Bharti Infratel Limited. Policy Abridged Bharti Infratel Third Party Security

Size: px
Start display at page:

Download "Bharti Infratel Limited. Policy Abridged Bharti Infratel Third Party Security"

Transcription

1 Policy Abridged Bharti Infratel Third Party Policy Abridged Bharti Infratel Third Party

2 Policy Abridged Bharti Infratel Third Party Policy Abridged Bharti Infratel Third Party Abridged Bharti Infratel Third Party Policy Version 1.0

3 Policy Abridged Bharti Infratel Third Party Policy Abridged Bharti Infratel Third Party Document Control Document No. : 40 Document Name : Policy Abridged Bharti Infratel Third Party Policy-ISBC-40- V1 Version : 1.0 Date of Release : 30 th October 2012 Name Function / Designation Signature Prepared by Mr. Rajesh Mittal Information Management Representative Process Owner Mr. Prashant Veer Singh Chief Information Officer Reviewed by Mr. Prashant Veer Singh Chief Information Officer Mr. Devender Singh Rawat Chief Executive Officer Document Change Approvals Version No. Revision Date Nature of Change Date Approved Approved by

4 IIndex 1. Bharti Infratel Third-party Policy (BITSP - 001) Introduction Scope Policy Statement and Objective Disciplinary Measures for Non-Compliance Exceptions Information Organisation Policy (BITSP 002) Introduction Policy Statement and Objective Sub-Contractors Asset Management Policy (BITSP 003) Introduction Policy Statement and Objective Asset Register Asset Management Responsibilities Information Asset Classification Human Resources Policy (BITSP - 004) Introduction Policy Statement and Objective During Recruitment During Employment Termination or Change of Employment Responsibility Physical and Environmental Policy (BITSP 005) Introduction Policy Statement and Objective Secure Areas Equipment Communication and Operations Management Policy (BITSP 006) Introduction Policy Statement and Objective Operational Procedures and Responsibilities Sub-Contractor Service Delivery Management System Planning and Acceptance Protection against Malicious and Mobile Code Back-up... 33

5 6.8. Network Management Media Handling Exchange of Information Electronic Commerce Services Monitoring Access Control Policy (BITSP 007) Introduction Policy Statement and Objective User Access Management User Responsibilities Network Access Control Operating System Access Control Application and Information Access Control Mobile Computing and Teleworking Information Systems Acquisition, Development & Maintenance Policy (BITSP 008) Introduction Policy Statement and Objective Requirements of Information System Correct Processing in Application Cryptographic Controls of System Files in Development and Support Processes Technical Vulnerability Management Information Incident Management Policy (BITSP 009) Introduction Policy Statement and Objective Incident Identification Reporting Information Events and Weakness Incident Response, Recovery and Improvements Business Continuity Management Policy (BITSP 010) Introduction Policy Statement and Objective Information Aspects of Business Continuity Management Compliance Policy (BITSP 011) Introduction Policy Statement and Objective Compliance with Legal Requirements... 67

6 11.4. Information Systems Audit Considerations... 70

7 1. Bharti Infratel Third-party Policy (BITSP - 001) 1.1. Introduction In a rapidly expanding telecom and telecom passive infrastructure market, it is almost impossible to deliver services to customers and value to stakeholders without the collaboration of third parties. Today, third parties are extended members of the value chain of Bharti Infratel Limited (hereafter referred to as Bharti Infratel). This calls for improving Bharti Infratel s relationship with third parties, particularly in the area of information security. Given the potential for increased information security lapses from the part of third parties, a stringent Bharti Infratel Third-party Policy (hereafter referred to as the BITSP in this document) is framed to help Bharti Infratel insulate itself from the risks that are likely to arise from such relationships. The foundation on which the BITSP is based is trust but verify stringently. Accordingly, there is a need to involve information security before, during and after the relationships with third parties are established and to impose strict security standards and practices on third parties involved with Bharti Infratel Information Policy (BIISP). There is also a need to ensure that these third parties communicate the effectiveness of their information security controls by obtaining security certifications such as ISO 27001:2005 and/or by having an independent body review their information security and privacy practices against BIISP.

8 1.2. Scope The Bharti Infratel Third-party Policy (BITSP) is applicable to all Third-parties providing services to Bharti Infratel. Definition of Third-party : For the purposes of this document, a Third-party is a service provider/vendor who associates with Bharti Infratel and is involved in handling, managing, storing, processing and transmitting information of Bharti Infratel. The Third-Party could be a service provider/vendor as mentioned below but not limited to:- Diesel Filler Vendors (for e.g. Pratap, Perigreen etc.); Physical Vendor (for e.g. CheckMate etc.); Equipment Suppliers (for e.g. Mahindra, ACME, & Bluestar etc.); IT Equipment Suppliers (for e.g. AGC, Lenovo, & Sony etc.); IT Services Vendor (for e.g. IBM, AES, & AGC Networks etc.); Site Builtup Services Vendor (for e.g. TVSICS, Emerson, & Punj Lloyd etc.); Liasioning Services Vendor ( for e.g. TVSICS etc.); Non-conventional Energy Suppliers (for e.g AST, KMR, & OMC etc.); Management Consulting/ Manpower Service Provider (for e.g. Adecco,E&Y, Protiviti etc.); Office Admin Services (for e.g. CBRE etc.); Equipment Services Vendor like AMCs This definition also includes all sub-contractors, consultants and/or representatives of the Thirdparty. The BITSP is applicable across all geographies where information of Bharti Infratel is processed and/or stored by Third-party. Policy Owner The owner of the BITSP is the Chief Information Officer (hereinafter referred to as CISO in this document).

9 1.3. Policy Statement and Objective of information assets used by Third-parties for providing services to Bharti Infratel is of paramount importance and Confidentiality, Integrity and Availability of these shall be maintained at all times by the Third-parties concerned through controls commensurate with the asset value. The objectives of this policy are to: Provide the Third-party with an approach and directives for implementing information security of all information assets used by them for providing services to Bharti Infratel; and Ensure that the Third-party adheres to all provisions of the Third-party Policy Disciplinary Measures for Non-Compliance Non-compliance with the BITSP is ground for disciplinary actions up to and including termination of the contract Exceptions The BITSP is intended to be the statement of information security requirements that need to be met by the Third-party. However, in case a Third-party perceives difficulty in adhering to any of the controls, exceptions for an individual control may be requested by the Third-party. Exceptions are applicable only if approved by the CISO.

10 2. Information Organisation Policy (BITSP 002) 2.1. Introduction The Third-party is required to ensure that they have an Information Organisation structure in place along with mutually-agreed responsibilities, authority and relationships to maintain information security requirements as per the BITSP Policy Statement and Objective The Third-party shall ensure that they have an Information Organisation in place to implement the provisions of the Third-party Policy Management Commitment to Information Control Statement: The Management of the Third-party shall be committed to implement and adhere to the information security requirements of Bharti Infratel. Explanatory Notes: The Management of the Third-party is required to extend its full co-operation and support to the information security requirements of Bharti Infratel and also ensure that all its employees working for/at Bharti Infratel respect and adhere to the BITSP Information Co-ordination Control Statement: A suitable management body to co-ordinate and maintain information security activities in Bharti Infratel shall be nominated. Explanatory Notes: It is recommended that the Third-party ensures that all its functions such as HR, Administration, Information Technology (IT), IAG, Legal and others willingly co-operate and coordinate with Bharti Infratel to satisfy the latter s information security needs. The Third-party is required to nominate a SPOC to interface with Bharti Infratel for all its information security activities. The SPOC is required to communicate to its team that caters to Bharti Infratel the relevant sections of the BITSP. The CISO of Bharti Infratel and the Third-party SPOC shall coordinate with each other for the implementation of BITSP and address any security-related issues Responsibility for Information Control Statement: The Information responsibilities of all employees working for Bharti Infratel shall be defined and communicated. Explanatory Notes: The Third-party shall ensure that the information security responsibilities of third-party are identified, documented and communicated to its employees providing services to

11 Bharti Infratel. The employees of the third-party are required to understand their security roles and responsibilities that they need to practise in their day-to-day operations in Bharti Infratel Authorisation Process for Information Processing Facilities Control Statement: An authorisation process for new information processing facilities shall be implemented by the Third-party. Explanatory Notes: Third-party shall ensure that they obtain an authorisation from the appropriate authority of Bharti Infratel for obtaining access to information systems and/ or processing facilities of Bharti Infratel. Similarly, all new information processing facilities used for providing services to Bharti Infratel shall be set up only after receiving approvals from the relevant management of third-party. Personal computing devices that are not allowed into the Bharti Infratel and / or Third-party facility shall be communicated to the third-party employees, and visitors. It shall be ensured that these devices are not brought inside the facility without proper authorisation. In case these devices are brought inside the facility and are required to connect to Bharti Infratel network, it shall be ensured that an appropriate authorisation is obtained from Bharti Infratel. Any laptop or other information processing units owned by the Third-party could introduce new vulnerabilities and therefore, controls like antivirus update, personal firewall software and other relevant desktop/laptop security software is required to be configured on the system before connecting it to Bharti Infratel network. The Information processing facility like an offshore development centre of the Third-party, which needs to connect to Bharti Infratel network shall require approval from Bharti Infratel before permitting access Confidentiality & Non-Disclosure Agreements Control Statement: A Non-Disclosure Agreement with Bharti Infratel shall be signed. Explanatory Notes: The Non-Disclosure Agreement mandates that the Third-party shall not disclose any information related to Bharti Infratel which is identified as Restricted, Confidential or Internal to Bharti Infratel. The Third-party shall ensure that they read, accept and sign the Non- Disclosure Agreement provided by Bharti Infratel Contact with Local Authorities Control Statement: Appropriate contacts with all relevant local authorities shall be established and maintained.

12 Explanatory Notes: The Third-party is required to ensure that appropriate contacts are established with all local authorities such as Fire, Police, Hospital(s), Ambulance and the other authorities/services which need to be contacted in case of an emergency. An individual shall be identified (preferably from the Admin function) and assigned with the responsibility to maintain all such contacts Contact with Special Interest Groups Control Statement: Appropriate contacts with relevant special interest groups shall be established and maintained. Explanatory Notes: The Third-party shall establish and maintain contacts with special interest groups to ensure that the understanding of the information security environment is current, including updates on security advisories, vulnerabilities and patches. The IT security function of the Third-party should subscribe to these groups and, based on the periodic updates received; they shall take initiatives to analyse and resolve the security. It should be ensured that the contacts with these forums/groups are for only receiving the alerts; users should not post any queries to such forums revealing details of information assets or network of Bharti Infratel Independent Review of Information Control Statement: An independent review of information security should be conducted to assess the compliance with BITSP. Explanatory Notes: An independent review should be conducted on a yearly basis to assess the compliance of Third-party towards BITSP. Bharti Infratel reserves the right to audit the Third-party. The independent review should be conducted by a reputed audit organisation. It is recommended that the Third-party obtains audit certification/verification from the auditors. The Third-party may need to share the audit report with Bharti Infratel if required. If, during the audit, it is found that the Third-party is not compliant with the directions stated in the BITSP, actions as stated in the clause for non-compliance shall be applicable Sub-Contractors Identification of Risk Related to Sub-contractor Control Statement: All threats and risk related to sub-contractors shall be identified and mitigated. Explanatory Notes: The Third-party shall conduct a Risk Assessment and ensure that all risks due to sub-contractor access to Bharti Infratel information assets are identified, measured and mitigated appropriately before providing access to Bharti Infratel information assets. The Risk Assessment

13 report is required to be shared with the CISO of Bharti Infratel prior to providing access to information and/or information-processing facilities to the sub-contractor Addressing when Dealing with Customers Control Statement: Appropriate security controls shall be addressed when dealing with customers. Explanatory Notes: Controls shall be in place so that information assets or Information processing environment used for providing services to Bharti Infratel are physically and logically segregated from other customers. Specific approval is required to be taken from CISO for any exception to this Addressing in Sub-contractor Agreements Control Statement: Agreements with the sub-contractors, who are involved in providing services to Bharti Infratel, shall cover information security requirements as applicable in the BITSP. Explanatory Note: Agreements with the sub-contractors who are engaged by Third party and are involved in accessing, processing, communicating or managing the information of Bharti Infratel shall cover all information security requirements in accordance with the BITSP. Additionally, the Third-party should ensure that their sub-contractors access the information assets of Bharti Infratel only after signing a formal contract and a Non-Disclosure agreement with them. The Third-party is also required to ensure that Intellectual Property Rights are honoured by all its sub-contractors. Such contracts and Non-Disclosure agreements entered with sub-contractors shall be shared with Bharti Infratel in case required by Bharti Infratel.

14 3. Asset Management Policy (BITSP 003) 3.1. Introduction All information assets deployed for providing services to Bharti Infratel by the Third-party shall be provided comprehensive protection. The Third-party, being the owner and/ or custodian of the information assets and associated processing facilities, shall be responsible for implementing the controls defined in this policy to maintain confidentiality, integrity and availability of these information assets Policy Statement and Objective Identification, classification and CIA valuation of information assets including the identification of asset owner and custodian are extremely important to design and implement the required controls for the protection of the assets. The objectives of the policy are to ensure that: All information assets used by Third-party in providing services to Bharti Infratel have been identified and designated owner and custodian appointed by the Third-party; All information assets are classified based on their criticality to the business; and All information assets receive an appropriate level of protection by implementing relevant controls Asset Register Third-party shall create and maintain asset registers for all information assets belonging to them that are deployed to provide services to Bharti Infratel. The asset register is required to contain, at a minimum, the following information about the assets: The identification and location of assets; The name of business function, process or function that uses this asset; The type and classification of asset; The Asset Owner, Custodian and User; and The Confidentiality, Integrity and Availability ratings of the asset Asset Management Responsibilities The responsibility for implementing appropriate security controls to identify, classify and protect the assets is required to be defined.

15 3.4.1 Inventory of Assets Control Statement: Information assets owned by the Third-party shall be identified and an inventory of these assets shall be documented and maintained. Explanatory Notes: An inventory of all important assets is required to be maintained by the Thirdparty. Such an inventory shall include all necessary information, including type of asset, asset owner, asset custodian, asset location (office location) and criticality value in order to recover from a disaster. This Inventory is required to be maintained in accordance with the Asset Management Procedure laid down by Bharti Infratel Ownership of Assets Control Statement: Information assets that are used to provide services to Bharti Infratel shall have a designated owner from the Third-party. Explanatory Notes: Assets owned by the Third-party and used to process information of Bharti Infratel is required to be owned by a designated individual belonging to the Third-party. The asset owner shall be responsible for the following: Ensuring that the assets are appropriately classified as per the Classification Guidelines (Refer BITSP - section 3.5.1); Ensuring that assets are correctly entered in the Asset Register as per a formal Asset Management Procedure; Defining and reviewing periodically the access rights to their respective assets Acceptable Use of Assets Control Statement: Third-party shall develop and implement Rules for the acceptable use of information assets that are used to provide services to Bharti Infratel. Explanatory Notes: The Third-party is required to ensure that its employees adhere to the acceptable use of assets as developed by them Information Asset Classification The information assets have different degrees of sensitivity and criticality. Some items may require an additional level of protection or special handling. The information classification criteria shall be used by the Third-party to classify the information assets used to provide services to Bharti Infratel. Information Assets that are owned by Bharti Infratel are classified by Bharti Infratel and third-party have to handle them based on the classification level.

16 3.5.1 Classification Guidelines Control Statement: All information assets shall be classified in terms of its value, sensitivity, and criticality to Bharti Infratel. Explanatory Notes: Important information assets shall be assigned an asset criticality rating as per guidelines laid down in the Asset Management Procedure, to assess the relative importance of such assets to Bharti Infratel and to determine the level of security measures to be implemented for their protection. The information assets shall be classified in terms of its sensitivity and criticality to the business of Bharti Infratel, into one of the following categories: Restricted: This classification applies to the most critical business information, which is intended strictly for the use of Bharti Infratel. Its unauthorised disclosure could adversely impact the Bharti Infratel business, its stockholders, its business partners, and/ or its customers leading to the legal and financial repercussions and adverse public opinion. The information that some people would consider to be private is included in this classification. Examples: Critical Servers, Critical Passive Infrastructure devices, System Access Controls, System Passwords, Technology related Documents, Engineering documents, etc. Confidential: This classification applies to the sensitive business information, which is intended for the use of Bharti Infratel. Its unauthorised disclosure could adversely impact Bharti Infratel business, its stockholders, its business partners, its employees, and/or its customers. Examples: System configuration procedures, internal audit reports which comprise the collective experience, knowledge, skill, and information of Bharti Infratel. Public: This classification applies to the information, which has been explicitly approved by the Bharti Infratel management for release to the public. By definition, there is no such thing as unauthorised disclosure of this information and it may be freely disseminated without potential harm. Examples: advertisements, and published press releases. Internal: This classification applies to the information, which is specifically meant for internal use within Bharti Infratel. While its unauthorised disclosure is against the policy, it is not expected to seriously or adversely impact business of Bharti Infratel, its employees, customers, stockholders & business partners. Examples: Telephone directory, training materials and manuals, internal staff circulars.

17 3.5.2 Information Asset Labelling and Handling Control Statement: The Third-party shall follow the procedures for information asset labelling and handling for all information assets that are used to provide services to Bharti Infratel. Explanatory Notes: All information assets are required to be labelled by the Third-party and maintained as per a formal Information Labelling and Handling Guideline. These assets shall be labelled (marked) using the classification scheme only to indicate the level of sensitivity of the information. This may exclude public information.

18 4. Human Resources Policy (BITSP - 004) 4.1. Introduction The Human Resource Policy defines the controls that are required to be implemented and maintained during the recruitment process, employment process and termination or change of employment to ensure the protection of information assets that are used to provide services to Bharti Infratel from human error, misuse, theft or fraud Policy Statement and Objective All employees of the Third-party with access to the information assets of Bharti Infratel shall understand their responsibilities for the comprehensive protection of information and processing facilities of Bharti Infratel. The objectives of this policy are to: Ensure that appropriate security controls are followed at the time of recruitment by the Third-party. Ensure that the Third-party employees understand their responsibilities and roles regarding information security in Bharti Infratel; Reduce the risks of human error, theft, fraud or misuse of the information assets; and Ensure that employees are aware of information security threats and concerns and are equipped to support the BITSP in the course of their work. Failure to adhere to information security responsibilities may entail appropriate disciplinary action During Recruitment The Human Resources function of Third party shall ensure that security responsibilities are defined and addressed prior to employment in adequate job descriptions and in terms and conditions of employment. It is strongly recommended that background verification checks are conducted for the employees who will provide services to Bharti Infratel Roles and Responsibilities Control Statement: The security roles and responsibilities of employees shall be defined and documented. Explanatory Notes: It is required that HR function of the Third-party define and document and communicate the security roles and responsibilities of its employees to ensure that they

19 Act in accordance with the BITSP; Protect assets from unauthorised access, disclosure, modification and destruction; and Execute specific security processes and activities Screening Control Statement: Background verification checks shall be carried out for the employees who will provide services to Bharti Infratel. Explanatory Notes: It is required that the Third-party carries out background verification checks for employees who have access to Bharti Infratel information systems and processing facilities. They are also recommended to provide an evidence of the same to Bharti Infratel Terms and Conditions of Employment Control Statement: The Third-party shall ensure that their employees read and accept the terms and conditions of employment, which shall reflect the information security requirements of Bharti Infratel as specified in the BITSP. Explanatory Notes: Before deployed in Bharti Infratel for providing the services as per contract, third-party is required to define terms and conditions of employment and communicate them to its employees. Terms and conditions are required to include the following: Sign a confidentiality agreement which may hold them liable for any unauthorised disclosure, modification and/or destruction of information, information systems and/or processing facilities of Bharti Infratel; Legal responsibilities and rights; The responsibility for handling information as per its level of classification; The responsibility for exhibiting due diligence while handling information received from external parties and protecting its confidentiality and integrity; The actions to be taken, if any employee disregards the information security requirements of Bharti Infratel During Employment HR function and concerned personnel of the Third-party are required to take appropriate actions to ensure that:

20 The employees are duly informed of their information security responsibilities to maintain a reasonable level of security for information assets and processing facilities used to provide services to Bharti Infratel; and An adequate level of awareness, education and training on the information security is provided to all employees Management Responsibilities Control Statement: The Management of the Third-party should require its employees to adhere to information security requirements in accordance with the BITSP. Explanatory Notes: It is recommended that the Management of the Third-party should ensure that its employees providing services to Bharti Infratel apply security in adherence to the BITSP. The Management of Third-party should ensure that: Employees are properly communicated regarding their roles and responsibilities towards information security in Bharti Infratel. Employees achieve a level of awareness on security in proportion to their roles. Employees attend the information security awareness training program before deploying them in Bharti Infratel premises. Employees have appropriate skills and qualifications required to do the job for Bharti Infratel Information Awareness, Education and Training Control Statement: Employees providing services to Bharti Infratel should receive appropriate awareness training and regular updates on the BITSP and information security, as relevant to their job. Explanatory Notes: The Third-party shall ensure that all employees receive formal training in Information Awareness. Inputs and updates for this will be provided by Bharti Infratel to the Third-party as and when they become available. The Third-party should ensure that they update their employees as and when these are made available Disciplinary Process Control Statement: A disciplinary process for information security violations shall be established, and documented. Employees shall be communicated of the disciplinary process. Explanatory Notes: A formal disciplinary process is required to commence against the BITSP after verification that a security breach/violation has occurred involving an employee.

21 The Third-party is required to ensure that its employees are made aware of the formal disciplinary process which may be initiated, if they violate the BITSP or commit/participate in any kind of security breach Termination or Change of Employment Responsibility Adequate security measures are required to be taken by the Third-party when employees undergo role transformation within the Third-party organisation, or withdraw from Bharti Infratel project, or resign from the Third-party organisation. It is required to be ensured that the access rights provided to such employees on information, information assets and/or processing facilities are reduced/changed/revoked depending on the situation Return of Assets Control Statement: The Third-party s employees shall return all assets in their possession, used to provide services to Bharti Infratel, upon termination of their employment. Explanatory Notes: All Third-party s employees are required return of all previously-issued software, documents, equipments, laptops, PDA, access cards, manuals, and information stored on electronic media which are used to provide services to Bharti Infratel Removal of Access Rights Control Statement: The access rights of employees shall be revoked at the time of termination or changed when the current role of the employee changes. Explanatory Notes: Access rights to information and information-processing facilities held by employees of the Third-party is required to be revoked upon termination or withdrawn from Bharti Infratel project. It is required that all passwords for active accounts that a departing employee has known are forcefully changed with immediate effect. In case of change of role of a Third-party employee, BITSP is required to revise and adjust the access rights as appropriate.

22 5. Physical and Environmental Policy (BITSP 005) 5.1. Introduction The Physical and Environmental Policy defines the appropriate controls to maintain the required physical and environmental security of information assets and information-processing facilities that are used to provide services to Bharti Infratel Policy Statement and Objective Assets and facilities, which house information of Bharti Infratel, shall be protected from unauthorised physical access and environmental threats. All physical access and movement of information systems shall be monitored and reviewed. The objectives of the policy are to: Prevent unauthorised physical access, damage, and interference to information assets; Critical and sensitive information systems located at Third-party location and used to provide services to Bharti Infratel are recommended to be protected by defined security perimeters parameters, with appropriate security barriers and entry controls; Protect assets by implementing environmental controls to prevent damage from environmental threats; and Regularly conduct preventive maintenance for infrastructural equipment to ensure faultless services Secure Areas An adequate level of security shall be provided to the facilities and office locations housing information assets used to provide services to Bharti Infratel Physical Perimeter Control Statement: The Third-party shall ensure that a physical security perimeter is defined and implemented for office locations and facility, housing information assets that are used to provide services to Bharti Infratel. Explanatory Notes: The Third-party is required to ensure that a physical security perimeter is used to secure all such facilities where the information systems that are used to provide services to Bharti Infratel are hosted. Physical security perimeters such as a wall, card-controlled entry gates and/or manned reception desks should be used to secure the facility.

23 5.3.2 Physical Entry Controls Control Statement: Secure areas within the facility of the Third-party shall be protected by appropriate entry controls to ensure authorised access. Explanatory Notes: Third-party is recommended to ensure that only authorised persons are provided access to secure areas (areas hosting information systems/ equipment). Access to all such areas should be controlled, recorded and monitored by the Third-party. The secure areas shall have physical security check points Securing Offices, Rooms and Facilities Control Statement: Physical security controls for offices, rooms and facilities should be designed and applied. Explanatory Notes: The Third-party is recommended to ensure that offices, rooms and facilities that store critical information of Bharti Infratel are secured. The following is recommended to be considered: Relevant safety regulations and standards are implemented; Key facilities should be sited securely so as to avoid access by the public; and Where applicable, buildings should be unobtrusive and give minimum indication of their purpose, with no obvious signs, outside or inside the building identifying the presence of information processing activities that are used to provide services to Bharti Infratel Protection against External and Environmental Threats Control Statement: Protection against damage from natural and man-made disasters shall be designed and implemented. Explanatory Notes: Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of environmental, natural or man-made disaster is required to be designed and applied. It should be considered that: Adequate air-conditioning and humidity-control systems are implemented to support information systems and equipment that are used to provide services to Bharti Infratel; Fire suppression systems are installed wherever applicable; Hazardous, combustible material and stationery items are stored at a secure distance from the secure area. Adequate power supply controls are implemented to ensure continuous power supply at the facilities being used to provide services to Bharti Infratel;

24 Fallback equipment and back-up media are sited at a different location to ensure continuity of business operations Working in Secure Areas Control Statement: Guidelines for working in secure areas shall be designed and implemented. Explanatory Notes: BITSP is required to ensure the following guidelines: Personnel should be aware of the existence of, or activities within, a secure area only on a need-to-know basis; Unsupervised working in secure areas is required to be avoided to prevent opportunities for malicious activities; Vacant secure areas is required to be physically locked and periodically checked; Photographic, video, audio or other recording equipment, such as cameras in mobile devices, shall not be allowed in restricted areas, unless authorised by the management of the Third-party Public Access, Delivery and Loading Areas Control Statement: All loading and un-loading areas shall be isolated from information-processing facilities that are used for providing services to Bharti Infratel. Explanatory Notes: Entry points in the Third-party s location such as delivery and loading areas and other points where unauthorised personnel may enter are required to be controlled and isolated from information-processing facilities to avoid unauthorised access Equipment controls shall be implemented to prevent loss, damage, theft of any equipment, compromise of information systems and interruption to the services provided to Bharti Infratel by the Third-party. Equipment hereinafter refers to as systems that are used to store and process information of Bharti Infratel. They include, but are not limited to, laptops, desktops, servers, and network devices Equipment-Siting and Protection Control Statement: All equipment used to provide services to Bharti Infratel, shall be sited and protected to reduce risks from environmental threats and hazards and opportunities of unauthorised access. Explanatory Notes: All equipment used to provide services to Bharti Infratel is required to shall be protected against environmental threats and unauthorised access. It is required to ensure that:

25 The equipment are appropriately located and security controls put in place to reduce risk of potential threats (e.g., theft, fire, explosive, smoke, flooding, dust, vibrations, chemical effects, electrical supply interference) to their incessant use; Appropriate controls such as for temperature and humidity are implemented for the safety of the equipment. Guidelines for eating, drinking and smoking in the proximity of any equipment shall be established. All equipment that process sensitive data of Bharti Infratel shall be positioned in such way to restrict the viewing angle in order to reduce the risk of information being viewed by unauthorised personnel Supporting Utilities Control Statement: All equipment used to provide services to Bharti Infratel shall be protected from power failures and other disruptions caused by failure of supporting utilities. Explanatory Notes: The Third-party is required to ensure that: All supporting utilities, such as electricity, water supply, sewage, heating/ventilation, and air-conditioning are in appropriate condition for the systems being used to provide services to Bharti Infratel. Uninterruptible Power Supply (UPS) systems and generators are installed to support controlled shutdown or continued functioning of equipment being used to provide services to Bharti Infratel. An alarm system to highlight any malfunctioning of any of the supporting utilities is installed. Adequate contacts are in place with vendors to provide services whenever there is an emergency Cabling Control Statement: Power and telecommunication network cables shall be protected from damage or interception. Explanatory Notes: In places where Bharti Infratel information assets are housed for maintenance, third-party is required to identify and mark network cables and their corresponding terminals being used to provide services to Bharti Infratel. Third-party is required to segregate power cables from the communication cables through a separate conduit to prevent any interference.

26 5.4.4 Equipment Maintenance Control Statement: All equipment shall be appropriately maintained to ensure their continued availability and integrity. Explanatory Notes: All equipments that are used for providing services to Bharti Infratel are required to be maintained in accordance with the supplier s recommended service intervals and specifications. A preventive maintenance exercise for all equipment being used to provide services to Bharti Infratel are required to conducted at scheduled intervals ensuring their continued availability and integrity. The Third Party shall ensure that appropriate controls are applied to prevent any information leakage or destruction when equipment is scheduled for preventive maintenance of Equipment Off-premises Control Statement: shall be applied to off-site equipment taking into account different risks outside the premises. Explanatory Notes: All equipments being used for Bharti Infratel (e.g. tower, backup media, and laptops) are required to receive the appropriate level of protection against physical and environmental threats. The equipments that are used for providing services to Bharti Infratel and are installed outside the Third-party s premises are to be monitored at regular intervals. The Third-party is required to ensure that the information asset of Bharti Infratel is not taken out without an authorised gate pass signed by concerned authorised personnel Secure Disposal and Re-use of Equipment Control Statement: The equipment containing information of Bharti Infratel shall be disposed of in a secure manner. Explanatory Notes: Equipments like OSS and data switches containing information like the configuration parameters for Bharti Infratel are required to be erased and/ or disposed in a secure manner. If equipments are un-repairable, they shall be physically destroyed. In case of re-use of such equipments, third-party shall ensure that they erase/ format all information parameters used for Bharti Infratel Removal of Property Control Statement: The equipment, information or any software shall not be taken off-site without prior authorisation. Explanatory Notes: Any equipment, information system, storage device or software having information that belongs to Bharti Infratel shall not be taken outside the Third-party s premises

27 without prior authorisation from the management of the Third-party. Gate-pass shall be used as a means to prevent any unauthorised removal of property.

28 6. Communication and Operations Management Policy (BITSP 006) 6.1. Introduction The Communication and Operations Management Policy establishes appropriate controls, including development of operating procedures, monitoring user-activities, and deploying appropriate technology to prevent unauthorised access, misuse or failure of the information systems and equipment and to ensure confidentiality, integrity and availability of information that is processed by, or stored in, the information systems/equipment Policy Statement and Objective The Third-party shall ensure that all defined procedures are followed and implemented to ensure secure and correct operations. The objectives of the policy are to: Develop documented operation procedures for the information systems and computing devices used to provide services to Bharti Infratel; Ensure protection of information during its transmission through communication networks; Protect integrity of software and information against the malicious codes; Develop an appropriate backup strategy and monitoring plan for protecting integrity and availability of information; Have appropriate controls over storage media to prevent its damage and/or theft; and Maintain security during the information exchange with other organisations Operational Procedures and Responsibilities Documented Operating Procedure Control Statement: Standard operating procedures pertaining to all system activities shall be documented, maintained and followed. Explanatory Notes: Procedures are required to be in place, to ensure that activities performed for day-to-day system operations are carried out in a secure manner. Third party is required to document all Operating Procedures to maintain confidentiality, integrity and availability of that specific platform or application. The Third-party is required to ensure that procedures are made available to all their employees who are involved in the respective operations and processes for

29 Bharti Infratel. All system and application administrators shall ensure that operating procedures are kept up-to-date in accordance with any system changes. The procedures are required to include, but not limited to, the following: Any automated or scheduled processes that are running on the system or application associated with Bharti Infratel information; Day-to-day operational tasks that need to be performed by the operator; The actions performed when an error or an exceptional condition occurs, including listed contact details for people that may be required to assist or that may have a dependency on that service; The actions required for start-up, restart or shutdown of the system or application associated with Bharti Infratel information; The actions performed for system or application backup; The actions performed for system or application recovery or restoration; The actions performed for handling of information; for example, backup tapes or disposal of output (such as printed output) from failed runs of automated processes; and Management of audit trail and system log information Change Management Control Statement: A formal Change Management Process shall be developed and implemented for carrying out changes to information systems associated with Bharti Infratel. Explanatory Notes: To ensure that the security of the systems/environments is not compromised, Third party is required to manage the change(s) in the production systems/environment of assets used to provide services to Bharti Infratel. Third-party shall ensure that: a. Change control is required to be applied to all security aspects of the production applications and infrastructure associated with Bharti Infratel. b. All Third-party service providers are required to manage the change(s) to the systems and services supplied to Bharti Infratel. c. All approved changes are required to be tested in a test setup prior to implementing them on the production systems.

30 6.3.3 Patch Management Control Statement: A formal Patch Management Process shall be developed and implemented for applying patches to the information systems associated with Bharti Infratel. Explanatory Notes: Third party is required to apply the patches to the systems being used to provide services to Bharti Infratel in a timely manner to ensure that the systems are running at their optimum level and the threat from vulnerabilities and malicious agents are reduced to an acceptable level Segregation of Duties Control Statement: Duties and areas of responsibility should be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of assets. Explanatory Notes: Third party is recommended to implement segregation of duties so that no one user has the opportunity to subvert any security control associated with Bharti Infratel information. Any one employee of Third-party should not be responsible for more than one of the following duties, at any given point of time: data entry, computer operation, network management, system administration, systems development, change management, security administration, security audit, security monitoring. Where segregation of duties is not possible or practical, the process is recommended to include compensating controls such as monitoring of activities, maintenance and review of audit trails and management supervision. Collusion shall be removed from the design and deployment architecture of the compensating control Separation of Development, Test, and Operational Facilities Control Statement: Development, test and operational facilities which are used to provide services to Bharti Infratel shall be separated to reduce the risk of unauthorised access or changes to the operational system. Explanatory Notes: The development and production facilities/environments used to provide services to Bharti Infratel is required to be physically and/or logically separated. a. Development and Operational software is required to run on different systems. b. Compilers, editors, and other development tools or system utilities shall not be accessible from operational systems when not required. c. Sensitive data shall not be copied into test environment for testing purpose. d. A formal Change Management Process is required to be followed for implementing any changes to the development, test and operational facilities.

31 6.4. Sub-Contractor Service Delivery Management In the course of providing services to Bharti Infratel, the Third-party may outsource some services to a Sub-contractor. When using the services of a Sub-contractor, the Third-party shall ensure that agreed service delivery levels are met and security controls are adhered to by the Sub-contractor. The Third-party shall monitor and review the services of its sub-contractor on an ongoing basis to ensure that services offered to Bharti Infratel are supported without any interruption Service Delivery Control Statement: Appropriate security controls, service definitions and delivery levels included in the Sub-contractor service delivery agreement shall be implemented, operated and maintained. Explanatory Notes: Service delivery by a Sub-contractor is required to include the agreed security arrangements, service definitions, and other aspects of service management. The Third-party is required to ensure that the Sub-contractor maintains sufficient service capability together with workable plans designed to ensure that agreed service continuity levels to Bharti Infratel are maintained Monitoring and Review of Sub-contractor Services Control Statement: A documented process shall be established to ensure the services, reports and evidences provided by the Sub-contractors who are involved in providing services to Bharti Infratel are monitored and reviewed on defined periodic basis. Explanatory Notes: Third-party is required to monitor and review sub-contractor services to ensure that the BITSP is being adhered to and that information security incidents and problems are managed properly. Audits to assess compliance of the Sub-contractor s services with the agreed contract shall be conducted on a periodic basis. The responsibility of managing the relationship with a Subcontractor of the Third-party is required to be assigned to a designated individual or service management team Managing Changes to Sub-contractor Services Control Statement: A documented procedure to control changes pertaining to a Sub-contractor s services shall be implemented. Explanatory Statement: The Third-party is required to ensure that all changes pertaining to the Sub-contractor s services are maintained, agreed and documented. Services to Bharti Infratel shall not be disrupted due to any changes in service levels between the Third-party and its Subcontractor.

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

ISO IEC 27002 2005 (17799 2005) INFORMATION SECURITY AUDIT TOOL

ISO IEC 27002 2005 (17799 2005) INFORMATION SECURITY AUDIT TOOL 9.1 USE SECURITY AREAS TO PROTECT FACILITIES 1 GOAL Do you use physical methods to prevent unauthorized access to your organization s information and premises? 2 GOAL Do you use physical methods to prevent

More information

INFORMATION SECURITY PROCEDURES

INFORMATION SECURITY PROCEDURES INFORMATION AN INFORMATION SECURITY PROCEURES Parent Policy Title Information Security Policy Associated ocuments Use of Computer Facilities Statute 2009 Risk Management Policy Risk Management Procedures

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information

More information

Information Security Management. Audit Check List

Information Security Management. Audit Check List Information Security Management BS 7799.2:2002 Audit Check List for SANS Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SPS (FW), IT Security Consultant. Approved by: Algis Kibirkstis Owner: SANS Extracts

More information

Does it state the management commitment and set out the organizational approach to managing information security?

Does it state the management commitment and set out the organizational approach to managing information security? Risk Assessment Check List Information Security Policy 1. Information security policy document Does an Information security policy exist, which is approved by the management, published and communicated

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

April 21, 2009 Dines Bjørner: MITS: Models of IT Security: 1. c Dines Bjørner 2006, Fredsvej 11, DK 2840 Holte, Denmark

April 21, 2009 Dines Bjørner: MITS: Models of IT Security: 1. c Dines Bjørner 2006, Fredsvej 11, DK 2840 Holte, Denmark April 21, 2009 Dines Bjørner: MITS: Models of IT Security: 1 Models of IT Security Security Rules & Regulations: An Interpretation Dines Bjørner Fredsvej 11, DK 2840 Holte, Denmark Presented at Humboldt

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

ISO 27002:2013 Version Change Summary

ISO 27002:2013 Version Change Summary Information Shield www.informationshield.com 888.641.0500 sales@informationshield.com Information Security Policies Made Easy ISO 27002:2013 Version Change Summary This table highlights the control category

More information

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified Author(s) Responsible Committee / Officers Issue Date Review Date Intended Audience Impact Assessed CCG Committee

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose... IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This

More information

Physical Security Policy

Physical Security Policy Physical Security Policy Author: Policy & Strategy Team Version: 0.8 Date: January 2008 Version 0.8 Page 1 of 7 Document Control Information Document ID Document title Sefton Council Physical Security

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Network Security Policy

Network Security Policy IGMT/15/036 Network Security Policy Date Approved: 24/02/15 Approved by: HSB Date of review: 20/02/16 Policy Ref: TSM.POL-07-12-0100 Issue: 2 Division/Department: Nottinghamshire Health Informatics Service

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Version 1.0. Ratified By

Version 1.0. Ratified By ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified 5 th March 2013 Author(s) Responsible Committee / Officers Issue Date 5 th March 2013 Review Date Intended Audience

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 3.0 Ratified By Date Ratified April 2013 Author(s) Responsible Committee / Officers Issue Date January 2014 Review Date Intended Audience Impact

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review Date

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

ULH-IM&T-ISP06. Information Governance Board

ULH-IM&T-ISP06. Information Governance Board Network Security Policy Policy number: Version: 2.0 New or Replacement: Approved by: ULH-IM&T-ISP06 Replacement Date approved: 30 th April 2007 Name of author: Name of Executive Sponsor: Name of responsible

More information

Decision on adequate information system management. (Official Gazette 37/2010)

Decision on adequate information system management. (Official Gazette 37/2010) Decision on adequate information system management (Official Gazette 37/2010) Pursuant to Article 161, paragraph (1), item (3) of the Credit Institutions Act (Official Gazette 117/2008, 74/2009 and 153/2009)

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen ICT Policy THCCGIT20 Version: 01 Executive Summary This document defines the Network Infrastructure and File Server Security Policy for Tower Hamlets Clinical Commissioning Group (CCG). The Network Infrastructure

More information

CITY UNIVERSITY OF HONG KONG Physical Access Security Standard

CITY UNIVERSITY OF HONG KONG Physical Access Security Standard CITY UNIVERSITY OF HONG KONG (Approved by the Information Strategy and Governance Committee in December 2013) PUBLIC Date of Issue: 2013-12-24 Document Control Document Owner Classification Publication

More information

Policy Document. IT Infrastructure Security Policy

Policy Document. IT Infrastructure Security Policy Policy Document IT Infrastructure Security Policy [23/08/2011] Page 1 of 10 Document Control Organisation Redditch Borough Council Title IT Infrastructure Security Policy Author Mark Hanwell Filename IT

More information

Information Security Team

Information Security Team Title Document number Add document Document status number Draft Owner Approver(s) CISO Information Security Team Version Version history Version date 0.01-0.05 Initial drafts of handbook 26 Oct 2015 Preface

More information

INFORMATION SYSTEMS. Revised: August 2013

INFORMATION SYSTEMS. Revised: August 2013 Revised: August 2013 INFORMATION SYSTEMS In November 2011, The University of North Carolina Information Technology Security Council [ITSC] recommended the adoption of ISO/IEC 27002 Information technology

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

IT - General Controls Questionnaire

IT - General Controls Questionnaire IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow

More information

Mike Casey Director of IT

Mike Casey Director of IT Network Security Developed in response to: Contributes to HCC Core Standard number: Type: Policy Register No: 09037 Status: Public IG Toolkit, Best Practice C7c Consulted With Post/Committee/Group Date

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Draft Information Technology Policy

Draft Information Technology Policy Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software

More information

Information Security Policy

Information Security Policy Information Security Policy Last updated By A. Whillance/ Q. North/ T. Hanson On April 2015 This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

Music Recording Studio Security Program Security Assessment Version 1.1

Music Recording Studio Security Program Security Assessment Version 1.1 Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Network Security Policy

Network Security Policy Department / Service: IM&T Originator: Ian McGregor Deputy Director of ICT Accountable Director: Jonathan Rex Interim Director of ICT Approved by: County and Organisation IG Steering Groups and their relevant

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002)

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002) (NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002) 1. Approval and Authorisation Completion of the following signature blocks signifies

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11 Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India CIRCULAR CIR/MRD/DP/13/2015 July 06, 2015 To, All Stock Exchanges, Clearing Corporation and Depositories. Dear Sir / Madam, Subject: Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing

More information

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by: Tameside Metropolitan Borough Council ICT Security Policy for Schools Adopted by: 1. Introduction 1.1. The purpose of the Policy is to protect the institution s information assets from all threats, whether

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls Review (ITGC) Audit Program Prepared by: Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Rule 4-004L Payment Card Industry (PCI) Physical Security (proposed) 01.1 Purpose The purpose

More information

Hengtian Information Security White Paper

Hengtian Information Security White Paper Hengtian Information Security White Paper March, 2012 Contents Overview... 1 1. Security Policy... 2 2. Organization of information security... 2 3. Asset management... 3 4. Human Resources Security...

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

Privacy + Security + Integrity

Privacy + Security + Integrity Privacy + Security + Integrity Docufree Corporation Data Security Checklist Security by Design Docufree is very proud of our security record and our staff works diligently to maintain the greatest levels

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration

More information

TELEFÓNICA UK LTD. Introduction to Security Policy

TELEFÓNICA UK LTD. Introduction to Security Policy TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15

More information

Gatekeeper PKI Framework. February 2009. Registration Authority Operations Manual Review Criteria

Gatekeeper PKI Framework. February 2009. Registration Authority Operations Manual Review Criteria Gatekeeper PKI Framework ISBN 1 921182 24 5 Department of Finance and Deregulation Australian Government Information Management Office Commonwealth of Australia 2009 This work is copyright. Apart from

More information

Information Security Programme

Information Security Programme Information Security Programme Information Security Policy This document is issued in the strictest business confidence. It should be read in conjunction with a number of other supporting and complementary

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

Cyber and Data Security. Proposal form

Cyber and Data Security. Proposal form Cyber and Data Security Proposal form This proposal form must be completed and signed by a principal, director or a partner of the proposed insured. Cover and Quotation requirements Please indicate which

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Version: 0.2 Committee Approved by: Audit Committee Date Approved: 15 th January 2014 Author: Responsible Directorate Information Governance & Security Officer, The Health Informatics

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

Application Development within University. Security Checklist

Application Development within University. Security Checklist Application Development within University Security Checklist April 2011 The Application Development using data from the University Enterprise Systems or application Development for departmental use security

More information

Network & Information Security Policy

Network & Information Security Policy Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Governance and Corporate Affairs Committee Date: December 2014 Next Review Date: August 2016 Version: 0.2 Page 1 of 14 Review and Amendment Log / Control Sheet

More information

Physical and Environment IT Security Standards

Physical and Environment IT Security Standards Physical and Environment IT Security Standards Author s Name: Jo Brown Author s Job Title: Head of Technical Services Division: Corporate Department: Technical Services Version Number: 1.0 Ratifying Committee:

More information

Information Security Policy. Policy and Procedures

Information Security Policy. Policy and Procedures Information Security Policy Policy and Procedures Issue Date February 2013 Revision Date February 2014 Responsibility/ Main Point of Contact Neil Smedley Approved by/date Associated Documents Acceptable

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

Version 1.0 (updated March 2015)

Version 1.0 (updated March 2015) BRIGHT HORIZONS BASELINE THIRD PARTY SECURITY REQUIREMENTS Version 1.0 (updated March 2015) Contents SECTION 1:... 3 REQUIREMENTS INTRODUCTION AND BACKGROUND... 3 1. SUMMARY... 3 2. DEFINITIONS... 3 3.

More information

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Regulations on Information Systems Security. I. General Provisions

Regulations on Information Systems Security. I. General Provisions Riga, 7 July 2015 Regulations No 112 (Meeting of the Board of the Financial and Capital Market Commission Min. No 25; paragraph 2) Regulations on Information Systems Security Issued in accordance with

More information

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy June 10, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT

More information

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

Information Security Standards

Information Security Standards Information Security Standards Policy as approved by the Board of Trustees on 3/14/2011 is in black print. Standards (operating draft) as of 8/3/2011 are in blue print. 8/3/2011 Operating Draft The University

More information

Dokument Nr. 521.dw Ausgabe Februar 2013, Rev. 01. . Seite 1 von 11. 521d Seite 1 von 11

Dokument Nr. 521.dw Ausgabe Februar 2013, Rev. 01. . Seite 1 von 11. 521d Seite 1 von 11 Eidgenössisches Departement für Wirtschaft, Bildung und Forschung WBF Staatssekretariat für Wirtschaft SECO Schweizerische Akkreditierungsstelle SAS Checkliste für die harmonisierte Umsetzung der Anforderungen

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

ADEC GROUP INFORMaTiON SecURiTY AND CONTROLS

ADEC GROUP INFORMaTiON SecURiTY AND CONTROLS ADEC GROUP INFORMaTiON SecURiTY AND CONTROLS Rising To Global Information Challenges Information is your most valuable commodity today. As a global enterprise servicing a wide range of businesses, ADEC

More information

Information security management systems Specification with guidance for use

Information security management systems Specification with guidance for use BRITISH STANDARD BS 7799-2:2002 Information security management systems Specification with guidance for use ICS 03.100.01; 35.020 This British Standard, having been prepared under the direction of the

More information