Development trend 3: Cultivating an Information Security Culture
- Marcia Quinn
Chapter 6

6.1 Introduction

This chapter will investigate the third development trend of the institutional wave as described by Von Solms [VON01]. Von Solms identified this trend as the cultivation of an information security culture. This includes designing and implementing an information security awareness programme to educate employees about information security in the organisation. Implementing an effective information security awareness programme helps all employees understand why they need to take information security seriously, what they will gain from its implementation and how it will assist them in completing their assigned tasks. An effective information security awareness programme could be the most cost-effective initiative a company can take to protect its critical information assets [NET01]. This protection can only be provided if there are effective programmes in place to make certain that employees are aware of their responsibilities.

The NIST handbook [NIS00] states that people are a crucial factor in ensuring the security of computer systems and valuable information resources, because human actions account for a far greater degree of computer-related loss than all other sources combined. According to the information security breaches survey of 2000 [ISB00], a big problem that organisations face is training people to use systems properly and securely, because people think that whenever anything goes wrong it is always the information technology department's fault. It is the organisation's responsibility to make employees aware of information security policies and issues in the organisation. Without knowing the necessary security controls (and how to use them), users cannot be truly accountable for their actions [NIS00]. Organisations that have implemented strong protection mechanisms and have educated their staff are in the best position to protect their information from unauthorised disclosure or modification.

According to CCTA [CCT99], information security procedures must be integrated into the normal everyday routine, and staff should come to recognise security as an enabler rather than a barrier. The NIST handbook [NIS00] also stresses this everyday routine by stating that information security is an ongoing process. The process of making employees information security aware must continue after a candidate has been hired, which includes keeping employees up to date with their information security duties and responsibilities.

One method of making employees more aware of information security issues in the organisation is an information security awareness programme. Such a programme must be carefully thought through and correctly implemented to obtain optimal results, and must be structured in such a way that all employees, from top management to individuals, understand their responsibilities in terms of information security.

The rest of this chapter will investigate the importance of information security awareness in an organisation: why employees must be information security aware, how this awareness can be presented to employees, and the different methods that can be used to present it.
6.2 Information security awareness

According to Netigy [NET01], security professionals claim that there are three key elements for any security programme: availability, integrity and confidentiality. Corporate management must have confidence in the available information so that it can make informed business decisions. For this reason, information needs to be readily accessible, and controls and reporting mechanisms must be in place to detect unauthorised access, whether by someone outside the organisation or someone within. This idea of availability, integrity and confidentiality is also shared by Internet Security Systems [ISS00] when talking about information security awareness, and is depicted in Figure 6.1.

Figure 6.1: Influence of awareness (layers: business strategy; policy and guidelines; security frameworks, architecture and solutions; awareness and vigilance)

The figure shows that awareness has a big influence on the availability, integrity and confidentiality of information in an organisation. Internet Security Systems [ISS00] go on to state that this awareness can be obtained through employee education. This education is an ongoing effort to raise awareness of the need for information security at the senior management, administrator and end-user levels. The process cuts across all other security processes, as depicted in Figure 6.2 [ISS00].

Figure 6.2: Fundamental security management life cycle (best practices and guidelines at the centre of the cycle)

The figure shows that awareness (education) has an influence on best practices, which sit in the middle of the cycle. In a survey conducted by Information Week and PricewaterhouseCoopers [WOR98], employees and other authorised users were the source of most information security breaches in a corporate network. This has driven organisations to look at security from all angles and to define an overall security strategy that reduces their risks. These risks can involve a variety of breaches that can occur in an organisation; the next section investigates the different kinds of breaches in more detail.

6.3 Security breaches

According to a survey conducted by IDC [WOR98], more than 68% of organisations have deployed network firewalls. These dedicated security applications prevent hackers and other unauthorised users from accessing the corporate network. This "quick fix" has been adopted by almost everyone in the business environment, and such firewalls help to keep security breaches from outside the organisation to a minimum [WOR98]. According to Frank Prince, a senior security analyst at Forrester, the kinds of insider breaches that are the most costly get traced back to a human being, and become a physical security personnel issue [BRI00].

A survey held by Survey 200 [BRI00] investigated nine (A-I) insider breaches:

A: Installation/use of unauthorised software
B: Infection of company equipment via viruses/malicious code/executables
C: Use of company computing resources for illegal or illicit communications or activities
D: Abuse of computer access controls
E: Installation/use of unauthorised hardware/peripherals
F: Use of company computing resources for personal profit
G: Physical theft, sabotage or intentional destruction of computing equipment
H: Electronic theft, sabotage or intentional destruction/disclosure of proprietary data or information
I: Fraud
Figure 6.3 depicts the nine insider breaches with their percentages of occurrence.

Figure 6.3: Percentage of insider breaches (bar chart of breaches A to I against percentage of breaches)

Insider breaches may be partially addressed with an information security awareness programme. The survey also investigated whether these insider breaches were accidental or deliberate, as depicted in Figure 6.4.

Figure 6.4: Deliberate and accidental breaches (pie chart: accidental 48%; the deliberate and unsure slices are 35% and 17%)

The figure shows that 48% of all insider breaches in an organisation are accidental. This means that the employees did not know they were violating the integrity, confidentiality and/or availability of the information. If these employees had been more aware of the security issues in the organisation, the accidental breaches could have been avoided. One method that organisations can use to make employees more information security aware is an information security awareness programme, which the next section investigates in more detail.

6.4 An information security awareness programme

Presentation of an information security awareness programme

There are many different methods that can be used to present an information security programme to employees. Each method has its own advantages and disadvantages in educating employees, which are investigated in this chapter. The methods that will be investigated are:

- Posters
- Screensavers/mouse pads
- Calendars
- Workshops
- Videos
- Internet

Other methods that will not be investigated but are also useful in an information security awareness programme are brochures, newspapers and magazines. Small competitions can also be held in the organisation to encourage employees to participate in an information security awareness programme, for example monthly competitions to see which employee can submit the most interesting information security article he/she has read that month.

When planning an information security awareness programme, the following aspects must be looked at:

- The number of employees who are going to participate in the programme.
- The employees' geographical locations.
- The funds available for security awareness programmes.
- The timeframes available to complete the programme.
- The level of awareness that employees must have in order to comply.
- The amount of awareness information that can be displayed.

The rest of this chapter will investigate each of the information security awareness methods and compare them against the aspects mentioned above.

Posters

Posters must be carefully designed to educate the reader, providing the how and the why in order to gain the reader's acceptance, resulting in more widespread adoption of secure practices and greater compliance with existing standards. The advantage of this method is that posters are placed in areas where staff normally spend a couple of minutes, such as above water fountains and coffee machines or in tearooms. Posters can efficiently and effectively educate numerous staff on new security topics each and every month [SEC00]. Posters must be colourful and attract the employees' attention.

The disadvantage of this method is that the information security awareness team has no idea whether the employees actually read the posters and take the security issues on them seriously. Another disadvantage is that no matter how well the posters are designed, they will simply blend into the environment after a while. To prevent this from happening, all awareness techniques should be creative and changed frequently [NIS00]. A further disadvantage is that only a limited amount of awareness information can be printed on a poster. Posters are usually used if all the employees work at one central workplace. If employees work at different geographical locations, the cost of transport must be added, and there is always the uncertainty that a poster can get lost or misplaced and never reach the target employees. Figure 6.5 shows an example of a poster.

Figure 6.5: Example of a poster [ISA00]

Table 6.1 evaluates the poster method according to the criteria mentioned above.
Table 6.1: Evaluation of posters
  Number of employees involved: Medium
  Number of different geographical locations involved: High
  Funds needed: Low
  Timeframes needed for presentation: Low
  Level of awareness of employees: Low
  Amount of awareness information displayed: Low

Screensavers

There are many small things around the office and the workstation that can be used to present information security awareness to employees, such as screensavers and mouse pads. People seem to be intrigued by screensavers, which is why a screensaver is an effective way to bring information security awareness messages right to the individual end-user. The advantage is that screensavers can be used to convey information security facts, awareness tips, and quiz questions with answers, providing repetitive learning to employees. Short security-related animations can be included to help elevate interest and encourage attentiveness [SEC00]. The information security facts and awareness tips combined with the screensaver can be changed on a regular basis, for instance each month. Employees can obtain these screensavers by means of an e-mail sent by the information security awareness team. It is up to senior management to decide who must take responsibility for updating the screensavers; this responsibility can be given to an already established committee, such as the publicity committee, or a new committee can be formed to take responsibility for all information security awareness matters. If the screensaver is not animated, any poster design can be used.
Another method is using mouse pads to display awareness tips. A security tip is chosen in such a way that it will always be relevant and will be seen by the employee every time he/she works with the mouse. A security awareness tip can be something like "always keep your password secure" or "always remember to log off when finished working". A mouse pad can be seen as a small poster.

Figure 6.6: Example of a mouse pad [ISA00]

Table 6.2 evaluates the screensaver and mouse pad methods according to the criteria mentioned above.

Table 6.2: Evaluation of screensavers and mouse pads
  Criterion                                             Screensaver  Mouse pad
  Number of employees involved:                         High         Medium
  Number of different geographical locations involved:  High         Medium
  Funds needed:                                         Low          Medium
  Timeframes needed for presentation:                   Low          Low
  Level of awareness of employees:                      Low          Low
  Amount of awareness information displayed:            Low          Low
Calendars

Another method organisations can use to present information security awareness is calendars. Calendars contain the days, weeks and months of the year and are used on a daily basis. The size of calendars can differ, from pocket-size calendars to calendars that can be hung on a wall. Calendars don't have to be dry, boring memos circulated by the company or nagging tips of the day on pop-up menus. Instead, calendars must be created to be fun and eye-catching, and work as an alternative form of promotional material that gets the message across [ISA00]. Figure 6.7 is an example of a calendar.

Figure 6.7: Example of a calendar

Table 6.3 evaluates the calendar method according to the criteria mentioned above.

Table 6.3: Evaluation of calendars
  Number of employees involved: High
  Number of different geographical locations involved: High
  Funds needed: Medium
  Timeframes needed for presentation: Low
  Level of awareness of employees: Low
  Amount of awareness information displayed: Medium
Workshops

Holding a workshop is an excellent way to provide interaction and a personal touch to information security awareness training. Workshops must be designed to enable a person to easily present an awareness course to employees. This means that an information security awareness workshop must be interesting and easily understood by employees. The course can cover a variety of areas where employees may face information security issues in the performance of their normal daily activities. An objective of the workshops is for employees to learn about their responsibility towards protecting the information they work with [SEC00]. This can include workshops covering topics ranging from choosing and protecting passwords to making backups.

There are a few disadvantages that need to be considered when presenting workshops. One problem is the cost of the workshop: the security awareness team must organise a venue where the workshops are going to take place, and if the organisation does not have a suitable venue on the premises, an external venue must be rented. The employees must take time off from work to attend the workshops, and the productivity of the organisation will be affected if employees are absent for any period of time. At workshops, large amounts of information are given to the employees, and an employee might not be able to absorb all the information given to him. This means that an employee must learn at the presenter's pace and not his own, which is a great disadvantage. Another attendance problem arises when employees work at different locations. For example, if an organisation's head office is in Johannesburg and a second office is in Cape Town, the question arises as to where the workshop should be held. Do all the employees from Johannesburg travel down to Cape Town (with the organisation paying all expenses), or are there going to be two different workshops? The latter means two different venues and different people to present the workshop. The conclusion is that workshops are a very good and personal method for presenting security awareness programmes if all the employees are at one geographical location [ISA00].

Table 6.4 evaluates the workshop method according to the criteria mentioned above.

Table 6.4: Evaluation of workshops
  Number of employees involved: Low
  Number of different geographical locations involved: Low
  Funds needed: High
  Timeframes needed for presentation: High
  Level of awareness of employees: Medium
  Amount of awareness information displayed: High

Videos

Showing an information security awareness video is a good way to stimulate discussion in an information security awareness training session [IRO00]. It is through this discussion that managers and trainers can reinforce the need for information security in the organisation. Videos must be created in an interesting and humorous way so that employees find them interesting to watch. Videos can convey vast amounts of information in a short period of time. The disadvantage of the video method is that all the employees must be in one central area at the same time to watch the video, which means scheduling a venue and time that suits everyone. Videos can cost a lot of money to design and produce, but after the initial expense they are a cost-effective method that can be used in workshops (as mentioned above) to educate employees. Video is also an excellent tool for the orientation of new employees.

Table 6.5 evaluates the video method according to the criteria mentioned above.

Table 6.5: Evaluation of videos
  Number of employees involved: Medium
  Number of different geographical locations involved: Medium
  Funds needed: Medium
  Timeframes needed for presentation: Medium
  Level of awareness of employees: Low
  Amount of awareness information displayed: High

Internet and Intranet

Many organisations are finding that an effective way to provide information to their staff is through the company's intranet. This allows users to browse or search large amounts of information and learn at their own pace and on their own schedule. The method being used worldwide for making employees security aware is a security awareness website [SEC00]. Such a website can easily be customised to fit the organisation's image and inserted into the existing intranet structure. An editable contact page and link are available to inform the reader of whom to contact for more information and what to do in case of a security incident. This is a great tool for promoting awareness of any topic [SEC00].

The website can be designed to attract the employees' attention, for example by displaying jokes and cartoons. The information security awareness team can make learning about security issues fun by running competitions on the website, varying from crossword puzzles to word games. Competitions can also ask employees to find an article published in newspapers, magazines or on the web about any security situation that happened anywhere in the world. While searching for an article, employees learn about information security situations and what can go wrong in organisations. All the articles, or summaries of them, can then be published on the website for all employees to read, and the best one can win a prize. This motivates employees and lets them know that they can also gain from learning about information security aspects. These security awareness websites cost less than the other methods already mentioned, and can be updated on a regular basis so that employees will always find something new.

The website can be used not only to educate employees on information security awareness aspects but also to test them. Different information security tests, covering different security aspects, can be posted on the site for completion by employees. The results are then checked to see whether or not the employee successfully completed the test. If the employee failed, more information about the specific information security aspect(s) can be sent to the employee, who is then asked to take the test again. By doing the testing via the website, an information security awareness profile can be built up for every employee, and the results of all employees' tests can be added together to compile a profile of the state of information security awareness in the whole organisation.

Educating employees by means of a website has many advantages. This kind of security awareness education is not only for employees at the same geographical location but can be used for any employee anywhere in the world who has access to the Internet. This concept of education over the Internet falls into the category of distance learning/education.
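The testing and profiling flow described above (grade a test, send more material and request a retake for failed aspects, and roll individual results up into an organisation-wide profile), as an added example that is not part of the original chapter. The quiz bank, the 70% pass mark and the employee names are constructed assumptions.

```python
from collections import defaultdict

# Assumed pass mark: the chapter only says that a failed test triggers more
# information and a retake, so 70% is a constructed threshold.
PASS_MARK = 0.7

# Constructed quiz bank keyed by awareness aspect; the aspects are ones the
# chapter names, the questions and model answers are made up for this example.
QUIZ_BANK = {
    "Password Management": [
        ("Should you write your password on a note under the keyboard?", "no"),
        ("Should a temporary password be changed at the first log-on?", "yes"),
        ("Is six characters the minimum password length?", "yes"),
    ],
    "Backups": [
        ("Should backups be kept in the same room as the server?", "no"),
        ("Should you check that a backup can actually be restored?", "yes"),
    ],
}


class AwarenessSite:
    """Models the testing side of the intranet awareness site: grading,
    follow-up for failed aspects, and per-employee / organisation profiles."""

    def __init__(self, quiz_bank, pass_mark=PASS_MARK):
        self.quiz_bank = quiz_bank
        self.pass_mark = pass_mark
        # employee -> aspect -> scores of every attempt, in the order taken
        self.results = defaultdict(lambda: defaultdict(list))

    def take_test(self, employee, aspect, answers):
        """Grade one attempt. answers is a list in the quiz's question order.
        Returns (score, passed); the attempt is recorded in the profile."""
        questions = self.quiz_bank[aspect]
        if len(answers) != len(questions):
            raise ValueError("one answer per question is required")
        correct = sum(1 for (_, key), given in zip(questions, answers)
                      if given.strip().lower() == key)
        score = correct / len(questions)
        self.results[employee][aspect].append(score)
        return score, score >= self.pass_mark

    def follow_up(self, employee):
        """Aspects the employee has attempted but never passed: these are the
        aspects for which more material is sent and a retake is requested."""
        return sorted(aspect for aspect, scores in self.results[employee].items()
                      if max(scores) < self.pass_mark)

    def employee_profile(self, employee):
        """Best score per attempted aspect for one employee."""
        return {aspect: max(scores)
                for aspect, scores in self.results[employee].items()}

    def organisation_profile(self):
        """Per aspect: how many employees were tested, the share who have
        passed, and the mean of their best scores."""
        profile = {}
        for aspect in self.quiz_bank:
            best = [max(scores[aspect]) for scores in self.results.values()
                    if aspect in scores]
            if not best:
                continue
            passed = sum(1 for s in best if s >= self.pass_mark)
            profile[aspect] = {
                "tested": len(best),
                "pass_rate": passed / len(best),
                "mean_best": sum(best) / len(best),
            }
        return profile


if __name__ == "__main__":
    site = AwarenessSite(QUIZ_BANK)
    # Constructed run: a failing first attempt, follow-up, then a passing retake.
    print(site.take_test("employee-1", "Password Management", ["yes", "yes", "yes"]))
    print("needs follow-up on:", site.follow_up("employee-1"))
    print(site.take_test("employee-1", "Password Management", ["no", "yes", "yes"]))
    print(site.take_test("employee-2", "Backups", ["no", "no"]))
    print(site.organisation_profile())
```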
Figure 6.8: Internet awareness programme [SEC00]. Screenshot of the S-A-F-E ("Security Awareness for Everyone") site under the banner "Awareness is the key to security", with a main page linking to Passwords, PC Security and Backups. The Passwords page reads: "Passwords are an integral part of overall security. Unfortunately, they are one of the vulnerabilities most frequently targeted by someone trying to break into a system. There are several ways an unauthorized person (i.e. hacker/cracker) might try to gain access to another person's password. Often, people use personal information such as their own or a family member's name as a password. This is one of the first things a hacker or cracker might try. A more sophisticated method is password cracking software. Most of these programmes can 'crack' a password within seconds by using large dictionary files and lists of common names or passwords. Another type, known as a 'brute force' attack, attempts every possible combination of letters, numbers, or special characters." The page links back to the main page and on to "Creating Stronger Passwords".
According to Czirr [CZI00], an Internet education programme saves time and space and reduces or eliminates travel requirements for those working in satellite facilities. This means that the state of the organisation's information security awareness can be known at any time, and potential information security risks can be stopped well in advance. Figure 6.8 is an example of the home page of an information security awareness programme. Table 6.6 evaluates the Internet method according to the criteria mentioned above.

Table 6.6: Evaluation of Internet
  Number of employees involved: High
  Number of different geographical locations involved: High
  Funds needed: Low
  Timeframes needed for presentation: Medium
  Level of awareness of employees: Medium
  Amount of awareness information displayed: High

The contents of an information security awareness programme

The method used to present an information security awareness programme is very important, but what is more important is the awareness information that will be presented. Figure 6.2 depicted that education is based around a best practice. This means that an organisation must educate its employees about the information security awareness aspects that can be found in a best practice. One aspect that BS 7799 addresses is passwords. The section on password use falls under the heading "Access control" in the ISO/IEC guidebook and includes the following [BRI99]:
- Keep passwords confidential.
- Avoid keeping a paper record of passwords, unless this can be stored securely.
- Change passwords whenever there is any indication of possible system or password compromise.
- Select quality passwords with a minimum length of six characters.
- Do not base passwords on anything somebody else could easily guess or obtain.
- Keep passwords free of consecutive identical characters or all-numeric or all-alphabetical groups.
- Change passwords at regular intervals or based on the number of accesses.
- Change temporary passwords at the first log-on.
- Do not share individual user passwords.

The information security aspects mentioned above cover only a small amount of the information that can be included in an information security awareness programme. This information can be handed to employees in the following ways [SEC00]:

- Full presentation on CD
- Printed handouts
- Printed speaker notes
- Presenter's guide
- Customised audio intro
- End-user quiz

Information security aspects that can be included in the handouts mentioned above and discussed in an information security awareness programme include [SEC00]:

- Password Construction
- Password Management
- Internet Usage
- Telephone Fraud
- Usage
- Viruses
- PC Security
- Software Licensing
- Backups
- Physical Security
- Social Engineering
- Data Confidentiality

These are just some of the many aspects that can be included in the presentation of an information security awareness programme. Ultimately, each organisation must decide which information security aspects will be included in its awareness programme.

6.5 Conclusion

This chapter investigated the presentation methods that can be used to present information security awareness programmes to employees. The main purpose of an information security awareness programme is to make employees aware of their responsibilities in terms of information security in an organisation. All employees must be aware of information security measures before they can comply with them, so it is up to organisations to inform employees about information security issues. Using the definitions of confidentiality, integrity and availability, a basic understanding of information security is possible. These security awareness measures can be presented to employees by way of information security awareness programmes, and each of the presentation methods has been evaluated against a set of criteria. Information security awareness programmes cannot be once-off programmes; they must be ongoing for optimum results. These programmes and information security measures must become part of all employees' everyday routines. Before employees can start securing information in the workplace, they must know what can be done to prevent information security incidents.

The next chapter will investigate the fourth and last information security trend of the institutional wave: measuring the information security situation in an organisation. The reason for measuring information security is to determine whether or not information security measures are complied with.
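The BS 7799 password rules listed in section 6.4, turned into a checker that an awareness site could run behind its "Creating Stronger Passwords" page so an employee sees which rule a candidate password breaks. This is an added example, not code from the chapter or from BS 7799; the 90-day interval, the common-password list and the sample inputs are constructed assumptions.

```python
import re

# Taken from the BS 7799 rules listed in the chapter.
MIN_LENGTH = 6
# The rules only say "regular intervals"; 90 days is an assumed value.
MAX_AGE_DAYS = 90
# Constructed stand-in for the dictionary and common-password lists that
# cracking tools use, as described in Figure 6.8.
COMMON_PASSWORDS = {"password", "letmein", "welcome", "qwerty", "abc123"}


def check_password(password, personal_info=(), age_days=None, temporary=False):
    """Return the list of rule violations; an empty list means the password
    satisfies every rule this checker knows about.

    personal_info: names or other details someone else could easily guess
    age_days:      days since the password was last changed, if known
    temporary:     True for a temporary password issued by the administrator
    """
    problems = []
    if temporary:
        problems.append("temporary password must be changed at the first log-on")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Any character immediately repeated, e.g. "aa" or "11".
    if re.search(r"(.)\1", password):
        problems.append("contains consecutive identical characters")
    if password.isdigit():
        problems.append("all numeric")
    if password.isalpha():
        problems.append("all alphabetic")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in a common-password list")
    for item in personal_info:
        # Three characters is an assumed floor so that initials do not match everywhere.
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"based on easily guessed information ({item})")
            break
    if age_days is not None and age_days > MAX_AGE_DAYS:
        problems.append(f"not changed in the last {MAX_AGE_DAYS} days")
    return problems


def is_acceptable(password, **kwargs):
    """Convenience wrapper for a yes/no decision."""
    return not check_password(password, **kwargs)


if __name__ == "__main__":
    # Constructed samples; the names are made up.
    samples = [
        ("123456", {}),
        ("aabbcc", {}),
        ("john1x", {"personal_info": ("John", "Smith")}),
        ("Tr4in!ng", {"age_days": 152}),
        ("Tr4in!ng", {"personal_info": ("John", "Smith"), "age_days": 30}),
    ]
    for pw, kw in samples:
        print(f"{pw!r}: {check_password(pw, **kw) or 'ok'}")
```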
More informationSOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY
SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY OBJECTIVE To provide users with guidelines for the use of information technology resources provided by Council. SCOPE This policy
More informationINFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL
INFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL 1 INTRODUCTION The County of Imperial Information & Technical Services (ITS) Security Policy is the foundation of the County's electronic information
More informationYMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY
YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY Author Head of IT Equality impact Low Original Date September 2003 Equality No This Revision September
More informationAcceptable Use of Information Technology Policy
Acceptable Use of Information Technology Policy Date created: January 2006 Updated Review date: April June 2008 Review date: Oct Dec 2009 Introduction VAW provides IT facilities for promoting its charitable
More informationIT ACCESS CONTROL POLICY
Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance
More informationANNUAL SECURITY RESPONSIBILITY REVIEW
ANNUAL SECURITY RESPONSIBILITY REVIEW For Faculty and Staff Who Use Computers Minimally in their work May 2012 Training Topics What is Information Security? Review Security Vulnerabilities Phishing email
More informationTerms and Conditions of Use - Connectivity to MAGNET
I, as the Client, declare to have read and accepted the terms and conditions set out below for the use of the network connectivity to the Malta Government Network (MAGNET) provided by the Malta Information
More informationThink secure. Information security at the University of Copenhagen
Think secure Information security at the University of Copenhagen All staff and students at the University of Copenhagen (KU) have to be familiar with information security (IS), because: we need to take
More informationThe Ministry of Information & Communication Technology MICT
The Ministry of Information & Communication Technology MICT Document Reference: ISGSN2012-10-01-Ver 1.0 Published Date: March 2014 1 P a g e Table of Contents Table of Contents... 2 Definitions... 3 1.
More informationICT OPERATING SYSTEM SECURITY CONTROLS POLICY
ICT OPERATING SYSTEM SECURITY CONTROLS POLICY TABLE OF CONTENTS 1. INTRODUCTION... 3 2. LEGISLATIVE FRAMEWORK... 3 3. OBJECTIVE OF THE POLICY... 4 4. AIM OF THE POLICY... 4 5. SCOPE... 4 6. BREACH OF POLICY...
More informationOnline Security Awareness - UAE Exchange - Foreign Exchange Send Money UAE Exchange
The responsibility of safeguarding your personal information starts with you. Your information is critical and it must be protected from unauthorised disclosure, modification or destruction. Here we are
More informationINFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c
INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information
More informationAcceptable Use of ICT Policy. Staff Policy
Acceptable Use of ICT Policy Staff Policy Contents INTRODUCTION 3 1. ACCESS 3 2. E-SAFETY 4 3. COMPUTER SECURITY 4 4. INAPPROPRIATE BEHAVIOUR 5 5. MONITORING 6 6. BEST PRACTICE 6 7. DATA PROTECTION 7 8.
More informationThe Internet and e-mail 2 Acceptable use 2 Unacceptable use 2 Downloads 3 Copyrights 3 Monitoring 3. Computer Viruses 3
Table of Contents 1 Acceptable use 1 Violations 1 Administration 1 Director and Supervisor Responsibilities 1 MIS Director Responsibilities 1 The Internet and e-mail 2 Acceptable use 2 Unacceptable use
More informationThe evolution of data connectivity
Leveraging the Benefits of IP and the Cloud in the Security Sector The CCTV and alarm industry has relied on analogue or Integrated Services Digital Network (ISDN) communications to provide data connectivity
More informationGETTING PHYSICAL WITH NETWORK SECURITY WHITE PAPER
GETTING PHYSICAL WITH NETWORK SECURITY WHITE PAPER Molex Premise Networks EXECUTIVE SUMMARY This article discusses IT security, which is a well documented and widely discussed issue. However, despite the
More informationService Children s Education
Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and
More informationQUALIFICATION HANDBOOK
QUALIFICATION HANDBOOK Level 2 Extended Certificate in Health Informatics (7450-12) February 2012 Version 1.0 Qualification at a glance Subject area City & Guilds number 7450 Health Informatics Age group
More informationU07 Information Security Incident Policy
Dartmoor National Park Authority U07 Information Security Incident Policy June 2010 This document is copyright to Dartmoor National Park Authority and should not be used or adapted for any purpose without
More informationMusina Local Municipality. Information and Communication Technology User Account Management Policy -Draft-
Musina Local Municipality Information and Communication Technology User Account Management Policy -Draft- Version Control Version Date Author(s) Details V1.0 June2013 Perry Eccleston Draft Policy Page
More informationCyril Onwubiko Networking and Communications Group http://ncg. ncg.kingston.ac.
Cyril Onwubiko Networking and Communications Group http://ncg ncg.kingston.ac..ac.uk http://ncg.kingston.ac.uk +44 (0)20 8547 2000 Security Threats & Vulnerabilities in assets are two most fundamental
More informationInformation Security Incident Reporting & Investigation
Information Security Incident Reporting & Investigation Purpose: To ensure all employees, consultants, agency workers and volunteers are able to recognise an information security incident and know how
More informationISO27001 Controls and Objectives
Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the
More informationAs a System user you need to be informed of the following issues that are governed by Trust policies and by law. Password Control Page 2
JAC MEDICINES MANAGEMENT CLINICAL DATA SYSTEM SECURITY DOCUMENT It is very important that information on JAC is kept secure from unauthorised access and that no one is able to use the system that has not
More informationCyber Security Incident Reporting Scheme
OCIO/G4.12a ISMF Guideline 12a Cyber Security Incident Reporting Scheme BACKGROUND Reporting cyber security incidents is a source of intelligence information that assists in the development of a greater
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationNine Steps to Smart Security for Small Businesses
Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...
More informationNetwork Security Policy
IGMT/15/036 Network Security Policy Date Approved: 24/02/15 Approved by: HSB Date of review: 20/02/16 Policy Ref: TSM.POL-07-12-0100 Issue: 2 Division/Department: Nottinghamshire Health Informatics Service
More informationWEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY
WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4
More informationInformatics Policy. Information Governance. Network Account and Password Management Policy
Informatics Policy Information Governance Policy Ref: 3589 Document Title Author/Contact Document Reference 3589 Document Control Network Account Management and Password Policy Pauline Nordoff-Tate, Information
More informationWHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY?
WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY? Contents Introduction.... 3 What Types of Network Security Services are Available?... 4 Penetration Testing and Vulnerability Assessment... 4 Cyber
More informationInformation Services. Protecting information. It s everyone s responsibility
Information Services Protecting information It s everyone s responsibility Protecting information >> Contents >> Contents Introduction - we are all responsible for protecting information 03 The golden
More informationPrivacy and Electronic Communications Regulations
ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3
More informationInternet basics 2.3 Protecting your computer
Basics Use this document with the glossary Beginner s guide to Internet basics 2.3 Protecting your computer How can I protect my computer? This activity will show you how to protect your computer from
More informationNetwork Password Management Policy & Procedures
Network Password Management Policy & Procedures Document Ref ISO 27001 Section 11 Issue No Version 1.3 Document Control Information Issue Date April 2009, June 2010, September 2011 Status Approved By FINAL
More informationINFORMATION & COMMUNICATIONS TECHNOLOGY (ICT) PHYSICAL & ENVIRONMENTAL SECURITY POLICY
INFORMATION & COMMUNICATIONS TECHNOLOGY (ICT) PHYSICAL & ENVIRONMENTAL SECURITY POLICY 1. PURPOSE In respect to this policy the term physical and environmental security refers to controls taken to protect
More informationNational Cyber Security Month 2015: Daily Security Awareness Tips
National Cyber Security Month 2015: Daily Security Awareness Tips October 1 New Threats Are Constantly Being Developed. Protect Your Home Computer and Personal Devices by Automatically Installing OS Updates.
More informationIntroduction to Computer Security
Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer Security is the protection of computing systems and the data that they store or access 3 Why is Computer Security
More informationHengtian Information Security White Paper
Hengtian Information Security White Paper March, 2012 Contents Overview... 1 1. Security Policy... 2 2. Organization of information security... 2 3. Asset management... 3 4. Human Resources Security...
More informationICT POLICY AND PROCEDURE
ICT POLICY AND PROCEDURE POLICY STATEMENT St Michael s College regards the integrity of its computer resources, including hardware, databases and software, as central to the needs and success of our day-to-day
More informationCode of Business Principles Helping us do the right thing
Code of Business Principles Helping us do the right thing Code of Business Principles Helping us do the right thing Contents 01 Foreword 02 Who is the code for? 03 Where to find advice or raise a concern
More informationVersion: 2.0. Effective From: 28/11/2014
Policy No: OP58 Version: 2.0 Name of Policy: Anti Virus Policy Effective From: 28/11/2014 Date Ratified 17/09/2014 Ratified Health Informatics Assurance Committee Review Date 01/09/2016 Sponsor Director
More informationInformation Technology Cyber Security Policy
Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please
More information2. _General Help and Technical Support
1. _Welcome Welcome to Business Internet Banking. Our online service is available 06:00 AM ET 12:00 AM (Midnight) ET, seven days a week, so you and your employees can manage your business banking accounts
More informationDevelopment / Monitoring / Review of this Policy. Schedule for Development / Monitoring / Review
Blakeley Heath Primary School E-Safety Policy Development / Monitoring / Review of this Policy This e-safety policy has been developed by a working group made up of: Headteacher Coordinator Staff including
More informationData Protection Act 1998. Guidance on the use of cloud computing
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
More informationSecurity Awareness Quiz Questions
Category Question Awareness Quiz Questions Answer 1. Why is backing up data files important? Backups ensure that the information you need is there when you need it If the information is damaged it can
More informationInformation Resources Security Guidelines
Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive
More informationThe supplier shall have appropriate policies and procedures in place to ensure compliance with
Supplier Instructions for Processing of Personal Data 1 PURPOSE SOS International has legal and contractual obligations on the matters of data protection and IT security. As a part of these obligations
More informationData Security Incident Response Plan. [Insert Organization Name]
Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security
More informationMike Casey Director of IT
Network Security Developed in response to: Contributes to HCC Core Standard number: Type: Policy Register No: 09037 Status: Public IG Toolkit, Best Practice C7c Consulted With Post/Committee/Group Date
More information2) applied methods and means of authorisation and procedures connected with their management and use;
Guidelines on the way of developing the instruction specifying the method of managing the computer system used for personal data processing, with particular consideration of the information security requirements.
More informationINFORMATION SECURITY INCIDENT MANAGEMENT PROCESS
INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS Effective Date June 9, 2014 INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS OF THE HELLER SCHOOL FOR SOCIAL POLICY AND MANAGEMENT Table of Contents 1.
More informationTameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:
Tameside Metropolitan Borough Council ICT Security Policy for Schools Adopted by: 1. Introduction 1.1. The purpose of the Policy is to protect the institution s information assets from all threats, whether
More informationICTN 4040. Enterprise Database Security Issues and Solutions
Huff 1 ICTN 4040 Section 001 Enterprise Information Security Enterprise Database Security Issues and Solutions Roger Brenton Huff East Carolina University Huff 2 Abstract This paper will review some of
More informationData Protection Act 1998. Bring your own device (BYOD)
Data Protection Act 1998 Bring your own device (BYOD) Contents Introduction... 3 Overview... 3 What the DPA says... 3 What is BYOD?... 4 What are the risks?... 4 What are the benefits?... 5 What to consider?...
More informationSecurity+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation
Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 14 Risk Mitigation Objectives Explain how to control risk List the types of security policies Describe how awareness and training
More informationInformation Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project
Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project Introduction This Advice provides an overview of the steps agencies need to take
More informationSocial Network Security. Frank K. F. Chow Vice-Chairperson Professional Information Security Association (PISA)
Social Network Security Frank K. F. Chow Vice-Chairperson Professional Information Security Association (PISA) How Do We Communicate Today? I can write you a letter by snail mail. I can write you a letter
More informationNHSnet SyOP 9.2 NHSnet Portable Security Policy V1. NHSnet : PORTABLE COMPUTER SECURITY POLICY. 9.2 Introduction
NHSnet : PORTABLE COMPUTER SECURITY POLICY 9.2 Introduction This document comprises the IT Security policy for Portable Computer systems as described below. For the sake of this document Portable Computers
More informationSo the security measures you put in place should seek to ensure that:
Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.
More informationNCS 330. Information Assurance Policies, Ethics and Disaster Recovery. NYC University Polices and Standards 4/15/15.
NCS 330 Information Assurance Policies, Ethics and Disaster Recovery NYC University Polices and Standards 4/15/15 Jess Yanarella Table of Contents: Introduction: Part One: Risk Analysis Threats Vulnerabilities
More informationELECTRONIC INFORMATION SECURITY A.R.
A.R. Number: 2.6 Effective Date: 2/1/2009 Page: 1 of 7 I. PURPOSE In recognition of the critical role that electronic information systems play in City of Richmond (COR) business activities, this policy
More information2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy
Version History Author Approved Committee Version Status date Eddie Jefferson 09/15/2009 Full Governing 1.0 Final Version Body Eddie Jefferson 18/08/2012 Full Governing Body 2.0 Emended due to the change
More informationThreats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1
Threats and Attacks Modifications by Prof. Dong Xuan and Adam C. Champion Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to:
More informationInformation Security Policy September 2009 Newman University IT Services. Information Security Policy
Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms
More informationSTUDENT S INFORMATION SECURITY GUIDE
STUDENT S INFORMATION SECURITY GUIDE April 2013 Table of contents Information security is important - also for you...1 Use strong passwords and keep them safe...2 E-mail use...3 Beware of phishing and
More informationCyber Security Awareness
Cyber Security Awareness User IDs and Passwords Home Computer Protection Protecting your Information Firewalls Malicious Code Protection Mobile Computing Security Wireless Security Patching Possible Symptoms
More informationDATA PROTECTION AND DATA STORAGE POLICY
DATA PROTECTION AND DATA STORAGE POLICY 1. Purpose and Scope 1.1 This Data Protection and Data Storage Policy (the Policy ) applies to all personal data collected and dealt with by Centre 404, whether
More informationGetting a Secure Intranet
61-04-69 Getting a Secure Intranet Stewart S. Miller The Internet and World Wide Web are storehouses of information for many new and legitimate purposes. Unfortunately, they also appeal to people who like
More informationExecutive Management of Information Security
WHITE PAPER Executive Management of Information Security _experience the commitment Entire contents 2004, 2010 by CGI Group Inc. All rights reserved. Reproduction of this publication in any form without
More informationIDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience
IDENTITY & ACCESS Privileged Identity Management controlling access without compromising convenience Introduction According to a recent Ponemon Institute study, mistakes made by people Privilege abuse
More informationNetwork and Workstation Acceptable Use Policy
CONTENT: Introduction Purpose Policy / Procedure References INTRODUCTION Information Technology services including, staff, workstations, peripherals and network infrastructures are an integral part of
More informationBSHSI Security Awareness Training
BSHSI Security Awareness Training Originally developed by the Greater New York Hospital Association Edited by the BSHSI Education Team Modified by HSO Security 7/1/2008 1 What is Security? A requirement
More informationINTERNET, E-MAIL USE AND
INTERNET, E-MAIL AND TELEPHONE USE AND MONITORING POLICY Originated by: Customer Services LJCC: 10 th April 2008 Full Council: June 2008 Implemented: June 2008 1.0 Introduction and Aim 1.1 The aim of this
More informationIncident Categories (Public) Version 3.0-2016.01.19 (Final)
Incident Categories (Public) Version 3.0-2016.01.19 (Final) Procedures (PRO 303) Department: GOVCERT.LU Classification: PUBLIC Contents 1 Introduction 3 1.1 Overview.................................................
More informationSaint Martin s Catholic Academy
Saint Martin s Catholic Academy E-Safety Policy - Acceptable Use - Students January 2015 Why have an Acceptable Use Policy? An Acceptable Use Policy is about ensuring that you, as a student at Saint Martin
More informationSecurity Solutions. Protecting your data.
Security Solutions Protecting your data. Ricoh your reliable partner Innovations in information technology have radically changed the way information is created, managed, distributed and stored. This tremendous
More information