Information Security Baseline (minimal measures)

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Information Security Baseline (minimal measures)"

Transcription

1 Information Security Baseline (minimal measures) 1

2 Version management Version September st draft Version September nd draft after review by Erik Adriaens Version October th draft after input from Maritta de Vries Version November th draft after review by information managers and ISSC Version December 2013 Draft after incorporating remarks from Consultation of the Directors of Administration Version February 2014 Adopted by the Board (same as 0.5) 2

3 Executive summary The information security baseline (Minimum Measures) constitutes an elaboration of Leiden University s information security policy and contains measures concerning the organisation and development of information services and the management and maintenance of these services. Additionally, a number of measures are listed that provide a basic level of security for university information systems. With the adoption and introduction of this Baseline, the strategic policy assumptions set forth in the information security policy are given a concrete implementation. Both the information security policy and the baseline concern all individuals, procedures and processes and information and information systems (whether managed by the university or subcontracted). Information systems includes the basic infrastructure (including other networks, workplaces and storage), concern systems (institution-wide systems) and the specific systems of units. The baseline encompasses measures that must be implemented on systems belonging to risk category 3. As for systems belonging to a higher category, such as categories 2 and 1, additional requirements are set, along with supplementary measures. 3

4 Contents 1. Introduction Motivation Vision on security Standards Baseline scope of activity Responsibility for the baseline Baseline objective 6 2. Basic security level The basic security level Supplementary measures 8 3. The baseline (set of minimum measures) 10 4

5 1. Introduction 1.1 Motivation Information security (IS) is a current topic. Every day there are reports in the media concerning things such as botnets, information siphoned off by (foreign) governments, DDoS attacks on banks, educational institutions, viruses that make charges to one s bank account, spam and phishing, etc. This makes it clear that more attention needs to be given to the issue and that countermeasures need to be identified and implemented to ward off such attacks. This Information Security Baseline (Minimal Measures) document constitutes an elaboration of Leiden University s information security policy and contains measures concerning the organisation and development of information services and the management and maintenance thereof. Additionally, a number of measures are listed that provide a basic level of security for university information systems. The adoption and introduction of this Baseline represent the implementation of the strategic policy assumptions established in the information security policy (separate document). 1.2 Vision for security The vision is discussed in the information security policy. In brief, what it boils down to is that Leiden University wants to actively contribute to the security and perceived security of all university employees and students and of all its guests. Not because the environment is currently insecure, but in order to continue to safeguard a secure environment. Security is a precondition for a good academic climate in which those involved can flourish without hindrance. As a research institution, the University also wishes to contribute to the development and improvement of security within society. Summarised in a few points this means: Information security is and will continue to be a responsibility for the line management. The primary assumption for information security continues to be risk management. The classic IS approach, characterised by limiting possibilities, is making way for safe facilitation. The focus is shifting from securing the network to securing data. Responsible and deliberate behaviour on the part of individuals is essential for good information security. Information security requires an integrated approach. 1.3 Standards The framework of standards for the information security policy and the baseline of measures is based on the Information Security Code: NEN 27001:2005 and NEN 27002:

6 1.4 Baseline scope of activity Both the information security policy and the baseline concern all individuals, procedures and processes and information and information systems (whether managed by the university or subcontracted). Information systems includes the basic infrastructure (including other networks, workplaces and storage), concern systems (institution-wide systems) and the specific systems of units. The baseline includes measures that must be implemented on systems belonging to category 3. As for systems belonging to a higher category, such as categories 2 and 1, additional requirements are set, along with supplementary measures. 1.5 Responsibility for the baseline The Executive Board is ultimately responsible for the baseline, and adopted it on [date]. The security manager is responsible for maintaining this baseline. The information or system owner is responsible for applying the baseline. The responsibilities are further elaborated in the information security policy. 1.6 Baseline objective The goal of the baseline is to safeguard the continuity of business operations and to minimise damage by preventing security incidents and minimising possible consequences. 6

7 2. Basic security level 2.1 The basic security level All data in systems to which this information security policy is applicable gets classified. The level of the security measures depends on the category. The category to which information is assigned depends on the data in information systems and is determined on the basis of risk analyses. In this regard the following aspects are significant: a. availability b. integrity c. confidentiality Availability is the degree to which data or functionality is available for users at the appropriate times. Integrity is the degree to which data or functionality are input correctly. Confidentiality is the degree to which access to data or functionality is limited to those who are authorised. Aspects and characteristics of information security and related threats: Aspect Characteristic Threat Examples of threat Availability Timeliness Delay Infrastructure overload Continuity Outage Faulty infrastructure Integrity Correctness Modification Unauthorised changes to data; virus infection; typographical error Completeness Removal Unauthorised deletion of data Addition Unauthorised addition of data Validity Obsolescence Failure to keep data up to date Authenticity Falsification Fraudulent transaction Irrefutability Denial Denying having sent a particular message Confidentiality Exclusivity Disclosure Listening in on the network; hacking Misuse Large-scale private use The basic security level consists of the following: Category Description Measure Level 3 Breach in availability, exclusivity and integrity of the system does not cause a (major) disruption. The system must meet the minimum measures (IS baseline). 7

8 The valuation of the three aspects of IS looks like this: IS aspects Availability Confidentiality Integrity Valuation (Low, Mid, High) L L L The baseline level is the level of basic risk. This means that a risk classification has been carried out and the availability, confidentiality and integrity are at the level of low. For this level, measures have been drawn up which every system must meet. If the system has an increased or high risk, extra (supplementary) measures must be taken. 2.2 Supplementary measures If the data category is designated as level 2 or level 1, a high level of security is necessary. A higher level is needed in situations where, for instance, confidential information is worked with and a higher availability of the system or (high) integrity of information is required. Supplementary measures can also concern protecting privacy. This is the case, for example, when loss or unlawful/careless use of personal information causes additional adverse consequences for the individual involved. The following measures must be taken if the risk analysis makes it apparent that the system has an increased or high risk: IS aspects Availability Confidentiality Integrity Selection from the supplementary measures Redundancy Emergency power supply Fail-over provision Continuous monitoring and follow-up Secure storage of source software Data transport encryption Hard authentication Authorisation according to role Clear desk Monitoring removal Monitoring input Authorisation according to role Training (core) users Licence servers Combating shadow files 8

9 After completion of the risk analysis, the security manager draws up a report with the classification. This report is issued to the system owner so that he/she knows what shape the security of the system is in and what measures should be taken. Recommendations are also made. If the owner deviates from this advice, this must be submitted to the security manager. Each year a check will be made whether any incidents have occurred that call for modifying a risk analysis. 9

10 3. The baseline (set of minimum measures) The standard set of minimum measures below is based on the Information Security Code. The measures are described as an end result that can be tested for. It is the responsibility of either the system owner or the management of the faculty or unit to safeguard the measures. Organisation 1. The various roles as defined in the information security policy are assigned. 2. Nobody in an organisation may have the permissions at operational level to have control over an entire cycle of actions in a critical information system. This is due to the risk that he/she may wrongfully favour him/herself or others, or may inflict damage on the organisations. This applies both to information processing and to management actions. Classification and management of assets 3. An up-to-dated register will be kept of assets (with purpose and owner) that represent an interest for the organisation, such as (collections of) information, software, hardware and services. 4. A responsible line manager will be designated for each business process, application and data collection. 5. Categorisation guidelines have been drawn up for classifying information. 6. All software must be licensed, either by the faculty/unit itself or the ISSC. Illegal software is not allowed. 7. Real Estate is responsible for the blueprints of buildings, with all relevant details. 8. The existence and consequences of the Code of Conduct for ICT facilities and services will be regularly brought to the attention of all users of Leiden University information services, in any case whenever employees are hired and when students begin a degree programme at Leiden University. 9. The system owner will ensure there is an exit procedure whereby access rights to information services can be revoked for staff and students leaving the university/faculty/department. 10. Security measures have been taken concerning (sensitive) equipment and files in a computer area. 10

11 Management of communications and operational processes 11. ISSC has operational procedures that include information about booting up, shutting down, backup and restoration steps, handing errors, managing logs, contact people, emergency procedures and special measures for security. 12. There are logically separate systems for Development, Testing and/or Accepting and Production (DTAP). The systems and applications in these zones do not influence systems and applications in other zones. 13. The ICT services will meet the level of availability agreed upon for the services. 14. Measures have been taken for detection, prevention and restoration to protect against malware (viruses, Trojan horses, spam, etc.) on infrastructure. 15. There is a data backup policy that is defined in service level agreements (SLOs). 16. Back-up media with a storage duration of longer than 1 year will be checked for readability at least once a year. If there are doubts regarding the quality of the media, the media will be duplicated in order to obtain a good-quality copy. 17. At least the monthly backups will be stored off-site. Other backups will be kept in a space that is not located in the vicinity of the computer area(s). 18. When confidential data is exchanged between two systems, whereby a connection is used that is not property of the University, this data must be encrypted prior to being sent. 19. Changes to IT systems will be planned according to ITIL and approved through a change procedure. Access security 20. Formal procedures have been established for registering and deregistering users, for granting and revoking access rights to all information systems and services. 21. Non-employees of the ICT department involved will only be allowed access to server spaces accompanied by an ICT department employee. 22. All default passwords must be replaced with non-default passwords on all systems. Passwords will be stored on a system in unilaterally encrypted form. 23. Networks must be secured against unauthorised access. 24. A password must consist of at least 8 and at most 13 characters, contain at least 1 lower case letter, 1 upper case letter and 1 numeral and be valid for a maximum of 182 days. This part is currently undergoing a change in the new policy. Once the change is determined, this text will be replaced. 25. Encrypted network protocols (HTTPS, IMAPS, POP3S) are always used for the login procedure. 11

12 26. Users will observe good security habits such as not writing down one s passwords, never sharing a password with others, changing one s password if there is a suspicion that it has become known to a third party and locking down one s workspace when absent. 27. There is a policy concerning the use of networks and network services. Users will only be granted access to network services that are necessary for their work. 28. BYOD (or private) devices will only gain access using secured interfaces designed especially for that purpose. 29. If remote access to (critical) applications is granted by the system owner, for (functional) managers this shall take place on the basis of two-factor authentication. 30. Employees mobile devices (such as a handheld computer, tablet, smartphone or laptop) on which business information is stored will be equipped with a password, encryption and anti-malware. Wherever possible, this will be enforced by technical means. Wherever possible, opening business information on mobile devices will take place on the basis of zero footprint (with online access, but with no data on the device). If a zero footprint is not (yet) feasible or is undesirable from a functional standpoint, data will be stored in encrypted form. Upon loss or theft, the relevant passwords will be changed immediately. Development and maintenance of systems 31. All information systems shall have an owner, a functional manager and a technical manager. 32. Before a new information system is introduced, a risk analysis will be used to determine which risk category the information processed by this system belongs to and how this new system impacts the existing environment. The methodology and the three categories basic risk, increased risk and high risk apply here. 33. Systems belonging to the basic risk category must meet the minimum measures. For systems belonging to the increased risk and high risk categories, a supplemental risk analysis will be conducted, which may result in supplemental measures. 34. An information system will only become part of the operational IT environment after being formally approved and accepted by the system owner and the ICT department. 35. For all components in the entire information service a procedure will be put into place that ensures that security updates on systems are applied in a timely and correct fashion. Critical patches (as classified by the software provider such as Microsoft, Oracle (including Sun), etc.) must be installed at least on a monthly basis. Non-critical security patches need to be installed at least on a quarterly basis. 12

13 36. The log files of all workstation, server and network systems will be assembled at a central point and undergo automated checks for irregularities. Irregularities having no clear (innocent) explanation will be designated, registered and investigated as security incidents. All clocks on the network must be synchronised with each other in view of the need to be able to compare the time stamps (log books). 37. Security incidents shall be recorded in a system. A report can be generated upon request that gives an overview of the security incidents. 38. A person has been designated as responsible for the handling these security incidents. 39. There shall be a disaster plan in which activities are described such as preventing the interruption of business activities and protecting critical business processes from the consequences of major disruptions in information systems or disasters and in order to achieve timely restoration. Monitoring and compliance 40. Periodically, at least once per year, the entire ICT (network) environment will be scanned by ISSC to identify weak spots using a vulnerability scanner. The security manager will be informed of the results. 41. The system owner or the security manager can in consultation with the ISSC have penetration tests conducted on the entire ICT (network) environment. 13

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information 6 th Floor, Tower A, 1 CyberCity, Ebene, Mauritius T + 230 403 6000 F + 230 403 6060 E ReachUs@abaxservices.com INFORMATION SECURITY POLICY DOCUMENT Information Security Policy Document Page 2 of 15 Introduction

More information

Information Security

Information Security Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Data Access Request Service

Data Access Request Service Data Access Request Service Guidance Notes on Security Version: 4.0 Date: 01/04/2015 1 Copyright 2014, Health and Social Care Information Centre. Introduction This security guidance is for organisations

More information

Information Incident Management Policy

Information Incident Management Policy Information Incident Management Policy Change History Version Date Description 0.1 04/01/2013 Draft 0.2 26/02/2013 Replaced procedure details with broad principles 0.3 27/03/2013 Revised following audit

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

Introduction. The steps involved in using this tool

Introduction. The steps involved in using this tool Introduction This tool is designed to cover all the relevant control areas of ISO / IEC 27001:2013. All sorts of organisations and Because it is a general tool, you may find the language challenging at

More information

INFORMATION SECURITY PROCEDURES

INFORMATION SECURITY PROCEDURES INFORMATION AN INFORMATION SECURITY PROCEURES Parent Policy Title Information Security Policy Associated ocuments Use of Computer Facilities Statute 2009 Risk Management Policy Risk Management Procedures

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Policy Document. Communications and Operation Management Policy

Policy Document. Communications and Operation Management Policy Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author

More information

NOS for IT User and Application Specialist. IT Security (ESKITU04) November 2014 V1.0

NOS for IT User and Application Specialist. IT Security (ESKITU04) November 2014 V1.0 NOS for IT User and Application Specialist IT Security (ESKITU04) November 2014 V1.0 NOS Reference ESKITU040 ESKITU041 ESKITU042 Level 3 not defined Use digital systems NOS Title Set up and use security

More information

Microsoft Windows Client Security Policy. Version 2.1 POL 033

Microsoft Windows Client Security Policy. Version 2.1 POL 033 Microsoft Windows Client Security Policy Version 2.1 POL 033 Ownership Policy Owner: Information Security Manager Revision History Next Review Date: 2 nd April 2015 Approvals This document requires the

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Cyber Essentials Scheme

Cyber Essentials Scheme Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these

More information

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee Windows Server Security Best Practices Initial Document Created By: 2009 Windows Server Security Best Practices Committee Document Creation Date: August 21, 2009 Revision Revised By: 2014 Windows Server

More information

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public] IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System

More information

InsightCloud. www.insightcloud.com. Hosted Desktop Service. What is InsightCloud? What is SaaS? What are the benefits of SaaS?

InsightCloud. www.insightcloud.com. Hosted Desktop Service. What is InsightCloud? What is SaaS? What are the benefits of SaaS? What is InsightCloud? InsightCloud is a web portal enabling Insight customers to purchase and provision a wide range of Cloud services in a straightforward and convenient manner. What is SaaS? Software

More information

Guidelines for smart phones, tablets and other mobile devices

Guidelines for smart phones, tablets and other mobile devices Guidelines for smart phones, tablets and other mobile devices Summary Smart phones, tablets and other similar mobile devices are being used increasingly both privately and in organisations. Another emerging

More information

ABERDARE COMMUNITY SCHOOL

ABERDARE COMMUNITY SCHOOL ABERDARE COMMUNITY SCHOOL IT Security Policy Drafted June 2014 Revised on....... Mrs. S. Davies (Headteacher) Mr. A. Maddox (Chair of Interim Governing Body) IT SECURITY POLICY Review This policy has been

More information

RL Solutions Hosting Service Level Agreement

RL Solutions Hosting Service Level Agreement RL Solutions Hosting Service Level Agreement April 2012 Table of Contents I. Context and Scope... 1 II. Defined Terms... 1 III. RL Solutions Responsibilities... 2 IV. Client Responsibilities... 4 V. The

More information

Dublin Institute of Technology IT Security Policy

Dublin Institute of Technology IT Security Policy Dublin Institute of Technology IT Security Policy BS7799/ISO27002 standard framework David Scott September 2007 Version Date Prepared By 1.0 13/10/06 David Scott 1.1 18/09/07 David Scott 1.2 26/09/07 David

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

EXIN Information Security Foundation based on ISO/IEC 27002. Sample Exam

EXIN Information Security Foundation based on ISO/IEC 27002. Sample Exam EXIN Information Security Foundation based on ISO/IEC 27002 Sample Exam Edition June 2016 Copyright 2016 EXIN All rights reserved. No part of this publication may be published, reproduced, copied or stored

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by: Tameside Metropolitan Borough Council ICT Security Policy for Schools Adopted by: 1. Introduction 1.1. The purpose of the Policy is to protect the institution s information assets from all threats, whether

More information

Wellesley College Written Information Security Program

Wellesley College Written Information Security Program Wellesley College Written Information Security Program Introduction and Purpose Wellesley College developed this Written Information Security Program (the Program ) to protect Personal Information, as

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

Technical Standards for Information Security Measures for the Central Government Computer Systems

Technical Standards for Information Security Measures for the Central Government Computer Systems Technical Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 2.1 General...

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

BCS IT User Syllabus IT Security for Users Level 2. Version 1.0

BCS IT User Syllabus IT Security for Users Level 2. Version 1.0 BCS IT User Syllabus IT for Users Level 2 Version 1.0 June 2009 ITS2.1 System Performance ITS2.1.1 Unwanted messages ITS2.1.2 Malicious ITS2.1.1.1 ITS2.1.1.2 ITS2.1.2.1 ITS2.1.2.2 ITS2.1.2.3 ITS2.1.2.4

More information

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network...

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network... Contents 1 Purpose... 2 2 Scope... 2 3 Roles and Responsibilities... 2 4 Physical & Environmental Security... 3 5 Access Control to the Network... 3 6 Firewall Standards... 4 7 Wired network... 5 8 Wireless

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

PCI DSS Requirements - Security Controls and Processes

PCI DSS Requirements - Security Controls and Processes 1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data

More information

Data Protection Act 1998. Bring your own device (BYOD)

Data Protection Act 1998. Bring your own device (BYOD) Data Protection Act 1998 Bring your own device (BYOD) Contents Introduction... 3 Overview... 3 What the DPA says... 3 What is BYOD?... 4 What are the risks?... 4 What are the benefits?... 5 What to consider?...

More information

Information Security Policy Manual

Information Security Policy Manual Information Security Policy Manual Latest Revision: May 16, 2012 1 Table of Contents Information Security Policy Manual... 3 Contact... 4 Enforcement... 4 Policies And Related Procedures... 5 1. ACCEPTABLE

More information

This Time. Safety & Security in ICT Systems INFO 2. Threats to ICT systems. Hacking

This Time. Safety & Security in ICT Systems INFO 2. Threats to ICT systems. Hacking This Time Safety & Security in ICT Systems INFO 2 Oliver Boorman-Humphrey www.oliverboorman.biz This time we look at the need to protect data in ICT systems and the subsequent threats if these measures

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

More information

INFORMATION SECURITY FOR YOUR AGENCY

INFORMATION SECURITY FOR YOUR AGENCY INFORMATION SECURITY FOR YOUR AGENCY Presenter: Chad Knutson Secure Banking Solutions, LLC CONTACT INFORMATION Dr. Kevin Streff Professor at Dakota State University Director - National Center for the Protection

More information

OSU INSTITUTE OF TECHNOLOGY POLICY & PROCEDURES

OSU INSTITUTE OF TECHNOLOGY POLICY & PROCEDURES Network Security 6-005 INFORMATION TECHNOLOGIES July 2013 INTRODUCTION 1.01 OSU Institute of Technology (OSUIT) s network exists to facilitate the education, research, administration, communication, and

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

OCR LEVEL 3 CAMBRIDGE TECHNICAL

OCR LEVEL 3 CAMBRIDGE TECHNICAL Cambridge TECHNICALS OCR LEVEL 3 CAMBRIDGE TECHNICAL CERTIFICATE/DIPLOMA IN IT NETWORKED SYSTEMS SECURITY J/601/7332 LEVEL 3 UNIT 28 GUIDED LEARNING HOURS: 60 UNIT CREDIT VALUE: 10 NETWORKED SYSTEMS SECURITY

More information

OCR Level 2 CAMBRIDGE TECHNICAL

OCR Level 2 CAMBRIDGE TECHNICAL Cambridge TECHNICALS OCR Level 2 CAMBRIDGE TECHNICAL CERTIFICATE/DIPLOMA IN IT IT security J/601/4057 LEVEL 2 UNIT 18 GUIDED LEARNING HOURS: 60 UNIT CREDIT VALUE: 10 IT SECURITY J/601/4057 LEVEL 2 Aim

More information

Guardian365. Managed IT Support Services Suite

Guardian365. Managed IT Support Services Suite Guardian365 Managed IT Support Services Suite What will you get from us? Award Winning Team Deloitte Best Managed Company in 2015. Ranked in the Top 3 globally for Best Managed Service Desk by the Service

More information

1 Introduction 2. 2 Document Disclaimer 2

1 Introduction 2. 2 Document Disclaimer 2 Important: We take great care to ensure that all parties understand and appreciate the respective responsibilities relating to an infrastructure-as-a-service or self-managed environment. This document

More information

Level 3 Cambridge Technical in IT 05839/ 05840/ 05841/ 05842 Unit 3 Cyber security. Date Morning/Afternoon Time Allowed: 1 hour

Level 3 Cambridge Technical in IT 05839/ 05840/ 05841/ 05842 Unit 3 Cyber security. Date Morning/Afternoon Time Allowed: 1 hour SAMPLE ASSESSMENT MATERIAL Level 3 Cambridge Technical in IT 05839/ 05840/ 05841/ 05842 Unit 3 Cyber security Date Morning/Afternoon Time Allowed: 1 hour You must have: The Insert (clean copy case study)

More information

STANDARD ON CONTROLS AGAINST MALICIOUS CODE

STANDARD ON CONTROLS AGAINST MALICIOUS CODE EUROPEAN COMMISSION DIRECTORATE-GENERAL HUMAN RESOURCES AND SECURITY Directorate HR.DS - Security Informatics Security Brussels, 21/06/2011 HR.DS5/GV/ac ARES (2011) 663475 SEC20.10.05/04 - Standards European

More information

MAXIMUM PROTECTION, MINIMUM DOWNTIME

MAXIMUM PROTECTION, MINIMUM DOWNTIME MANAGED SERVICES MAXIMUM PROTECTION, MINIMUM DOWNTIME Get peace of mind with proactive IT support Designed to protect your business, save you money and give you peace of mind, Talon Managed Services is

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

WHAT ARE THE BIGGEST THREATS TO BUSINESS DATA SECURITY?

WHAT ARE THE BIGGEST THREATS TO BUSINESS DATA SECURITY? WHAT ARE THE BIGGEST THREATS TO BUSINESS DATA SECURITY? Contents Introduction... 3 Primary Sources of Security Threats... 3 Instant Messaging... 3 Email... 4 Optical and Flash Media... 4 Social Media...

More information

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen ICT Policy THCCGIT20 Version: 01 Executive Summary This document defines the Network Infrastructure and File Server Security Policy for Tower Hamlets Clinical Commissioning Group (CCG). The Network Infrastructure

More information

Enterprise K12 Network Security Policy

Enterprise K12 Network Security Policy Enterprise K12 Network Security Policy I. Introduction The K12 State Wide Network was established by MDE and ITS to provide a private network infrastructure for the public K12 educational community. Therefore,

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

NETWORK SECURITY GUIDELINES

NETWORK SECURITY GUIDELINES NETWORK SECURITY GUIDELINES VIRUS PROTECTION STANDARDS All networked computers and networked laptop computers are protected by GST BOCES or district standard anti-virus protection software. The anti-virus

More information

Managing internet security

Managing internet security Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further

More information

Securing the Service Desk in the Cloud

Securing the Service Desk in the Cloud TECHNICAL WHITE PAPER Securing the Service Desk in the Cloud BMC s Security Strategy for ITSM in the SaaS Environment Introduction Faced with a growing number of regulatory, corporate, and industry requirements,

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

RS Official Gazette, No 23/2013 and 113/2013

RS Official Gazette, No 23/2013 and 113/2013 RS Official Gazette, No 23/2013 and 113/2013 Pursuant to Article 15, paragraph 1 and Article 63, paragraph 2 of the Law on the National Bank of Serbia (RS Official Gazette, Nos 72/2003, 55/2004, 85/2005

More information

How to Practice Safely in an era of Cybercrime and Privacy Fears

How to Practice Safely in an era of Cybercrime and Privacy Fears How to Practice Safely in an era of Cybercrime and Privacy Fears Christina Harbridge INFORMATION PROTECTION SPECIALIST Information Security The practice of defending information from unauthorised access,

More information

WORKSTATION SECURITY STANDARD

WORKSTATION SECURITY STANDARD WORKSTATION SECURITY STANDARD Security Standards are mandatory security rules applicable to the defined scope with respect to the subject. Overview Scope Standard Improperly configured computer systems

More information

New Systems and Services Security Guidance

New Systems and Services Security Guidance New Systems and Services Security Guidance Version Version Number Date Author Type of modification / Notes 0.1 29/05/2012 Donna Waymouth First draft 0.2 21/06/2012 Donna Waymouth Update re certificates

More information

Information Security Policy

Information Security Policy Information Security Policy Last updated By A. Whillance/ Q. North/ T. Hanson On April 2015 This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is

More information

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY ICT OPERATING SYSTEM SECURITY CONTROLS POLICY TABLE OF CONTENTS 1. INTRODUCTION... 3 2. LEGISLATIVE FRAMEWORK... 3 3. OBJECTIVE OF THE POLICY... 4 4. AIM OF THE POLICY... 4 5. SCOPE... 4 6. BREACH OF POLICY...

More information

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A

More information

Incident Reporting Guidelines for Constituents (Public)

Incident Reporting Guidelines for Constituents (Public) Incident Reporting Guidelines for Constituents (Public) Version 3.0-2016.01.19 (Final) Procedure (PRO 301) Department: GOVCERT.LU Classification: PUBLIC Contents 1 Introduction 3 1.1 Overview.................................................

More information

10 Smart Ideas for. Keeping Data Safe. From Hackers

10 Smart Ideas for. Keeping Data Safe. From Hackers 0100101001001010010001010010101001010101001000000100101001010101010010101010010100 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000

More information

Cybersecurity Health Check At A Glance

Cybersecurity Health Check At A Glance This cybersecurity health check provides a quick view of compliance gaps and is not intended to replace a professional HIPAA Security Risk Analysis. Failing to have more than five security measures not

More information

Quick Guide To Information Governance Policies

Quick Guide To Information Governance Policies Quick Guide To Information Governance Policies Data Protection The Data Protection Act 1998 established principles and rights in relation to the collection, use and storage of personal information by organisations.

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Information Security in Universities

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Information Security in Universities Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Information Security in Universities Agenda Information Security Management in Universities Recent

More information

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS Policy: Title: Status: ISP-S9 Use of Computers Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1. Introduction 1.1. This information security policy document contains high-level

More information

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology Cyber Security Incident Handling Policy Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology Date: Oct 9, 2015 i Document Control Document Owner Classification

More information

IT OUTSOURCING SECURITY

IT OUTSOURCING SECURITY IT OUTSOURCING SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Information and Communication Technology. Information Security Policy

Information and Communication Technology. Information Security Policy BELA-BELA LOCAL MUNICIPALITY - - Chris Hani Drive, Bela- Bela, Limpopo. Private Bag x 1609 - BELA-BELA 0480 - Tel: 014 736 8000 Fax: 014 736 3288 - Website: www.belabela.gov.za - - OFFICE OF THE MUNICIPAL

More information

AN OVERVIEW OF VULNERABILITY SCANNERS

AN OVERVIEW OF VULNERABILITY SCANNERS AN OVERVIEW OF VULNERABILITY SCANNERS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole

More information

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified Author(s) Responsible Committee / Officers Issue Date Review Date Intended Audience Impact Assessed CCG Committee

More information

INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS

INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS Effective Date June 9, 2014 INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS OF THE HELLER SCHOOL FOR SOCIAL POLICY AND MANAGEMENT Table of Contents 1.

More information

Unit 3 Cyber security

Unit 3 Cyber security 2016 Suite Cambridge TECHNICALS LEVEL 3 IT Unit 3 Cyber security Y/507/5001 Guided learning hours: 60 Version 1 September 2015 ocr.org.uk/it LEVEL 3 UNIT 3: Cyber security Y/507/5001 Guided learning hours:

More information

UF IT Risk Assessment Standard

UF IT Risk Assessment Standard UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved

More information

SNAP WEBHOST SECURITY POLICY

SNAP WEBHOST SECURITY POLICY SNAP WEBHOST SECURITY POLICY Should you require any technical support for the Snap survey software or any assistance with software licenses, training and Snap research services please contact us at one

More information

Information Security It s Everyone s Responsibility

Information Security It s Everyone s Responsibility Information Security It s Everyone s Responsibility Developed By The University of Texas at Dallas (ISO) Purpose of Training As an employee, you are often the first line of defense protecting valuable

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

Decision on adequate information system management. (Official Gazette 37/2010)

Decision on adequate information system management. (Official Gazette 37/2010) Decision on adequate information system management (Official Gazette 37/2010) Pursuant to Article 161, paragraph (1), item (3) of the Credit Institutions Act (Official Gazette 117/2008, 74/2009 and 153/2009)

More information

Chapter 11 Manage Computing Securely, Safely and Ethically. Discovering Computers 2012. Your Interactive Guide to the Digital World

Chapter 11 Manage Computing Securely, Safely and Ethically. Discovering Computers 2012. Your Interactive Guide to the Digital World Chapter 11 Manage Computing Securely, Safely and Ethically Discovering Computers 2012 Your Interactive Guide to the Digital World Objectives Overview Define the term, computer security risks, and briefly

More information

ELECTRONIC INFORMATION SECURITY A.R.

ELECTRONIC INFORMATION SECURITY A.R. A.R. Number: 2.6 Effective Date: 2/1/2009 Page: 1 of 7 I. PURPOSE In recognition of the critical role that electronic information systems play in City of Richmond (COR) business activities, this policy

More information

Information Security Policy

Information Security Policy Information Security Policy Revised: September 2015 Review Date: September 2020 New College Durham is committed to safeguarding and promoting the welfare of children and young people, as well as vulnerable

More information

TECHNICAL SECURITY AND DATA BACKUP POLICY

TECHNICAL SECURITY AND DATA BACKUP POLICY TECHNICAL SECURITY AND DATA BACKUP POLICY PURPOSE Effective technical security depends not only on technical measures, but also on appropriate policies and procedures and on good user education and training.

More information

UBC Incident Response Plan

UBC Incident Response Plan UBC Incident Response Plan Contents 1. Rationale... 1 2. Objective... 1 3. Application... 1 4. Definitions... 1 4.1 Types of Incidents... 1 4.2 Incident Severity... 2 4.3 Information Security Unit... 2

More information

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation ICT SECURITY POLICY Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation Responsibility Assistant Principal, Learner Services Jannette

More information