INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

Size: px
Start display at page:

Download "INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c"

Transcription

1 INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011

2 CONTENTS Introduction Security Policy Information Security Policy Scope 2 Security Organisation Information Security Infrastructure Management Information Security Forum Information Security Co-ordination Allocation of Information Security Responsibilities Authorisation Process for IT Facilities Specialist Information Security Advice Co-operation Between Organisations Independent Review of Information Security Security of Third Party Access Identification of risks from third party connections Security conditions in third party contracts Assets Classification and Control Accountability for Assets Inventory of Assets Information Classification Classification Guidelines Classification Labelling Personnel Security Security in Job Definition User Training Staff Movements Responding to Incidents Disciplinary Process Physical and Environmental Security Secure Areas Physical Security Perimeter Physical Entry Controls Clear Desk Policy Removal of Property Equipment Security Equipment Siting and Protection Power Supplies Page : 2 May 2013

3 5.2.3 Equipment Maintenance Security of Equipment Off-premises Secure Disposal of Equipment Computer and Network Management Operational Procedures and Responsibilities Documented Operating Procedures Incident Management Procedures Segregation of Duties Separation of Development and Operational Facilities System Planning and Acceptance Capacity Planning Protection from Malicious Software Housekeeping Data Back-up Fault Logging Network Management Network Security Controls Media Handling and Security Management of Removable Computer Media Data Handling Procedures Security of System Documentation Disposal of Media Data and Software Exchange Data and Software Exchange Agreements Security of Media in Transit EDI Security Security of Electronic Mail Security of Electronic Office Systems System Access Control Business Requirement for System Access Documented Access Control Policy User Access Management User Responsibilities Network Access Control Policy on Use of Network Services Systems Development and Maintenance Security Requirements of Systems Security Requirements Analysis and Specification Security in Application Systems Page : 3 May 2013

4 8.3 Security in Development and Support Environments Change Control Procedures Business Continuity Planning Compliance Compliance with Legal Requirements Control of Proprietary Software Copying Safeguarding of Organisational Records Data Protection Prevention of Misuse of IT facilities Security Reviews of IT Systems Compliance with Security Policy System Audit Considerations and Controls Page : 4 May 2013

5 Introduction The continuing availability of information is essential to the operation of Angus Council. Rapid and continuing technical advances in information processing have increased the dependence of the Council on information and automated systems. The value of data and software, in terms of restoration costs or losses due to unauthorised disclosure, far exceeds the value of its associated hardware. For that reason, information processed by computers and transmitted through networks must be recognised as a major Council asset and be protected accordingly. The expanded use of computers and telecommunications has resulted in more accurate, reliable, and faster information processing, with information more readily available to management and staff than ever before. As a direct result of its growing commitment to the use of information technology, the Council has achieved increased productivity in terms of improved delivery of services, enhanced administrative capabilities and reduced costs. Information technology has also brought new management concerns, challenges, and responsibilities. Information assets must be protected from natural and human hazards. Policies, standards and procedures must be established to ensure that hazards are eliminated or their effects minimised. The main focus of information security is on ensuring the continuation of Council services. Providing efficient accessibility to necessary information is the primary reason for establishing and maintaining automated information systems. Protecting that information and the investment that surrounds it is the motivation for establishing an information security and risk management program. The first step of a risk analysis is to identify the items which need to be protected. Some things are obvious, like all the various pieces of hardware. It is essential to identify all categories of things that could be affected by a security problem. A list of suggested categories follows: Hardware: workstations, laptops, servers, printers, communication lines, modems, hubs, routers etc. Software: source programs, object programs, utilities, diagnostic programs, operating systems, database management systems, communication programs, etc. Data: during execution, stored on-line, archived off-line backups, audit logs, databases, in transit over communication media, etc. People: users, operators needed to run systems, external contractors, etc. Documentation: on programs, hardware, systems, local administrative procedures, etc. Supplies: magnetic media, etc. Protecting information assets includes: Physical protection of information processing facilities and equipment; Protection against external intrusion; Maintenance of application and data integrity; Assurance that automated information systems perform their critical functions correctly, in a timely manner, and under adequate controls; Protection against unauthorised use of data or disclosure of information; Assurance of the continued availability of reliable and critical information; Many functions which were traditionally manual or partially automated are today fully dependent on the availability of automated information services to perform and support their daily functions. The interruption, disruption, or loss of information support services may adversely affect the Council s ability to provide its services. The effects of such risks must be eliminated or minimised. Additionally, information entered, processed, stored, generated, or disseminated by automated information systems must be protected from internal data or programming errors Page : 5 May 2013

6 and from misuse by individuals internal or external to the organisation. Specifically, information must be protected from unauthorised or accidental modification, destruction, or disclosure. In the case of purchased information system components, the integrity, competence, and economic stability of the vendor must be assured. Otherwise, there is a risk of compromising the integrity of Council s reputation, or violating individual rights to privacy. While it is unlikely that security risks can be eradicated, by selecting and implementing the appropriate controls we can ensure that any risks identified are reduced to an acceptable level. These controls should be selected based on the cost of implementation in relation to the reduction in risk and the potential losses if a security breach occurs while also taking into account the need to preserve the confidentiality, integrity and availability of the information being protected. Non-monetary factors such as loss of reputation should also be taken into account. Page : 6 May 2013

7 1 Security Policy 1.1 Information Security Policy This information security management system and associated operational procedures will, as far as practicable, address the Information security management principles defined within BS7799 (1999) Code of Practice for Information Security Management. As such, this Policy will enable the Council s I.T. users, suppliers and contractors to accurately address the Information Security requirements of the Council, thus avoiding ambiguity in the specification, delivery and implementation of Information systems. Operational procedures will be established to implement the corporate information security requirements outlined in this Security Management System, and appropriate mechanisms will be put in place to monitor and manage these procedures. This Information Security Management System is supplemented by an Information Security - User Guidelines document. Security Organisation A management framework will be established to initiate and control the implementation of information security within the organisation. The Council s Head of Information Technology will serve as the designated officer responsible for developing, publishing maintaining and administering the Information Security Policy. Heads of Service are deemed to be owners of their departmental information assets. They may delegate their security responsibilities to individuals or service providers. Nevertheless the owner remains ultimately responsible for the security of the asset and should be able to determine that any delegated responsibility has been discharged correctly. Implementation of the information security policy will be independently reviewed to ensure that practices laid down within the policy are feasible and effective and are being adhered to. Security of Third Party Access To maintain the security of Council I.T. facilities and information assets access to council I.T. facilities by (non-organisational) third parties will be rigorously controlled. Assets Classification and Control To ensure that information assets receive an appropriate level of protection, security classifications will be used to indicate the need and priority. The Head of Information Technology will maintain a computer based inventory register which will fully address the requirements of the Council s Audit or Inventory Procedures. This register will include all major items of I.T. hardware, software systems, applications and data owned or licensed by the Council The responsibility for classifying and declassifying departmental information assets will reside with the designated asset owners. The Head of Information Technology will be responsible for classifying and declassifying corporate information assets. Personnel Security The Council s Chief Officers will take all appropriate measures to minimise the risks of human error, theft, fraud or misuse of the Council s information assets and facilities. In addition, steps will be taken to ensure that all users of the Council s information systems are made aware of security risks and are equipped to adhere to, and support the Council s Information Security Page : 7 May 2013

8 Policy in the course of their normal duties. User Training The Council s Chief Officers will take all appropriate measures to minimise the risks of human error, theft, fraud or misuse of the Council s information assets and facilities. In addition, steps will be taken to ensure that all users of the Council s information systems are made aware of security risks and are equipped to adhere to, and support the Council s Information Security Policy in the course of their normal duties. Relevant information security issues will be included in any formal and informal training given to the users of the Council s information systems. Responding to Incidents All council staff have a responsibility to report suspected breaches of this Information Security Policy to their own departmental management. All security incidents will be reported and recorded by means of a formal logging and follow-up system and referred to the Audit, VFM and Risk Manager Unless authorised by the Head of Information Technology staff will on no account attempt to replicate or simulate any suspected security breach or incident. Council staff suspected of causing a security breach will be subject to investigation under established formal disciplinary procedures. Physical and Environmental Security Appropriate control mechanisms will be established to prevent unauthorised access, damage and interference to Council information services, including all physical information assets which support critical or sensitive departmental activities. Removal of Property Removal of property or information belonging to the Council is prohibited without prior authorisation by the departmental head. Any piece of Council computer equipment authorised for use outwith Council premises, including laptop computers, will be subject to the same guidelines for use as I.T. equipment within the workplace. Whilst off-site, such equipment will be protected by the user from the risk of theft and will not be left unattended in public places. When being transported equipment will be stored out of view. Computer and Network Management To ensure the correct and secure operation of computer and network facilities responsibilities and procedures for the management and operation of all computers and networks will be established. Protection from Malicious Software To safeguard the integrity of software and data no unlicensed or unauthorised software will be permitted on any of the Council s I.T. systems. Data files may only be downloaded from external sources, such as bulletin boards or the internet in accordance with Angus council s and Internet Usage Policy. Council employees must read and comply with Angus council s and Internet Usage Policy. Pro-active measures will be taken to safeguard the integrity of software and data by detecting Page : 8 May 2013

9 and counteracting the effects of malicious software such as computer viruses. This will include the provision of virus detection software on the Council s computer systems. Staff who use Council I.T. systems will be responsible for reporting any suspected incidents of computer virus infection to the I.T. Help Desk for further assessment and rectification. Data Back-up Adequate backup facilities will be provided to ensure that all essential business information can be backed up and recovered if necessary. Backup tapes and accurate and complete records of backup copies should be stored in a remote location, sufficient to escape any damage from a disaster at the main site. Fault Logging Faults will be reported to the IT Division Help, desk where they will be processed in accordance with the help desk procedures. Only persons authorised by the Head of Information Technology will carry out repairs and servicing of Council equipment. Network Management To ensure the safeguarding of information in networks and the protection of the supporting infrastructure data networks will be managed in such a way as to prevent unauthorised logical and physical connection, and to detect unauthorised connection should this occur. No connection to the corporate communications network will be permitted without the prior approval of the Head of Information Technology. Media Handling and Security To prevent the possibility of damage, theft or unauthorised access to council information assets and interruptions to business activities, all computer media containing valuable data will be stored securely. System Access Control It is the policy of Angus Council to restrict access to information systems to only those staff and authorised agents of the Council who require such access to enable them to undertake their duties. It is the responsibility of all Heads of Department, and Head of Information Technology to implement this policy as required. Access controls and the use and protection of passwords is set out in the Information Security User Guidelines. These guidelines will be distributed to all users of information systems within the Council. The installation and upgrade of operational systems will only be performed by arrangement with the Head of Information Technology. Business Continuity Planning To counteract interruptions to business activities and to protect critical business processes from the effects of major failures and disasters departmental business continuity management processes will be implemented. Compliance The Council s Information Security Policy is intended to fully comply with all statutory, criminal Page : 9 May 2013

10 and civil obligations to which the Council is required to adhere in relation to the implementation, management and use of Information systems and services. In addition, the Head of Information Technology will implement appropriate procedures to ensure that all procurement conforms to appropriate European Community legislative requirements in addition to the Council s Standing Orders and Financial Regulations. The copyright of all software applications systems developed by Council staff or authorised agents using Council resources will rest with the Council. The departmental owners of software applications will ensure that copies of data on magnetic media are retained for the period of time necessary for the equivalent paper copies, and that such data is regularly restored and archived to ensure their continued integrity. Important Council records will be protected from loss, destruction and falsification. Some records may need to be securely retained to meet statutory or regulatory requirements as well as to support essential business activities. Data Protection Applications handling personal data on individuals will comply with data protection legislation and principles. Prevention of Misuse of IT facilities The Councils information processing facilities are provided for business purposes. The use of departmental information processing facilities will be authorised by the departmental director. If any misuse is identified it will be subject to the appropriate disciplinary action. Compliance with Security Policy All areas within the organisation will be regularly reviewed to ensure compliance with security policies and standards. Chief Officers will ensure that all security procedures within their area of responsibility are carried out correctly. System Audit Considerations and Controls Periodic audits of working practices will be undertaken to ensure compliance with this Security Policy The Head of Information Technology will arrange a continual review of operational information systems to ensure that security controls have been properly implemented and continue to be effective. Other related documentation Data Protection Act 1998 Computer Misuse Act 1990 Copyright, Designs and Patents Act 1989 Angus Council and Internet Usage Policy Angus Council Information Security Management System Angus Council Information Security User Guidelines Information Security Incident Reporting Procedure Page : 10 May 2013

11 1.2 Scope The implementation of this Policy ensures the protection of the Council s information infrastructure, which is taken to include : All physical data communications networks and components ; All software applications resident on PC s file servers and networking equipment ; All Computer systems and accompanying operating system software; All corporate software applications ; All magnetic storage media ; All IT related system and software applications documentation; All hard copy (printer output); The rigorous implementation of this Policy will help to ensure the confidentiality, integrity and availability of all electronically stored data, systems and application software. 2 Security Organisation 2.1 Information Security Infrastructure Objective: To manage information security within the organisation. A management framework will be established to initiate and control the implementation of information security within the organisation. The Council s Head of Information Technology will serve as the designated officer responsible for developing, publishing maintaining and administering the Information Security Policy Management Information Security Forum Management direction will be provided through a suitable high level steering forum. The Information Security Group, chaired by the Head of Information Technology, will provide a focus for the implementation and development of the Information Security Policy within the Council. Meetings of the group will be convened at regular intervals to address the following objectives Ensure that the Information Security Policy is formally adopted by all of the Council s constituent departments; Provide a mechanism for reviewing, amending and monitoring adherence to the Information Security Policy; Review major information security incidents, and the exposure to major threats to the Council s information systems and infrastructure; The group will be authorised to approve initiatives to enhance information security subject to suitable funding arrangements Information Security Co-ordination It will be necessary to co-ordinate information security measures through a cross-functional forum with all user departments represented at a management level with the authority to implement necessary measures. Page : 11 May 2013

12 2.1.3 Allocation of Information Security Responsibilities Heads of Department are deemed to be owners of their departmental information assets. They may delegate their security responsibilities to individuals or service providers. Nevertheless the owner remains ultimately responsible for the security of the asset and should be able to determine that any delegated responsibility has been discharged correctly Authorisation Process for I.T. Facilities Installation of I.T. facilities will be authorised by the Head of Information Technology and carried out by contractors approved and authorised by him Specialist Information Security Advice When specialist advice on information security is required all enquiries will be directed to the Head of Information Technology Co-operation Between Organisations When necessary appropriate contacts with law enforcement authorities, regulatory bodies, and service providers will be made to ensure that appropriate action can be taken in the event of a security incident. Membership of security groups and forums will be actively considered. Exchange of security information will be restricted to ensure that confidential information is not passed to unauthorised persons Independent Review of Information Security Implementation of the information security policy will be independently reviewed to ensure that practices laid down within the policy are feasible and effective and are being adhered to. 2.2 Security of Third Party Access Objective: To maintain the security of Council I.T. facilities and information assets accessed by third parties. Access to council I.T. facilities by (non-organisational) third parties will be rigorously controlled. As appropriate, all contracts established for the purposes of external third party connection to the Council s I.T. infrastructure and systems will include the following elements : A general policy statement on Information security, including reference to this Policy and to BS7799 ; Permitted methods of access, and the control and use of unique user identifiers and passwords ; Involvement of sub-contractors ; Description of each I.T. service for which third party connection is required ; Requirement to maintain a register of authorised third party users and associated authorisation processes ; Times and dates of availability ; Respective liabilities, and rights to revoke the contract ; Page : 12 May 2013

13 Responsibilities for user training, equipment installation, physical and data protection ; Measures to ensure the return, or destruction, of information assets at the end of the contract ; Software virus protection ; Identification of risks from third party connection No third party access to the Council s information technology infrastructure will be permitted without the express permission of the Head of Information Technology. The risks associated with third party connection to the Council s information technology infrastructure and systems will be individually assessed in the context of the policy. Third party connection will only be authorised when the appropriate Head of Department has requested the need for such connection, the IT Division has established appropriate controls, and a suitable contract defining the terms of connection has been signed by the third party Security conditions in third party contracts Contracts with third parties requiring access to council I.T. facilities will be created in conjunction with the Head of Law and Administration to specifically include the necessary security conditions. 3 Assets Classification and Control Appropriate measures will be established to ensure that protection of the Council s physical I.T. assets and computer stored data is maintained at all times. 3.1 Accountability for Assets Objective: To maintain appropriate protection of Council information assets. All major information assets will be accounted for and have a designated owner. (See ) Inventory of Assets Inventories will be maintained of all major information and IT assets. Each Department will maintain a computer based inventory register which will fully address the requirements of the Council s Audit or Inventory Procedures. This register will include all major items of I.T. hardware, but will exclude minor equipment such as connection cables. The register will also include all major software systems, applications and data owned or licensed by the Council including software applications which have been developed by other departments within the Council. Other information assets which are required for business continuity purposes (such as magnetic media, power supplies, communications services and air-conditioning equipment, etc.) will be identified and recorded in the Emergency Inventory List of each department's Business Continuity Plan. 3.2 Information Classification Objective: To ensure that information assets receive an appropriate level of protection, security classifications will be used to indicate the need and priorities for security protection. Page : 13 May 2013

14 A Council wide Information Asset Inventory will be maintained to classify the security requirements of information assets in one of the two classes defined below Normal Security Level. This will be the default classification and will cover the majority of Council s Information assets. No physical identification of this level will require to be shown. High Security Level. Certain commercially sensitive systems, or systems which contain personal data protected under the terms of data protection legislation, will be classified at the High Security Level. Information assets (physical, application or data) which if lost, due to technical failure or accidental deletion, would cause major disruption, should also be classed as High. The responsibility for classifying and declassifying departmental information assets as Normal or High Security Level will reside with the designated asset owners. The Head of Information Technology will be responsible for classifying and declassifying corporate information assets Classification Guidelines Protection for classified information will be consistent with business needs Classification Labelling Outputs from systems containing information classified as sensitive will be labelled appropriately. Items for consideration may include printed reports, display screens and recorded media. 4 Personnel Security Objective: To reduce the risks of human error, theft, fraud or misuse of facilities. The Council s Chief Officers will take all appropriate measures to minimise the potential risk of human error, theft, fraud or the misuse of the Council s information assets. In addition, steps will be taken to ensure that all users of the Council s information systems are made aware of security risks and are equipped to adhere to, and support the Council s Information Security Policy in the course of their normal duties. The employees responsibility for information security will be highlighted and addressed at the induction stage, included in job descriptions where appropriate, and monitored during the individual's employment. 4.1 Security in Job Definition Where an employee has specific responsibilities for information security these will be highlighted in their job outline or description. 4.2 Staff Movements To allow user accounts and group memberships to be kept up to date departmental heads shall inform the Head of Information Technology of all staff movements (terminated employment, maternity leave, long term sick, etc.) where staff members have access to I.T. facilities. 4.3 User Training Page : 14 May 2013

15 Objective: To ensure that users are aware of information security threats and concerns, and are equipped to support organisational security policy in the course of their normal work. Chief officers will ensure that users of council information systems (including, when necessary, third party organisations) are trained in their proper use. This will include, where necessary, highlighting the security implications and legal responsibilities associated with the improper use of information processing facilities. Relevant information security issues will be included in any formal and informal training given to the users of the Council s information systems. 4.4 Responding to Incidents Objective: To minimise the damage from security incidents and malfunctions and to monitor and learn from such incidents. All Council staff have a responsibility for reporting suspected breaches of this Information Security Policy to their own departmental management. Unless authorised by the Head of Information Technology staff will on no account attempt to replicate or simulate any suspected security breach or incident Disciplinary Process Council staff suspected of causing a security breach will be subject to investigation under established formal disciplinary procedures. 5 Physical and Environmental Security 5.1 Secure Areas Objective: To prevent unauthorised access, damage and interference to Council information services Appropriate control mechanisms will be established to prevent unauthorised access, damage or interference to the Council s information infrastructure and systems, including all physical information assets which support critical or sensitive departmental activities Physical Security Perimeter Appropriate physical security will be applied to protect areas which contain information processing facilities or equipment Physical Entry Controls Designated secure areas will be protected by appropriate entry controls to ensure that only authorised persons can gain access Clear Desk Policy Areas dealing with confidential materials and information should consider operating a clear desk policy to reduce the risk of unauthorised access, loss of or damage to information Removal of Property Page : 15 May 2013

16 Removal of property belonging to the Council is prohibited without prior authorisation by the departmental head. 5.2 Equipment Security Objective: To prevent loss, damage or compromise of assets and interruption to business activities. Where deemed necessary and where reasonably practicable, appropriate measures will be taken to ensure that equipment is physically protected from security threats and environmental hazards Equipment Siting and Protection Equipment will be sited and protected to reduce the risks of damage, interference and unauthorised access. Equipment which requires additional security, and cannot be stored in secure areas, will be sited in areas where staff require only occasional access Power Supplies All equipment deemed to support critical operational or business functions, will be protected from power supply failure or fluctuation by un-interuptable power supplies (UPS) Equipment Maintenance Only persons authorised by the Head of Information Technology will carry out repairs and servicing of Council equipment. Where necessary information technology staff will implement appropriate controls for the protection of data before sending equipment off site for repair or allowing third party access to perform maintenance on council equipment Security of Equipment Off-premises Any piece of Council computer equipment authorised for use outwith Council premises, including laptop computers, will be subject to the same guidelines for use as I.T. equipment within the workplace. Authorisation from the appropriate departmental director will be required before equipment is taken off-site. Whilst off-site, such equipment will be protected by the user from the risk of theft and will not be left unattended in public places. When being transported equipment will be stored out of view. Information (magnetic media, printed, etc.) will not be removed for use outside council premises without permission from the appropriate departmental director Secure Disposal of Equipment All data will be erased from equipment prior to disposal. All equipment and media declared as redundant will be disposed of in accordance with Council procedures. In the case of PC equipment, specific care will be taken to ensure that all licensed systems software and data are erased from disk prior to disposal. Page : 16 May 2013

17 Magnetic media removed from equipment will be disposed of in a similar manner. 6 Computer and Network Management 6.1 Operational Procedures and Responsibilities Objective: To ensure the correct and secure operation of computer and network facilities. Responsibilities and procedures for the management and operation of all computers and networks will be established Documented Operating Procedures Formally documented operational procedures will be established to ensure the correct and secure operation of council information systems. Detailed procedures will be established for the management of system failures. These will include the development of comprehensive contingency plans for critical corporate systems and security incident policies Incident Management Procedures Incident management responsibilities and procedures will be established to ensure a quick, effective and orderly response to security incidents. All security incidents will be reported and recorded by means of a formal logging and follow-up system and referred to the Audit, VFM and Risk Manager For each incident, this will include the investigation of the cause and options for the prevention of a recurrence. An audit trail suitable for internal statistical analysis, and for use as evidence on contractual and legal issues such as computer misuse and data protection will be created Segregation of Duties Duties within council departments will be segregated to minimise the risk of negligent or deliberate system misuse Separation of Development and Operational Facilities As far as is practicable, the IT Division will take the following steps to separate operational and development / test environments : Operational and development software will not be run on the same system ; System test environments will, as far as practicable, mirror the planned operational environment ; Unless specifically required, code compilers, editors and system utilities will not reside in operational environments ; Different log-on procedures will be used for operational and test systems. 6.2 System Planning and Acceptance Objective: To minimise the risk of systems failure. Page : 17 May 2013

18 Projections of future capacity requirements will be made to reduce the risk of system overload. The operational requirements of new systems will be established, documented and tested prior to acceptance of the system Capacity Planning The Head of Information Technology will adopt capacity planning and monitoring procedures to minimise the potential risk of system failure due to overload in the I.T. infrastructure. The utilisation of system resources such as processing power, memory capacity, disk and tape storage capacity, throughput and the capacity of the corporate network will be monitored to identify performance bottlenecks and allow assessments of increases in system demands. 6.3 Protection from Malicious Software Objective: To safeguard the integrity of software and data. No unlicensed or unauthorised software will be permitted on any of the Council s I.T. systems. Pro-active measures will be taken to safeguard the integrity of software and data by detecting and counteracting the effects of malicious software such as computer viruses. This will include the provision of virus detection software on the Council s computer systems. Virus detection software will be updated at frequent and regular intervals to ensure that the Council information systems are being protected from infection from new software viruses. All Council staff who use PC equipment will be required to pre-scan all floppy disks received from other external or internal Council sources. Data files may only be downloaded from external sources, such as bulletin boards or the internet in accordance with Angus council s and Internet Usage Policy. Staff who use Council I.T. systems will be responsible for reporting any suspected incidents of computer virus infection to the I.T. Help Desk for further assessment and rectification. Staff will not attempt to rectify the situation themselves. 6.4 Housekeeping Objective: To maintain the integrity and availability of information services. Housekeeping measures are required to maintain the integrity and availability of services Data Back-up Back-up copies of essential business data and software will be taken regularly and in accordance with procedures required by the appropriate head of department. Adequate backup will be provided to ensure that all essential business information can be backed up and recovered if necessary. Critical systems backups will be taken daily or as prescribed by the appropriate head of department. Accurate and complete records of backup copies should be stored in a remote location, sufficient to escape any damage from a disaster at the main site. Backed up information will be given an appropriate level of physical and environmental protection. Backed up media will be regularly tested where practicable to ensure reliability. Page : 18 May 2013

19 6.4.2 Fault Logging Faults will be reported and corrective action taken. Faults will be reported to the IT Division Help desk where they will be processed in accordance with the help desk procedures. 6.5 Network Management Objective: To ensure the safeguarding of information in networks and the protection of the supporting infrastructure Network Security Controls Data networks will be managed in such a way as to prevent unauthorised logical and physical connection, and to detect unauthorised connection should this occur. Controls as specified in the Councils Information Security Controls document will be applied as necessary. No connection to the corporate communications network will be permitted without the prior approval of the Head of Information Technology. 6.6 Media Handling and Security Objective: To prevent damage to assets and interruptions to business activities Management of Removable Computer Media When not in use all computer media containing valuable data will be stored securely. When no longer required the previous contents of reusable media will be erased Data Handling Procedures Operational procedures will be established to protect computer media (tapes, disks, cassettes, etc) and sensitive documentation from the possibility of damage, theft and unauthorised access Security of System Documentation Systems documentation will be subject to the same rules as data for storage, distribution, backup and disposal Disposal of Media Confidential paper based printouts will be collected and disposed of in accordance with Council directives for the disposal of confidential waste. All confidential or sensitive data stored on magnetic media which is deemed to be redundant, will be erased prior to the disposal of the media. 6.7 Data and Software Exchange Page : 19 May 2013

20 Objective: To prevent loss, modification or misuse of data Data and Software Exchange Agreements When deemed necessary the physical or electronic exchange of any software or data between the Council and external bodies shall be subject to formal agreement. Such agreements will include the identification of data formats, secure carrier arrangements and documented verification of receipt Security of Media in Transit When information or software is to be transported, for instance via post or courier, appropriate controls will be applied to safeguard it Electronic Data Interchange Security Special security controls will be applied where necessary, to protect electronic data interchange. Wherever practicable, software applications which depend upon Electronic Data Exchange facilities will include precautions to deal with the possibility that data has been intercepted or modified during transmission, and will include checks that data has been dispatched and delivered in accordance with the system requirements. Communications will be managed through a managed gateway that incorporates controls to prevent any unauthorised access to the Council s data communications network. Data which has been classified as High Security Level will not be transmitted un-encrypted Security of Electronic Mail Controls will be applied where necessary, to reduce the business and security risks associated with electronic mail. Council employees must read and comply with Angus council s and Internet Usage Policy Security of Electronic Office Systems Clear policies and guidelines will be maintained to control the business and security risks associated with electronic office systems. 7.0 System Access Control 7.1 Business Requirement for System Access Objective: To control access to business information. Access to computer services and data will be controlled on the basis of business requirements. Procedures will be established to control access to computer systems and data. These procedures will take full account of policies for the dissemination of, and entitlement to access corporate data. Steps will be taken to make users aware of their responsibilities for maintaining effective system access controls, particularly regarding the use of user accounts, passwords and the security of information systems. Page : 20 May 2013

21 7.1.1 Documented Access Control Procedures Business requirements for access control will be defined and documented. It is the policy of Angus Council to restrict access to information systems to only those staff and authorised agents of the Council who require such access to enable them to undertake their duties. It is the responsibility of all Heads of Department, and Head of Information Technology to implement this policy as required. Each multi-user software application will have user access control procedures clearly defined by the departmental owner of the system. This procedure will define : The access rights of each user or group of users ; The security requirements of individual departments and support applications ; The relevant policy for information dissemination and entitlement ; Adherence to relevant legislation eg., Data Protection Act. 7.2 User Access Management Objective: To prevent unauthorised computer access. Information resources will be subject to risk assessment. Based on the results of the assessments, the necessary controls as specified in the Angus Council information Security Controls document will be applied. To maintain effective control over access to data and information systems, departmental directors will be responsible for ensuring and regularly reviewing; The level of access granted to a user is appropriate their business needs. Use of unique user accounts and passwords. Records of user access rights and group memberships are maintained.. The IT Division is informed immediately of all staff movements. 7.3 User Responsibilities Objective: To prevent unauthorised user access. The responsibilities of staff and authorised system users for the effective security of information systems, access controls and the use and protection of passwords is set out in the Information Security - User Guidelines. These guidelines will be distributed to all users of information systems within the Council. 7.4 Network Access Control Objective: Protection of Network Services Access to both internal and external networked services will be controlled. This is necessary to ensure that users that have access to Council network services do not compromise their security. Page : 21 May 2013

22 This will be done by ensuring, Appropriate interfaces between Council networks and others (public or private); Appropriate authentication systems for users; Control of user access to information systems Policy on Use Of Network Services Insecure connections to network services can affect the security of the whole Council. Users will only be granted access to services that they are specifically authorised to use. To protect Council information systems, controls as specified in the Angus Council Information Security Controls document will be applied as deemed necessary. 8 Systems Development and Maintenance 8.1 Security Requirements of Systems Objective: To ensure that security is built into information systems. The design and implementation of the business process supporting the application or service can be crucial for security. Security requirements will be identified and included in the system specification prior to the development or implementation of new information systems Security Requirements Analysis and Specification Specific checks will be made when upgrading operating systems or applications to ensure that systems security will not be compromised. To minimise the chance of compromising security, strict control will be exercised over the implementation of new software on operational systems. The installation and upgrade of operational systems will only be performed by arrangement with the Head of Information Technology. 8.2 Security in Application Systems To prevent loss, modification or misuse of user data in application systems, controls as specified in the Councils Information Security Controls document will be applied as necessary. 8.3 Security in Development and Support Environments Objective: To maintain the security of application system software and data. Managers and staff responsible for application systems development will ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system, data or operating system necessary and that formal agreement and approval for any change is obtained Change Control Procedures Page : 22 May 2013

23 In order to prevent the corruption of information systems, there will be strict control over the implementation of changes. Formal change control procedures will be implemented. These will ensure that security and control procedures are not compromised, and that developers are given access only to those parts of the system necessary for the purpose of effecting changes. 9 Business Continuity Planning Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures and disasters departmental business continuity management processes will be implemented. Departmental directors are responsible for formulating their departments Business Continuity Plan based on the following points. Council computer systems will be classified into three main categories, these being Council Core, Departmental Core and Non Core. The Head of Information Technology will provide the lead in carrying out risk assessment in relation to Council Core Systems and advising on the formulation of continuity plans for all likely disasters. Departmental Core and Departmental Non Core systems are the sole responsibility of the user department. Departments will appoint a lead officer to manage the business continuity process. Departments will carry out risk assessment in relation to Core Council business and (in cooperation with Head of Information Technology) formulate continuity plans for all likely disasters. Departments will assume responsibility for the maintenance and documentation of alternative manual procedures. Departments will establish an annual test procedure for continuity plans. Plans must include the disaster checklists required for each risk identified, resumption procedures, a list of contacts and a list of the minimum equipment required for ensuring business continuity. The Head of Information Technology will instigate a test programme in order to satisfy the adequacy of those aspects of the plans for which his staff have significant responsibility. Continuity plans are to be familiar to all staff within Departments Departments are responsible for the interim arrangements required to manage the continuity process. Continuity plans are to be stored in a secure, off site location. Departments will test the adequacy of current backup procedures to ensure the availability of complete backups including data, operating system and application software. The Head of Information Technology will accept responsibility for the co-ordination of IT systems recovery within the priority framework. Procedures will be established to annually review the contingency plans in response to operational or technological changes. 10 Compliance Page : 23 May 2013

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Network Security Policy

Network Security Policy IGMT/15/036 Network Security Policy Date Approved: 24/02/15 Approved by: HSB Date of review: 20/02/16 Policy Ref: TSM.POL-07-12-0100 Issue: 2 Division/Department: Nottinghamshire Health Informatics Service

More information

Mike Casey Director of IT

Mike Casey Director of IT Network Security Developed in response to: Contributes to HCC Core Standard number: Type: Policy Register No: 09037 Status: Public IG Toolkit, Best Practice C7c Consulted With Post/Committee/Group Date

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by: Tameside Metropolitan Borough Council ICT Security Policy for Schools Adopted by: 1. Introduction 1.1. The purpose of the Policy is to protect the institution s information assets from all threats, whether

More information

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified Author(s) Responsible Committee / Officers Issue Date Review Date Intended Audience Impact Assessed CCG Committee

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Version 1.0. Ratified By

Version 1.0. Ratified By ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified 5 th March 2013 Author(s) Responsible Committee / Officers Issue Date 5 th March 2013 Review Date Intended Audience

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY ISO 27002 5.1 Author: Owner: Organisation: Chris Stone Ruskwig TruePersona Ltd Document No: SP- 5.1 Version No: 1.0 Date: 10 th January 2010 Copyright

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 3.0 Ratified By Date Ratified April 2013 Author(s) Responsible Committee / Officers Issue Date January 2014 Review Date Intended Audience Impact

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review Date

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

INFORMATION SECURITY PROCEDURES

INFORMATION SECURITY PROCEDURES INFORMATION AN INFORMATION SECURITY PROCEURES Parent Policy Title Information Security Policy Associated ocuments Use of Computer Facilities Statute 2009 Risk Management Policy Risk Management Procedures

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen ICT Policy THCCGIT20 Version: 01 Executive Summary This document defines the Network Infrastructure and File Server Security Policy for Tower Hamlets Clinical Commissioning Group (CCG). The Network Infrastructure

More information

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy

More information

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose... IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This

More information

ULH-IM&T-ISP06. Information Governance Board

ULH-IM&T-ISP06. Information Governance Board Network Security Policy Policy number: Version: 2.0 New or Replacement: Approved by: ULH-IM&T-ISP06 Replacement Date approved: 30 th April 2007 Name of author: Name of Executive Sponsor: Name of responsible

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Information Security Management. Audit Check List

Information Security Management. Audit Check List Information Security Management BS 7799.2:2002 Audit Check List for SANS Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SPS (FW), IT Security Consultant. Approved by: Algis Kibirkstis Owner: SANS Extracts

More information

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

More information

YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY

YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY Author Head of IT Equality impact Low Original Date September 2003 Equality No This Revision September

More information

TELEFÓNICA UK LTD. Introduction to Security Policy

TELEFÓNICA UK LTD. Introduction to Security Policy TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15

More information

Information Security and Electronic Communications Acceptable Use Policy (AUP)

Information Security and Electronic Communications Acceptable Use Policy (AUP) Policy No.: AUP v2.0 Effective Date: August 16, 2004 Revision Date: January 17, 2013 Revision No.: 1 Approval jwv / mkb Information Security and Electronic Communications (AUP) 1. INTRODUCTION Southwestern

More information

Harper Adams University College. Information Security Policy

Harper Adams University College. Information Security Policy Harper Adams University College Information Security Policy Introduction The University College recognises that information and information systems are valuable assets which play a major role in supporting

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Management Standards for Information Security Measures for the Central Government Computer Systems

Management Standards for Information Security Measures for the Central Government Computer Systems Management Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 1.1 General...

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

Network Security Policy

Network Security Policy Department / Service: IM&T Originator: Ian McGregor Deputy Director of ICT Accountable Director: Jonathan Rex Interim Director of ICT Approved by: County and Organisation IG Steering Groups and their relevant

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation ICT SECURITY POLICY Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation Responsibility Assistant Principal, Learner Services Jannette

More information

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Version: 0.2 Committee Approved by: Audit Committee Date Approved: 15 th January 2014 Author: Responsible Directorate Information Governance & Security Officer, The Health Informatics

More information

Policy Document. Communications and Operation Management Policy

Policy Document. Communications and Operation Management Policy Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author

More information

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY Contents 1. Introduction 2. Objectives 3. Scope 4. Policy Statement 5. Legal and Contractual Requirements 6. Responsibilities 7. Policy Awareness and Disciplinary Procedures 8. Maintenance 9. Physical

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002)

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002) (NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002) 1. Approval and Authorisation Completion of the following signature blocks signifies

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Information Governance Policy (incorporating IM&T Security)

Information Governance Policy (incorporating IM&T Security) (incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

Information & ICT Security Policy Framework

Information & ICT Security Policy Framework Information & ICT Security Framework Version: 1.1 Date: September 2012 Unclassified Version Control Date Version Comments November 2011 1.0 First draft for comments to IT & Regulation Group and IMG January

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Information Security: Business Assurance Guidelines

Information Security: Business Assurance Guidelines Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies

More information

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...

More information

information systems security policy...

information systems security policy... sales assessment.com information systems security policy... Approved: 2nd February 2010 Last updated: 2nd February 2010 sales assessment.com 2 index... 1. Policy Statement 2. IT Governance 3. IT Management

More information

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy.

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy. Abstract This paper addresses the methods and methodologies required to develop a corporate security policy that will effectively protect a company's assets. Date: January 1, 2000 Authors: J.D. Smith,

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Governance and Corporate Affairs Committee Date: December 2014 Next Review Date: August 2016 Version: 0.2 Page 1 of 14 Review and Amendment Log / Control Sheet

More information

PCI Data Security and Classification Standards Summary

PCI Data Security and Classification Standards Summary PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers

More information

Information Security

Information Security Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY Information Security Policy INFORMATION SECURITY POLICY Introduction Norwood UK recognises that information and information systems are valuable assets which play a major role in supporting the companies

More information

Corporate Information Security Policy

Corporate Information Security Policy Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives

More information

Dublin Institute of Technology IT Security Policy

Dublin Institute of Technology IT Security Policy Dublin Institute of Technology IT Security Policy BS7799/ISO27002 standard framework David Scott September 2007 Version Date Prepared By 1.0 13/10/06 David Scott 1.1 18/09/07 David Scott 1.2 26/09/07 David

More information

Information security management systems Specification with guidance for use

Information security management systems Specification with guidance for use BRITISH STANDARD BS 7799-2:2002 Information security management systems Specification with guidance for use ICS 03.100.01; 35.020 This British Standard, having been prepared under the direction of the

More information

NHSnet SyOP 9.2 NHSnet Portable Security Policy V1. NHSnet : PORTABLE COMPUTER SECURITY POLICY. 9.2 Introduction

NHSnet SyOP 9.2 NHSnet Portable Security Policy V1. NHSnet : PORTABLE COMPUTER SECURITY POLICY. 9.2 Introduction NHSnet : PORTABLE COMPUTER SECURITY POLICY 9.2 Introduction This document comprises the IT Security policy for Portable Computer systems as described below. For the sake of this document Portable Computers

More information

Version: 2.0. Effective From: 28/11/2014

Version: 2.0. Effective From: 28/11/2014 Policy No: OP58 Version: 2.0 Name of Policy: Anti Virus Policy Effective From: 28/11/2014 Date Ratified 17/09/2014 Ratified Health Informatics Assurance Committee Review Date 01/09/2016 Sponsor Director

More information

University of Liverpool

University of Liverpool University of Liverpool IT Asset Disposal Policy Reference Number Title CSD 015 IT Asset Disposal Policy Version Number v1.2 Document Status Document Classification Active Open Effective Date 22 May 2014

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

Information Security Programme

Information Security Programme Information Security Programme Information Security Policy This document is issued in the strictest business confidence. It should be read in conjunction with a number of other supporting and complementary

More information

SECTION 15 INFORMATION TECHNOLOGY

SECTION 15 INFORMATION TECHNOLOGY SECTION 15 INFORMATION TECHNOLOGY 15.1 Purpose 15.2 Authorization 15.3 Internal Controls 15.4 Computer Resources 15.5 Network/Systems Access 15.6 Disaster Recovery Plan (DRP) 15.1 PURPOSE The Navajo County

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

Senior School 1 PURPOSE 2 SCOPE 3 SCHOOL RESPONSIBILITIES

Senior School 1 PURPOSE 2 SCOPE 3 SCHOOL RESPONSIBILITIES Senior School 1 PURPOSE The policy defines and describes the acceptable use of ICT (Information and Communications Technology) and mobile phones for school-based employees. Its purpose is to minimise the

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

ABERDARE COMMUNITY SCHOOL

ABERDARE COMMUNITY SCHOOL ABERDARE COMMUNITY SCHOOL IT Security Policy Drafted June 2014 Revised on....... Mrs. S. Davies (Headteacher) Mr. A. Maddox (Chair of Interim Governing Body) IT SECURITY POLICY Review This policy has been

More information

Access Control Policy

Access Control Policy Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you

More information

Internet Use Policy and Code of Conduct

Internet Use Policy and Code of Conduct Internet Use Policy and Code of Conduct UNIQUE REF NUMBER: AC/IG/023/V1.1 DOCUMENT STATUS: Agreed by Audit Committee 18 July 2013 DATE ISSUED: July 2013 DATE TO BE REVIEWED: July 2014 1 P age AMENDMENT

More information

An Approach to Records Management Audit

An Approach to Records Management Audit An Approach to Records Management Audit DOCUMENT CONTROL Reference Number Version 1.0 Amendments Document objectives: Guidance to help establish Records Management audits Date of Issue 7 May 2007 INTRODUCTION

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Information Security Policy

Information Security Policy Information Security Policy Last updated By A. Whillance/ Q. North/ T. Hanson On April 2015 This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is

More information

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé NHS HDL (2006)41 abcdefghijklm = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé Dear Colleague NHSSCOTLAND INFORMATION SECURITY POLICY Summary 1. NHSScotland IT Security Policy was

More information

Management Standards for Information Security Measures for the Central Government Computer Systems

Management Standards for Information Security Measures for the Central Government Computer Systems Management Standards for Information Security Measures for the Central Government Computer Systems April 26, 2012 Established by the Information Security Policy Council Table of Contents Chapter 1.1 General...

More information

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network...

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network... Contents 1 Purpose... 2 2 Scope... 2 3 Roles and Responsibilities... 2 4 Physical & Environmental Security... 3 5 Access Control to the Network... 3 6 Firewall Standards... 4 7 Wired network... 5 8 Wireless

More information

Document Type Doc ID Status Version Page/Pages. Policy LDMS_001_00161706 Effective 2.0 1 of 7 Title: Corporate Information Technology Usage Policy

Document Type Doc ID Status Version Page/Pages. Policy LDMS_001_00161706 Effective 2.0 1 of 7 Title: Corporate Information Technology Usage Policy Policy LDMS_001_00161706 Effective 2.0 1 of 7 AstraZeneca Owner Smoley, David Authors Buckwalter, Peter (MedImmune) Approvals Approval Reason Approver Date Reviewer Approval Buckwalter, Peter (MedImmune)

More information

Hengtian Information Security White Paper

Hengtian Information Security White Paper Hengtian Information Security White Paper March, 2012 Contents Overview... 1 1. Security Policy... 2 2. Organization of information security... 2 3. Asset management... 3 4. Human Resources Security...

More information

Information Security Policy. Information Security Policy. Working Together. May 2012. Borders College 19/10/12. Uncontrolled Copy

Information Security Policy. Information Security Policy. Working Together. May 2012. Borders College 19/10/12. Uncontrolled Copy Working Together Information Security Policy Information Security Policy May 2012 Borders College 19/10/12 1 Working Together Information Security Policy 1. Introduction Borders College recognises that

More information

LSE PCI-DSS Cardholder Data Environments Information Security Policy

LSE PCI-DSS Cardholder Data Environments Information Security Policy LSE PCI-DSS Cardholder Data Environments Information Security Policy Written By: Jethro Perkins, Information Security Manager Reviewed By: Ali Lindsley, PCI-DSS Project Manager Endorsed By: PCI DSS project

More information

REMOTE WORKING POLICY

REMOTE WORKING POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

Does it state the management commitment and set out the organizational approach to managing information security?

Does it state the management commitment and set out the organizational approach to managing information security? Risk Assessment Check List Information Security Policy 1. Information security policy document Does an Information security policy exist, which is approved by the management, published and communicated

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy

2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy Version History Author Approved Committee Version Status date Eddie Jefferson 09/15/2009 Full Governing 1.0 Final Version Body Eddie Jefferson 18/08/2012 Full Governing Body 2.0 Emended due to the change

More information

INFORMATION SECURITY POLICY. Contents. Introduction 2. Policy Statement 3. Information Security at RCA 5. Annexes

INFORMATION SECURITY POLICY. Contents. Introduction 2. Policy Statement 3. Information Security at RCA 5. Annexes INFORMATION SECURITY POLICY Ratified by RCA Senate, February 2007 Contents Introduction 2 Policy Statement 3 Information Security at RCA 5 Annexes A. Applicable legislation and interpretation 8 B. Most

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Decision on adequate information system management. (Official Gazette 37/2010)

Decision on adequate information system management. (Official Gazette 37/2010) Decision on adequate information system management (Official Gazette 37/2010) Pursuant to Article 161, paragraph (1), item (3) of the Credit Institutions Act (Official Gazette 117/2008, 74/2009 and 153/2009)

More information

Information Security Management. Audit Check List

Information Security Management. Audit Check List Information Security Management BS 7799.2:2002 Audit Check List for SANS Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SPS (FW), IT Security Consultant. Approved by: Algis Kibirkstis Owner: SANS Extracts

More information