Qatar University Information Security Policies Handbook November 2013
Produced by: Information Technology Services Department / Information Security
Reviewed by: Office of Associate Vice President for Facilities & Information Technology
Table of Contents

PL-ITS-ISO-001: INFORMATION SECURITY POLICY
PL-ITS-ISO-002: INFORMATION SECURITY MANAGEMENT
PL-ITS-ISO-003: INFORMATION ASSET CLASSIFICATION
PL-ITS-ISO-004: PRIVACY AND PROTECTION OF PERSONAL INFORMATION
PL-ITS-ISO-005: RISK MANAGEMENT
PL-ITS-ISO-006: BUSINESS CONTINUITY MANAGEMENT
PL-ITS-ISO-007: IT SYSTEMS SECURITY COMPLIANCE
PL-ITS-ISO-008: ACCESS CONTROL AND PRIVILEGES
PL-ITS-ISO-009: SOFTWARE SECURITY
PL-ITS-ISO-010: MEDIA SECURITY
PL-ITS-ISO-011: MALWARE PROTECTION
PL-ITS-ISO-012: MOBILE COMPUTING AND TELEWORKING
PL-ITS-ISO-013: DATA RETENTION AND ARCHIVAL
PL-ITS-ISO-014: SECURITY AWARENESS
PL-ITS-ISO-015: INTELLECTUAL PROPERTY
PL-ITS-ISO-016: LEGAL AND FORENSICS POLICY
PL-ITS-ISO-017: PHYSICAL SECURITY
PL-ITS-ISO-018: ACCEPTABLE USE OF INFORMATION RESOURCES
PL-ITS-ISO-019: USE OF NETWORK SERVICES
PL-ITS-ISO-020: USER ACCOUNT MANAGEMENT
PL-ITS-ISO-021: ACCESS POLICY ... 79
1 PL-ITS-ISO-001: Information Security Policy

Contents: Policy Description; Policy; Security Values
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

1.1 Policy Description

Qatar University considers information to be a strategic asset that is essential to its core mission and business operations. Furthermore, the University values the privacy of individuals and is dedicated to protecting the information with which it is entrusted. Therefore, the University is committed to providing the resources needed to ensure the confidentiality, integrity, and availability of its information, as well as to reduce the risk of exposure that would damage the reputation of the University.

1.2 Who Should Know This Policy

President
Vice President
Associate Vice President for Facilities & IT
Associate Vice President for Administration
Legal Advisor
Dean
Director / Departmental Head
Faculty
Accounting / Finance Personnel
Students
Employees
All users of QU information assets
1.3 Policy

The Board of Regents, President, senior management and employees at Qatar University are committed to protecting the confidentiality and integrity of all information assets, ensuring availability in accordance with business objectives, and conducting business in compliance with all statutory, regulatory and legal requirements.

1.4 Security Values

The policy supports the following core security values:

1. The Policy is designed to support the mission of the University by protecting the University's resources, reputation, legal position, and ability to conduct its operations. It is intended to facilitate activities that are important to the University.
2. The Policy is consistent with, and serves to enforce, relevant University policies, contracts and license agreements governing software, copyrighted files, and other forms of intellectual property; and laws and policies governing student, employee, and research information, other sensitive information, and records retention laws and policies.
3. Information privacy is covered in the University Privacy Policy.
4. Not all University resources require the same level of protection. Policy requirements are formulated with the objective that the measures applied be commensurate with the sensitivity and value of resources and the actual threats to those resources. The intent is not to dictate requirements whose implementation would impose unnecessary costs.
5. The Policy articulates requirements that are intended to be consistent with best practices at institutions of higher education, and in line with local and international standards.
6. All members of the University community share in the responsibility for protecting the University resources to which they have access or over which they have custodianship. The Policy recognizes that people will need adequate information, training, and tools to exercise their responsibilities, and that these responsibilities must be made explicit.
7. The Policy intends that members of the University community be accountable for their access to and use of University resources.
8. The Policy aims to mandate specific procedures and practices only where necessary to provide adequate protection. The goal is that members of the University community be able to exercise their discretion and best judgment when determining how to protect the resources for which they are responsible, subject to legal and other obligations and policies of the University. Where procedures and practices are required, they are meant to be flexible enough to change as circumstances change.
9. It is not possible to prevent all incidents affecting information technology.
10. The Policy is designed to ensure that appropriate measures are taken to prepare for possible incidents, including the implementation of business continuity measures to protect critical information systems and processes.
11. The Policy recognizes that revisions may be required and that reassessment of the Policy is valuable.
2 PL-ITS-ISO-002: Information Security Management

Contents: Policy Description; Who Should Know This Policy; Scope; Policy; Roles and Responsibilities
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

2.1 Policy Description

The Information Security Management Policy establishes the foundation for managing the information security program at Qatar University.

2.2 Who Should Know This Policy

President
Vice President
Associate Vice President for Facilities & IT
Associate Vice President for Administration
Legal Advisor
Dean
Director / Departmental Head
Faculty
Accounting / Finance Personnel
Students
Employees
All users of QU information assets
2.3 Scope

This policy applies to all systems and individuals that access, handle, or use QU information assets.

2.4 Policy

Qatar University is committed to ensuring the proper management and security of its information assets in accordance with established best practices, and in compliance with all relevant laws and regulations. In particular, the University shall keep the Qatar Government Information Assurance Policy (GIA) in focus as it develops its information security and assurance strategy. In that regard:

1. Qatar University's executive management fully supports the establishment of an Information Security Office (ISO) that will be the focal point for all information security-related matters involving QU information assets.
2. Qatar University's leadership team is the highest approval authority for all policies and strategic plans related to information security.
3. Qatar University shall establish a steering committee to address the organization's information security issues and provide guidelines for the proper management of information assets. This committee shall include representatives from various academic, research, administrative, and technology fields.
4. The Information Security Office (ISO) is responsible for the development, oversight, and implementation of all information security-related functions at all locations and venues managed and operated by QU. In addition, the ISO shall assure the proper handling of QU information by third parties through oversight and constant monitoring and review.
5. Major business units at QU shall identify at least one person to act as a liaison with the central Information Security Office. This information security liaison shall be well versed in the major aspects of the business unit, in particular with respect to the flow of information within the unit.
6. Information owners shall be responsible for the identification and proper classification of their information assets. They are also responsible for defining proper access authorization levels to their institutional data.
7. Information custodians shall be responsible for implementing the controls identified and recommended by the ISO.
8. Ultimately, the protection of all information resources, including hardware, software, data, and documentation, is a fundamental responsibility of all QU personnel.
2.5 Roles and Responsibilities

All QU constituents are expected to fully cooperate with the Information Security Office in its mission to ensure the confidentiality, integrity, and availability of QU information assets.

QU Executive Management Committee

With regard to information security, the QU Executive Management Committee shall:

1. Provide insight, guidance, and general input with regard to QU strategy as it relates to information assurance.
2. Ensure the support of the various business units for information assurance initiatives.

Information Security Steering Committee

The Information Security Steering Committee's role is mainly to validate and promote the recommendations of the Information Security Office in its leading role in the information assurance process. The Committee's role is critical in:

- The establishment and ratification of information security policies, guidelines, and standards.
- Monitoring of guidelines to ensure that QU personnel adhere to the information security policies.
- The promotion of information security awareness and its importance to the University.

Information Security Office (ISO)

The ISO shall work with the various functional and technical groups on campus to assure the appropriate levels of confidentiality, integrity, and availability of information assets for the respective stakeholders. The Information Security Office (ISO) shall:

1. Identify, develop, and produce the necessary policies, guidelines, standards, and other documents needed to ensure the appropriate levels of confidentiality, integrity, and availability (C.I.A.) of information assets. This shall be accomplished in cooperation with the various entities identified in the Information Security Management Policy.
2. Respond to and manage exceptions to information security-related policies.
3. Establish and maintain compliance with relevant laws, regulations, standards, and generally accepted best practices as they relate to information assurance.
4. Ensure that QU's information security policies are in compliance with the Qatar Government Information Assurance Policy or its equivalent, and associated laws and regulations.
5. Embrace a risk-based information security management program that identifies the risks associated with the processing, storage, transmission, and management of QU information assets.
6. Report to senior management, and have:
   a. Status sufficient to effectively review systems security and implement recommendations for improvements to systems security; and
   b. Sufficient authority to implement the QU information security policies and standards.
7. Have sufficient resources to execute the tasks it has been assigned.
8. Provide central IT management with audit logs of their critical system components. The review and follow-up of issues will be performed on a regular basis.
9. Be directly responsible for ensuring that all QU personnel are aware of their obligations to safeguard the University's information assets.
10. Enforce the implementation of information security policies as set out in this document.

Information Security Liaison

Major business and technical units shall be identified and requested to appoint at least one Information Security Liaison to act as the single point of contact for the ISO within the unit. The Information Security Liaison shall:

1. Be well versed in the business conducted within the business unit, in particular with regard to the flow and handling of information.
2. Assist the ISO in the data classification, process analysis, and risk assessment efforts necessary to implement a risk-based security management framework.
3. Inform the business unit of relevant information security efforts, policies, and guidelines.
4. Ensure that business unit input is communicated to, and considered by, the ISO for further action.

Information Owners

Information owners are expected to:

1. Be able to assert their ownership of their data.
2. Define and maintain information assurance profiles for their information and related processes, e.g. classification, access control, chain of authority, etc.
3. Report any breaches or attempts at compromising their information to the appropriate authority.

Information Custodians

Information custodians are expected to:

1. Be able to identify the owners of the data with which they are entrusted.
2. Implement and maintain the baseline controls necessary to protect the data in accordance with the QU information security guidelines.
3. Report any breaches or attempts at compromising their information to the appropriate authority.

Information Users

Information users must:

1. Comply with all policies approved by Qatar University's Higher Management and communicated by the ISO.
2. Ensure that QU's information resources are maintained and utilized in the most efficient way possible and are used for legitimate business purposes only.
3. Ensure that information and data are used solely for the purposes specified by the resource owner/custodian.
3 PL-ITS-ISO-003: Information Asset Classification

Contents: Policy Description; Who Should Know This Policy; Overview; Scope; Policy; Information Asset Classification Model; Data Handling Guidelines
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

3.1 Policy Description

The purpose of the Information Asset Classification Policy is to provide a foundation for the development and implementation of the security controls necessary to protect information according to its value and/or risk.

3.2 Who Should Know This Policy

President
Vice President
Associate Vice President for Facilities & IT
Associate Vice President for Administration
Legal Advisor
Dean
Director / Departmental Head
Faculty
Accounting / Finance Personnel
Students
Employees
All users of QU information assets
3.3 Overview

For the purpose of information assurance, an information asset ("Asset") is defined as one of the following:

1. Electronic or other forms of data that are used to conduct University business.
2. Hardware, software, processes, and/or people utilized in the access, processing, transport, and/or storage of data as defined above.

A consistent framework for asset classification is a fundamental requirement and a basic building block in establishing a sound information security policy. The Information Asset Classification Policy defined in this document demands close cooperation between the various business units and the Information Security Office in order to properly control and protect QU information. This policy shall remain consistent with the Qatar Government's Information Assurance Policy (GIAP) or equivalent.

3.4 Scope

The Information Asset Classification Policy applies to all information assets that are handled, maintained, or operated by Qatar University or its associates in the course of conducting the University's business. This policy applies equally to all QU information assets regardless of their location or custodian affiliation.

3.5 Policy

1. All information owners shall classify their information and associated processes according to the guidelines provided below.
2. Qatar University shall implement the minimum appropriate set of baseline controls required to ensure the confidentiality, integrity, and availability of QU information assets. Information custodians and/or the Information Security Office may require the implementation of additional controls as deemed appropriate.
3. All individuals who access or process QU information assets shall adhere to the defined protection controls.
4. The Information Asset Classification Policy shall remain in compliance with the Qatar Government Information Assurance Policy (GIAP) or equivalent.

3.6 Information Asset Classification Model

The Information Asset Classification Model is based on the Asset Classification Model of the Qatar Government Information Assurance Policy Manual. Unless otherwise specified, the default classification for all assets is C1 (Internal).
The following table summarizes the classification labels for an asset's Confidentiality, Integrity, and Availability (C.I.A.). The full label of an asset is the combination of all three labels; e.g. the label C0I1A2 results in an overall rating of M (Medium).

Security Classification Table (adopted from the Qatar Government Information Assurance Manual)

                              Availability
Integrity   Confidentiality   A0   A1   A2   A3
I0          C0                L    M    H    ?
I0          C1                L    L    M    H
I0          C2                M    M    M    H
I0          C3                H    H    H    H
I1          C0                L    L    M    H
I1          C1                L    L    M    H
I1          C2                M    M    M    H
I1          C3                H    H    H    H
I2          C0                M    M    M    H
I2          C1                M    M    M    H
I2          C2                M    M    M    H
I2          C3                H    H    H    H
I3          C0                H    H    H    H
I3          C1                H    H    H    H
I3          C2                H    H    H    H
I3          C3                H    H    H    H

Note: the I0/C0 row has only three entries (L, M, H) in the source text; one of its four values is missing and is shown as "?".

Confidentiality Labels

C0 Public: Public information is intended for general disclosure. There is no requirement for confidentiality controls. Classification label: Unclassified, Public or no label.

C1 Internal: For internal use; material whose disclosure would cause light to moderate damage to the affected party. Only QU employees and staff should have access to internal departmental information. Employees may share internal information with others based upon University business and operational needs.
Classification label: Internal

C2 Limited Access: Access for defined users, roles or user groups, according to specific rules; material whose disclosure would cause serious damage to the affected party (e.g. HR data, sensitive constituent data, etc.). Only QU employees and staff who have a legitimate business and operational need may have access to this type of information. Disclosure of this type of information requires the approval of the data owner. Classification label: Limited Access

C3 Restricted: Confidential information with access limited to a very small set of persons; material whose disclosure would cause severe damage to the affected party (Board/executive/minister level management changes, decisions, etc.). Highly sensitive information should be strictly controlled, with limited access and disclosure granted within the QU campus. Only QU employees and staff who have authorization from the relevant information owner, and have signed a confidentiality agreement, can access this type of information. In certain cases a written approval might be needed to handle this type of information, depending on the data owner and department director. Classification label: Restricted

C4+ National Security Markings: Information which has nationwide implications should be marked as Confidential, Secret or Top Secret.

Integrity Labels

Label   Description
I0      Source of information and time of change are not important
I1      It should be possible to identify the source of information and the time of changes
I2      Source of information and time of change are identified and periodically checked
I3      Authenticity and integrity should be provable to a third party
3.6.3 Availability Labels

Label   Reliability                                                Allowed Downtime   Allowed Max. Response Time
A0      Reliability and productivity/reaction time not important
A1      90%                                                        17 hr/week         1-10 hours
A2      99%                                                        2 hr/week          1-10 minutes
A3      (value missing in source)                                  10 min/week        1-10 seconds

3.7 Data Handling Guidelines

Guidelines on the handling of classified assets at Qatar University include:

1. Do not discuss or display QU Restricted or Limited Access information in an environment where it may be viewed by unauthorized persons.
2. When sending classified information by e-mail, ensure that the content is encrypted.
3. Do not send classified messages via instant messaging or unsecured file transfer unless they are encrypted.
4. Store electronic media (including backups) containing such information in a secure location. If this media contains QU classified information, encrypt it, inventory it and review the inventory periodically.
5. When printing, photocopying or faxing QU classified information, ensure that only an authorized person will be able to obtain the output.
6. Paper documents should be stored in a locked area to prevent unauthorized access.
7. Do not leave keys or access badges for rooms or file cabinets containing classified or confidential information in areas accessible to all.

Destruction

University information records should be properly disposed of with the assistance of the Information Security Office, which will assist in properly destroying the media holding this information and will take special care not to wipe out needed information.

Declassification

Data declassification can be done either by the owner or by the University if the information is no longer Restricted, Limited Access or Internal. While defining the information classification, the owner should define the time period for which the information is to be considered classified.
4 PL-ITS-ISO-004: Privacy and Protection of Personal Information

Contents: Policy Description; Who Should Know This Policy; Scope; Responsibilities; Policy
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

4.1 Policy Description

The purpose of this policy is to identify and implement controls that will keep the risks to information assets at an acceptable level.

4.2 Who Should Know This Policy

President
Vice President
Associate Vice President for Facilities & IT
Associate Vice President for Administration
Legal Advisor
Dean
Director / Departmental Head
Faculty
Accounting / Finance Personnel
Students
Employees
All users of QU information assets
4.3 Scope

The policy applies to all personal data held by QU.

4.4 Responsibilities

All users of QU IT resources are responsible for adherence to this policy.

4.5 Policy

1. QU is committed to complying with the applicable requirements of local and international laws and regulations for data protection and privacy.
2. QU ensures compliance with contractual requirements for data protection and privacy.
3. All QU users handling personal data are responsible for the protection and privacy of the data held in any form, including paper and electronic.
4. Personal data is classified as C2 Limited Access.
5. Any breach of this policy is subject to disciplinary action.
5 PL-ITS-ISO-005: Risk Management

Contents: Policy Description; Who Should Know This Policy; Overview; Scope; Policy; Roles and Responsibilities; Vulnerability Assessment Guidelines
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

5.1 Policy Description

The purpose of this policy is to identify and implement controls that will keep the risks to information assets at an acceptable level.

Who Should Know This Policy

President
Vice President
Associate Vice President for Facilities & IT
Associate Vice President for Administration
Legal Advisor
Dean
Director / Departmental Head
Faculty
Accounting / Finance Personnel
Students
Employees
All users of QU information assets
5.2 Overview

Periodic threat and vulnerability assessments are essential and allow for proactive management of the risks associated with the use of information assets. A threat and vulnerability assessment can point out potential weaknesses, thereby allowing the responsible security team to take proactive measures to mitigate the associated risks. The resulting actions can range from defining policies to implementing specific administrative or technical controls.

5.3 Scope

This policy applies to all QU information systems, defined as any device, system, or service that is owned and/or operated by QU or that holds QU information.

5.4 Policy

1. Periodic threat and vulnerability assessments shall be carried out based on the criticality of the QU information systems. Mitigations for identified threats and/or vulnerabilities shall be recommended by the ISO and implemented by the custodians of the information system prior to deployment. For information systems that are already deployed, the system custodian shall coordinate with the ISO on a suitable mitigation plan.
2. If the system custodians do not mitigate identified threats and/or vulnerabilities within a pre-defined time interval, the ISO shall have the authority to isolate the information system from the network until corrective action is taken.

5.5 Roles and Responsibilities

The asset owners shall:

1. In coordination with the ISO, categorize the QU information system as high, moderate or low based on ISO-approved and published guidelines.
2. Ensure that proper authorization and access are given to an ISO-approved assessor for conducting the security assessment. Consent should be provided before performing such an assessment.
3. Devise a Plan of Action and Milestone (POAM) based on the threat and/or vulnerability findings and mitigation plans.
4. Authorize re-testing after action is taken to mitigate the identified risks.

The security assessor shall:

1. Inform the appropriate stakeholders, including management, the system administrators and the system owners, of threat and vulnerability assessment activities.
2. Develop threat and vulnerability assessment plans in cooperation with the system managers, covering the scope of the plans and the activities that will be carried out.
3. Execute examinations and tests, and collect all relevant data.
4. Analyze the collected data and develop mitigation recommendations.
5. Conduct additional examinations and tests as needed to validate mitigation actions.

5.6 Vulnerability Assessment Guidelines

Vulnerability assessment frequency depends on the criticality of the information system, based on its Confidentiality, Integrity and Availability ratings, as outlined in the table below:

Category   Security Assessment Frequency
High       6 months
Moderate   12 months
Low        18 months
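The classification model of section 3.6 and the assessment-frequency table of section 5.6 can be applied together to an asset inventory. The following Python script is an added example, not part of the handbook and not a QU tool. It assumes that the table's L/M/H ratings correspond to the Low/Moderate/High categories of the frequency table, and that the I0/C0 row, which is incomplete in the handbook text, reads L L M H like the I1/C0 row; the asset inventory at the bottom is constructed for illustration.

```python
"""Added example: apply the handbook's classification model and assessment
frequencies to an asset inventory.  Not part of the QU handbook."""
import calendar
import re
from datetime import date

# Security Classification Table (section 3.6): for each (integrity,
# confidentiality) pair, the overall rating for availability A0..A3 as a
# four-character string of L/M/H.
CLASSIFICATION_TABLE = {
    # ASSUMPTION: the I0/C0 row is incomplete in the handbook text; "LLMH"
    # mirrors the I1/C0 row.
    (0, 0): "LLMH", (0, 1): "LLMH", (0, 2): "MMMH", (0, 3): "HHHH",
    (1, 0): "LLMH", (1, 1): "LLMH", (1, 2): "MMMH", (1, 3): "HHHH",
    (2, 0): "MMMH", (2, 1): "MMMH", (2, 2): "MMMH", (2, 3): "HHHH",
    (3, 0): "HHHH", (3, 1): "HHHH", (3, 2): "HHHH", (3, 3): "HHHH",
}

# ASSUMPTION: L/M/H map to the Low/Moderate/High categories of section 5.6,
# whose assessment frequencies are 18, 12 and 6 months respectively.
CATEGORY_NAME = {"L": "Low", "M": "Moderate", "H": "High"}
ASSESSMENT_INTERVAL_MONTHS = {"L": 18, "M": 12, "H": 6}

DEFAULT_CONFIDENTIALITY = 1            # section 3.6: default is C1 (Internal)
PERSONAL_DATA_MIN_CONFIDENTIALITY = 2  # section 4.5: personal data is C2

LABEL_RE = re.compile(r"^C([0-4])I([0-3])A([0-3])$")


def parse_label(label):
    """Split a combined label such as 'C0I1A2' into (c, i, a) integers."""
    match = LABEL_RE.match(label.strip().upper())
    if not match:
        raise ValueError(f"malformed classification label: {label!r}")
    c, i, a = (int(g) for g in match.groups())
    if c == 4:
        # C4+ carries national security markings and is outside this table.
        raise ValueError("C4+ assets use national security markings")
    return c, i, a


def make_label(confidentiality=None, integrity=0, availability=0):
    """Build a label, applying the C1 default when confidentiality is unspecified."""
    c = DEFAULT_CONFIDENTIALITY if confidentiality is None else confidentiality
    return f"C{c}I{integrity}A{availability}"


def overall_rating(label):
    """Look up the overall L/M/H rating for a combined label."""
    c, i, a = parse_label(label)
    return CLASSIFICATION_TABLE[(i, c)][a]


def check_personal_data(label, holds_personal_data):
    """Return a finding if an asset holding personal data is labelled below C2."""
    c, _, _ = parse_label(label)
    if holds_personal_data and c < PERSONAL_DATA_MIN_CONFIDENTIALITY:
        return [f"{label}: personal data requires at least "
                f"C{PERSONAL_DATA_MIN_CONFIDENTIALITY} (Limited Access)"]
    return []


def add_months(start, months):
    """Advance a date by whole months, clamping to the target month's length."""
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    return date(year, month, min(start.day, calendar.monthrange(year, month)[1]))


def next_assessment_due(label, last_assessed):
    """Date by which the next vulnerability assessment is due (section 5.6)."""
    return add_months(last_assessed, ASSESSMENT_INTERVAL_MONTHS[overall_rating(label)])


def review_inventory(assets):
    """Produce one report row per asset: category, findings, next assessment."""
    report = []
    for asset in assets:
        rating = overall_rating(asset["label"])
        report.append({
            "name": asset["name"],
            "category": CATEGORY_NAME[rating],
            "findings": check_personal_data(asset["label"], asset["personal_data"]),
            "next_assessment": next_assessment_due(asset["label"], asset["last_assessed"]),
        })
    return report


# Constructed sample inventory for illustration; these are not real QU assets.
SAMPLE_ASSETS = [
    {"name": "public-website", "label": "C0I1A2", "personal_data": False,
     "last_assessed": date(2013, 11, 1)},
    {"name": "hr-records", "label": "C1I2A1", "personal_data": True,
     "last_assessed": date(2013, 11, 1)},
    {"name": "student-records-db", "label": "C3I3A3", "personal_data": True,
     "last_assessed": date(2013, 11, 1)},
]

if __name__ == "__main__":
    for row in review_inventory(SAMPLE_ASSETS):
        print(row["name"], row["category"], row["next_assessment"], row["findings"])
```

The C0I1A2 example from the handbook resolves to M, the hr-records entry is flagged because personal data labelled C1 falls below the C2 the privacy policy requires, and the High-rated database comes due for reassessment six months after its last assessment.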
6 PL-ITS-ISO-006: Business Continuity Management

Contents: Policy Description; Who Should Know This Policy; Scope; Policy; Institutional Context; Responsibilities and Approvals; Procedures; Definitions
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

6.1 Policy Description

QU shall conduct Business Continuity Planning to minimize any disruption to the continuity of its operations. Information Technology Services shall take the necessary steps to ensure the restoration of information service related operations and activities as soon as possible following an emergency or critical incident.

6.2 Who Should Know This Policy

President
Vice President
Associate Vice President for Facilities & IT
Associate Vice President for Administration
Legal Advisor
Dean
Director / Departmental Head
Faculty
Accounting / Finance Personnel
Students
Employees
All users of QU information assets
6.3 Scope

This policy applies to all staff and areas within the University and its controlled entities.

6.4 Policy

1. Business continuity management is an integral part of the University's overall risk management, corporate governance and quality management framework.
2. Using a risk management approach, the University's key business interruption risks are to be identified and assessed so as to ensure the uninterrupted availability of all key business resources required to support essential or critical business activities.
3. All unacceptably high business interruption risks will be subject to risk mitigation treatment in line with the University's overall risk management plans. The effectiveness of the business continuity management program is to be constantly monitored and regularly reviewed.

6.5 Institutional Context

The University has an obligation to its stakeholders (students, staff and the wider community) to ensure that its operations can continue at a pre-determined minimum level in the event of a major disruptive incident. Through the adoption of Business Continuity Management best practices the University will achieve its business continuity objectives of:

1. Providing timely availability of the key resources necessary to operate the critical business processes at a level of operation that is acceptable to management.
2. Maintenance of staff, student, client and other stakeholder contact and confidence.
3. Fulfillment of regulatory requirements.
4. Safeguarding our reputation and public image.
5. Controlling extraordinary expenditure caused by the event.
6. Controlling risk in priority areas.

All organizations have potential risk areas. Some of the most common, in the educational institution's context, with their associated preventative requirements (controls), are:

1. Information Systems (including academic and other records): ensuring security is maintained; ensuring the physical assets are protected against damage or loss and records are controlled and secure.
2. Financial Systems and Procedures: ensuring systems cannot be misused; ensuring appropriate accountability for the expenditure of funding; ensuring the security of financial assets.
3. Buildings, Infrastructure and other Assets: ensuring the organization's resources are protected against damage or loss; ensuring University material assets are available to support key business activities.

6.6 Responsibilities and Approvals

Risk Management Committee

Business Continuity Management is a component of the overall risk management function of the University, overseen at a strategic level by the Risk Management Committee. This committee:

1. ensures that the University maintains effective risk management practices across all areas of its activities;
2. oversees the development of a systematic and coordinated risk management framework;
3. monitors the external risk environment;
4. ensures appropriate

Business Units

It is the responsibility of the business units, both academic and administrative, to ensure that they have enough information in their specific Business Continuity Plans to enable them to recover from an incident and continue to provide a service to clients within acceptable timeframes.

Information Security Office

The University Information Security Office shall consider coverage and review of this policy during the course of the annual audit program.

6.7 Procedures

Under this Policy, it is incumbent upon all University managers to ensure that the key functions for which they have responsibility are able to continue following major disruptive events, and that arrangements are in place to achieve this. This requires the proactive development, maintenance and devolution of business continuity planning within their areas. Managers are expected to encourage and facilitate the active participation of staff in business continuity issues, and must ensure that key personnel are able to perform competently during a major disruptive event.

Developing the Business Continuity Plan (BCP)

While a variety of approaches may achieve the same result, there is a common set of requirements that any approach should provide for. These include the means of identifying:

1. The critical business objectives that still must be achieved during and after a major disruption.
2. Stakeholder expectations of acceptable service delivery.
3. The likely scenarios that may result in disruption to the business.
4. What is important to protect, provide or operate during a disruption, i.e. the critical business functions and processes.
5. The people, infrastructure and data resources required to maintain a minimal acceptable level of operations.
6. Communications requirements and the methods and channels of dissemination.

The Process

1. Identify the critical business functions and processes that support the achievement of key business objectives. This involves the identification of core business objectives, the critical business functions that support these objectives, and their critical success factors.
2. The maximum period of time (Maximum Acceptable Outage) that each of the University's key functions and processes can operate before the loss of critical resources affects overall operations needs to be defined at this time.
3. Identify the types of disruptions (risks) that are likely to occur and that will need to be catered for. The actual events do not necessarily have to be considered individually, but the impact of losing key resources, facilities, processes, etc. as a result of a disastrous event must be.
4. These impacts will probably be similar across the operations of the University, but each business unit will need to consider such impacts on its own operations. The vulnerability of business processes and their interdependencies should be considered as part of this analysis.
5. Any Business Continuity Plan (BCP) should allow the organization to respond flexibly to a wide variety of potential disruption scenarios.
6. Each business unit will then need to identify its business cycles, because the severity of a disruption will depend upon where each area is within its business cycle.
7. While this, in the University context, will be similar for many areas and units, it will not necessarily be the same for all. During some stages of a business cycle (the academic year, for example), a limited resource outage can be more disruptive than at other stages. At these times, decisions in relation to implementing emergency alternative procedures to cater for the outage/loss will need to be made more quickly.
8. Conduct a business impact analysis to identify the effect of the different types of outages/losses on the key business functions/processes at each phase of the business cycle. Often there will need to be alternative approaches to cater for disruptions to or losses of different resources, facilities etc. at various times of the year. The loss of a work space, for example, will require different contingency procedures from the loss of computing resources, even at the same point in the business cycle.
9. Identify and document existing workarounds and continuity arrangements. The development of alternative procedures to be implemented in the event of a major disruption can become part of the area's business improvement plan.
10. Identify the resources required to ensure speedy restoration of a minimum acceptable level of the area's key operations.
11. These might include people (specialist and support); IT infrastructure; information and data (hardcopy and electronic); office and specialist equipment; facilities and accommodation; internal dependencies and/or interfaces (e.g. other business units); external dependencies and/or interfaces (e.g. suppliers, contractors, customers, competitors and regulators etc.); and current stock holdings, among others.
12. The resource requirements for business continuity can be considered in relation to other business requirements and included in budget proposals.
13. Senior management will need to consider the business impact analysis of each area to determine what additional resources are required across the University. The approach to meeting these requirements, including the sequence in which they should be provided, is to be determined.
14. The BCP should be documented in such a way that it is of practical use in a disaster and that it fulfills business, regulatory, training and audit requirements.
15. A BCP communications strategy should be developed which should include identification of who needs information, what information is needed, how that information can be provided, what constraints on its provision might exist and who has the authority to approve the communications.
16. The strategy should also define the means by which different types of messages will be promulgated to each of the stakeholders.
17. There should be BCP testing and training: a verification process to ensure that staff are familiar with the business continuity measures to be implemented and that the various components of the plan function properly. At this stage, plan inadequacies are identified and corrected.
18. BCP reviews and updates should occur on a regular basis to ensure its currency. Any changes to business functions and activities, key dependencies, facilities and supporting infrastructure etc. must be reflected in the plan.

6.8 Definitions
Disaster: An unexpected disruption to normal business of sufficient duration to cause unacceptable loss to the organization, necessitating disaster recovery procedures to be activated.
Disaster Recovery: Activities and procedures designed to return the organization to an acceptable condition following a disaster.
Business Continuity: The uninterrupted availability of all key resources supporting essential business functions.
Business Continuity Management: Provides for the availability of processes and resources in order to ensure the continued achievement of critical objectives.
Business Continuity Planning: A process developed to ensure continuation of essential business operations at an acceptable level during and following a disaster.
Maximum Acceptable Outage (MAO), also Maximum Tolerable Outage (MTO) and Maximum Downtime (MD): The maximum period of time that critical business processes can operate before the loss of critical resources affects their operations.
7 PL-ITS-ISO-007: IT Systems Security Compliance

Contents: Policy Description; Who Should Know This Policy; Overview; Scope; Policy; Exceptions; Security Compliance Standard
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

7.1 Policy Description
The purpose of the IT Systems Security Compliance policy is to ensure that information security is considered prior to any IT system procurement or deployment.

7.2 Who Should Know This Policy
- President
- Vice President
- Associate Vice President for Facilities & IT
- Associate Vice President for Administration
- Legal Advisor
- Dean
- Director/Departmental Head
- Faculty
- Accounting/Finance Personnel
- Students
- Employees
- All users of QU information assets

IT Systems Security Compliance 28
7.3 Overview
The IT Systems Security Compliance Policy defines compliance guidelines for all information systems considered for use at Qatar University.

7.4 Scope
The IT Systems Security Compliance policy applies to all IT systems under consideration for use at Qatar University. An IT System is any combination of hardware, software, and/or IT services that will access and/or process Qatar University electronic data.

7.5 Policy
1. All IT systems being considered, purchased, or deployed must undergo a security assessment by the Information Security Office.
2. The security assessment must be included as an integral part of any Request for Proposals, feasibility studies, contracts, or other such efforts that may lead to the procurement of an IT system.
3. IT system compliance requirements are to be set by the QU Information Security Office.

7.6 Exceptions
Exceptions to this policy MUST be submitted to the Information Security Office, which will review the request and pass it on to the office of the VP for Facilities and Information Technology for further action. Approved exceptions are then documented and communicated to the requesting party.

7.7 Security Compliance Standard
Requests for Proposal (RFPs) or communication with potential vendors regarding the requisition of an IT system must consider the security implications of the IT system early in the process. The sections below outline the information that is needed for the Information Security Office to properly assess the suitability of a proposed solution from an information security perspective.

General Information
The following information must be provided to the Information Security Office prior to the RFP/request being released to Procurement:
1. Name/Title of the IT system
2. General system description/purpose
3. System type (e.g. major application, general support system, etc.)
4. Data sources and types that will be used in the product/service
5. Data security classification, if known (Low, Medium, High; contact the ISO for further details)
6. Contact information:
   a. QU authorizing official/sponsor
   b. QU functional/end user contact(s)
   c. QU technical contact(s)
   d. Vendor contacts (sales, management, technical)
   e. Other designated contacts (e.g. major stakeholders)
   f. Assignment of security responsibility (i.e. person/group responsible for communicating with the Information Security Office regarding information security requirements)

VENDOR Requirements
The following information must be requested from potential VENDORs as part of their proposal response submittal:
1. An architecture overview of the proposed IT system depicting major components and associated interactions and data exchange boundaries
2. Major IT system components and roles (hardware, software, communication equipment, databases, web servers, etc.)
3. Detailed security design for the proposed solution, including:
   a. Organizational structure and relationships between systems managers, security personnel, and users
   b. User roles and access requirements
   c. Authentication method
   d. Logical access control (authorization)
   e. Access control
   f. Application security and malicious code protection mechanisms
   g. Security audit and reporting process
   h. Security awareness requirements
   i. Physical security requirements
4. A list of security controls that are included, planned, and/or expected for the IT system. A table with the following information would be preferred:
   a. Security control title
   b. Details on the implementation requirements and plan for the security control
   c. Any scoping guidance that has been applied and what type of consideration
   d. Indicate if the security control is a common control and who is responsible for its implementation
5. A data classification matrix for each data element. At a minimum, the matrix should include:
   a. Data element description
   b. Data classification, as follows:
      C0 Public
      C1 Internal
      C2 Limited Access
      C3 Restricted
      C4 National Security Markings
   c. Function/process using the data
   d. System and/or database where the data is stored
   e. Associated security controls, as detailed above

Hosted Service Requirements
For IT systems that are not hosted at QU-managed facilities, potential vendors must provide details on the following, IN ADDITION to the above:
1. Data recoverability and migration process
2. Details on the VENDOR's hosting and storage facilities and network redundancy capabilities
3. Operational controls adopted at the VENDOR's facilities
4. Data protection controls
5. Incident response process
6. Service level agreements, including clauses that address timely notification of breaches to data security

Notification of Change to Solution
Any changes to the project as approved must be communicated to the Information Security team for further review and re-examination for compliance.

7.9 Notification of Security Compliance
The Information Security Office will work with the project team on addressing the security requirements and will notify the project manager of the compliance status prior to the RFP being released.
8 PL-ITS-ISO-008: Access Control and Privileges

Contents: Policy Description; Who Should Know This Policy; Overview; Scope; Policy
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

8.1 Policy Description
The purpose of this policy is to prevent inappropriate use of QU resources by the staff, faculty, students and other employees.

8.2 Who Should Know This Policy
- President
- Vice President
- Associate Vice President for Facilities & IT
- Associate Vice President for Administration
- Legal Advisor
- Dean
- Director/Departmental Head
- Faculty
- Accounting/Finance Personnel
- Students
- Employees
- All users of QU information assets

Access Control and Privileges 33
8.3 Overview
The policy is developed to minimize risk to QU resources and information assets by establishing the principle of least privilege for QU users, which includes staff, faculty, students, guests and other employees, to perform their job functions. Technical support staff, security administrators, system administrators and others may have special access account privilege requirements compared to normal users.

8.4 Scope
The policy applies to all students, faculty, staff and other employees having access to QU computing systems, applications, network, files and other information resources.

8.5 Policy
1. Asset owners should apply the principle of least privilege when defining access, to ensure that users have only the permissions needed to perform their job functions.
2. The allocation of privileged rights should be restricted and controlled.
3. Access privileges beyond the need-to-know requirements shall be assessed for risk and dealt with accordingly.
4. Privileges assigned to each user must be reviewed on a regular basis, and modified or revoked upon a change in status within the University. When the privileges assigned to an individual change (e.g. due to a change in role or responsibilities), access to University IT resources should be adjusted accordingly.
5. QU holds the right to revoke access privileges in case of abuse.
6. Privileged users should not access user data under any circumstances, unless expressly authorized by the University or the asset owner.
7. Each individual that uses Administrative/Special access accounts must use the account privilege most appropriate for the work being performed.
8. Access granted to vendors, sub-contractors and other non-QU employees or workers shall be revoked when their association with QU ends.
9 PL-ITS-ISO-009: Software Security

Contents: Policy Description; Who Should Know This Policy; Scope; Policy; Guidelines; Non-Compliance and Exceptions; References
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

9.1 Policy Description
The purpose of this policy is to ensure that the appropriate information security controls are implemented for all QU in-house, outsourced and contracted application development.

9.2 Who Should Know This Policy
- President
- Vice President
- Associate Vice President for Facilities & IT
- Associate Vice President for Administration
- Legal Advisor
- Dean
- Director/Departmental Head
- Faculty
- Accounting/Finance Personnel
- Students
- Employees
- All users of QU information assets

Software Security 35
9.3 Scope
This standard applies to all software applications being developed or administered by faculty, staff, student employees, contractors and vendors that are designed to handle or manage university data and that are running on devices, physical or virtual. Adherence to this standard will increase the security of applications and help safeguard university resources.

9.4 Policy
To keep risk to an acceptable level, the Information Security Office shall ensure that the proper security controls will be implemented for each application developed. These controls will vary in accordance with the sensitivity and criticality of each application.

9.5 Guidelines

Minimum Security Standards
The minimum standards applicable to the development of applications designed to handle or manage university data are listed below. All listed standards are generally required for applications designed to handle or manage confidential university data and are either required or recommended for all other applications.

Standard | Practice | Confidential University Data | All Other Data
1 | Classify the university data handled or managed by the application. | Required | Required
2 | Prominently display a Confidential Record banner on the screen or interface in use by the application, depending on the type of data being accessed. | Recommended | Recommended
3 | Display no data that have been specifically restricted by external law or policy. | Required | [value not recoverable from the extracted source]
4 | Ensure applications validate input properly and restrictively, allowing only those types of input that are known to be correct. Examples of the flaws that improper input validation allows include, but are not limited to, cross-site scripting, buffer overflow errors, and injection flaws. | Required | Recommended
5 | Ensure applications execute proper error handling so that errors will not provide detailed system information, deny service, impair security mechanisms, or crash the system. | Required | Required
6 | Ensure applications processing data properly authenticate users through central authentication systems (Active Directory, LDAP, RADIUS), where possible. | Required | Required
7 | Establish authorizations for applications by affiliation, membership, or employment, rather than by individual, where possible. | Recommended | Recommended
8 | Use central authorization tools (Enterprise Directory Service or Active Directory for rudimentary authorization decisions with appropriate configuration) where possible, and if additional functionality (such as attribute or grouping) is needed, coordinate development with the Information Security Office. | Recommended | Recommended
9 | Provide automated review of authorizations where possible. | Recommended | Recommended
10 | Set any individual authorizations to expire and require their renewal on a periodic basis, at least annually. | Required | Recommended
11 | Ensure applications make use of secure storage for university data as required by confidentiality, integrity and availability needs. Personal information must be encrypted. Security for all other data can be provided by means such as, but not limited to, encryption, access controls, file system audits, physically securing the storage media, or any combination thereof as deemed appropriate. | Required | Recommended
12 | Implement encrypted communications for services or applications, as required by confidentiality and integrity needs. | Required | Recommended
13 | Implement the use of application logs to the extent practical, given the limitations of certain systems to store large amounts of log data. When logging access to university data, store logs of all users and times of access for at least 14 days. | Required | Recommended
More informationDoes it state the management commitment and set out the organizational approach to managing information security?
Risk Assessment Check List Information Security Policy 1. Information security policy document Does an Information security policy exist, which is approved by the management, published and communicated
More informationCentral Agency for Information Technology
Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage
More informationINITIAL APPROVAL DATE INITIAL EFFECTIVE DATE
TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology
More informationSupporting FISMA and NIST SP 800-53 with Secure Managed File Transfer
IPSWITCH FILE TRANSFER WHITE PAPER Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer www.ipswitchft.com Adherence to United States government security standards can be complex to plan
More informationCITY UNIVERSITY OF HONG KONG
CITY UNIVERSITY OF HONG KONG (Approved by the Information Strategy and Governance Committee in December 2013) PUBLIC Date of Issue: 2013-12-24 Document Control Document Owner Classification Publication
More informationISMS Implementation Guide
atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 Tel: 512-615-7300 Fax: 512-615-7301 www.atsec.com ISMS Implementation Guide atsec information security ISMS Implementation
More information---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---
---Information Technology (IT) Specialist (GS-2210) IT Security Model--- TECHNICAL COMPETENCIES Computer Forensics Knowledge of tools and techniques pertaining to legal evidence used in the analysis of
More informationIndiana University of Pennsylvania Information Assurance Guidelines. Approved by the Technology Utilities Council 27-SEP-2002
Indiana University of Pennsylvania Information Assurance Guidelines Approved by the Technology Utilities Council 27-SEP-2002 1 Purpose... 2 1.1 Introduction... 2 1.1.1 General Information...2 1.1.2 Objectives...
More informationPAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA
1 Chapter-4: Business Continuity Planning and Disaster Recovery Planning PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA Learning Objectives 2 To understand the concept of Business Continuity Management To understand
More informationIBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]
IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System
More informationHEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY
More information<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129
Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the
More informationDomain 1 The Process of Auditing Information Systems
Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge
More informationNew River Community College. Information Technology Policy and Procedure Manual
New River Community College Information Technology Policy and Procedure Manual 1 Table of Contents Asset Management Policy... 3 Authentication Policy... 4 Breach Notification Policy... 6 Change Management
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters
When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9
More informationApproved by President Mohammed Qayoumi. Reviews: IT Management Advisory Committee
Policy History Date Action Approved by President Mohammed Qayoumi May 27, 2013 April 9, 2013 Reviews: IT Management Advisory Committee Draft Policy Released Table of Contents Introduction and Purpose...
More informationCentral Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy
Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy I. PURPOSE To identify the requirements needed to comply with
More informationEnrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------
w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------
More informationBusiness Continuity Planning and Disaster Recovery Planning
4 Business Continuity Planning and Disaster Recovery Planning Basic Concepts 1. Business Continuity Management: Business Continuity means maintaining the uninterrupted availability of all key business
More informationSummary of CIP Version 5 Standards
Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationInformation Security Policy Manual
Information Security Policy Manual Latest Revision: May 16, 2012 1 Table of Contents Information Security Policy Manual... 3 Contact... 4 Enforcement... 4 Policies And Related Procedures... 5 1. ACCEPTABLE
More informationInformation Security Policy
Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems
More informationInformation Technology Branch Access Control Technical Standard
Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,
More informationMicrosoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10
Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between
More informationPCI Data Security and Classification Standards Summary
PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers
More informationA Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards
A Websense Research Brief Prevent Loss and Comply with Payment Card Industry Security Standards Prevent Loss and Comply with Payment Card Industry Security Standards Standards for Credit Card Security
More informationNetwork Security: Policies and Guidelines for Effective Network Management
Network Security: Policies and Guidelines for Effective Network Management Department of Electrical and Computer Engineering, Federal University of Technology, Minna, Nigeria. jgkolo@gmail.com, usdauda@gmail.com
More informationThird Party Security Requirements Policy
Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,
More informationContact: Henry Torres, (870) 972-3033
Information & Technology Services Management & Security Principles & Procedures Executive Summary Contact: Henry Torres, (870) 972-3033 Background: The Security Task Force began a review of all procedures
More informationPDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]
PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name] [Date] [Location] 1 Prepared by: [Author] [Title] Date Approved by: [Name] [Title] Date 2
More informationINFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.
INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. Copyright 2016 Table of Contents INSTRUCTIONS TO VENDORS 3 VENDOR COMPLIANCE PROGRAM OVERVIEW 4 VENDOR COMPLIANCE
More informationPRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationStepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM
Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and
More informationUF IT Risk Assessment Standard
UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved
More informationIndex .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY
Information Security Section: General Operations Title: Information Security Number: 56.350 Index POLICY.100 POLICY STATEMENT.110 POLICY RATIONALE.120 AUTHORITY.130 APPROVAL AND EFFECTIVE DATE OF POLICY.140
More informationInformation Security: Business Assurance Guidelines
Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies
More informationUMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE
UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE Originator Patch Management Policy Approval and Version Control Approval Process: Position or Meeting Number: Date: Recommended by Director
More information