Information Security Policy




Office of the Prime Minister document CIMU P 0016:2003
Version: 2.0
Effective date: 01 Oct 2003

Information Security Policy

1. Policy statement

i) General

The Public Service of the Government of Malta (Public Service) shall protect its information assets, employees, and the physical and working environment from a wide range of threats in order to ensure business continuity, minimise business damage and optimise return on investment and business opportunities. The Public Service shall comply with laws, contracts and with this Policy.

The Public Service shall put in place appropriate security measures to:
- protect all information assets from accidental or unauthorised use, theft, modification and destruction, and prevent the unauthorised disclosure of restricted information;
- protect the physical and working environment from malicious attacks, power failures and other electrical anomalies, water supply failure, etc.;
- reduce the risk of human error, theft, fraud or misuse of facilities, including social engineering attacks on Public Service employees;
- carry out regular reviews to ensure compliance with laws, contractual obligations and this Policy.

ii) Information Security Framework

Measurement and benchmarking activities related to information security in the Public Service, and to the physical and working environment of its employees, shall be based on the Information Security Framework (ISF), with a focus on the following domains:
- Information security organisation
- Asset classification and control
- Personnel security
- Physical and environment security
- Communications and operations management
- Access control
- Systems development and maintenance
- Business continuity management
- Compliance

An ISF diagram showing these domains is presented in Appendix A of this Policy.

iii) Implementation

The target population of this Policy is all Public Officers, employees of CIMU and Agents, Third Parties, and outsourcing organisations. Employees of Third Parties and outsourcing organisations are involved when there is information processing, and/or in the case of Third Party physical access (to offices, computer rooms, etc.) or logical access (to databases, networks, etc.) to information assets.

The implementation strategy is based on three fundamental directions:

a) Information security policy (Umbrella policy)
The aim of this Policy is to establish security measurement and benchmarking based on the ISF and related to Public Service information assets, employment, and the physical and working environment.

b) Corporate (Horizontal) implementation
The aim of this implementation phase is to introduce a minimum level of information security across the whole Public Service and its Agents. This implementation shall be based on this Policy, the Information Security Organisation Policy (CIMU P 0017:2003), the Information Security Compliance Policy (CIMU P 0018:2003), the Minimum Information Security Directive (CIMU D 0016:2003), the Information Security Organisation Directive (CIMU D 0017:2003) and the Information Security Compliance Directive (CIMU D 0018:2003). The high-level Corporate Information Security implementation plan will be issued by the CIMU.
c) Specific (Vertical) implementation
The aim of this implementation phase is to bring Public Service entities and the Agent to a high level of information security. This implementation shall follow the Public Service Information Security Framework Implementation Scenario (refer to Appendix B). The high-level Specific Information Security implementation plan will be issued by CIMU.

iv) Policy violations

The CIMU will take appropriate measures in cases of violation of this Policy and of the related Framework documents. Heads of Public Service Departments and Agents shall, in cases of violation of this Policy within their respective area, take appropriate and timely measures, and liaise with the Agent to control information security.

2. Purpose

The objective of this Policy is to set up a high-level, Public Service-wide Information Security Framework based on an international standard and local experience. This includes introducing security measures to protect Public Service information assets, employees, and the physical and working environment from a wide range of threats in order to ensure business continuity, minimise business damage and optimise return on investment and business opportunities. This Policy will be an umbrella policy for all policies related to the Public Service Information Security Framework.

3. Who should know this Policy

Persons holding the following positions, as a minimum, should know this Policy. Additional positions shall be introduced in the Information Security Organisation Policy. They shall communicate appropriately with persons in other positions regarding the contents and furtherance of this Policy:
- Head of Coordinating Committee
- CIMU Communications Executive
- Permanent Secretaries
- All Public Officers
- Information Management Officers
- Chief Information Management Officer
- All Account holders
- Heads of Department
- Director of the Internal Audit and Investigations Directorate
- Auditor General
- Head of Agent
- Head of Outsourcing Organisation
- Head of Third Party Organisation

4. Scope of applicability

The scope of this Policy is to set up an Information Security Framework within the Public Service as a baseline for the further development of Policies, with the provision that this Framework may be extended to the Public Sector of the Government of Malta (Public Sector).

5. Definitions

Access control: controlled access to information. For more details, refer to the standard MSA ISO/IEC 17799:2001.

Asset classification and control: to evaluate, grade and control types of information assets according to information security criteria. For more details, refer to the standard MSA ISO/IEC 17799:2001.

Agent: a trusted organisation that acts on behalf of Government entities providing services (i.e. Information and Communication Services).

Business continuity management: counteracting interruptions to business activities and protecting critical business processes from the effects of major failures or disasters. For more details, refer to the standard MSA ISO/IEC 17799:2001.

Communications and Operations: ensuring the correct and secure operation of information processing facilities. For more details, refer to the standard MSA ISO/IEC 17799:2001.

Compliance: avoiding breaches of any criminal or civil law, statutory, regulatory or contractual obligation, and of any security requirement. For more details, refer to the standard MSA ISO/IEC 17799:2001.

Information Assets: all systems and services that gather, generate and store data, supported by an ICT infrastructure and related technology. In addition, information written or printed on paper, shown on film or recorded in conversation is also an information asset.

Information security: the preservation of confidentiality, integrity and availability of information. Note:
- Confidentiality: ensuring that information is accessible only to those authorised to have access.
- Integrity: safeguarding the accuracy and completeness of information and processing methods.
- Availability: ensuring that authorised users have access to information and associated assets when required.

Logical access: access to ICT resources, applications, systems or data mediated through software and/or ICT equipment.

Outsourcing: the act of hiring an outside source for acquiring services; an alternative delivery mechanism or resourcing alternative.

Personnel security: reduction of the risk of human error, theft, fraud or misuse of facilities. For more details, refer to the standard MSA ISO/IEC 17799:2001.

Physical access: concrete and material admission, admittance, entrance or entry to sites, buildings, offices and Data Centres.

Physical and Environment security: prevention of unauthorised access, damage and interference to business premises and information. For more details, refer to the standard MSA ISO/IEC 17799:2001.

Security measurement: administrative and technical/technological methods to quantify business continuity and minimise business damage.

Security organisation: initiation and control of the implementation of information security within the Public Service. Also refers to the establishment of mechanisms for information dissemination. For more details, refer to the standard MSA ISO/IEC 17799:2001.

Social engineering: can be broken into two types, human based and computer based. Human-based social engineering refers to person-to-person interaction to retrieve the desired information. Computer-based social engineering refers to having computer software that attempts to retrieve the desired information.

Systems development and maintenance: ensures that security is built into information systems. For more details, refer to the standard MSA ISO/IEC 17799:2001.

Third Party: someone other than the principals directly involved in a transaction or agreement.

6. Roles and responsibilities

For the purpose of this policy, the following roles and responsibilities have been identified.

01. Head of Coordinating Committee
  i. to review, endorse and champion Information Security in the Public Service

02. Chief Information Management Officer
  i. to review Information Security Policies, Directives and Handbooks
  ii. to issue the high-level Information Security implementation plans
  iii. to monitor core Information Security within the Public Service and take corrective action when necessary
  iv. to ensure Information Security compliance

03. CIMU Communications Executive
  i. to publish this Policy

04. Account Holder
  i. to follow Policies and Directives related to the nature of their job

05. Permanent Secretary / Head of Department
  i. to implement and enforce this Policy within the Ministry / Department

06. Public Service Officers / CIMU Employees
  i. to follow Policies and Directives related to the nature of their job

07. Head of Agent
  i. to implement Policies and Directives related to the nature of their job

08. Agent Employees
  i. to follow Policies and Directives related to the Agent's responsibilities

7. Supporting Documents

In support of this Policy, the following Policies and Directives shall apply:
01. CIMU D 0016:2003 Minimum Information Security Directive
02. CIMU P 0017:2003 Information Security Organisation Policy
03. CIMU D 0017:2003 Information Security Organisation Directive
04. CIMU P 0018:2003 Information Security Compliance Policy
05. CIMU D 0018:2003 Information Security Compliance Directive

8. References

01. Data Protection Act, Chapter 440, http://www.justice.gov.mt
02. Electronic Commerce Act, Chapter 426, http://www.justice.gov.mt
03. MSA ISO/IEC 17799:2001 Information Technology, Code of Practice for information security management, http://www.msa.org.mt

04. United Nations Information Security Recommended Practices for United Nations Organisations, http://accsubs.unsystem.org/isccdocuments/documents/distribution/maintext/security-managers.html
05. OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, http://www.oecd.org

8. Modification history

Version | Date       | Changes
1.0     | 09.02.2003 | Initial Release
2.0     | 01.10.2003 | Scheduled Review without changes

9. Maintenance and review cycle

Maintenance and review of this Policy is set for six months after the initial release, as indicated in the effective date. Subsequent reviews of this Policy shall be based on a twelve-month cycle.

Signature and Stamp
Joseph R. Grima
Permanent Secretary, Office of the Prime Minister

Appendix A: Information Security Framework (diagram)

The diagram shows the Information Security Framework domains: Security Organisation; Asset Classification & Control; Personnel Security; Physical & Environmental Security; Communications & Operations Management; Access Control; Systems Development & Maintenance; Business Continuity Management; Compliance. The framework is implemented by the Public Service and Agents, with Compliance maintained through regular review and Corrective Action.

Appendix B: Public Service Information Security Framework Implementation Scenario (diagram)

The diagram plots security domains against security compliance levels (Minimum, Adequate, Full Compliance). The security domains, numbered as in the diagram, are:
1. Information Security Policy & Minimum Information Security Directive
2. Information Security Organisation Policy & Information Security Organisation Directive
3. Information Security Compliance Policy & Information Security Compliance Directive
4. Physical & Environment Security
5. Access Control
6. Personnel Security
7. Asset Classification & Control
8. Communications & Operations Management
9. System Development & Maintenance
10. Business Continuity Management