EA-ISP-010 - Architecture Service Planning Policy

Similar documents
EA-ISP-012-Network Management Policy

EA-ISP-011-System Management Policy

EA-ISP-002-Business Continuity Management and Planning Policy

EA-ISP-001 Information Security Policy

Christchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard

Information Security Policies. Version 6.1

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002)

Information Management Advice 39 Developing an Information Asset Register

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

05.0 Application Development

University of Sunderland Business Assurance Information Security Policy

INFORMATION TECHNOLOGY SECURITY STANDARDS

Data Protection Act Guidance on the use of cloud computing

Enterprise Architecture Governance Procedure

Scotland s Commissioner for Children and Young People Records Management Policy

Spillemyndigheden s Certification Programme Information Security Management System

Aberdeen City Council IT Security (Network and perimeter)

The rise of the hybrid network model

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Enterprise Architecture (EA) Principles

Business Operations. Module Db. Capita s Combined Offer for Business & Enforcement Operations delivers many overarching benefits for TfL:

Security Incident Management Process. Prepared by Carl Blackett

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

ENTERPRISE RISK MANAGEMENT FRAMEWORK

OUTSOURCING INVOLVING SHARED COMPUTING SERVICES (INCLUDING CLOUD) 6 July 2015

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Corporate ICT Change Management

Roles within ITIL V3. Contents

ESKITP7072 IT/Technology Capacity Management Level 2 Role

CLOUD-BASED BIM AND SMART ASSET MANAGEMENT: ADOPTING A SECURITY-MINDED APPROACH

SEC-GDL-005-Anatomy of a Phishing

ISO27001 Controls and Objectives

Maturity Model. March Version 1.0. P2MM Version 1.0 The OGC logo is a Registered Trade Mark of the Office of Government Commerce

NOS for Network Support (903)

State Records Guideline No 25. Managing Information Risk

Module 7 Study Guide

Human Resources and Organisational Development. Job No. (Office Use)

Trust Operational Policy. Information Security Department. Third Party Remote Access Policy

BAND: 5. 37½ hours per week 1. JOB SUMMARY

Information Management Policy

ICT Strategy

How To Protect Decd Information From Harm

GMS NETWORK ADVANCED WIRELESS SERVICE PRODUCT SPECIFICATION

MANAGE THIRD PARTY RISKS

GMS NETWORK BASIC PRODUCT SPECIFICATION 1. INTRODUCTION 2. SERVICE DEFINITION. 2.1 Service Overview. GMS Network Basic

Newcastle University Information Security Procedures Version 3

D-G4-L4-126 Police contact management and demand reduction review Deloitte LLP Service for G-Cloud IV

Aberdeen City Council IT Governance

Policy Document. Communications and Operation Management Policy

ITC 19 th November 2015 Creation of Enterprise Architecture Practice

Walton Centre. Document History Date Version Author Changes 01/10/ A Cobain L Wyatt. Monitoring & Audit

DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Performance, Risk and Business Continuity Management Policy

POSITION DESCRIPTION. General Manager Network Operations (dotted line to Chief Architect)

The Risk Management strategy sets out the framework that the Council has established.

Information security controls. Briefing for clients on Experian information security controls

This interpretation of the revised Annex

Communicate: Data Service Level Agreement. Author: Service Date: October 13. Communicate: Data Service Level Agreementv1.

CHESHIRE FIRE AUTHORITY SUBJECT : DRAFT BUDGET, COUNCIL TAX AND MEDIUM TERM FINANCIAL PLAN

ABC COMPANY Extended Accounting System (EAS) Project Charter Sample

Smart Meters Programme Schedule 8.6. (Business Continuity and Disaster Recovery Plan) (CSP North version)

FINAL. Internal Audit Report. Data Centre Operations and Security

Mapping the Technical Dependencies of Information Assets

Essex Clinical Commissioning Groups. Business Continuity Management System. Scope and Policy

The Newcastle upon Tyne Hospitals NHS Foundation Trust. IT Change Management Policy and Process

ICT SUPPORT SERVICES

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.

Embedding Digital Continuity in Information Management

W204 - LMS Consolidation, Underlying Design More Important Than Platform

NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY

ENTERPRISE RISK M A NAGEMENT POLICY

Superseded by T MU AM PL v2.0

Client Study Portfolio

TICSA. Telecommunications (Interception Capability and Security) Act Guidance for Network Operators.

Corporate Information Security Policy

Overview TECHIS Carry out risk assessment and management activities

BEYOND ITIL: A MODEL FOR EFFECTIVE END-TO-END RELEASE MANAGEMENT

Project Management Toolkit Version: 1.0 Last Updated: 23rd November- Formally agreed by the Transformation Programme Sub- Committee

Business Continuity Management

Records Management and Information Lifecycle Strategy

Aberdeen City Council IT Asset Management

Banking Supervision Policy Statement No.18. Agent Banking Guideline

Banking Application Modernization and Portfolio Management

Oadby and Wigston Borough Council. Information and Communications Technology (I.C.T.) Section

Standard 1. Governance for Safety and Quality in Health Service Organisations. Safety and Quality Improvement Guide

How To Ensure Information Security In Nhs.Org.Uk

Document management concerns the whole board. Implementing document management - recommended practices and lessons learned

How To Improve Your Business

Identifying Information Assets and Business Requirements

University of Aberdeen Information Security Policy

Exhibit to Data Center Services Service Component Provider Master Services Agreement

Transcription:

Technology & Information Services EA-ISP-010 - Architecture Service Planning Policy Owner: Adrian Hollister Author: Paul Ferrier Date: 24/06/2015 Document Security Level: PUBLIC Document Version: 1.00 Document Ref: EA-ISP-010 Document Link: http://blogs.plymouth.ac.uk/strategyandarchitecture/wp- content/uploads/sites/4/2015/06/ea-isp-010-architecture- Service-Planning-Policy.pdf Review Date: June 2016

Document Control Version Author Position Details Date/Time Approved by Position Date/Time 0.9 PF ESA Initial draft 12/02/2014 0.91 SF, PD Head of Comments on draft 04/03/2014 School of Computing, Associate Professor 0.92 PF ESA Updated with new 13/02/2015 document format, added greater details around section 4 and added section 5 0.93 PF ESA Altered section 1 to 19/03/2015 ensure consistency with authorisation channels 0.94 PF, CD ESA, EA Inclusion of System 24/03/2015 Lifecycle information 0.95 PF, CD ESA, EA Alteration of document to refocus 18/06/2015 11:00 on services in place of solely systems 0.96 PF, LF ESA, AIS Slight tweak for Acceptance into Service section 24/06/2015 1.00 PF, CD, PW, DM ESA, EA, IT Director, Operations Manager Alteration to Architecture Service Planning Policy 26/06/2015 15:20 Paul Westmore IT Director 26/06/2015 13:30 Page 2 of 7

Introduction This policy forms part of the University s Information Security Policy Set and should be read in conjunction with the Information Security Policy (EA-ISP-001), Data Classification Policy (EIM-POL-001), Software Management Policy (EA-ISP-013) and Information Handling Policy (EA-ISP-007). The Service Planning Policy sets out how information services or systems are specified, designed and include processes for identifying requirements and risks; these must be addressed and responsibilities assigned to secure and protect the information that will consume, contain or divulge to downstream services. How systems are installed and maintained is covered in the Software Management Policy (EA-ISP-013 1 ). Please refer to the appendix for further explanation of the points below. 1. Authorisation and assessment 1.1 All new services and information systems or significant upgrades to existing provision of service must include authorisation and assessment prior to any: Acceptance into Service; and ultimately implementation This authorisation and assessment should include: Business approval Senior Leadership Team or nominee approves the purpose and use of the system and ensures consistency with departmental strategy and any broader strategies if the system transcends the boundary of any single department. Enterprise Architecture Enterprise Architect or nominee to ensure alignment with approval architectural roadmap and prevention of service, system or functionality duplication across the business landscape. Information security approval Enterprise Security Architect or nominee to ensure the new or altered service or system complies with relevant information security policies and does not adversely affect the security of existing information architecture. Technical approval The Technical Architecture Team to ensure the service or system is sound from a technical perspective. 1.2 The information assets associated with any proposed new or updated service or system must be identified, classified and recorded, in accordance with the Information Handling Policy (EA-ISP-007 2 ). 2. Service lifecycles 2.1 When requirements for new or upgraded services or systems are identified by the relevant Business Partners (BP) they begin the service development lifecycle, presented in figure 1 over leaf. 2.2 Throughout the development lifecycle, logical progression in enhancing business, technology, application and data layers become more defined prior to engagement with the physical work of actual delivery. 2.3 Enterprise Architecture Compliance reviews may be undertaken throughout development, however the final review must be performed before any upgrade or new service or system is accepted into service (through the Technology & Information Services Acceptance Into Service process). 1 EA ISP 013 - Software Management Policy 2 EA ISP 007 - Information Handling Policy Page 3 of 7

Figure 1 Service development lifecycle 3. Equipment planning 3.1 Computer services and systems supporting business functions must be planned to ensure that adequate processing power, storage capacity are available for current and projected needs, all with appropriate levels of resilience and fault tolerance. Equipment shall be correctly maintained. 3.2 Computer services or systems supporting business functions shall be given adequate protection from unauthorised access, environmental hazards and failures of electrical power or other utilities. 4. Service or system access 4.1 Access controls for all information and information services and systems are to be set at appropriate levels in accordance with the value and classification of the information assets being protected. 4.2 Access to operating system commands and application functions are to be restricted to those persons who are authorised to perform system administration or management functions. Use of such commands should be logged and monitored. 5. Implementation and testing 5.1 Prior to acceptance into the live (production) environment, all new or changed services or systems shall be tested by a variety of parties including (but not limited to): Page 4 of 7

5.1.1 TIS Delivery Manager or nominee To provide assurance surrounding resilience, load balancing and other stress tests that may affect the performance of the system or service 5.1.2 TIS Enterprise Architect or nominee 5.1.3 TIS Enterprise Security Architect or nominee To provide enterprise compliance checks for alignment with the architectural roadmap and agreed organisational strategies and policies; divergence from standard working practices and any mitigating measures required to allow service to be accepted into the live environment To provide assurance surrounding compliance with information security policies, access control standards and requirements for ongoing information security management 5.1.4 User Acceptance Testing (UAT) To provide assurance surrounding business capabilities of the system, service or product and ensure end users have a product that is fit for purpose and fulfils all known functionality requirements 5.1.5 TIS Acceptance Into Service (AIS) team or nominee 6. Succession planning To collate documentation allowing the service to be understood, accepted and if required administered, alongside any appropriate routes for escalating problems by suitable members of the Service Management team 6.1 In order to ensure consistent and supported products are maintained within the organisation, it is essential that: 6.1.1 Services should be evaluated (even if very light touch) on a yearly basis review point to ensure that sufficient time is afforded to plan either an upgrade or replacement service or system to be sourced. 6.1.2 If an end of support or end of life date is issued by a manufacturer of a service or system or product in use within the organisation, it is the responsibility of all members of staff to notify the Strategy & Architecture team (within TIS) at the earliest available opportunity. 6.2 These points above will start the service development lifecycle to either detail the upgrade to the supported platform or source a replacement product that meets all of the business needs in an appropriate timescale. Page 5 of 7

Appendix 1. Authorisation and assessment A management authorisation process for new information processing facilities needs to be established and, where restricted (or sensitive) information might be involved, the business requirements for the development must specify the requirements for security controls. Any new implementation or upgrade to an existing service or system where restricted (or sensitive) information is involved needs to be handled with care to ensure the continued integrity and confidentiality of information. Information can be defined as data that has meaning. It is the meaning of this data which has to be protected or held confidential, in accordance with its worth to the organisation. As assessment of the risks to the organisation if information is altered, or seen by others may indicate that changes are needed to the service or system design, for example to improve the resilience or physical security of the service or system. 2. Service lifecycles Due to the diverse nature of the technology and products that are in use within the landscape of the organisation, it is imperative that planning, development, delivery, compliance and business needs are all realised prior to acceptance in the live environment. No product, system or service will remain unchanged from first release until its official retirement. Monitoring throughout the lifetime of the entity will ensure sufficient time and resources are available to plan upgrades or to source replacements. 3. Equipment planning The capacity of all services or systems should be designed to ensure that the forecasted load can be supported and they must be engineered to minimise the impact on business processes of the inevitable faults and failures of system components. The required service or system capacity is likely to increase over time due to increased processing load, software upgrades and other changes. Equipment should be designed with sufficient spare capacity to allow, within reason for these increases; if sufficient spare capacity is not a viable option then the scalability of the system must be assured to mitigate this concern. Equipment must be sited or protected to reduce the risks of damage, interference and unauthorised access. 4. Service or system access Access control standards are the rules that an organisation applies to control access to its information assets. Such standards should always be appropriate to the organisation s business and security needs. High risk service or systems require more stringent access control safeguards due to confidentiality of the information they process and/or the purpose of the service, e.g. the funds Page 6 of 7

transfer systems used by banks. Ideally, the operating systems for such systems should be hardened to further enhance security. Duress alarms may be considered if there is a risk that operators will be subject to coercion. Access controls should extend to all information, including program source libraries, configuration files and back up files. Operating systems are preloaded with commands and utilities which set up and maintain the computers environment. Applications and databases are delivered with tools to facilitate configuration or problem investigation. Services and systems should be hardened to remove all unnecessary development tools and utilities prior to delivery to end users. It is essential that the use of such system utilities is tightly controlled. 5. Implementation and testing Acceptance criteria for all services and systems should be established and tests carried out prior to acceptance into the live environment; these tests should be performed to ensure information security has not been jeopardised, that access control standards are met and that the risks identified during the various risk assessments have been addressed in the agreed way. It is also essential to ensure that systems are only accepted if the ongoing requirements of the Software Management Policy and the System Management Policy can also be met. It is also essential to ensure that sufficient operating documentation is created to transition the service between test and production. This includes alignment with enterprise wide goals, business strategies, policies and working standards to ensure divergence from the roadmap is minimised. 6. Succession planning When a service, system or product transitions from main stream support to extended support, which usually means a reduced priority is afforded by the manufacturer to address security concerns. As this will affect software and hardware, a sufficient lead time will be required to find either a replacement solution and/or plan to upgrade must be started at the earliest available opportunity. Page 7 of 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information