INFORMATION SECURITY POLICY
1. Rationale
2. Definitions
3. Scope of policy
4. Purpose
5. Scope
6. Duties of the information security officer
7. Hardware and equipment security
8. Access control
9. Processing information and systems documentation or records
Proprietary software
Unisa software
Prevention of contraventions
Business continuity
Employees
Training and awareness
Premises
Incident response
Breach or violation

Approved Council
1. RATIONALE

The use of technology and information in various formats exposes Unisa to legal risk and liability. This policy provides rules, guidelines and standards to ensure the security of Unisa's information, data, records and documents.

2. DEFINITIONS

access control: refers to the rules and deployment mechanisms which control access to information systems, logical (digital) access to systems and to all facilities where information, data, records and documents are stored. The entire subject of information security is based upon access control, without which information security cannot, by definition, exist;

audit logs: means computer files containing details of amendments to records, which may be used in the event of system recovery being required and that also keep track of the history of transactional events. The majority of commercial systems feature the creation of an audit log. Enabling this feature incurs some system overhead, but it does permit subsequent review of all system activity, and provides details of which user ID performed which action to which files when, etc.;

authentication: refers to the verification of the authenticity of either a person or of data, e.g. a message may be authenticated to have been originated by its claimed source. Authentication techniques usually form the basis for all forms of access control to systems and/or data;

centralised data: means physical data that is stored and managed on a platform (one machine or a group of machines managed as one) that is located at a single site. Although the data insertions, updates and deletions may happen from many geographic sites, the storage which supports this data is in one location;

consumer: means any natural person who enters or intends entering into an electronic transaction with Unisa as the end user of the goods or services offered by Unisa;

corporate data: means centralised data as well as decentralised data;

decentralised data: means the physical storage of data, spread across disparate locations, e.g. regions, to facilitate easy access to data that is local to that region. Often uses replication and synchronisation of decentralised sites (secondary sites) with headquarters (primary site) at set times;

dual control: means a control procedure whereby the active involvement of two people is required to complete a specified process. Such control may be physical, e.g. two persons required to unlock the data safe, or logical, as in the case of a higher level authorisation password required to permit the entry of data created or amended by another person;

encryption: means the process by which data is temporarily re-arranged into an unreadable or unintelligible form for confidentiality, transmission, or other security purposes;

equipment: means, but is not limited to, computers, desktops, servers, routers, laptops, telephones, cell phones, electronic handheld devices, facsimile machines, pagers, software, hardware and/or similar equipment owned by, licensed to or rented by Unisa;

error log: means a log of any abnormal activity on application software, usually in simple/plain text (ASCII). Each (main) application generates its own logs, and it is the responsibility of systems operations to retrieve and scrutinise them for any processing errors;

firewalls: are security devices used to restrict access in digital communication networks. They prevent computer access between networks (say from the internet to your corporate network), and only allow access to services which are expressly registered. They also keep logs of all activity, which may be used in investigations;

Unisa: means the University of South Africa, established under the Higher Education Act, 101 of 1997;

information asset: is a definable piece of information, stored in any manner, which is recognised as 'valuable' to the organisation. The information which comprises an information asset may be little more than a prospect name and address file; or it may be the plans for the release of the latest in a range of products to compete with competitors;

record: refers to recorded information, regardless of format or medium, which has been created, received, used, accessed and maintained by Unisa (and/or its predecessors) as evidence and information in pursuance of its legal obligations or in the transaction of business. Included are e-mails, records in electronic form and records other than correspondence. Business record has a corresponding meaning;

information security officer: is the person appointed and employed by Unisa to implement and manage this policy;

operating system: means computer programs that are primarily or entirely concerned with controlling the computer and its associated hardware, rather than with processing work for users. Computers can operate without application software, but cannot run without an operating system;

sensitivity classification: refers to a three-tiered labelling system depending on the sensitivity of information contained in records: Confidential, Internal and Public use. It is designed to protect confidential information no matter what form it takes, no matter what technology is used to process it, no matter who handles it, no matter where the information may be located, and no matter what stage in its lifecycle (creation, production usage, archival storage, destruction, etc.) the information may be;

service level agreement: is a contract between Unisa and the vendor of the system(s) to provide a range of support services, up to an agreed minimum standard. Service level agreements (SLAs) will usually specify precisely what the support procedures are and the way in which a support call will be escalated through the vendor's support organisation to achieve resolution;

transaction: means a transaction of either a commercial or non-commercial nature, and includes the provision of information and e-government services;

user(s): means all Unisa permanent employees, temporary employees, contractors, advisors, consultants, outsource partners and third parties who have access to or use of Unisa's equipment, communication facilities or communications;

user requirement specification: is a document produced by or on behalf of Unisa in which the purposes for a required system are usually set out, as its functional requirements, in order of priority;

virus: is a form of malicious code and, as such, it is potentially disruptive. It may also be transferred unknowingly from one computer to another. The term virus includes all sorts of variations on a theme, including the nastier variants of macro-viruses, Trojans and worms, but, for convenience, all such programs are classed simply as 'virus'.

3. SCOPE OF POLICY

This Policy is applicable to all information in the possession or under the control of Unisa. Every user is personally responsible for the protection of information that has been entrusted to his/her care. All users who come into contact with confidential Unisa internal information are expected to familiarise themselves with this Information Security Policy as well as the Information Sensitivity Classification Policy, and to apply these same principles consistently in their daily Unisa business activities.

4. PURPOSE

4.1 To protect Unisa's corporate data and information, and any client, employee or student information within its custody or safekeeping, by safeguarding its confidentiality, integrity and availability.
4.2 To establish safeguards to protect Unisa's data and information resources from theft, abuse, misuse and any form of damage.
4.3 To provide the requirements when handling information (regardless of format or medium), whether it be confidential, for internal use only or for public use.
4.3 To establish responsibility and accountability for information security and sensitivity classification.
4.4 To encourage management and employees to maintain an appropriate level of awareness, knowledge and skill to allow them to minimise the occurrence and severity of information security incidents.
4.5 To ensure that Unisa is able to continue its business activities in the event of significant information security incidents.
4.6 To provide suitable coverage of South African standards, ISO.

5. SCOPE

The Information Security Policy is intended to support the protection, control and management of Unisa's data and information assets. This Policy covers all data and information within Unisa, which could include data and information that is:
5.1 stored on centralised databases;
5.2 stored on centralised computers;
5.3 transmitted across internal and public networks;
5.4 printed or in electronic format;
5.5 sent by facsimile (fax), telex or other digital communications method;
5.6 stored on removable media such as stiffy disks, memory sticks, CD-ROMs, DVDs, hard disks, tapes and other similar media under the control of ICT;
5.7 stored on centralised fixed media such as hard disks and disk sub-systems;
5.8 held on film or microfiche;
5.9 created, stored or distributed through the use of electronic communications facilities owned by Unisa;
5.10 presented on slides, overhead projectors, using visual and audio media; and
5.11 spoken during telephone calls and meetings or conveyed by any other method.

6. DUTIES OF THE INFORMATION SECURITY OFFICER

The information security officer will:
6.1. develop information security and sensitivity classification procedures;
6.2. monitor information security activity and compliance;
6.3. establish business continuity plans in terms of data and information security;
6.4. respond to information security incidents;
6.5. audit and review security and sensitivity classification procedures;
6.6. allocate information security responsibilities;
6.7. educate and train users;
6.8. communicate all related information security policies, procedures, standards and measures to all Unisa employees; and
6.9. report on a regular basis on the state of information security at Unisa to the ICT Management Committee. These reports should be in writing and presented to the ICT Management Committee.

7. HARDWARE AND EQUIPMENT SECURITY

7.1. Purchase and installation
All purchases of new systems hardware or new components for existing systems will be made in accordance with information security and other Unisa policies, as well as approved technical standards. Such requests must be based upon a user requirements specification document, taking into account the longer term business needs of Unisa. Please refer to the Unisa ICT User Facilities Policy.
Except for minor purchases, hardware will be purchased through a structured evaluation process which will include the development of a detailed request for proposal (RFP) document. Information security features and requirements will be identified within the RFP.
All new hardware installations are to be planned formally and notified to all interested parties ahead of the proposed installation date. Information security requirements for new installations are to be circulated for comment to all interested parties.
All equipment will be fully and comprehensively tested and formally accepted by users before being transferred to the live environment.

Cabling, printers and modems
An uninterruptible power supply is to be installed to ensure the continuity of services during power outages.
Secondary and backup power generators are to be employed where necessary to ensure the continuity of services during power outages.
Sensitive or confidential information may only be faxed where more secure methods of transmission are not feasible. Both the owner of the information and the intended recipient must authorise the transmission beforehand.
Information classified as confidential may never be sent to a network printer without there being an authorised person to safeguard its confidentiality during and after printing.
Network cabling should be installed and maintained by qualified engineers to ensure the integrity of both the cabling and the wall-mounted sockets. Any unused network wall sockets should be digitally isolated (or unplugged) and their status formally noted.

Consumables
IT consumables must be purchased in accordance with Unisa's approved purchasing policy and procedures, with usage monitored to discourage theft and improper use.
Only employees who are authorised to install or modify software shall use removable media to transfer data to/from Unisa's network. Any other persons shall require specific authorisation.

Working off premises
Please refer to the ICT User Facilities Policy, as well as the Internet Policy, for full detail on working off premises.
Line management must authorise the use and issue of portable computers (laptops, palm-held devices, notebooks) (also refer to below). Usage is restricted to business purposes. Users must be aware of and accept the terms and conditions of use, especially responsibility for the security of information held on such devices.
Employees who are issued with portable computers and who intend to travel for business purposes must take cognisance of the information security issues relating to portable computing facilities and implement the appropriate safeguards to minimise the risks. Safeguards to be considered and used include:
Preventing theft of the laptop by attaching it to a structure by means of a safety cable.
Locking the equipment away in safes provided at certain hotels.
The removal of sensitive data (information for internal use and confidential information) from the hard disk and locking it away in a safe place before taking the equipment off site.
Ensuring that no personal data are on the equipment.
Making a backup of the data on the hard disk prior to travelling.
Off-site computer usage, whether at home or at other locations, is only permitted with the authorisation of the Head of Department, by completing and signing the applicable documentation (Form F5 - removal permit). Usage is restricted to business purposes, and users must be aware of and accept the terms and conditions of use, which must include the adoption of adequate and appropriate information security measures.
Any movement of hardware between Unisa's locations is to be strictly controlled and authorised by the Head of Department, using the prescribed F5 form to inform Unisa Asset Management of such movements.
Employees using business centres to work on Unisa's business are responsible for ensuring the security and subsequent removal and deletion of any information entered into the business centre's systems.
Portable computers (laptops, palm-held devices, notebooks) are to be issued to, and used only by, authorised employees and only for the purpose for which they are issued. The information stored on the laptop is to be suitably protected at all times. Backups of information should be done on a regular basis and according to the Electronic Data Backup Policy.

Secure storage
Sensitive (information for internal use and confidential information) or valuable material and equipment must be stored securely and according to the classification status, in terms of the Information Sensitivity Classification Policy, of the information being stored.
Documents and records are to be stored in a secure manner in accordance with their classification status.

Paper trail
System documentation must be kept up-to-date and readily available to the employees who are authorised to support or maintain systems.
A formal inventory of all equipment is to be maintained and kept up to date at all times by the Unisa Asset Management Department.

Hardware disposal
Equipment owned by Unisa may only be disposed of by authorised employees who have ensured that the relevant security risks have been mitigated, i.e. that no sensitive (information for internal use and confidential information) or classified information is still on the equipment.
All information system hardware faults are to be reported promptly and recorded in a hardware fault register.
All computing equipment and other associated hardware belonging to Unisa must carry appropriate insurance cover against hardware theft, damage or loss.
All portable computing equipment (laptops, palm-held devices, notebooks) is to be insured by Unisa to cover travel domestically or abroad.
All users of workstations, PCs and laptops are to ensure that their screens are clear/blank when not being used.
Approved login procedures must be strictly observed, and users leaving their screen unattended must first lock access to their workstation or log off.
Sensitive or confidential information must not be recorded on answering machine/voice mail systems.
Only authorised employees are permitted to take equipment belonging to Unisa off the premises. They are responsible for its security at all times. (See Policy: Management of Physical Assets)
All equipment owned, leased or licensed by Unisa must be supported by appropriate maintenance facilities from qualified engineers.
All speed dialling systems must incorporate security features which protect sensitive (information for internal use) or confidential information.
Only suitable and approved cleaning materials are to be used on equipment owned by Unisa.
Deliberate or accidental damage to Unisa property must be reported to the nominated information security officer as soon as it is noticed.

8. ACCESS CONTROL

Digital access (logical) control
8.1. Access control standards for information systems will be established by ICT management and should incorporate the need to balance restrictions to prevent unauthorised access against the need to provide unhindered access to meet business needs.
Access to all systems will be authorised, in close collaboration with the Executive Director: ICT, by the business process owner, and such access, including the appropriate access rights (or privileges), will be recorded in an access control list. Such records are to be regarded as highly confidential documents and safeguarded accordingly.
Access to the resources on the network will be strictly controlled to prevent unauthorised access. This will be controlled and managed using login names, passwords and profiles at all times. Access to all computing and information systems, networks and peripherals will be restricted unless explicitly authorised.
Access to operating system commands, networks, databases and processing platforms is to be restricted to those ICT employees who are authorised to perform systems administration/management functions. Even then, such access will be operated under dual control, requiring the specific approval of the Executive Director: ICT.
The selection of passwords, their use and management as a primary means to control access to systems is to strictly adhere to best practice guidelines:
Avoid using direct names and/or names associated with the individual or his/her family members.
Should ideally exceed five characters.
Should ideally be composed of alphabetical and numerical characters.
Should be changed on a regular basis, preferably monthly.
Should not be named after Walt Disney characters.
Should not be written down in the vicinity of the PC.
Should not be communicated or shared.
In particular, passwords will not be shared with any other person for any reason.
Access controls are to be set at an appropriate level which minimises information security risks yet also allows Unisa's business activities to be carried out without undue hindrance.
Access is to be logged and monitored to identify potential misuse of systems or information.
Access to information and documents is to be carefully controlled, ensuring that only authorised employees (authorised by the business process owner and in close collaboration with the Executive Director: ICT) may have access to confidential information. Access to information should be dealt with in accordance with the Promotion of Access to Information Act, 2000.
Access controls for confidential information or high risk systems are to be set in accordance with the value and classification of the information assets being protected and should be aligned to the Information Sensitivity Classification Policy.
Remote access control procedures will provide adequate safeguards through robust identification, authentication and encryption techniques.

Physical access control
Equipment is always to be safeguarded appropriately, especially when left unattended.
Physical access to high security areas, such as the central computer room, is to be controlled with strong identification and authentication techniques. Employees who have authorisation to enter such areas are to be provided with information on the potential security risks involved.

Logical access control
8.13 Third party access to corporate information is only permitted with the specific approval of the Executive Director: ICT, where the information in question has been ring-fenced and the risk of possible unauthorised access is considered to be negligible. (See Promotion of Access to Information Act, 2000 and Records Management Policy for access to information)
8.14 Only authorised persons (authorised by the Executive Director: ICT and the Executive Director: Legal Services) may access sensitive or confidential data on projects owned or managed by Unisa or its employees.

9. PROCESSING INFORMATION AND RECORDS

9.1. Networks
The network will be designed, configured and managed to deliver high performance and reliability to meet the needs of the business, whilst providing a high degree of access control and a range of privilege restrictions.
Suitably qualified employees, authorised by the Executive Director: ICT, are to manage Unisa's network and preserve its integrity in collaboration with the nominated individual business process owners.
Remote access to Unisa's network and resources will only be permitted provided that authorised users are authenticated, data is encrypted across the network, and privileges are restricted.
System hardware, operating and application software, the networks and communication systems will all be adequately configured and safeguarded against both physical attack and unauthorised network intrusion.

System operations and administration
Unisa's systems are to be managed by a suitably qualified systems administrator, grouped per system (Human Resources, Finance, Student Administration), who is responsible for overseeing the day-to-day running and security of the systems.
System administrators will be fully trained and have adequate experience in the specific system in use and the platforms used by Unisa. In addition, they will be knowledgeable and conversant with the range of information security risks which need to be managed.
For authorised employees, the appropriate data and information will be made available as and when required. For all other persons, access to such data and information is prohibited, with appropriate technical controls required to supplement the enforcement of this policy.
The management of electronic keys to control both the encryption and decryption of sensitive messages must be performed under dual control, with duties being rotated between employees.
Unisa's systems will be operated and administered using documented procedures, in a manner which is both efficient and effective in protecting Unisa's information security.
System documentation is a requirement for all Unisa's information systems. Such documentation will be kept up-to-date and be available.
Selected error logs will be properly reviewed and managed by qualified employees.
Systems operations schedules are to be formally planned, authorised and documented.
Changes to routine systems operations are to be fully tested and approved before being implemented.
Selected operational audit logs are to be reviewed regularly by trained employees, and discrepancies reported to the owner of the information system.
System clocks will be synchronised regularly, especially between Unisa's various processing platforms.
Only qualified and authorised employees or approved third party technicians may repair information system hardware faults.
Transaction and processing reports should be regularly reviewed by properly trained and qualified employees.
Any facilities management service provider will be able to demonstrate compliance with Unisa's information security policies and also provide a service level agreement which documents the performance expected and the remedies available in case of non-compliance.
Employees responsible for setting up extranet access will ensure that any access restrictions pertaining to the data in source systems are also applied to access from Unisa's extranet.
Employees responsible for setting up internet access are to ensure that Unisa's network is safeguarded from malicious external intrusion by deploying, as a minimum, a configured firewall.
Unisa will use software filters and other techniques whenever an employee reports attempted access. Attempted access will be scrutinised by management on a regular basis.
Computer files received from unknown senders are to be deleted without being opened, inclusive of e-mail, File Transfer Protocol (FTP), etc.
All parties are to be notified in advance whenever telephone conversations are to be recorded.
Any fax received in error is to be returned to the sender. Its contents will not be disclosed to other parties without the sender's permission.
The identity of persons requesting sensitive or confidential information over the telephone must be verified, and employees must be authorised by both the Executive Director: Legal Services and the Executive Director: ICT to receive it. (See also the Records Management Policy and the Promotion of Access to Information Act, 2000)

9.3. Data and database management
Confidential data/information may only be transferred across networks, or copied to other media, when the confidentiality and integrity of the data can be reasonably assured, e.g. by using encryption techniques.
Day-to-day data storage must ensure that current data is readily available to authorised users and that archives are both created and accessible in case of need.
The integrity and stability of Unisa's databases will be maintained at all times.
Emergency data amendments may only be done in extreme circumstances and only in accordance with emergency amendment procedures. These will be approved by the Executive Director: ICT in writing.
The use of removable media, e.g. memory sticks, disks and CD-ROMs, is not permitted except where specifically authorised.
Data directories and structures should be established by the owner of the information system, with users adhering to that structure. Access restrictions to such directories should be applied as necessary to restrict unauthorised access.
Existing directory and folder structures may only be amended with the appropriate authorisation, usually from the owner of the information system concerned.
The archiving of documents will take place with due consideration for legal, regulatory and business issues, with liaison between technical and business employees and reference to the Unisa Records Management Policy.
The information created and stored by Unisa's information systems will be retained for a minimum period, as determined in the Records Retention Schedule, that meets both legal and business requirements.
The classification of decentralised spreadsheets will be appropriate to the sensitivity and confidentiality of the data contained therein. All financial/data models used for decision making are to be fully documented and controlled by the information owner.
Databases must be fully tested for business logic and processing prior to operational usage. Where such databases are to contain information of a personal nature, procedures and access controls must ensure compliance with the necessary legislation, e.g. data protection.
Highly sensitive or critical documents must not rely upon the availability or integrity of (external) data files over which the author may have no control. Key documents and reports must be self-contained and contain all the necessary information.
Draft reports should only be updated with the authority of the designated owner of the report. Encryption of documents can be performed at the level of the document itself and is under the direct control of the author.
Draft version(s) of reports must be archived following production of a final version. A single version of the file should be retained for normal operational access.
Version control procedures should always be applied to documentation belonging to Unisa or its customers.
Customer information may only be updated by authorised employees. Customer data is to be safeguarded using a combination of technical access controls and robust procedures, with all changes supported by journals and internal audit controls and executed following the formal change systems and procedures.
The naming of Unisa's data files must be meaningful and capable of being recognised by their intended users.
A document's security classification level and ownership should be stated within the header and footer space on each page of all documents. (See Information Sensitivity Classification Policy, paragraph 9)
Temporary files on users' PCs and laptops are to be deleted regularly to prevent possible misuse by unauthorised users.
Customer contact information is to be classified as confidential and secured accordingly.
All users of information systems whose job function requires them to create or amend data files must save their work on the system regularly, in accordance with best practice, to prevent corruption or loss through system or power malfunction.

Backup, recovery and archiving
ICT will ensure that adequate backup and system recovery procedures are in place.
Information and data stored on laptop or portable computers will be backed up regularly. It is the responsibility of the user to ensure that this takes place on a regular basis.
Backup of Unisa's data files and the ability to recover such data is a top priority. Management are responsible for ensuring that the frequency of such backup operations and the procedures for recovery meet the needs of the business.
The storage media used for the archiving of information will be appropriate to its expected longevity. The format in which the data is stored must be carefully considered, especially where proprietary formats are involved.
The archiving of electronic data files must reflect the needs of the business and also any legal and regulatory requirements.
Management will ensure that safeguards are in place to protect the integrity of data files during the recovery and restoration of data files, especially where such files may replace more recent files.

Document handling
Hard copies of sensitive or classified material must be protected and handled according to the distribution and authorisation levels specified for those documents. (See Information Sensitivity Classification Policy under labelling (paragraph 9.6)) These standards are to be determined at the corporate level, outside the ICT domain.
All employees are to be aware of the risk of breaching confidentiality associated with the copying (duplication) of confidential documents. Authorisation from the document owner should be obtained where documents are classified as confidential. (See Information Sensitivity Classification Policy, paragraph 7.2)
All information used for or by Unisa will be filed appropriately and according to its classification, in accordance with the corporate guidelines on information classification. (See Information Sensitivity Classification Policy)
Documents should be countersigned (either manually or electronically) by the business process owner to confirm their validity and integrity, especially those which commit or oblige Unisa in its business activities. (See Information Sensitivity Classification Policy)
Documents should be checked to confirm their validity and integrity, especially those which commit or oblige Unisa in its business activities.
All written communications sent out by Unisa to third parties are to be approved by the business process owners.
All signatures authorising access to systems or release of information must be properly authenticated.
Unsolicited mail should not receive serious attention until and unless the sender's identity and the authenticity of the mail have been verified.
An agreed corporate document style should be used which promotes consistency and integrity and promotes the agreed image of Unisa.
The designated owners of documents which contain confidential information are responsible for ensuring that the measures taken to protect their confidentiality, integrity and availability, during and after transportation / transmission, are adequate and appropriate.
All documents of a confidential nature are to be shredded when no longer required. The document owner will authorise or initiate this destruction.
All Unisa documents must indicate the data owner by means of a footnote on every page of the document.

Securing data
Where appropriate, confidential information or data should always be transmitted in encrypted form. Prior to transmission, consideration must always be given to the procedures to be used between the sending and recipient parties and to any possible legal issues arising from the use of encryption techniques.
Persons responsible for human resources management are to ensure that all employees are fully aware of their legal and corporate duties and responsibilities concerning the inappropriate sharing and releasing of information, both internally within Unisa and to external parties.
Prior to sending information and/or reports to third parties, not only must the intended recipient be authorised to receive such information, but the procedures and information security measures adopted by the third party must be seen to continue to assure the confidentiality and integrity of the information.
Information relating to the clients and third-party contacts of Unisa is confidential, and must be protected and safeguarded from unauthorised access and disclosure.
Customer credit card details entrusted to Unisa must be afforded a combination of security measures (technology and procedural) which, in combination, prevent all recognised possibilities of the card details being accessed, stolen, modified or in any other way divulged to unauthorised persons.
All data and information must be protected against the risk of fire damage at all times. The level of such protection must always reflect the risk of fire and the value and classification, in terms of the Information Sensitivity Classification Policy, of the information being safeguarded.
Financial information is to be classified as confidential and must be afforded security measures (technology and procedural) which, in combination, safeguard such information from unauthorised access and disclosure.
Data is to be protected against unauthorised or accidental changes, and may only be deleted on approval by the data owner. (See Records Retention Schedule)
Confidential electronic data and information should be secured, whenever possible, with access control applied to the directory on the (computer) system concerned. The sole use of passwords to secure individual documents is less effective, and hence discouraged, as passwords may be either forgotten or become revealed (over time) to unauthorised persons.
Information classified as confidential may never be sent to a network printer without there being an authorised person to retrieve it and hence safeguard its confidentiality during and after printing.

General information handling
Please refer to the Internet Policy as well as the ICT User Facilities Policy.
The decision whether dual control is required for data entry is to be made by the information system owner. Where so required, secure data handling procedures, including dual input, are to be strictly adhered to.
Employees are not permitted to load non-approved screen savers onto Unisa's PCs, laptops and workstations.
Any third party used for the external disposal of Unisa's obsolete equipment and material must be able to demonstrate compliance with this Information Security Policy and also, where appropriate, provide a service level agreement which documents the performance expected and the remedies available in case of non-compliance.
The use of photocopiers or duplicators for personal use is discouraged. In exceptional cases, specific permission may be given by the employee's immediate supervisor or manager.
Only authorised employees may speak to the media (newspapers, television, radio, magazines etc.) about matters relating to Unisa.
Information regarding Unisa's customers or other people dealing with Unisa is to be kept confidential at all times. Such information may only be released by the Executive Director: Legal Services.
The techniques of dual control and segregation of duties are to be employed to enhance control over procedures wherever both the risk from, and the consequential impact of, a related information security incident would be likely to result in financial or other material damage to Unisa.
Unisa expects all employees to operate a clear desk policy.
E-mail addresses and faxes are to be checked carefully prior to dispatch, especially where the information is considered to be confidential and where the disclosure of the addresses or other contact information to the recipients is a possibility.
Unisa values the integrity and correctness of all its business and related information and requires management to develop and adopt appropriate procedures in this regard.
Employees travelling on business are responsible for the security of information in their custody.

10. PROPRIETARY SOFTWARE
Please refer to the Internet Policy as well as the ICT User Facilities Policy.
All requests for new application systems or software enhancements must be presented to the ICT Management Committee with a business case, with the business requirements set out in a user requirements specification document.
Unisa should generally avoid the selection of business-critical software which, in the opinion of the ICT Management Committee, has not been adequately proven by the early adopters of the system. The selection process for all new business software must additionally incorporate the criteria upon which the selection will be made. Such criteria must receive the approval of the ICT Management Committee.
All office software packages must be compatible with Unisa's preferred and approved computer operating system and platform.
Patches to resolve software bugs may only be applied where verified as necessary and with the ICT Management Committee's authorisation. They must be from a reputable source and are to be thoroughly tested before use.
Upgrades to software must be properly tested by qualified employees before they are used in a live environment.
The disposal of software should only take place when it is formally agreed that the system is no longer required and that its associated data files, which may be archived, will not require restoration at a future point in time.
11. UNISA SOFTWARE
Please refer to the Internet Policy as well as the ICT User Facilities Policy.
Only designated employees may access operational program libraries. Amendments may only be made using a combination of technical access controls and robust procedures operated under dual control.
Formal change management control procedures must be utilised for all changes to systems. All changes to programs must be properly authorised and tested before moving to the live environment.
Software developed for or by Unisa must always follow a formalised development process which is itself managed under the project in question. The integrity of Unisa's operational software code must be safeguarded using a combination of technical access controls, restricted privilege allocation and robust procedures.
Emergency amendments to software are to be discouraged, except in circumstances previously designated by the ICT Management Committee as 'critical'. Any such amendments must strictly follow agreed change control procedures.
Formal change control procedures must be employed for all amendments to systems. All changes to programs must be properly authorised and tested in a test environment before moving to the live environment.
The use of live data for testing new systems or system changes may only be permitted where adequate controls for the security of the data are in place.
All new and enhanced systems must be fully supported at all times by comprehensive and up-to-date documentation. New systems or upgraded systems should not be introduced to the live environment unless supporting documentation is available.
Vendor-developed software must meet the user requirements specification and offer appropriate product support.

12. PREVENTION OF CONTRAVENTIONS
Security on the network is to be maintained at the highest level. Those responsible for the network and external communications are to receive proper training in risk assessment and in how to build secure systems which minimise the threats from cyber crime.
Plans are to be prepared, maintained and regularly tested to ensure that damage done by possible external cyber crime attacks can be minimised and that restoration takes place as quickly as possible.
Perpetrators of cyber crime will be sanctioned by Unisa. Suitable procedures are to be developed to ensure the appropriate collection and protection of evidence.
In order to reduce the incidence and possibility of internal attacks, access control standards and data classification standards are to be periodically reviewed, and maintained at all times, by ICT in collaboration with the Internal Audit Department.
12.5. It is a priority to minimise the opportunities for cyber crime attacks on Unisa's systems and information through a combination of technical access controls and robust procedures.
Risks to Unisa's systems and information are to be minimised by fostering employee awareness, encouraging employee vigilance and deploying appropriate protective systems and devices.
Without exception, anti-virus software is to be deployed across all PCs, with regular virus definition updates and scanning across servers, PCs and laptop computers. The threat posed by the infiltration of a virus is high, as is the risk to Unisa's systems and data files. Formal procedures for responding to a virus incident are to be developed, tested and implemented. Virus incident response must be regularly reviewed and tested.
Anti-virus software must be chosen from a proven leading supplier.

13. BUSINESS CONTINUITY
13.1 The ICT Management Committee is required to initiate a business continuity plan.
The ICT Management Committee is to undertake a formal risk assessment in order to determine the requirements for a business continuity plan.

14. EMPLOYEES
The terms and conditions of employment of Unisa are to include requirements for compliance with information security.
All external suppliers who are contracted to supply services to Unisa must adhere to the Information Security policies of Unisa. An appropriate summary of the Information Security Policies must be formally delivered to any such supplier prior to any supply of services.
Notwithstanding Unisa's respect for employees' privacy in the workplace, it reserves the right to have access to all information created and stored on Unisa's systems.
All employee data is to be treated as confidential and made available only to properly authorised persons.
Upon notification of employee resignations, human resources management must consider with the appointed information security officer whether the employee's continued system access rights constitute an unacceptable risk to Unisa and, if so, revoke all access rights immediately.
Departing employees are to be treated sensitively, particularly with regard to the termination of their access privileges.

15. TRAINING AND AWARENESS
Permanent employees are to be provided with information security awareness tools to enhance awareness and educate them regarding the range of threats and the appropriate safeguards.
An appropriate summary of the information security policies must be formally delivered to all contractors prior to any supply of services.
15.3. Unisa is committed to providing training to all users of new systems to ensure that their use is both efficient and does not compromise information security.
Periodic training for the information security officer is to be prioritised, to educate and train in the latest threats and information security techniques.

16. PREMISES
The sites chosen to locate computers and to store data must be suitably protected from physical intrusion, theft, fire, flood and other hazards.
Computer premises must be safeguarded against unlawful and unauthorised physical intrusion.
On-site locations where data is stored must provide access controls and protection which reduce the risk of loss or damage to an acceptable level.
Remote locations where data is stored must provide access controls and protection which reduce the risk of loss or damage to an acceptable level.
Electronic eavesdropping should be guarded against by using suitable detection mechanisms, which are to be deployed if and when justified by Unisa's periodic risk assessments.

17. INCIDENT RESPONSE
All suspected information security incidents, weaknesses or breaches must be reported promptly to the appointed information security officer.
Information security incidents must be reported to external authorities whenever this is required to comply with legal requirements or regulations. This may only be done by authorised persons.
Information security incidents must be properly investigated by suitably trained and qualified employees.
Evidence relating to an information security breach must be properly collected and forwarded to the information security officer.
A database of information security threats and remedies should be created and maintained. The database should be studied regularly, with the anecdotal evidence used to help reduce the risk and frequency of information security incidents in Unisa.
The use of information systems must be monitored regularly, with all unexpected events recorded and investigated. Such systems must also be periodically audited, with the combined results and history strengthening the integrity of any subsequent investigations.
Information security incidents arising from system failures are to be investigated by competent technicians.

18. BREACH OR VIOLATION
Any failure and/or refusal to comply with the provisions of this policy will result in disciplinary action, which may include dismissal or liability for damages.
19. IMPLEMENTATION OF THIS POLICY
The Information Security Policy which was in force prior to the commencement of this Policy is replaced with effect from the date on which Council approves this Policy.
IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy DOCUMENT INFORMATION Author: Vince Weldon Associate Director of IM&T Approval: Executive This document replaces: IM&T Policy No. 1 Anti Virus Version
Information Security: Business Assurance Guidelines
Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies
Records Management Policy & Guidance
Records Management Policy & Guidance COMMERCIALISM Document Control Document Details Author Nigel Spencer Company Name The Crown Estate Department Name Information Services Document Name Records Management
ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen
ICT Policy THCCGIT20 Version: 01 Executive Summary This document defines the Network Infrastructure and File Server Security Policy for Tower Hamlets Clinical Commissioning Group (CCG). The Network Infrastructure
Information Security Policy
Information Security Policy Last updated By A. Whillance/ Q. North/ T. Hanson On April 2015 This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is
DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff
DATA PROTECTION IT S EVERYONE S RESPONSIBILITY An Introductory Guide for Health Service Staff 1 Message from Director General Dear Colleagues The safeguarding of and access to personal information has
Supplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course
U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course Rules of Behavior Before you print your certificate of completion, please read the following Rules of Behavior
LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction
LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed
HIPAA Information Security Overview
HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is
Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10
Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between
Standard: Information Security Incident Management
Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of
Chapter 8: Security Measures Test your knowledge
Security Equipment Chapter 8: Security Measures Test your knowledge 1. How does biometric security differ from using password security? Biometric security is the use of human physical characteristics (such
Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
BERKELEY COLLEGE DATA SECURITY POLICY
BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY TABLE OF CONTENTS Chapter Title Page 1 Introduction 1 2 Definitions 2 3 General Roles and Responsibilities 4 4 Sensitive Data
CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD. Data Breach Management Policy. Adopted by Cavan and Monaghan Education Training Board
CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD Data Breach Management Policy Adopted by Cavan and Monaghan Education Training Board on 11 September 2013 Policy Safeguarding personally identifiable information
Virginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval
Physical Security Policy
Physical Security Policy Author: Policy & Strategy Team Version: 0.8 Date: January 2008 Version 0.8 Page 1 of 7 Document Control Information Document ID Document title Sefton Council Physical Security
Information Systems and Technology
As public servants, it is our responsibility to use taxpayers dollars in the most effective and efficient way possible while adhering to laws and regulations governing those processes. There are many reasons
INFORMATION SECURITY PROCEDURES
INFORMATION AN INFORMATION SECURITY PROCEURES Parent Policy Title Information Security Policy Associated ocuments Use of Computer Facilities Statute 2009 Risk Management Policy Risk Management Procedures
Remote Access and Home Working Policy London Borough of Barnet
Remote Access and Home Working Policy London Borough of Barnet DATA PROTECTION 11 Document Control POLICY NAME Remote Access and Home Working Policy Document Description This policy applies to home and
