HIGH LEVEL COMPLIANCE REVIEW PHYSICAL SECURITY. Standards of the Standards for Victoria Police Law Enforcement Data Security.

Size: px
Start display at page:

Download "HIGH LEVEL COMPLIANCE REVIEW PHYSICAL SECURITY. Standards 14 19 of the Standards for Victoria Police Law Enforcement Data Security."

Transcription

1 HIGH LEVEL COMPLIANCE REVIEW PHYSICAL SECURITY Standards of the Standards for Victoria Police Law Enforcement Data Security June 2008

2 Acknowledgement This report was prepared for the Commissioner by Alan Roberts, Senior Information Security Auditor and Kim Lajoie, Technical Project Officer, of the Office of the, in consultation with relevant areas and employees of Victoria Police. Appreciation is expressed for the assistance and cooperation of Victoria Police members during the conduct of this compliance review. Published by The PO Box 281 World Trade Centre Melbourne Victoria 8005 September 2008 Copyright State of Victoria,

3 Table of Contents Executive Summary 4 1. Introduction Purpose and Scope Approach Definitions and Abbreviations Management Response to Findings and Recommendations Compliance Assessment Rating 9 2. Physical Security CLEDS Physical Security Standards Policy and Process Roles and Responsibilities Site Visits Observations and Findings Standard Standard Standard Standard Standard Standard Conclusions Recommendations 29 Appendix A Statement of relevant Standards and Protocols 30 Appendix B Persons interviewed and documents reviewed 34 Appendix C Glossary 35 Appendix D Response to report by Chief Commissioner of Police 36 3

4 Executive Summary Background Under the Act 2005, the Commissioner is required to undertake monitoring activities, including audits, to monitor compliance by Victoria Police with standards and protocols established under the Act. An annual program of high level compliance reviews, as well as detailed risk based audits, has been established and commenced. The objective of a high level review is to identify whether documented policies and monitoring frameworks have been implemented by Victoria Police to meet the requirements and intent of CLEDS Standards and Protocols. The Review A high level compliance review of the Physical Security law enforcement data security standards (Standards 14 to 19) and associated protocols has been undertaken. In order to assess physical security within Victoria Police the high level review examined policy and operational issues involving facilities (office complex and police station) maintenance and management, evidence and exhibits management, and information technology and hard copy records storage and management. An assessment rating of Compliant (where existing security controls meet the requirements and intent of the standards and protocols), Partially Compliant (where existing security controls partially or inconsistently meet the requirements and intent of the standards and protocols) or Non Compliant (where existing security controls are consistently inadequate in meeting the requirements and intent of the standards and protocols) has been assigned as a result of the review. Results of Review Overall, Victoria Police have implemented an appropriate level of physical security controls, where such controls are either physical (through building design) or technical. Major facilities are suitably protected from unauthorised physical access and external and environmental threats. In these cases the threats and countermeasures are tangible and benefit from Victoria Police s expertise in crime prevention. Victoria Police s wired data infrastructure and metropolitan digital radio networks are well protected from interception and loss of service. Wired data infrastructure benefits from the existing physical protection offered by Victoria Police facilities. The metropolitan digital radio networks encrypt all communications and offer modern features such as remote deactivation of terminals. 4

5 Suitable implementation of technical controls also extends to clear screen policy and protection of portable devices. The default time-out for computers limits the risk of data being inappropriately accessed while a computer is unattended and some suitable guidelines and tools are available for protecting data held on portable devices. While these broad controls go a significant way towards ensuring appropriate physical security for Law Enforcement Data, there are some significant and specific weaknesses which should be addressed. The Enterprise Information Security Policy does not provide adequate detail for the protection of portable devices, nor does it make reference to such detail. Users of portable devices are not provided with security instructions and education and training in relation to these devices is inadequate and inconsistent. The ability for unauthorised members to visit non-twenty-four hour stations out of hours raises concerns about the effective management of physical access keys and alarm access codes. The state-wide Statenet Mobile Radio (SMR) is the radio network used for voice by Victoria Police in regional areas. It is not encrypted and is able to be accessed by anyone with commercial-grade equipment. It is known that unauthorised third parties regularly intercept Police communications over this network. Additionally, there are regular incidents of unauthorised third parties transmitting on police channels, disrupting police activities. There are several significant security weaknesses at the Records Management Storage and Disposal facility. Poor physical segregation with access by the public and other Government Departments to law enforcement data, understaffing, and a lack of control over security services, increase the risk to Law Enforcement Data stored at the facility. These weaknesses warrant immediate attention, particularly given the sensitive nature of much of the information held at the facility. Some facilities are more vulnerable to external or environmental threats than others. Training and awareness of staff continues to be a concern, particularly as it relates to clear desk policy and protection of portable devices. This is a significant weakness as the effective application of physical security policy is dependant on staff actively executing their responsibilities. Agreements with Approved Third Parties do not adequately address the CLEDS physical security standards as there seems to be no process for ensuring relevant agreements contain site-specific requirements for physical security controls. With the exception of 24 hour stations, no guidelines exist to assist Victoria Police to determine the appropriate level. Agreements do not deal adequately with portable devices; carriage, use and storage of law enforcement data; disruptions to service and supporting infrastructure; or protection of electronic information from interception and loss of service. 5

6 An assessment of Victoria Police compliance with CLEDS Physical Security standards and protocols is provided in the table below. Standard S14 - Facilities protected from unauthorised access S15 - Protection of laptops and data during physical external transport S16 - Reduce risk of disruption from external (inc environmental) threats S17 - Communications infrastructure protected from interception or loss S18 - Protect data during storage, handling and transport S19 - Clear desk and screen policy CLEDS Assessment Partial Compliance Partial Compliance Compliant Partial Compliance Partial Compliance Partial Compliance As a result of these observations, an overall compliance rating of Partially Compliant, with the CLEDS physical security standards and protocols is considered appropriate at this time. Recommendations The makes the following recommendations to assist Victoria Police in addressing matters raised by the high level review. Recommendation One: That Victoria Police amend the Enterprise Information Security Policy and related documents to include a suitable level of detail for effective physical security, including the physical security of portable devices that store Law Enforcement Data. Recommendation Two: That Victoria Police implement a plan to strengthen non-24 hour facilities in the case of external risks to security and implement a suitable level of protection from unauthorised physical access. Recommendation Three: That Victoria Police remedy the security deficits at the Records Management Storage and Disposal facility as a matter of urgency. Recommendation Four: That Victoria Police upgrade the radio network used for voice in regional areas to implement encryption and ensure unauthorised interception or transmission does not occur. Recommendation Five: That Victoria Police implement training and awareness programs to ensure staff appropriately protect Law Enforcement Data on desks and in portable devices. 6

7 Recommendation Six: That Victoria Police ensure agreements with Approved Third Parties adequately protect physical security of Victoria Police Law Enforcement Data. June

8 High Level Compliance Review of Physical Security 1. Introduction The Standards for Law Enforcement Data Security were established in February and July 2007 by the (CLEDS). The Standards and associated protocols are binding on Victoria Police. Under the Act 2005, the Commissioner is required to undertake monitoring activities, including audits, to monitor compliance by Victoria Police with standards and protocols established under the Act. An annual program of high level compliance reviews, as well as detailed risk based audits, has been established. The objective of a high level review is to identify whether documented policies and monitoring frameworks have been implemented by Victoria Police to meet requirements contained within the CLEDS standards and protocols. Physical Security is one of fifteen categories of standards and protocols issued by CLEDS Purpose and Scope The scope of this compliance review is confined to examining the existence and operation of Victoria Police policy and process involving physical security measures designed to protect law enforcement data from unauthorised access, destruction, use, modification or release Approach The high level compliance review involved discussions with key stakeholders, analysis of policy and procedures for compliance with the requirements and intent of the CLEDS Physical Security standards and protocols, and verification/testing of operational compliance and monitoring frameworks. Agreements with Approved Third Parties for authorised access to Victoria Police law enforcement data were also reviewed for compliance with the requirements and intent of the CLEDS physical security standards and protocols Definitions and Abbreviations The common definitions and abbreviations used in this report are explained in Appendix C Glossary Management Response to Findings and Recommendations A draft version of the high level Physical Security compliance review report was provided to the Chief Commissioner of Police for information, factual review and consideration of the CLEDS recommendations. The response to the report from the Chief Commissioner of Police is at Appendix D. 8

9 1.5. Compliance Assessment Rating Victoria Police s compliance with CLEDS physical security standards will be assessed in the following terms: Compliant Partially Compliant Non Compliant Existing security controls meet the requirements and intent of the Standards and Protocols Existing security controls partially or inconsistently meet the requirements and intent of the Standards and Protocols Existing security controls are consistently inadequate in meeting the requirements and intent of the Standards and Protocols Recommendations will be made where less than full compliance is identified. 9

10 2. Physical Security Physical security measures represent only one aspect of protective security, but remain an important element of the total protective security process. Maintenance of security is both an organisational and local management responsibility, with day to day implementation and monitoring of security being the responsibility of each work area. Physical security measures must also be underpinned by a high level of staff security awareness, particularly for the protection of security classified information and resources. Sensible management of security risk involves an appropriate combination of procedural and physical control measures CLEDS Physical Security Standards The s interest in physical security focuses on the physical security of Law Enforcement Data. Chapter five of the Standards for Victoria Police Law Enforcement Data Security addresses the issue of LED physical security. A total of six physical security standards and seven associated protocols have been established and issued by CLEDS. Most standards apply equally to Approved Third Parties (ATP) that have been authorised to access Victoria Police (VP) information and data. Victoria Police is therefore required to reflect and enforce CLEDS physical security requirements (standards & protocols) in all agreements involving LED. A summary of each standard (applicable to both Victoria Police and Agreements with ATP) is provided below, while further information is contained within Section 3 of the report. Standard 14: All Victoria Police (and ATP) facilities that access, store or handle law enforcement data must be physically protected against unauthorised access. (Protocols ) Standard 15: Adequate physical security measures (at VP and ATP facilities) must be established for the carriage, use and storage of law enforcement data on portable computing devices or portable data storage devices. (Protocols ) Standard 16: Physical security controls (at VP and ATP facilities) must be implemented that reduce the risk of disruptions to service caused by external or environmental threats and safeguard the provision of supporting infrastructure services. Standard 17: Electronic communications infrastructure (wired or wireless) used (at VP and ATP facilities) for law enforcement data must be protected from interception or loss of service. Standard 18: Appropriate physical security measures must be implemented (at VP and ATP facilities) to protect all forms of law enforcement data during storage, handling and transport. Standard 19: A clear desk and screen policy must be implemented (at VP and ATP facilities) for all environments that work with law enforcement data. 10

11 2.2. Policy and Process The Victoria Police Manual (VPM) is the authoritative organisation-wide policy and procedures manual. As an online publication accessible through the Victoria Police Intranet it is the central policy gateway for employees to identify and implement corporate policies and procedures. Reference to security matters and links to other policy resources and guidelines are contained within both the Operations and Administration and Management components of the VPM. (For example: Information security, Document security, Records disposal, Intelligence management, Workplace Inspections). Physical security control measures for information system resources are contained within the Victoria Police Enterprise Information Security Policy 2004 (EISP), which represents the overarching policy on information security for Victoria Police. Within the EISP, reference is made to principles of effective protective security practice being directly related to the Australian Government Protective Security Manual (PSM). The PSM represents an authoritative reference in regards to security, however, it forms the foundation for security initiatives within Victoria Police because of the mandatory requirement for workplaces exchanging information with the Australian Government to fully comply with the manual. The Victoria Police Document Security Best Practice Guideline 2007 contains procedures primarily based on those in the PSM, with supplementary information from Defence Signals Directorate s Australian Government Information and Communications Technology Security Manual (ACSI 33). The Document Security Best Practice Guideline is a non-mandatory statement of best practice and do not represent either an instruction or policy statement. In many cases Regions and Departments have also incorporated security practices into local induction programs and/or standard operating procedures Roles and Responsibilities The Victoria Police Security Committee (VPSC) is entrusted with the oversight and governance of the provision of security and development of strategies, guiding principles and standards for security at Victoria Police premises and facilities. A direction from the Chief Commissioner (2006) assigned ultimate responsibility for security to the Commander Specialist Support Department, as chair of the VPSC. The committee is responsible for all security-related policy for all Victoria Police buildings while the day to day implementation of security for Victoria Police premises is the responsibility of each work area. The creation of a new Organisational Security Committee (OSC) as a sub-committee of the Police Operations Standing Committee is likely to replace the VPSC. The new committee will have responsibility for physical security and is chaired by Deputy Commissioner Kieran Walshe. The OSC will include the Agency Security Advisor and Business Information Technology Services representatives. 1 The current version of the Australian Government Protective Security Manual was published

12 Protective Services Officers, part of Specialist Support Department (SSD), are responsible for policing the security requirements of the Victoria Police Centre and St Kilda Road complexes. The security of Crime Department areas relocated from St Kilda Road to leased accommodation in Flinders Street (2 levels from late 2007) is, however, not covered by SSD. The Business Management Department (BMD) has a key physical security role through its direct involvement with construction and maintenance of police buildings, property lodgements and storage, equipment, police and public records, and the whole of life asset strategy. Station Managers however are responsible for the proper care and maintenance of buildings, fittings and fixtures, fences, grounds, and other property in their charge, as well as the security and management of law enforcement information. Business Information Technology Services (BITS) have shared responsibility for physical security of information by way of their direct involvement with the development, management and coordination of Victoria Police information and communications systems infrastructure and security. Information security training and awareness resources (brochures/posters) have also been developed and are available from the BITS intranet. Corporate Management Review Division (CMRD), as part of its core risk management function, undertakes risk analysis and assessment of areas in order to minimise or eliminate risk in everyday policing. Physical security should be a consideration in the conduct of local workplace risk assessments, inspections and audits, however, the level of attention directly paid to the physical security of law enforcement data is largely left to the discretion of local management Site Visits In assessing the existence and operation of physical security arrangements over Victoria Police law enforcement data, Office of CLEDS staff visited a number of key areas and sites. Areas and sites for high level review were selected on the basis of the anticipated nature of the LED involved and the possible vulnerability of physical security arrangements where Victoria Police operate in a shared facility environment. Site visits considered facilities (office complex and police station) maintenance and management, evidence and exhibits management, and information technology and hard copy records storage and management. A total of 7 site visits were conducted in addition to general physical security observations in and around the VPC and public access (retail) concourse level. Information gained from site visit discussions and observations were also considered in conjunction with particulars contained in Regional and Departmental self assessment documentation (April 2008) regarding implementation of the CLEDS standards. This information provided a valuable insight into the nature and extent of actions planned (or undertaken) to review existing processes, procedures and the general management of law enforcement data security. 12

13 3. Observations and Findings 3.1. Standard 14 Victoria Police must ensure that all facilities that access, store or handle law enforcement data are physically protected against unauthorised access. Victoria Police must ensure that Agreements with Approved Third Parties include the requirement to ensure that all facilities that access, store or handle law enforcement data are physically protected against unauthorised access. The intent of this standard is to prevent unauthorised access to law enforcement data by the creation of a secure physical environment. The standard is supported by five protocols highlighting requirements which must, at a minimum, be addressed to meet the standard. Protocols cover the issues of - Assessment of security risk; Security perimeters & secure areas; External access points; Training and education program; and Agreements with Approved Third Parties Observations For this high level review, several aspects of Standard Fourteen were examined Management responsibility, implementation at sites, staff awareness and agreements with Approved Third Parties Management responsibility Victoria Police are fully aware of the need for an effective security environment to exist. This is demonstrated by acknowledgement of the need for security and/or physical security measures throughout operational and administrative policy documentation such as the VPM, EISP, and Intelligence standards and guidelines. The Victoria Police Security Committee Charter, approved by the Policing Operations Standing Committee in September 2006, clearly defines the function and responsibilities of the committee to oversight and develop best practice standards in relation to security issues. While the committee was responsible for several initiatives, such as more secure identification certificates, security assessments of police buildings and standards for parking of non-police vehicles at the VPC; its scope has mainly focused on the VPC. The establishment of the Organisational Security Committee has recently been finalised and may address these concerns. Physical security within Victoria Police is largely directed towards the protection and property maintenance of key infrastructure involving buildings (VP complexes, police stations, storage facilities etc.), major information technology systems, and the overall protection of staff and operational resources from adverse unplanned events. Evidence of security risk assessments being undertaken is not readily available, thus the frequency of these assessments is not clear. Apart from the police stations visited, management at the other sites indicated assessment of security risk is either undertaken by BMD as part of property management or generally forms a consideration as part of overall operational and contingency planning. 13

14 Physical security arrangements within individual areas and locations of Victoria Police are the responsibility of local management and are generally not standard due to the nature of accommodation (buildings and surrounds) and the overall operations involving law enforcement data. For example, the Victorian Police Forensic Services Centre utilises sophisticated perimeter sensors and CCTV surveillance to directly monitor and control access to the site, while security arrangements at the Records Management storage and disposal facility is outside the direct control of Victoria Police due to the site being administered under a shared tenancy arrangement. The generic 24 hour Police Station Specification for Security Services incorporates information involving security system/access control/security alarm requirements in both general and technical terms. This document forms the basis for all service tendering. A standard access control policy has repeatedly been approved by Victoria Police but copies are unobtainable and it has not been implemented Implementation at sites Operating within a shared accommodation environment (World Trade Centre complex comprising a number of tower blocks) impacts the implementation of a fully managed physical environment due to other public access and building tenancy requirements. Use of electronic security control systems (access cards) to gain entry to secure work units, monitoring and supervision of contractors and visitors within work areas, the presence of strategically positioned perimeter and internal CCTV surveillance cameras throughout the Victoria Police Complex, and security monitoring by Protective Services Officers and the private security firm ISS provides a relatively secure physical environment. Security assessments of the VPC and St Kilda Road police complex have been conducted by Protective Services Officers and reports submitted to executive management for information and action. Within police buildings, 24 hour police stations and specialist facilities there is evidence that physical security of premises has been considered by management and action taken to restrict or actively monitor attempts at unauthorised access. Separation of public areas from secure and authorised access areas and security over external access points was noted during site visits in both older style police stations and the more modern designed police stations and facilities. During a site visit however, the importance of being able to monitor and control after hours access to police premises, particularly when surveillance equipment is not installed, was discussed. Office of CLEDS staff were informed that instances of after hours access to an unattended 16 hour police station by members no longer working at the station had been discovered. It is understood the situation has been brought to the attention of regional management, however, the importance of effectively managing door (key lock) security and internal alarm code management has been highlighted. The practice of sworn members visiting police facilities, other than their own work location, to access corporate information is acknowledged. However it is considered that such access should be restricted to hours when the station is open to maintain the security of all law enforcement data within police facilities and prevent instances of unauthorized and unsupervised access. 14

15 A number of sites are currently undertaking renovations that incorporate upgrading and/or strengthening existing physical security arrangements. The Mounted Branch is undertaking building security improvements, the St Kilda Road complex is being refurbished and existing reception and rear car park security strengthened, and a new purpose built hanger is being built to address Air Wing security concerns. As new data information system facilities are being established/constructed BITS Technical Services & Architecture Group are requiring adherence to Australian Government (ASIOT4) Intruder Resistant Area specifications. The Agency Security Advisor is also actively involved in reviewing system security controls and levels of physical security at both Victoria Police and external service provider facilities Staff awareness Varying levels of recognition of matters of physical security within regional and departmental local operating procedures and induction documentation (posted on the Victoria Police intranet) have been noted. The Operations Coordination Department Induction Package provides a range of information involving physical security and has also incorporated awareness of the CLEDS standard and protocols into their Business Plan for national information sharing. A range of BITS information awareness guides/brochures/posters, available from their intranet web site, provides guidance on best practice information security. There is, however, limited evidence to indicate that physical security training and education requirements have been adequately examined and incorporated into business rules, induction training and/or standard operating procedures throughout the organisation. Self assessment by Victoria Police departments and regions regarding implementation of action plans involving CLEDS standards (as at April 2008) seems to support the view that further awareness and education/induction training is required. In the new CMRD electronic risk management bulletin Risky Business (June 2008) Law Enforcement Data Security has been highlighted to all risk management portfolio holders, risk champions and deputies. All Regions and Departments have been encouraged to discuss the issue at their next risk management meeting. Provision within Risky Business of the definition of Law Enforcement Data, accompanied by a link to the CLEDS web site (cleds.vic.gov.au) containing an electronic version of all standards and protocols is considered an important step in alerting the entire organisation to the importance and mandatory requirement to effectively manage LED Agreements with Approved Third Parties In relation to physical security, the Approved Third Parties of concern are service providers. In the case of outsourced data management and storage (IBM) and radio (Motorola & Telstra) services, physical security arrangements are those of the individual service provider, subjected to negotiated improvements to address Victoria Police requirements or specific security concerns. 15

16 These agreements do not sufficiently meet the requirements or intent of Standard Fourteen. Where relevant agreements include physical security requirements, they either reference organisation-wide policy or supply a requirement that physical security requirements are to be the result of negotiation and agreement. The problem with referencing organisation-wide policy is that these policy documents do not provide site-specific (or even police-specific) instructions. In these cases there appears to be no work undertaken to adapt or interpret these requirements to produce a site-specific set of physical security requirements. In some other agreements physical security requirements are specified as being the result of negotiation. In these cases Victoria Police do not have a guideline for determining an appropriate level of protective security. A lack of such a guideline substantially increases the risk of security controls being implemented inconsistently or inappropriately. The notable exception to this is the construction of twenty-four hour police stations. Corporate Support Services Division maintains a document titled Generic 24 hour Police Station Specification for Security Services. This document provides specific details of security controls to be installed as new twenty-four hour police stations are constructed. As almost all twenty-four hour stations perform similar functions, the risk of inappropriate selection of security controls is low Findings Key issues for compliance with Standard 14 are: effective management of physical access keys, alarm access codes and after hours visits by unauthorised members to smaller facilities, such as non-twentyfour hour stations needs to be implemented; and agreements with Approved Third Party service providers lack site-specific requirements for security controls. Although there is a demonstrated commitment to maintaining an appropriate physical security environment an overall assessment of partial compliance with Standard 14 is considered appropriate at this point in time as all elements of the standard and/or protocol requirements have not been sufficiently addressed or implemented throughout Victoria Police Standard 15 Appropriate physical security measures must be implemented to protect law enforcement data stored in portable computing and data storage devices or during physical transport outside of Victoria Police premises. Victoria Police must ensure that Agreements with Approved Third Parties include the requirement to apply appropriate security measures in respect of the carriage, use and storage of law enforcement data, portable computing devices or portable data storage devices that contain law enforcement data. 16

17 The intent of this standard is to ensure law enforcement data stored on portable devices or in physical transit outside of Victoria Police premises is not subjected to unauthorised access. The protocol requires appropriate business rules to support the security of data in these circumstances Observations Portable Law Enforcement Data is any Law Enforcement Data stored on portable data storage devices (including laptops and USB flash drives) or any Law Enforcement Data being physically transported. The responsibility for protection of portable Law Enforcement Data rests with individual work groups. The Victoria Police Manual states: Managers and supervisors are responsible for the physical security of all desktop computers, portable computer devices and printers located in their workplace (VPM ) Each portable computing device must have an assigned owner who is responsible for ensuring that all security requirements relating to the device are met. (VPM ) Additionally, the Enterprise Information Security Policy (EISP) states: The responsibility for the protection of each Victoria Police portable computing device (and therefore the information contained thereon) resides with the person to whom the equipment has been provided (EISP 17.3) While the Enterprise Information Security Policy (EISP) makes a general statement of the need to ensure the physical protection of portable devices, it provides no details on how to achieve an appropriate level of protection. While reference is made to a document titled Victoria Police Guidelines for the Protection of Portable Computing Devices, this document does not exist 2. Business Information Technology Services provides portable devices such as laptops and USB flash drives to other areas of Victoria Police. It also makes available some guides and tools for protecting portable computing devices but make no effort to ensure individuals and work groups across Victoria Police are aware of their security responsibilities with regard to these devices. For the physical security of non-electronic Law Enforcement Data during transport outside Victoria Police premises, the Victoria Police Manual refers to the Document Security Best Practice Guideline. While the Guideline is a useful resource with specific instructions for the protection of non-electronic information, the instructions themselves are non-mandatory. Agreements with Approved Third Parties do not adequately address the CLEDS physical security standard in relation to carriage, use and storage of Law Enforcement Data, including portable devices. 2 Confirmed by the Business Information Technology Services Technical Standards & Policy Manager 17

18 Findings Victoria Police goes some way to meeting the requirements of Standard 15 by clearly stating that individuals and local management are wholly responsible for the physical security of Law Enforcement Data stored in devices or during transport. Such an approach, however, relies on adequate support by training and instructions. Key issues regarding compliance with Standard 15 are: users of devices such as laptops and USB flash drives are not provided with security instructions on receipt of the device; coverage of security responsibilities in induction and ongoing training is inadequate and inconsistent; and the Enterprise Information Technology Security Policy does not provide adequate detail for the protection of portable devices, nor does it make reference to such detail. Without adequate support, individuals and local management cannot be reasonably expected to implement a consistent approach to physical security that is appropriate to the level of risk. An overall assessment of partial compliance with Standard 15 is considered appropriate at this point in time Standard 16 All Victoria Police facilities that access, store or handle law enforcement data must have physical security controls that reduce the risk of disruptions to service caused by external or environmental threats and safeguard the provision of supporting infrastructure services. Victoria Police must ensure that Agreements with Approved Third Parties include the requirement to ensure that all facilities that access, store or handle law enforcement data have physical security controls that reduce the risk of disruptions to service caused by external or environmental threats and safeguard the provision of supporting infrastructure services. The intent of this standard is to ensure physical protection to supporting services on which the secure infrastructure for law enforcement data relies in order to function effectively and ensure continued operation during a disaster or crisis Observations Major police facilities are protected from external and environmental threats by way of physical separation and backup power generators. The Victoria Police Design Guidelines state: 24 hour police stations - all essential lighting and power circuits shall be backed up by emergency generator; - all essential communications and building security equipment computer shall be backed up by the emergency generator as well as UPS systems. 18

19 16 hour and 8 hour police stations - provide external power inlet for the connection of a mobile generator to supply selected essential lighting and power circuits; - radio communications equipment shall be backed up by rechargeable battery system; - UPS systems usually not required. Major facilities have substantial backup power generators. New twenty-four hour stations being built are required to have backup power generators, and currently eighty-four (out of one hundred) twenty-four hour stations have such generators. Most sensitive police work areas are kept some distance from public areas. For example, the operational areas of the Forensic Lab are far from the perimeter fence. Also, work involving sensitive Law Enforcement Data at the Victoria Police Centre and the St Kilda Rd Complex are conducted some distance above ground level and away from public areas. This reduces the likely impact of an adverse event in a public place or non-police facility disrupting sensitive or critical tasks. For data processing centres and servers, Victoria Police resources are duplicated to reduce the risk of outages caused by equipment being rendered unavailable or inoperable. The Victoria Police mainframe provides the following three applications: Law Enforcement Assistance Program (LEAP), the database of incidents and other operations records; Human Resources Millennium (HR:M), the database of personnel records; and SAS, a statistical analysis system. The entire hardware, software and data of the mainframe are duplicated and physically housed at a facility in a different suburb. The data is synchronised between main site and the duplicate site to ensure a reasonably quick change-over is possible in case the main site becomes unavailable. Non-mainframe applications have various levels of High Availability, but no full Disaster Recovery capability. This means these applications have some resilience against localised server outages (such as hardware failures) but little or no ability to continue functioning following large-scale physical damage. Shared network storage (commonly called G Drives and H Drives ) for each station is physically located at the station. Standard operating procedures exist to regularly back up the data in case of loss or damage, allowing stored data to be restored in case of hardware failure. Agreements with Approved Third Parties do not adequately address the CLEDS physical security standard in respect of external disruptions to service or safeguarding supporting infrastructure services. 19

20 Findings Major police facilities appear to have suitable security controls to reduce the risk of external or environmental threats. Where weaknesses are identified, measures are taken to localise any vulnerability and reduce the risk. Nevertheless, some facilities are more vulnerable to external or environmental threats, such as many non-twentyfour hour stations. The physically separate duplication of the Victoria Police mainframe allows missioncritical Law Enforcement Data stored in the Law Enforcement Assistance Program to remain available even after a catastrophic incident. Network storage and other applications are protected to a lesser degree, but are not as widely critical to police operations. A general assessment of compliant is certainly warranted at this point in time. Maintaining full compliance will require urgent attention to the issue of Approved Third Party agreements Standard 17 Electronic communications infrastructure (wired or wireless) used for law enforcement data must be protected from interception or loss of service. Victoria Police must ensure that Agreements with Approved Third Parties include the requirement that electronic infrastructure (wired or wireless) be protected from interception or loss of service. The intent of this standard is to ensure the continued availability, confidentiality and integrity of law enforcement data during electronic transmission Observations The majority of police communications occur over the following networks: Wired data infrastructure, used for computer-based communications; Mobile Data Network (MDN), wireless data infrastructure for metropolitan areas; Mobile Metropolitan Radio (MMR), digital voice radio for metropolitan areas; State-wide Statenet Mobile Radio (SMR), analogue voice radio for country areas; and Public telephone network. The wired data infrastructure is used for all computer-based communications. This includes: All ; Information viewed from a server or application; Data files transferred between computers or servers; and Information accessed by Approved Third Parties. 20

HIGH LEVEL COMPLIANCE REVIEW ELECTRONIC DATA STORAGE DEVICES

HIGH LEVEL COMPLIANCE REVIEW ELECTRONIC DATA STORAGE DEVICES HIGH LEVEL COMPLIANCE REVIEW ELECTRONIC DATA STORAGE DEVICES Standards for Victoria Police Law Enforcement Data Security (Standard 22) November 2008 Commissioner for Law Enforcement Data Security Acknowledgement

More information

HIGH LEVEL COMPLIANCE REVIEW SECURITY CLASSIFIED LAW ENFORCEMENT DATA

HIGH LEVEL COMPLIANCE REVIEW SECURITY CLASSIFIED LAW ENFORCEMENT DATA HIGH LEVEL COMPLIANCE REVIEW SECURITY CLASSIFIED LAW ENFORCEMENT DATA Standards for Victoria Police Law Enforcement Data Security (Standards 27, 28, 29 & 30) November 2008 Commissioner for Law Enforcement

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Review of Education and Training on Law Enforcement Data Security in Victoria Police. March 2008 Commissioner for Law Enforcement Data Security

Review of Education and Training on Law Enforcement Data Security in Victoria Police. March 2008 Commissioner for Law Enforcement Data Security Review of Education and Training on Law Enforcement Data Security in Victoria Police March 2008 Commissioner for Law Enforcement Data Security Acknowledgement This report was prepared for the Commissioner

More information

Highland Council Information Security Policy

Highland Council Information Security Policy Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified Author(s) Responsible Committee / Officers Issue Date Review Date Intended Audience Impact Assessed CCG Committee

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 3.0 Ratified By Date Ratified April 2013 Author(s) Responsible Committee / Officers Issue Date January 2014 Review Date Intended Audience Impact

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review Date

More information

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose... IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Version 1.0. Ratified By

Version 1.0. Ratified By ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified 5 th March 2013 Author(s) Responsible Committee / Officers Issue Date 5 th March 2013 Review Date Intended Audience

More information

Independent Auditors Report to the Commissioner for Law Enforcement Data Security -

Independent Auditors Report to the Commissioner for Law Enforcement Data Security - Commissioner for Law Enforcement Data Security Audit of Victoria Police Compliance with CLEDS standards on Access Control and Release June 2008 Reference: Version: FY07/08 Final Date of review: April -

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

Policy Document. IT Infrastructure Security Policy

Policy Document. IT Infrastructure Security Policy Policy Document IT Infrastructure Security Policy [23/08/2011] Page 1 of 10 Document Control Organisation Redditch Borough Council Title IT Infrastructure Security Policy Author Mark Hanwell Filename IT

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Network Security Policy

Network Security Policy IGMT/15/036 Network Security Policy Date Approved: 24/02/15 Approved by: HSB Date of review: 20/02/16 Policy Ref: TSM.POL-07-12-0100 Issue: 2 Division/Department: Nottinghamshire Health Informatics Service

More information

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002)

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002) (NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002) 1. Approval and Authorisation Completion of the following signature blocks signifies

More information

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen ICT Policy THCCGIT20 Version: 01 Executive Summary This document defines the Network Infrastructure and File Server Security Policy for Tower Hamlets Clinical Commissioning Group (CCG). The Network Infrastructure

More information

Physical Security Policy

Physical Security Policy Physical Security Policy Author: Policy & Strategy Team Version: 0.8 Date: January 2008 Version 0.8 Page 1 of 7 Document Control Information Document ID Document title Sefton Council Physical Security

More information

Mike Casey Director of IT

Mike Casey Director of IT Network Security Developed in response to: Contributes to HCC Core Standard number: Type: Policy Register No: 09037 Status: Public IG Toolkit, Best Practice C7c Consulted With Post/Committee/Group Date

More information

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy

More information

INFORMATION & COMMUNICATIONS TECHNOLOGY (ICT) PHYSICAL & ENVIRONMENTAL SECURITY POLICY

INFORMATION & COMMUNICATIONS TECHNOLOGY (ICT) PHYSICAL & ENVIRONMENTAL SECURITY POLICY INFORMATION & COMMUNICATIONS TECHNOLOGY (ICT) PHYSICAL & ENVIRONMENTAL SECURITY POLICY 1. PURPOSE In respect to this policy the term physical and environmental security refers to controls taken to protect

More information

ULH-IM&T-ISP06. Information Governance Board

ULH-IM&T-ISP06. Information Governance Board Network Security Policy Policy number: Version: 2.0 New or Replacement: Approved by: ULH-IM&T-ISP06 Replacement Date approved: 30 th April 2007 Name of author: Name of Executive Sponsor: Name of responsible

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

Network Security Policy

Network Security Policy Department / Service: IM&T Originator: Ian McGregor Deputy Director of ICT Accountable Director: Jonathan Rex Interim Director of ICT Approved by: County and Organisation IG Steering Groups and their relevant

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Governance and Corporate Affairs Committee Date: December 2014 Next Review Date: August 2016 Version: 0.2 Page 1 of 14 Review and Amendment Log / Control Sheet

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

University of Brighton School and Departmental Information Security Policy

University of Brighton School and Departmental Information Security Policy University of Brighton School and Departmental Information Security Policy This Policy establishes and states the minimum standards expected. These policies define The University of Brighton business objectives

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Music Recording Studio Security Program Security Assessment Version 1.1

Music Recording Studio Security Program Security Assessment Version 1.1 Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND

More information

Crime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection

Crime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection Crime Statistics Data Security Standards Office of the Commissioner for Privacy and Data Protection 2015 Document details Security Classification Dissemination Limiting Marker Dissemination Instructions

More information

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES Final Report Prepared by Dr Janet Tweedie & Dr Julie West June 2010 Produced for AGIMO by

More information

Policy Document. Communications and Operation Management Policy

Policy Document. Communications and Operation Management Policy Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author

More information

43: DATA SECURITY POLICY

43: DATA SECURITY POLICY 43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

POLICY TEMPLATE. Date initially approved: November 5, 2013 Date of last revision: same

POLICY TEMPLATE. Date initially approved: November 5, 2013 Date of last revision: same POLICY TEMPLATE Video Surveillance Category: Approval: Responsibility: Date: Operations PVP VP Finance and Administration Date initially approved: November 5, 2013 Date of last revision: same Definitions:

More information

Security Awareness and Training

Security Awareness and Training T h e A u d i t o r - G e n e r a l Audit Report No.25 2009 10 Performance Audit A u s t r a l i a n N a t i o n a l A u d i t O f f i c e Commonwealth of Australia 2010 ISSN 1036 7632 ISBN 0 642 81115

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Version: 0.2 Committee Approved by: Audit Committee Date Approved: 15 th January 2014 Author: Responsible Directorate Information Governance & Security Officer, The Health Informatics

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

Security Guidelines for Premises Storing/Handling Security Sensitive Materials (SSMs) A-1

Security Guidelines for Premises Storing/Handling Security Sensitive Materials (SSMs) A-1 Security Guidelines for Premises Storing/Handling Security Sensitive Materials (SSMs) S/N Area of Interest Description Recommended Measures 1 Perimeter Security Perimeter barriers Perimeter barriers are

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Gatekeeper PKI Framework. February 2009. Registration Authority Operations Manual Review Criteria

Gatekeeper PKI Framework. February 2009. Registration Authority Operations Manual Review Criteria Gatekeeper PKI Framework ISBN 1 921182 24 5 Department of Finance and Deregulation Australian Government Information Management Office Commonwealth of Australia 2009 This work is copyright. Apart from

More information

Managing internet security

Managing internet security Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further

More information

Information Governance Policy (incorporating IM&T Security)

Information Governance Policy (incorporating IM&T Security) (incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Rule 4-004L Payment Card Industry (PCI) Physical Security (proposed) 01.1 Purpose The purpose

More information

Performance Audit E-Service Systems Security

Performance Audit E-Service Systems Security Performance Audit E-Service Systems Security October 2009 City Auditor s Office City of Kansas City, Missouri 15-2008 October 21, 2009 Honorable Mayor and Members of the City Council: This performance

More information

Scotland s Commissioner for Children and Young People Records Management Policy

Scotland s Commissioner for Children and Young People Records Management Policy Scotland s Commissioner for Children and Young People Records Management Policy 1 RECORDS MANAGEMENT POLICY OVERVIEW 2 Policy Statement 2 Scope 2 Relevant Legislation and Regulations 2 Policy Objectives

More information

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY Information Security Section: General Operations Title: Information Security Number: 56.350 Index POLICY.100 POLICY STATEMENT.110 POLICY RATIONALE.120 AUTHORITY.130 APPROVAL AND EFFECTIVE DATE OF POLICY.140

More information

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT JANUARY 2008 GUIDELINE ON BUSINESS CONTINUITY GUIDELINE CBK/PG/14

More information

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L. Document No: IG10d Version: 1.1 Name of Procedure: Third Party Due Diligence Assessment Author: Release Date: Review Date: Lauren Hamill, Information Governance Officer Version Control Version Release

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network...

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network... Contents 1 Purpose... 2 2 Scope... 2 3 Roles and Responsibilities... 2 4 Physical & Environmental Security... 3 5 Access Control to the Network... 3 6 Firewall Standards... 4 7 Wired network... 5 8 Wireless

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls Review (ITGC) Audit Program Prepared by: Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the

More information

Records Management plan

Records Management plan Records Management plan Prepared for 31 October 2013 Audit Scotland is a statutory body set up in April 2000 under the Finance and Accountability (Scotland) Act 2000. We help the Auditor General for Scotland

More information

London River Services Security Risk Management (IA 13 013/F) Leon Daniels, Managing Director, Surface Transport. Audit Conclusion: Audit Closed

London River Services Security Risk Management (IA 13 013/F) Leon Daniels, Managing Director, Surface Transport. Audit Conclusion: Audit Closed FINAL INTERNAL AUDIT REPORT London River Services Security Risk Management (IA 13 013/F) Leon Daniels, Managing Director, Surface Transport Audit Conclusion: Audit Closed 25 June 2014 Issue categories

More information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

More information

EXECUTIVE SUMMARY Audit of information and communications technology governance and security management in MINUSTAH

EXECUTIVE SUMMARY Audit of information and communications technology governance and security management in MINUSTAH EXECUTIVE SUMMARY Audit of information and communications technology governance and security management in MINUSTAH OIOS conducted an audit of information and communications technology (ICT) governance

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center Portable Security Computing No: Effective: OSC-09 05/27/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original Publication

More information

An Approach to Records Management Audit

An Approach to Records Management Audit An Approach to Records Management Audit DOCUMENT CONTROL Reference Number Version 1.0 Amendments Document objectives: Guidance to help establish Records Management audits Date of Issue 7 May 2007 INTRODUCTION

More information

Business Continuity Policy

Business Continuity Policy Business Continuity Policy Summary: This policy sets out the structure for ensuring that the PCT has effective Business Continuity Plans in place in order to maintain its essential business functions during

More information

Walton Centre. Document History Date Version Author Changes 01/10/2004 1.0 A Cobain L Wyatt. Monitoring & Audit

Walton Centre. Document History Date Version Author Changes 01/10/2004 1.0 A Cobain L Wyatt. Monitoring & Audit Page 1 Walton Centre Monitoring & Audit Document History Date Version Author Changes 01/10/2004 1.0 A Cobain L Wyatt Page 2 Table of Contents Section Contents 1 Introduction 2 Responsibilities Within This

More information

Infrastructure Security Policy

Infrastructure Security Policy Bolsover District Council North East Derbyshire District Council & Rykneld Homes Ltd ICT Infrastructure Security Policy September 2013 Version 1.0 Page 1 of 11 CONTROL SHEET FOR ICT Infrastrutcure Security

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

Queensland Taxi Security Camera Program Changes

Queensland Taxi Security Camera Program Changes Queensland Taxi Security Camera Program Changes Frequently Asked Questions GENERAL INFORMATION 1. What is the taxi security camera program? It is a program administered by the Department of Transport and

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff DATA PROTECTION IT S EVERYONE S RESPONSIBILITY An Introductory Guide for Health Service Staff 1 Message from Director General Dear Colleagues The safeguarding of and access to personal information has

More information

developing your potential Cyber Security Training

developing your potential Cyber Security Training developing your potential Cyber Security Training The benefits of cyber security awareness The cost of a single cyber security incident can easily reach six-figure sums and any damage or loss to a company

More information

06100 POLICY SECURITY AND INFORMATION ASSURANCE

06100 POLICY SECURITY AND INFORMATION ASSURANCE Version: 5.4 Last Updated: 30/01/14 Review Date: 27/01/17 ECHR Potential Equality Impact Assessment: Low Management of Police Information (MoPI) The Hampshire Constabulary recognises that any information

More information

SERVER, DESKTOP AND PORTABLE SECURITY. September 2014. Version 3.0

SERVER, DESKTOP AND PORTABLE SECURITY. September 2014. Version 3.0 SERVER, DESKTOP AND PORTABLE SECURITY September 2014 Version 3.0 Western Health and Social Care Trust Page 1 of 6 Server, Desktop and Portable Policy Title SERVER, DESKTOP AND PORTABLE SECURITY POLICY

More information

ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010

ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010 ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010 OBJECTIVE This Security Plan (the Plan ) is intended to create effective administrative, technical and physical safeguards for the protection

More information

Physical and Environment IT Security Standards

Physical and Environment IT Security Standards Physical and Environment IT Security Standards Author s Name: Jo Brown Author s Job Title: Head of Technical Services Division: Corporate Department: Technical Services Version Number: 1.0 Ratifying Committee:

More information

System Security Plan University of Texas Health Science Center School of Public Health

System Security Plan University of Texas Health Science Center School of Public Health System Security Plan University of Texas Health Science Center School of Public Health Note: This is simply a template for a NIH System Security Plan. You will need to complete, or add content, to many

More information

Better secure IT equipment and systems

Better secure IT equipment and systems Chapter 5 Central Services Data Centre Security 1.0 MAIN POINTS The Ministry of Central Services, through its Information Technology Division (ITD), provides information technology (IT) services to government

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Business Continuity Management. Policy Statement and Strategy

Business Continuity Management. Policy Statement and Strategy Business Continuity Management Policy Statement and Strategy November 2011 Title Business Continuity Management Policy & Strategy Date of Publication: Cabinet Council Published by Borough Council of King

More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Nine Steps to Smart Security for Small Businesses

Nine Steps to Smart Security for Small Businesses Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...

More information

Physical Security Assessment Form

Physical Security Assessment Form Physical Security Assessment Form Security Self-Assessment T Wake 10 February 2012 Security Assessment Contents Facility / Site Security Assessment Form... 3 Identification Details... 3 Facility Details...

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information