management of Third Party
   5.1 Exchange of Information
   5.2 Hiring and Training of Employees
   5.3 Access Control
   5.4 Reporting and Investigating Security Incidents
   5.5 Changes in Services
   5.6 Third Party Risk Assessment
6. Disciplinary Measures for Non-Compliance
7. References
8. Annexure
1. INTRODUCTION

Third parties can assist management in attaining strategic objectives by increasing revenues or reducing costs. The use of a third party also commonly serves as a vehicle for management to access greater expertise or efficiency for a particular activity. However, the use of third parties in no way diminishes the responsibility of e-gov service delivery to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws, regulations and internal policies. These guidelines recognise the close cooperation between e-gov service delivery and third parties, particularly in the area of information security.

The use of third-party services rests on the fundamental observation that the services provided by the third party will be trusted. This trust results from the confidence that the third party is managed correctly and its services are operated securely. To build such trust, third parties can communicate the effectiveness of their information security controls by obtaining security certifications such as ISO and/or by having an independent body review their information security and privacy practices.

2. SCOPE

These guidelines are applicable across all geographies where information of e-gov service delivery is processed and/or stored by a third party. They are applicable to all third parties, sub-contractors and/or representatives of the third party providing services to e-gov service delivery.

3. PURPOSE

The purpose of these guidelines is to:

- Ensure that an appropriate level of security controls is implemented by third parties to protect the information processing facilities of e-gov service delivery and the assets accessed by any third-party entity, and to maintain the security of information when the responsibility for information processing has been outsourced;
- Ensure that regular reviews of third parties are conducted for adherence to this policy and any contractual or regulatory requirement; and
- Provide the third party with an approach and directives for implementing information security controls for all information assets used by them for providing services to e-gov service delivery.

4. THIRD PARTY RISK MANAGEMENT FRAMEWORK

The framework consists of three stages:

- Due Diligence: vendor evaluation criteria will be used which consider Financial Status, Process Maturity, Information Security, etc.
- Contract Structuring: defined guidelines (with clauses on information security) to be followed as part of the contract.
- Post Association Assessment: Risk Profiling/Assessment, Self Assessment and Onsite Review.

Due Diligence (Selecting a third party)

Criteria for selecting a vendor shall be defined and documented, taking into account:

- Information Security;
- Government Fitment with respect to e-gov service delivery;
- Financial;
- Technology and Infrastructure;
- Process Maturity;
- Customer Satisfaction.
Based on the weighted average scores obtained on the above criteria and the best fit, a vendor may be shortlisted/selected.

Contract Structuring (Contracts and confidentiality agreements)

A formal contract between the government department and the third party shall exist to protect both parties. The person responsible shall ensure that, while entering into an agreement with the outsourcing party, the security requirements are clearly communicated to the third party. The following should, as a minimum, be included in the agreement:

- Information shared shall be classified, labelled and controlled in accordance with the e-gov security policy.
- If the information being exchanged is non-public, a binding confidentiality agreement shall be in place between e-gov service delivery and the third party, whether as part of the service contract itself or as a separate non-disclosure agreement (which may be required before the main contract is negotiated).
- The security responsibilities of third-party staff should be incorporated in the contract with the third party.
- Provision shall be made for acceptable use of the information processed by the outsourced function or service, including breach of information security.
- The contract should explicitly state the right to access and the right to audit the third party and their sub-contractors. The third party should not only understand the rationale for audit but also provide all support necessary to conduct the audits.
- If the third party sub-contracts any part of the work, the sub-contracted parties shall also ensure adherence to the e-gov Security Policy.
- The contract shall provide details of legal, regulatory and other third-party obligations such as data protection/privacy laws, etc.
- Upon termination of the contract, the confidentiality arrangements shall be revisited to determine whether confidentiality has to be extended beyond the tenure of the contract.

Post Association Assessment

If a third party performs its activities at a location other than the e-gov service delivery premises, or operates both from service delivery and outside locations, the auditor may periodically audit the third party's physical premises and applicable security controls for compliance with e-gov Security policies, ensuring that it meets the requirements identified in the contract. Additionally, the third party may carry out risk/self-assessments or audits as applicable.

5. MANAGEMENT OF THIRD PARTY

5.1 EXCHANGE OF INFORMATION

While entering into any kind of outsourcing agreement, the transition of information and information processing facilities should be planned; similarly, at the time of termination of the contract it should be ensured that such assets are returned as required. Information security shall be ensured throughout the transition period.

In cases where the third party is requested to delete given data previously used in the outsourced service, mechanisms such as reports or logs should be produced to verify that the data deletion has been securely and properly carried out.

5.2 HIRING AND TRAINING OF EMPLOYEES

Third-party or sub-contractor employees shall be subjected to background checks. Such screening shall take into consideration the level of trust and responsibility associated with the position:

- Proof of the person's identity;
- Proof of their academic qualifications;
- Proof of their work experience;
- Criminal record check;
- Credit check.

Suitable information security awareness, training and education shall be provided to all employees and third parties working on the contract, clarifying their responsibilities relating to e-gov security policies, standards, procedures and guidelines and all relevant obligations defined in the contract.

5.3 ACCESS CONTROL

The concerned department/asset owner will ensure:

- A risk assessment to identify the security implications of providing such access to the third party. The risk assessment shall be approved by the Head IT Security.
- Third-party staff shall be provided access to information assets as per the User Access Management Procedure. However, the following shall be analysed and documented by the IT Helpdesk prior to providing access to critical information systems, and a report on the same shall be submitted to the Head IT Security for review:
  - Type of access required
  - Duration of access required
  - Mode of access required
  - Criticality of the systems on which access is being provided
- In case third-party staff have higher privileges (e.g. administrator, power user, etc.), appropriate clauses relating to the non-disclosure agreement shall be included in the contract.
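The following Python access register is an added illustration, not part of the guideline and not tooling from DeitY. It shows one way to operationalise the documentation step above: every third-party access request records the type, duration, mode and criticality of the access, provisioning is held back for high/critical systems until a Head IT Security review is recorded and for privileged access until the NDA clause is on file, and because each entry is time-bound the register can list access that has lapsed or belongs to disengaged staff. The criticality scale, the review threshold, the field names and the sample people and systems are all assumptions made for the example.

```python
"""Third-party access register (illustrative; not the guideline's own tooling).

Records each access request with the attributes the guideline asks the IT
Helpdesk to document (type, duration, mode, criticality), blocks provisioning
until the required review/NDA is in place, and lists entries due for revocation.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional

# Assumed criticality scale: the guideline names the attribute, not its values.
CRITICALITY = ("low", "medium", "high", "critical")
REVIEW_REQUIRED = {"high", "critical"}         # assumed threshold for Head IT Security review
PRIVILEGED = {"administrator", "power user"}   # the examples the guideline itself gives


def as_date(iso: str) -> date:
    """Parse an ISO date string such as '2024-01-15'."""
    return date.fromisoformat(iso)


@dataclass
class AccessRequest:
    person: str                 # third-party staff member (hypothetical ids in the sample)
    system: str                 # information asset the access is for
    access_type: str            # type of access required
    mode: str                   # mode of access required (onsite, remote VPN, ...)
    criticality: str            # criticality of the system being accessed
    start: date
    duration_days: int          # duration of access required; access is always time-bound
    approved_by: Optional[str] = None   # Head IT Security sign-off, if recorded
    nda_on_file: bool = False           # NDA clause in place for privileged access
    revoked: bool = False

    @property
    def expires(self) -> date:
        return self.start + timedelta(days=self.duration_days)


class AccessRegister:
    def __init__(self) -> None:
        self.entries: List[AccessRequest] = []

    def record(self, req: AccessRequest) -> AccessRequest:
        """Document the request; reject entries that are mis-classified or not time-bound."""
        if req.criticality not in CRITICALITY:
            raise ValueError(f"unknown criticality {req.criticality!r}")
        if req.duration_days <= 0:
            raise ValueError("third-party access must have a positive duration")
        self.entries.append(req)
        return req

    def blockers(self, req: AccessRequest, today: date) -> List[str]:
        """Reasons the access may not be provisioned today; an empty list means it may."""
        reasons = []
        if req.criticality in REVIEW_REQUIRED and req.approved_by is None:
            reasons.append("critical system: Head IT Security review pending")
        if req.access_type in PRIVILEGED and not req.nda_on_file:
            reasons.append("privileged access: NDA clause not on file")
        if req.revoked:
            reasons.append("access revoked")
        if not (req.start <= today < req.expires):
            reasons.append("outside approved access window")
        return reasons

    def may_provision(self, req: AccessRequest, today: date) -> bool:
        return not self.blockers(req, today)

    def due_for_revocation(self, today: date, disengaged: Iterable[str] = ()) -> List[AccessRequest]:
        """Unrevoked entries whose duration has lapsed or whose person has left the contract."""
        gone = set(disengaged)
        return [e for e in self.entries
                if not e.revoked and (today >= e.expires or e.person in gone)]

    def revoke(self, person: str) -> int:
        """Revoke every active entry for a person (e.g. at disengagement); returns the count."""
        count = 0
        for e in self.entries:
            if e.person == person and not e.revoked:
                e.revoked = True
                count += 1
        return count


def build_sample_register() -> AccessRegister:
    """Constructed sample entries; the people and systems are invented for the example."""
    reg = AccessRegister()
    reg.record(AccessRequest("a.vendor", "payroll-db", "administrator", "remote-vpn",
                             "critical", as_date("2024-01-10"), 30,
                             approved_by="head-it-security", nda_on_file=True))
    reg.record(AccessRequest("b.vendor", "ticketing-portal", "read", "onsite",
                             "low", as_date("2024-01-10"), 90))
    reg.record(AccessRequest("c.vendor", "core-router", "power user", "onsite",
                             "high", as_date("2024-01-10"), 14))  # review and NDA still missing
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    today = as_date("2024-01-15")
    for e in reg.entries:
        print(e.person, e.system, "OK" if reg.may_provision(e, today) else reg.blockers(e, today))
    print("due for revocation on 2024-02-09:",
          [e.person for e in reg.due_for_revocation(as_date("2024-02-09"))])
```

Run it directly to see which sample entries may be provisioned and which are due for revocation; in practice the register would be populated from the IT Helpdesk's documented requests and the revocation list reviewed at each disengagement.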
- The asset owner is responsible for accepting the risk related to third-party access to information assets before access is actually provided to the third party.
- The Datacenter head shall ensure that, prior to providing access, security guidelines are issued to third-party staff and their acceptance of the same is obtained.
- Access to all classified information shall be documented and carried out in a controlled fashion.
- A list of personnel is to be maintained to ensure that only the listed personnel have legitimate access to the Information System areas.
- All third-party personnel shall be given access cards/identification badges based on need. The access cards/identification badges given to the personnel shall be marked as non-transferable and returnable on termination of the contract.
- At the time of disengagement, all user accounts and access rights assigned to the third-party employees shall be revoked in a timely manner.

5.4 REPORTING AND INVESTIGATING SECURITY INCIDENTS

The third party shall educate its employees and establish formal reporting and feedback procedures as well as incident response procedures for all security incidents and system weaknesses. The third party shall promptly investigate and mitigate the risk arising from any security incident or system weakness, and shall inform the Datacenter head about such instances, investigations, the remedial plan and a timetable for achieving the planned improvements.

5.5 CHANGES IN SERVICES

Changes to the provision of third-party services should be re-assessed considering the current service delivery systems and the processes involved.
5.6 THIRD PARTY RISK ASSESSMENT

Access to the information assets of e-gov Service Delivery should be provided to third parties on a need-to-know and need-to-have basis. The access provided could be physical, logical or even remote logical access. Third-party access should be provided as per the business requirements and after analysing the risk(s) associated with such access. Therefore, it is important to identify and address such risks through a comprehensive Risk Assessment (hereinafter referred to as RA in this document) exercise. This kind of RA ensures the following:

- Third-party access is provided only where there is a valid business justification; and
- Mitigation controls are implemented to reduce the risk(s) due to such access.

This procedure intends to cover RA in sufficient depth to understand and manage the risks arising from third-party access to the information assets of e-gov Service Delivery. The objectives of conducting an RA for third-party access are as follows:

- To identify, understand and manage the risks applicable to and associated with third-party access to the information assets of e-gov Service Delivery;
- To provide a fair and reasonable amount of assurance to stakeholders about the security controls in place for third-party access to address the risks;
- To ensure that access is provided to the third party only on a need-to-know or need-to-have basis; and
- To ensure that the third-party access controls are appropriately designed and implemented with reasonable effectiveness.

Procedure for Third-party Access Risk Assessment

The RA for third-party access is done in 4 phases:

1. Risk Identification: the IT/Networks function should identify the risks due to providing the required access to the identified information assets and/or facilities.
2. Risk Treatment Plan: for each identified risk, a Risk Treatment Plan should be developed. This should be reviewed and approved by the Composite Team - Security, the IT/Networks function or the CISO. Also, for each risk identified, a Risk Owner should be identified.
3. Implementation Strategy: the CISO may be required to discuss the risks identified by the IT/Networks function. The CISO should provide his/her inputs on whether to implement the additional controls or to accept the risk.
4. Audit of Third-party Access: the CISO or designated personnel from the Composite Team - Security should conduct an audit of third-party access and the implemented mitigation controls to examine their effectiveness. The audit team should review the implementation of controls against each access provided to the third party.

6. DISCIPLINARY MEASURES FOR NON-COMPLIANCE

Non-compliance with the Third Party Security Guidelines is grounds for disciplinary action up to and including termination of the contract.

7. REFERENCES

- e-gov Security Policy
- User Access Management

8. ANNEXURE

Third Party - Risk Management: Third party- Risk management.doc
More informationDomestic Actuarial Regime and Related Governance Requirements under Solvency II
Domestic Actuarial Regime and Related Governance Requirements under Solvency II Response to Central Bank of Ireland Consultation Paper (CP 92) May 2015 1 Section 1: Introduction 1.1 Towers Watson is a
More informationIntelligent Vendor Risk Management
Intelligent Vendor Risk Management Cliff Baker, Managing Partner, Meditology Services LeeAnn Foltz, JD Compliance Resource Consultant, WoltersKluwer Law & Business Agenda Why it s Needed Regulatory Breach
More informationvalueoutcome July Preparing for Phase 2: The next generation of HIPAA audits Organizations will face enhanced privacy and security scrutiny
valueoutcome July 2014 Preparing for Phase 2: The next generation of HIPAA audits Organizations will face enhanced privacy and security scrutiny Highlights 1. In preparation for Phase 2 audits, covered
More informationWHITE PAPER Third-Party Risk Management Lifecycle Guide
WHITE PAPER Third-Party Risk Management Lifecycle Guide Develop and maintain compliant third-party relationships by following these foundational components of a best-practice assessment program. Third
More informationPatch Management Procedure. e-governance
for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type of Information Document
More informationInformation Shield Solution Matrix for CIP Security Standards
Information Shield Solution Matrix for CIP Security Standards The following table illustrates how specific topic categories within ISO 27002 map to the cyber security requirements of the Mandatory Reliability
More informationwww.pwc.com Third Party Risk Management 12 April 2012
www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.
More informationShared service centres
Report by the Comptroller and Auditor General Cabinet Office Shared service centres HC 16 SESSION 2016-17 20 MAY 2016 4 Key facts Shared service centres Key facts 90m estimated savings made to date by
More informationData Processing Agreement for Oracle Cloud Services
Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services
More informationSeven Requirements for Successfully Implementing Information Security Policies and Standards
Seven Requirements for Successfully Implementing and Standards A guide for executives Stan Stahl, Ph.D., President, Citadel Information Group Kimberly A. Pease, CISSP, Vice President, Citadel Information
More informationThis Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.
Microsoft Online Subscription Agreement Amendment adding Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Proposal ID MOSA number Microsoft to complete This Amendment
More informationHow to Protect Intellectual Property While Offshore Outsourcing?
WHITE PAPER [Type text] How to Protect Intellectual Property While Offshore Outsourcing? In an era of increasing data theft, it is important for organizations to ensure that the Intellectual Property related
More informationHow To Protect Decd Information From Harm
Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the
More informationThird-Party Cybersecurity and Data Loss Prevention
Third-Party Cybersecurity and Data Loss Prevention SESSION ID: DSP-W04A Brad Keller Sr. Vice President Santa Fe Group Jonathan Dambrot, CISSP CEO, Co-Founder Prevalent Networks 3rd Party Risk Management
More informationSmart Meters Programme Schedule 2.5. (Security Management Plan) (CSP South version)
Smart Meters Programme Schedule 2.5 (Security Management Plan) (CSP South version) Schedule 2.5 (Security Management Plan) (CSP South version) Amendment History Version Date Author Status v.1 Signature
More informationISO 9001:2015 Overview of the Revised International Standard
ISO 9001:2015 Overview of the Revised International Standard Introduction This document provides: a summary of the new ISO 9001:2015 structure. an overview of the new and revised ISO 9001:2015 requirements
More informationIAF Mandatory Document. Witnessing Activities for the Accreditation of Management Systems Certification Bodies. Issue 1, Version 2 (IAF MD 17:2015)
IAF Mandatory Document Witnessing Activities for the Accreditation of Management Systems Certification Bodies (IAF MD 17:2015) Witnessing Activities for the Accreditation Page 2 of 18 The (IAF) facilitates
More informationStatement of Guidance: Outsourcing All Regulated Entities
Statement of Guidance: Outsourcing All Regulated Entities 1. STATEMENT OF OBJECTIVES 1.1. 1.2. 1.3. 1.4. This Statement of Guidance ( Guidance ) is intended to provide guidance to regulated entities on
More informationThe CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).
Page 1 of 7 The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Domain I provides a solid foundation for the governance of
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More information¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ Ã
CIRCULAR CIR/MIRSD/24/2011 December 15, 2011 All intermediaries registered with SEBI Merchant Bankers/Registrars to An issue and Share Transfer Agents/Debenture Trustees/Bankers to An Issue/Underwriters/Credit
More informationInformation Security Program
Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security
More informationPRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES A CONSULTATION REPORT OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS STANDING COMMITTEE 3 ON MARKET INTERMEDIARIES
More informationAdopting Cloud Computing with a RISK Mitigation Strategy
Adopting Cloud Computing with a RISK Mitigation Strategy TS Yu, OGCIO 21 March 2013 1. Introduction 2. Security Challenges Agenda 3. Risk Mitigation Strategy Before start using When using 4. Policy & Guidelines
More informationInformation Security Program CHARTER
State of Louisiana Information Security Program CHARTER Date Published: 12, 09, 2015 Contents Executive Sponsors... 3 Program Owner... 3 Introduction... 4 Statewide Information Security Strategy... 4 Information
More information