DVLA ELISE GSi Closed User Group Code of Connection
Security Warning Notice

The following handling instructions apply to this document:
- Handle, use and transmit with care
- Take basic precautions against accidental compromise, opportunist or deliberate attack
- Dispose of sensibly by destroying in a manner to make reconstruction unlikely

Author: Dave Betts, DVLA IT Security
Version: 7.0
Date: November 2010
Status: Final
Contact Details - DVLA Connection Information

Organisation Name: Driver and Vehicle Licensing Agency (DVLA)

Information Security Manager Details
- Name: Mark Lees
- Address: DVLA, C2 East, Longview Road, Morriston, Swansea SA6 7JL
- Email: mark.lees@dvla.gsi.gov.uk

IT/System Manager Details
- Name: Leigh Allen
- Address: DVLA, C2 East, Longview Road, Morriston, Swansea SA6 7JL
- Email: leigh.allen@dvla.gsi.gov.uk

Accreditor Details
- Name: David Pope
- Company (if applicable): DVLA
- Address: DVLA, C1 East, Longview Road, Morriston, Swansea SA6 7JL
- Email: david.pope@dvla.gsi.gov.uk

DVLA Contact Details (enquiries relating to the completion of the Code of Connection)
- Name: Dave Betts
- Job Title: DVLA IT Security Assurance Manager
- Address: DVLA, C2 East, Longview Road, Morriston
- Email: dave.betts@dvla.gsi.gov.uk
Contact Details - Organisation Connection Information

Organisation Name: [Insert Name of Organisation]

IT Security Officer Details (see FAQ 2)
- Name:
- Address:
- Telephone Number:

IT/System Manager Details (see FAQ 2)
- Name:
- Address:
- Telephone Number:

Accreditor Details, where relevant (see FAQ 3)
- Name:
- Company:
- Address:
- Telephone Number:

Alternate Contact Details (see FAQ 4)
- Name:
- Phone:
- Fax:
- Address:
Annex A - Common Terms

Risk Owner: The Risk Owner accepts responsibility for ensuring that Information Systems (IS) risk within the organisation is managed appropriately. The Risk Owner should hold a position at Board level and understand how the strategic business goals of the connecting organisation may be impacted by IS failures, including the compromise of data provided to the organisation by DVLA. Within UK Government this role is undertaken by a Senior Information Risk Owner (SIRO).

Risk Manager: The Risk Manager is responsible for the day to day evaluation of the organisation's exposure to risk and for controlling these exposures through such means as mitigation, avoidance, management or transference. This role is usually held by an Information Security Manager or Departmental Security Officer.

Each control in Annex B uses one of the following terms for its requirement:

MUST: This word means that the control is an absolute requirement.

SHOULD: This word means that there may be valid reasons not to implement the control and therefore implementation of that control is optional. The valid reasons should be documented within Annex B.

Each control in Annex B applies to a particular part of the organisation or network:

Network: A collection of hosts together with the network through which they can exchange data.

Server: A network entity that provides a service to other network entities.

Host(s): A computer that is attached to a communication sub-network or inter-network and can use services provided by the network to exchange data with other attached systems. This includes both clients and servers.

Host: A computer or server that is directly attached to, or provides services by proxy to, the DVLA CUG.

User(s): A person, organisation, or automated process that has direct or proxy access to the DVLA.
Annex B - DVLA ELISE Closed User Group - Control Table

The original table has the columns No. | Subject | Control Requirement | Applies to | Reference Sources | Comply (Yes, No or Partial) | Comments (please give details of implementation, e.g. products, and, if practical, timescales). The Comply and Comments columns are completed by the connecting organisation for every control. Where the "Applies to" value or FAQ cross-reference survived in the source it is given in brackets after the control number.

1.0 Physical Security (MUST; applies to: Servers; reference: ISO 27002 9.1.2, 9.1.3, 9.1.4; see FAQ 5). All hosts and network equipment providing connectivity to the DVLA ELISE GSI CUG MUST be located in secure accommodation compliant with industry best practice, e.g. ISO 27001 and ISO 27002.

2.0 User Education (SHOULD; applies to: Users). All employees of the Organisation and, where relevant, contractors and third party users SHOULD receive appropriate awareness training and awareness updates in organisational policies and procedures as relevant for their job function.

2.1 User Education (SHOULD; applies to: Users). An acceptable usage policy SHOULD be in place.

3.0 Incident Response (MUST). Information Security events relating to the DVLA ELISE GSI CUG, or to any DVLA services being used via the CUG, MUST be reported through appropriate management channels as quickly as possible.

3.1 Incident Response (MUST). Management responsibilities MUST be established to ensure a quick, effective and orderly response to Information Security incidents relevant to the DVLA ELISE GSI CUG or to any DVLA services being used via the CUG.

3.2 Incident Response (MUST). The organisation MUST report Information Security incidents to the DVLA Information Security Manager (contact shown on the Contact Details - DVLA tab).

4.0 Clearance Levels (SHOULD; applies to: Users; see FAQ 6). All privileged users (e.g. System Administrators and Information Security Managers) SHOULD have been subjected to detailed background personnel checks (e.g. Criminal Record Check, Credit Worthiness Check).

4.1 Clearance Levels (MUST; applies to: Users). Details of the Security Clearance Processes in place which have been applied to all users of the DVLA ELISE GSI CUG within your organisation MUST be provided to the DVLA Information Security Manager upon request.

5.0 Schematic (MUST; see FAQ 7). The connecting organisation MUST submit a network schematic that details the networks that will utilise the DVLA ELISE GSI CUG connection. This schematic MUST document any onward connections and remote access.

6.0 IP Addressing (MUST; applies to: Servers). Servers MUST have static IP addresses (even if DHCP is used).

7.0 Firewalls (MUST). An assured (EAL) firewall MUST be installed between the organisation and the DVLA ELISE GSI CUG.

7.1 Firewalls (MUST). An assured (EAL) firewall MUST be installed between the organisation and any third party networks it connects to.

7.2 Firewalls (MUST). Firewalls MUST be configured to limit communication to that required between connecting hosts and the DVLA ELISE hosts providing the same proxy service, e.g. local HTTP proxies ONLY communicate with DVLA ELISE HTTP proxies.

8.0 Proxies (SHOULD; applies to: Servers; see FAQ 8). All communication utilising the DVLA ELISE GSI CUG SHOULD pass through a proxy service.

8.1 Proxies (MUST; applies to: Servers). Where used, proxy servers MUST ensure users are authenticated.

8.2 Proxies (MUST; applies to: Servers). Where used, proxy servers MUST authenticate the hosts with which they communicate.

8.3 Proxies (MUST; applies to: Servers). Where used, proxy servers MUST perform protocol checking to prevent buffer overflows and other vulnerability exploitation.

8.4 Proxies (MUST; applies to: Servers). Where used, proxies MUST implement controls against malicious content, e.g. Anti Virus.

9.0 Protective Monitoring (MUST; applies to: Servers). Organisations MUST carry out Protective Monitoring and have the ability to identify and investigate suspicious activity.

9.1 Protective Monitoring (MUST). All audit logs relating to the use of the DVLA ELISE CUG MUST be retained for a minimum of six months. Organisations MUST also be aware of any additional legislation that may require them to hold logs for longer periods.

9.2 Protective Monitoring (MUST). Organisations MUST be prepared to provide logs to the DVLA IT Security Officer on request.

10.0 Configuration (MUST). Connecting hosts MUST run a file system supporting access controls that limit access to only the required operations and data.

10.1 Configuration (MUST). All connecting hosts and infrastructure elements MUST be configured in accordance with current best practice and vendor recommendations for secure operation. Where possible, relevant hardening resources (e.g. NSA or CIS guides) should be assessed and applied where effective technical operation is not impeded.

10.2 Configuration (MUST). Organisations MUST take steps to adequately disinfect any device that has been infected by malicious software.

10.3 Configuration (SHOULD). Organisations SHOULD check configurations at least once during any period of 12 months.

10.4 Configuration (MUST). Countermeasures MUST be provided to prevent the execution of software not authorised by the administrator on IT devices, particularly desktops.

10.5 Configuration (MUST). All hosts MUST be maintained at the most current patch level, or at the level recommended by the vendor. Vendors' web sites MUST be monitored and relevant software updates and service packs MUST be applied where practicable.

10.6 Configuration (MUST). Unpatchable or unsupported software MUST NOT be used.

11.0 Vulnerability Scanning (SHOULD). Hosts SHOULD be scanned for the presence of security vulnerabilities at least annually.

11.1 Vulnerability Scanning (SHOULD). The vulnerability scanner SHOULD NOT be run from the host being scanned.

11.2 Content Analysis (SHOULD). Content analysis of all incoming and outgoing data SHOULD be performed at the organisation's gateway and hosts, and SHOULD at least identify viruses, macros, dangerous file-types (e.g. executables), mobile code and spyware.
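Three of the controls above leave routine evidence in the connecting organisation's own proxy log: 7.2 (the local proxy talks only to DVLA ELISE proxies), 8.1 (proxy users are authenticated) and the 9.x protective monitoring and retention controls. The Python below is an added example written for this edition, not part of the DVLA Code of Connection and not a DVLA tool. It assumes a simple key=value log line format, reads "six months" as 183 days, and uses RFC 5737 documentation addresses as stand-ins for the real DVLA ELISE proxies, which the CoCo does not publish; the log lines and the go-live date are constructed for the example.

```python
"""Evidence checks over a local proxy log for CoCo controls 7.2, 8.1 and 9.x.

Added example for this edition, not part of the DVLA Code of Connection.
ASSUMPTIONS: the log line format below, the DVLA ELISE proxy addresses
(documentation-range placeholders) and the 183-day reading of "six months".
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Union
import ipaddress

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# ASSUMPTION: the real DVLA ELISE HTTP proxy addresses are not published in the
# CoCo; these RFC 5737 documentation addresses stand in for them.
DVLA_ELISE_PROXIES: Set[Address] = {
    ipaddress.ip_address("192.0.2.10"),
    ipaddress.ip_address("192.0.2.11"),
}

SIX_MONTHS = timedelta(days=183)  # control 9.x minimum retention, read as 183 days

# Constructed sample of the local proxy's forwarding log (assumed format):
#   <UTC time> user=<authenticated user or '-'> src=<client> dst=<peer>:<port> status=<HTTP status>
SAMPLE_LOG = """\
2010-11-01T09:12:03Z user=jsmith src=10.1.5.20 dst=192.0.2.10:8080 status=200
2010-11-01T09:12:09Z user=jsmith src=10.1.5.20 dst=192.0.2.10:8080 status=200
2010-11-01T09:15:44Z user=- src=10.1.5.31 dst=192.0.2.11:8080 status=407
2010-11-02T10:02:30Z user=- src=10.1.5.31 dst=192.0.2.11:8080 status=200
2010-11-02T10:20:01Z user=abrown src=10.1.5.40 dst=203.0.113.7:443 status=200
2010-11-03T08:21:17Z user=jsmith src=10.1.9.77 dst=192.0.2.10:8080 status=200
"""


@dataclass(frozen=True)
class Entry:
    ts: datetime
    user: Optional[str]  # None when the request carried no authenticated user
    src: Address
    dst: Address
    port: int
    status: int


def utc_date(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_line(line: str) -> Entry:
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    dst_host, dst_port = kv["dst"].rsplit(":", 1)
    return Entry(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        user=None if kv["user"] == "-" else kv["user"],
        src=ipaddress.ip_address(kv["src"]),
        dst=ipaddress.ip_address(dst_host),
        port=int(dst_port),
        status=int(kv["status"]),
    )


def parse_log(text: str) -> List[Entry]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def non_dvla_peers(entries: List[Entry]) -> List[Entry]:
    """Control 7.2: the local proxy may only forward to DVLA ELISE proxies.
    Any other peer means the firewall rule set is wider than the control allows."""
    return [e for e in entries if e.dst not in DVLA_ELISE_PROXIES]


def served_without_auth(entries: List[Entry]) -> List[Entry]:
    """Control 8.1: a 2xx returned to a request with no authenticated user is a
    finding; a 407 to such a request is the proxy correctly demanding credentials."""
    return [e for e in entries if e.user is None and 200 <= e.status < 300]


def users_with_multiple_sources(entries: List[Entry]) -> Dict[str, Set[Address]]:
    """Protective monitoring (9.x): one account used from several client
    addresses, which is worth investigating as possible credential sharing."""
    seen: Dict[str, Set[Address]] = {}
    for e in entries:
        if e.user is not None:
            seen.setdefault(e.user, set()).add(e.src)
    return {user: srcs for user, srcs in seen.items() if len(srcs) > 1}


def retention_satisfied(entries: List[Entry], now: datetime, go_live: datetime,
                        minimum: timedelta = SIX_MONTHS) -> bool:
    """Retention (9.x): the log must reach back `minimum`, or to go-live if that
    is more recent. An empty log never satisfies the control."""
    if not entries:
        return False
    required_start: date = max(go_live, now - minimum).date()
    return min(e.ts for e in entries).date() <= required_start


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    now = utc_date(2011, 5, 1)
    print("7.2 peers outside DVLA ELISE:", [f"{e.dst}:{e.port}" for e in non_dvla_peers(entries)])
    print("8.1 served without authentication:", [str(e.src) for e in served_without_auth(entries)])
    print("9.x accounts seen from several sources:",
          {u: sorted(map(str, s)) for u, s in users_with_multiple_sources(entries).items()})
    print("9.x retention ok from 2010-10-01 go-live:",
          retention_satisfied(entries, now, utc_date(2010, 10, 1)))
```

On the sample data the checks report one peer outside the DVLA ELISE set (the 203.0.113.7:443 forward), one request served without an authenticated user (the 407 line is not a finding, only the later 200 is), one account seen from two client addresses, and a retention failure when the connection went live a month before the oldest surviving line. The retention test compares dates rather than timestamps so that a log that starts on the go-live day passes; the go-live date is the one input the log itself cannot supply and must come from the organisation's records.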
Annex C - Organisational Commitment Statement

I confirm, on behalf of the organisation listed below, that my organisation will endeavour to uphold the Confidentiality, Integrity, Availability and reputation of the DVLA in compliance with the requirements of the DVLA ELISE GSI CUG Code of Connection.

I will ensure that my organisation complies with all relevant legal requirements, including those of the Data Protection Act 1998, Freedom of Information Act 2000, Police and Criminal Evidence Act 1984, Computer Misuse Act 1990 and Regulation of Investigatory Powers Act 2000; and I will make all reasonable efforts to inform potential users of the system, including users not directly employed, that communications transmitted across the DVLA ELISE GSI CUG are logged and that their content may be monitored and/or recorded in accordance with the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. These purposes include, but are not limited to:
- Preventing or detecting crime;
- The interests of national security;
- Investigating or detecting the unauthorised use of the DVLA ELISE GSI CUG, including other connected systems; and
- Securing, or as an inherent part of, the effective operation of the system.

I confirm that my organisation briefs, trains or otherwise formally disseminates information to staff about their secure use of the DVLA Service across the DVLA ELISE GSI CUG as laid down in the CoCo, contractual documentation and other materials as may be made available by DVLA. This includes either a personal commitment statement, user acceptance policy or equivalent in which the user agrees to comply with the security rules of the organisation as well as those within the DVLA ELISE GSI CUG CoCo and relevant Annexes.

I confirm that my organisation maintains accurate records of who has access to the DVLA ELISE GSI CUG and that all such personnel have signed the appropriate Personal Commitment Statement, or have otherwise positively confirmed their acceptance in a similar way.

I confirm that my organisation regularly reviews DVLA access lists (at least bi-annually) to ensure that only users with a legitimate business need have access to DVLA data.

I confirm that the Control Table and a description of the network(s) and physical infrastructure of this organisation are accurately completed and returned to DVLA.

My organisation agrees to assist DVLA in conducting audits and investigations that pertain to this CoCo or to the organisation's connection to the DVLA ELISE GSI CUG.

I confirm that all reasonable efforts have been made to inform all users that their communications on the DVLA ELISE GSI CUG may be monitored and/or recorded for lawful purposes and that this may take place without the organisation's prior knowledge or consent.

Name:
Position:
Date:

Signature:
Printed Name:
Date:

Please note: DVLA will only accept physical signatures on this document. The signed document should be either 1) signed, scanned and e-mailed to DVLA, 2) faxed to DVLA, or 3) posted to DVLA.
Frequently Asked Questions

1. Why is the Code of Connection necessary? We've signed a contract and the transaction is over a secure line.
The Code of Connection gives DVLA assurance that connecting organisations have implemented best practice information assurance standards. DVLA has a responsibility to ensure the data it is responsible for is handled appropriately by data partners and customers. The Code of Connection is part of the governance and assurance DVLA has in place to ensure data handling meets minimum acceptable standards.

2. I'm not sure what you mean by an IT Security Officer or IT/System Manager; can you elaborate? (Contact Details tab)
Job titles will undoubtedly vary from organisation to organisation. The IT Security Officer (also known as the Information Security Manager) would be the person within a connecting organisation most likely to complete the Code of Connection, and would have an understanding of IT and Information Security within the organisation. An IT or System Manager would be the person with overall responsibility for IT or a subsystem within an organisation, and would be likely to be consulted for completion of the Code of Connection. DVLA requires the contact details of these people within your organisation so that they can be reached in the event of any information security incident, as they should be best placed to manage such incidents.

3. What do you mean by an Accreditor? (Contact Details tab)
UK Government uses system accreditation to ensure systems meet appropriate Information Assurance (IA) standards or are deployed within tolerable levels of risk. Each Department or Agency has at least one Accreditor with this responsibility. If your organisation has someone with overall responsibility for ensuring that your network(s) and systems meet defined standards, you should complete this section.

4. Whose details should I put in the Alternate Contact Details? (Contact Details tab)
You should only complete this if there is a different person, other than those named already, who could be contacted to discuss any issues relating to the Code of Connection or in the case of information security incidents.

5. My organisation doesn't have ISO 27001 certification; does this mean we cannot connect to DVLA? (Annex B Control 1.0)
Not necessarily: not all organisations can afford to pursue full certification. However, DVLA expects connecting organisations to meet industry best practice in terms of their datacentres and network configurations, and to be as near as possible compliant (but not necessarily certified) with ISO 27001.

6. Our System Administrator(s) and Information Security Manager(s) have been with the organisation for a number of years and have earned a high level of trust. Are these additional checks necessary for such people? (Annex B Control 4.0)
DVLA cannot mandate such checks; however, it is best practice to carry out additional checks on staff with privileged levels of access to networks or systems. If your organisation is content with the level of trust earned over time, this would be sufficient.

7. Our network diagrams are confidential and we are not comfortable sharing them with DVLA. Can we ignore this control? (Annex B Control 5.0)
No; however, we require a high-level diagram/schematic rather than a detailed one. It is not DVLA's intention to contravene the confidentiality of connecting organisations' network designs, but we do need to see how you propose to connect to us.

8. My organisation doesn't use proxy services, or proxy services aren't appropriate to the service my organisation is consuming. Do we need to complete controls 8.0 to 8.4? (Annex B Controls 8.0 to 8.4)
No; in such cases these controls are Not Applicable (N/A).

9. Who should sign the Organisational Commitment Statement (Annex C)?
The statement should be signed by the Risk Owner (see Annex A) or equivalent.
More informationCorporate Information Security Policy
Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives
More informationHow To Protect Information At De Montfort University
Network Security Policy De Montfort University January 2006 Page 1 of 18 Contents 1 INTRODUCTION 1.1 Background... 1.2 Purpose and Scope... 1.3 Validity... 1.4 Assumptions... 1.5 Definitions... 1.6 References..
More informationTELEFÓNICA UK LTD. Introduction to Security Policy
TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15
More informationPayment Card Industry Self-Assessment Questionnaire
How to Complete the Questionnaire The questionnaire is divided into six sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationExternal Supplier Control Requirements
External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration
More informationHow To Protect The Time System From Being Hacked
WISCONSIN TIME SYSTEM Training Materials TIME SYSTEM SECURITY AWARENESS HANDOUT Revised 11/21/13 2014 Security Awareness Handout All System Security The TIME/NCIC Systems are criminal justice computer
More informationTEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL
TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for
More informationThales Service Definition for PSN Secure Email Gateway Service for Cloud Services
Thales Definition for PSN Secure Email Gateway Thales Definition for PSN Secure Email Gateway for Cloud s April 2014 Page 1 of 12 Thales Definition for PSN Secure Email Gateway CONTENT Page No. Introduction...
More informationEmail Usage Policy Document Profile Box
Document Profile Box Document Category / Ref QSSD 660 Version: 0004 Ratified by: Governance and Risk Committee Date ratified: 12 th January 2012 Name of originator / author: Name of responsible committee
More informationEvaluation Report. Office of Inspector General
Evaluation Report OIG-08-035 INFORMATION TECHNOLOGY: Network Security at the Office of the Comptroller of the Currency Needs Improvement June 03, 2008 Office of Inspector General Department of the Treasury
More informationSupplier Security Assessment Questionnaire
HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.
More informationMike Casey Director of IT
Network Security Developed in response to: Contributes to HCC Core Standard number: Type: Policy Register No: 09037 Status: Public IG Toolkit, Best Practice C7c Consulted With Post/Committee/Group Date
More informationIM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...
IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This
More informationINDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION
INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION Prepared for the NRC Fuel Cycle Cyber Security Threat Conference Presented by: Jon Chugg, Ken Rohde Organization(s): INL Date: May 30, 2013 Disclaimer
More informationNeed to be PCI DSS compliant and reduce the risk of fraud?
Need to be PCI DSS compliant and reduce the risk of fraud? NCR Security lessens your PCI compliance burden and protects the integrity of your network An NCR White Paper Experience a new world of interaction
More informationIBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]
IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System
More informationH.I.P.A.A. Compliance Made Easy Products and Services
H.I.P.A.A Compliance Made Easy Products and Services Provided by: Prevare IT Solutions 100 Cummings Center Suite 225D Beverly, MA 01915 Info-HIPAA@prevare.com 877-232-9191 Dear Health Care Professional,
More informationDene Community School of Technology Staff Acceptable Use Policy
Policy Overview Dene Community School of Technology The school provides computers for use by staff as an important tool for teaching, learning, and administration of the school. Use of school computers,
More informationState of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005
State of New Mexico Statewide Architectural Configuration Requirements Title: Network Security Standard S-STD005.001 Effective Date: April 7, 2005 1. Authority The Department of Information Technology
More information28400 POLICY IT SECURITY MANAGEMENT
Version: 2.2 Last Updated: 30/01/14 Review Date: 27/01/17 ECHR Potential Equality Impact Assessment: Low 1. About This Policy 1.1. The objective of this policy is to provide direction and support for IT
More informationInformation Security
Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff
More informationPCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com
Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration
More information74% 96 Action Items. Compliance
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated
More informationNational Approach to Information Assurance 2014-2017
Document Name File Name National Approach to Information Assurance 2014-2017 National Approach to Information Assurance v1.doc Author David Critchley, Dave Jamieson Authorisation PIAB and IMBA Signed version
More informationUniversity of Liverpool
University of Liverpool Information Security Incident Response Policy Reference Number Title CSD-012 Information Security Incident Response Policy Version Number 1.2 Document Status Document Classification
More informationRemote Network Access Procedure
Remote Network Access Procedure Version: 1.1 Bodies consulted: - Approved by: PASC Date Approved: 20.8.13 Lead Manager: Ade Sulaiman Responsible Director: Simon Young Date issued: Aug 13 Review date: Jul
More informationHow To Ensure Information Security In Nhs.Org.Uk
Proforma: Information Policy Security & Corporate Policy Procedures Status: Approved Next Review Date: April 2017 Page 1 of 17 Issue Date: June 2014 Prepared by: Information Governance Senior Manager Status:
More informationTop five strategies for combating modern threats Is anti-virus dead?
Top five strategies for combating modern threats Is anti-virus dead? Today s fast, targeted, silent threats take advantage of the open network and new technologies that support an increasingly mobile workforce.
More informationINFORMATION SECURITY POLICY
Information Security Policy INFORMATION SECURITY POLICY Introduction Norwood UK recognises that information and information systems are valuable assets which play a major role in supporting the companies
More informationAUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR
AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR Web Portal Security Review Page 2 Audit Report 03-11 Web Portal Security Review INDEX SECTION I EXECUTIVE SUMMARY
More informationInformation Security Policy
Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems
More informationWe are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review
We are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review The security threat landscape is constantly changing and it is important to periodically review a business
More informationHarper Adams University College. Information Security Policy
Harper Adams University College Information Security Policy Introduction The University College recognises that information and information systems are valuable assets which play a major role in supporting
More information