'Namgis Information Technology Policies



Similar documents
HIPAA Security Alert

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

How To Secure A Remote Worker Network

IT Networking and Security

How To Protect Decd Information From Harm

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS

Hengtian Information Security White Paper

How to Secure Your Environment

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

10 easy steps to secure your retail network

Technical Standards for Information Security Measures for the Central Government Computer Systems

HIPAA Security COMPLIANCE Checklist For Employers

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

Network & Information Security Policy

Regulations on Information Systems Security. I. General Provisions

ICANWK406A Install, configure and test network security

Solving the Online File-Sharing Problem Replacing Rogue Tools with the Right Tools

Policy Title: HIPAA Security Awareness and Training

Securing the Small Business Network. Keeping up with the changing threat landscape

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Information Security Policy

Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Management Standards for Information Security Measures for the Central Government Computer Systems

Central Agency for Information Technology

Supplier Security Assessment Questionnaire

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

How To Write A Health Care Security Rule For A University

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Controls for the Credit Card Environment Edit Date: May 17, 2007

A Technical Template for HIPAA Security Compliance

Data Management Policies. Sage ERP Online

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Stable and Secure Network Infrastructure Benchmarks

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Retention & Destruction

Supplier Information Security Addendum for GE Restricted Data

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Odessa College Use of Computer Resources Policy Policy Date: November 2010

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

Information Security It s Everyone s Responsibility

Policy Title: HIPAA Access Control

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

BlackBerry 10.3 Work and Personal Corporate

Table of Contents. Introduction. Audience. At Course Completion

Course: Information Security Management in e-governance

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

OCR LEVEL 3 CAMBRIDGE TECHNICAL

On-Site Computer Solutions values these technologies as part of an overall security plan:

The Impact of Wireless LAN Technology on Compliance to the PCI Data Security Standard

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices

Network Security Policy

74% 96 Action Items. Compliance

HIPAA and Mental Health Privacy:

Section 12 MUST BE COMPLETED BY: 4/22

Wireless Services. The Top Questions to Help You Choose the Right Wireless Solution for Your Business.

NETWORK SECURITY GUIDELINES

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

STATE OF NEW JERSEY Security Controls Assessment Checklist

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Best Practices for DanPac Express Cyber Security

IT Networking and Security

SecureAge SecureDs Data Breach Prevention Solution

Information Technology Security Procedures

Remote Access Security

Security Policy for External Customers

Procedure Title: TennDent HIPAA Security Awareness and Training

University of Pittsburgh Security Assessment Questionnaire (v1.5)

How To Protect Research Data From Being Compromised

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

System Security Plan University of Texas Health Science Center School of Public Health

SECURING ENTERPRISE NETWORK 3 LAYER APPROACH FOR BYOD

HIPAA Security Balancing Security & Costs

Cyber Security Best Practices

Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy

Information Technology Branch Access Control Technical Standard

Must score 89% or above. If you score below 89%, we will be contacting you to go over the material individually.

HIPAA Compliance for Mobile Healthcare. Peter J. Haigh, FHIMSS Verizon

HIPAA Compliance Review Analysis and Summary of Results

ITS HIPAA Security Compliance Recommendations

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

INFORMATION TECHNOLOGY SECURITY STANDARDS

Management Standards for Information Security Measures for the Central Government Computer Systems

Excerpt of Cyber Security Policy/Standard S Information Security Standards

Document Type Doc ID Status Version Page/Pages. Policy LDMS_001_ Effective of 7 Title: Corporate Information Technology Usage Policy

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

National Cyber Security Month 2015: Daily Security Awareness Tips

The Second National HIPAA Summit

UMHLABUYALINGANA MUNICIPALITY IT PERFORMANCE AND CAPACITY MANAGEMENT POLICY

Information Security Policy

SANS Top 20 Critical Controls for Effective Cyber Defense

University of Cincinnati Limited HIPAA Glossary

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

Don't Wait Until It's Too Late: Choose Next-Generation Backup to Protect Your Business from Disaster

Transcription:

'Namgis Information Technology Policies Summary August 8th 2011 Government Security Policies

CONFIDENTIAL Page 2 of 17 Contents... 5 Architecture Policy... 5 Backup Policy... 6 Data Policy... 7 Data Classification Policy... 8 Email Policy... 8 Encryption Policy... 9 Guest Access Policy... 9 Incident Response Policy... 10 IT Assets Policy... 11 Mobile Device Policy... 11 Network Security Policy... 12 Password Policy... 13 Physical Security Policy... 13 Remote Access Policy... 14 Retention Policy... 14 Third Party Connection Policy... 15 VPN Policy... 16 Wireless Access Policy... 16

CONFIDENTIAL Page 3 of 17 Revision and Sign-Off Sheet Author Glen Nickol Author s position IT Director Date 3/1/2011 Version number 1.0 Change Record Date Author Version Change reference 6/2/2011 Glen Nickol 1.0 Change "government" to "government" Reviewers Name Version approved Position Date Distribution Name Position Document Properties Item Details Document title 'Namgis Information Technology Policies Summary Author

CONFIDENTIAL Page 4 of 17 Item Creation date Last updated Details

CONFIDENTIAL Page 5 of 17 'Namgis First Nation is hereinafter referred to as "the government." Though there are a number of reasons to provide a user network access, by far the most common is granting access to employees for performance of their job functions. This access carries certain responsibilities and obligations as to what constitutes acceptable use of the corporate network. This policy explains how corporate information technology resources are to be used and specifies what actions are prohibited. While this policy is as complete as possible, no policy can cover every situation, and thus the user is asked additionally to use common sense when using government resources. Questions on what constitutes acceptable use should be directed to the user's supervisor. Since inappropriate use of corporate systems exposes the government to risk, it is important to specify exactly what is permitted and what is prohibited. The purpose of this policy is to detail the acceptable use of corporate information technology resources for the protection of all parties involved. The scope of this policy includes any and all use of corporate IT resources, including but not limited to, computer systems, email, the network, and the corporate Internet connection. Architecture Policy Networks have become an integrated part of our business environment where it was once

CONFIDENTIAL Page 6 of 17 set "no man is an island" it is without a doubt that no computer is an island. Accounting workstations talk to accounting servers, debit machines talk to banks, smart phones talk to email servers. All of this communication takes place over a government network or series of networks like the internet. The very nature of a network from inception gravitates to instability and adhoc growth. The smooth stable, reliable functioning of a network only takes place within the parameters of a clearly defined architecture. The purpose of this policy is to detail the LAN baseline architecture, the standard of operating systems deployed and the documentation standards used. The scope of this policy covers all government local area network and wide area network equipment used by the government. This includes but is not limited to Workstations, Servers switches (Layer 1, Layer 2, Layer 3), routers and wireless devices. Backup Policy A backup policy is similar to an insurance policy - it provides the last line of defense against data loss and is sometimes the only way to recover from a hardware failure, data corruption, or a security incident. A backup policy is related closely to a disaster recovery policy, but since it protects against events that are relatively likely to occur, in practice it will be used more frequently than a contingency planning document. A government's backup policy is among its most important policies. The purpose of this policy is to provide a consistent framework to apply to the backup process. The policy will provide specific information to ensure backups are available and

CONFIDENTIAL Page 7 of 17 useful when needed - whether to simply recover a specific file or when a larger-scale recovery effort is needed. This policy applies to all data stored on corporate systems. The policy covers such specifics as the type of data to be backed up, frequency of backups, storage of backups, retention of backups, and restoration procedures. Data Policy data is typically the data that holds the most value to a government. Often, confidential data is valuable to others as well, and thus can carry greater risk than general government data. For these reasons, it is good practice to dictate security standards that relate specifically to confidential data. The purpose of this policy is to detail how confidential data, as identified by the Data Classification Policy, should be handled. This policy lays out standards for the use of confidential data, and outlines specific security controls to protect this data. The scope of this policy covers all government-confidential data, regardless of location. Also covered by the policy are hardcopies of government data, such as printouts, faxes, notes, etc.

CONFIDENTIAL Page 8 of 17 Data Classification Policy Information assets are assets to the government just like physical property. In order to determine the value of the asset and how it should be handled, data must be classified according to its importance to government operations and the confidentiality of its contents. Once this has been determined, the government can take steps to ensure that data is treated appropriately. The purpose of this policy is to detail a method for classifying data and to specify how to handle this data once it has been classified. The scope of this policy covers all government data stored on government-owned, government-leased, and otherwise government-provided systems and media, regardless of location. Also covered by the policy are hardcopies of government data, such as printouts, faxes, notes, etc. Email Policy Email is an essential component of business communication; however it presents a particular set of challenges due to its potential to introduce a security threat to the network. Email can also have an effect on the government's liability by providing a written record of communications, so having a well thought out policy is essential. This policy outlines expectations for appropriate, safe, and effective email use.

CONFIDENTIAL Page 9 of 17 The purpose of this policy is to detail the government's usage guidelines for the email system. This policy will help the government reduce risk of an email-related security incident, foster good business communications both internal and external to the government, and provide for consistent and professional application of the government's email principles. The scope of this policy includes the government's email system in its entirety, including desktop and/or web-based email applications, server-side applications, email relays, and associated hardware. It covers all electronic mail sent from the system, as well as any external email accounts accessed from the government network. Encryption Policy Encryption, also known as cryptography, can be used to secure data while it is stored or being transmitted. It is a powerful tool when applied and managed correctly. As the amount of data the government must store digitally increases, the use of encryption must be defined and consistently implemented in order ensure that the security potential of this technology is realized. The purpose of this policy is to outline the government's standards for use of encryption technology so that it is used securely and managed appropriately. Many policies touch on encryption of data so this policy does not cover what data is to be encrypted, but rather how encryption is to be implemented and controlled. This policy covers all data stored on or transmitted across corporate systems. Guest Access Policy

CONFIDENTIAL Page 10 of 17 Guest access to the government's network is often necessary for customers, consultants, or vendors who are visiting the government's offices. This can be simply in the form of outbound Internet access, or the guest may require access to specific resources on the government's network. Guest access to the government's network must be tightly controlled. The government may wish to provide network access as a courtesy to guests wishing to access the Internet, or by necessity to visitors with a business need to access the government's resources. This policy outlines the government's procedures for securing guest access. The scope of this policy includes any visitor to the government wishing to access the network or Internet through the government's infrastructure, and covers both wired and wireless connections. This scope excludes guests accessing wireless broadband accounts directly through a cellular carrier or third party where the traffic does not traverse the government's network. Incident Response Policy A security incident can come in many forms: a malicious attacker gaining access to the network, a virus or other malware infecting computers, or even a stolen laptop containing confidential data. A well-thought-out Incident Response Policy is critical to successful recovery from an incident. This policy covers all incidents that may affect the security and integrity of the government's information assets, and outlines steps to take in the event of such an incident. This policy is intended to ensure that the government is prepared if a security incident were to occur. It details exactly what must occur if an incident is suspected, covering

CONFIDENTIAL Page 11 of 17 both electronic and physical security incidents. Note that this policy is not intended to provide a substitute for legal advice, and approaches the topic from a security practices perspective. The scope of this policy covers all information assets owned or provided by the government, whether they reside on the corporate network or elsewhere. IT Assets Policy Considerable financial resources are allocated to technical asset by every department in the government. A unified approach is required for the timely cost effective purchase of all IT asset and the management of their life cycle. Over time employees become possessive and complacent of IT asset particularly workstations using them for non work related activities and storage for personal information it is important that employees have a clear understand of ownership. The purpose of this policy is to ensure that a consistent approach is taken in the development, purchasing, tracking and disposal of IT assets for the entire life cycle. The scope of this policy covers all government IT Assets whether owned or leased regardless of location and issues associated with ownership of assets. Mobile Device Policy Generally speaking, a more mobile workforce is a more flexible and productive workforce. For this reason, business use of mobile devices is growing. However, as these devices become vital tools to the workforce, more and more sensitive data is stored

CONFIDENTIAL Page 12 of 17 on them, and thus the risk associated with their use is growing. Special consideration must be given to the security of mobile devices. The purpose of this policy is to specify government standards for the use and security of mobile devices. This policy applies to government data as it relates to mobile devices that are capable of storing such data, including, but not limited to, laptops, notebooks, PDAs, smart phones, and USB drives. Since the policy covers the data itself, ownership of the mobile device is irrelevant. This policy covers any mobile device capable of coming into contact with government data. Network Security Policy The government wishes to provide a secure network infrastructure in order to protect the integrity of corporate data and mitigate risk of a security incident. While security policies typically avoid providing overly technical guidelines, this policy is necessarily a more technical document than most. The purpose of this policy is to establish the technical guidelines for IT security, and to communicate the controls necessary for a secure network infrastructure. The network security policy will provide the practical mechanisms to support the government's comprehensive set of security policies. However, this policy purposely avoids being overly-specific in order to provide some latitude in implementation and management strategies. This policy covers all IT systems and devices that comprise the corporate network or that

CONFIDENTIAL Page 13 of 17 are otherwise controlled by the government. Password Policy A solid password policy is perhaps the most important security control an organization can employ. Since the responsibility for choosing good passwords falls on the users, a detailed and easy-to-understand policy is essential. The purpose of this policy is to specify guidelines for use of passwords. Most importantly, this policy will help users understand why strong passwords are a necessity, and help them create passwords that are both secure and useable. Lastly, this policy will educate users on the secure use of passwords. This policy applies to any person who is provided an account on the organization's network or systems, including: employees, guests, contractors, partners, vendors, etc. Physical Security Policy Information assets are necessarily associated with the physical devices on which they reside. Information is stored on workstations and servers and transmitted on the government's physical network infrastructure. In order to secure the government data, thought must be given to the security of the government's physical Information Technology (IT) resources to ensure that they are protected from standard risks. The purpose of this policy is to protect the government's physical information systems by setting standards for secure operations.

CONFIDENTIAL Page 14 of 17 This policy applies to the physical security of the government's information systems, including, but not limited to, all government-owned or government-provided network devices, servers, personal computers, mobile devices, and storage media. Additionally, any person working in or visiting the government's office is covered by this policy. Please note that this policy covers the physical security of the government's Information Technology infrastructure, and does not cover the security of non-it items or the important topic of employee security. While there will always be overlap, care must taken to ensure that this policy is consistent with any existing physical security policies. Remote Access Policy It is often necessary to provide access to corporate information resources to employees or others working outside the government's network. While this can lead to productivity improvements it can also create certain vulnerabilities if not implemented properly. The goal of this policy is to provide the framework for secure remote access implementation. This policy is provided to define standards for accessing corporate information technology resources from outside the network. This includes access for any reason from the employee's home, remote working locations, while traveling, etc. The purpose is to define how to protect information assets when using an insecure transmission medium. The scope of this policy covers all employees, contractors, and external parties that access government resources over a third-party network, whether such access is performed with government-provided or non-government-provided equipment. Retention Policy

CONFIDENTIAL Page 15 of 17 The need to retain data varies widely with the type of data. Some data can be immediately deleted and some must be retained until reasonable potential for future need no longer exists. Since this can be somewhat subjective, a retention policy is important to ensure that the government's guidelines on retention are consistently applied throughout the organization. The purpose of this policy is to specify the government's guidelines for retaining different types of data. The scope of this policy covers all government data stored on government-owned, government-leased, and otherwise government-provided systems and media, regardless of location. Note that the need to retain certain information can be mandated by local, industry, or federal regulations. Where this policy differs from applicable regulations, the policy specified in the regulations will apply. Third Party Connection Policy Direct connections to external entities are sometimes required for business operations. These connections are typically to provide access to vendors or customers for service delivery. Since the government's security policies and controls do not extend to the users of the third parties' networks, these connections can present a significant risk to the network and thus require careful consideration. The policy is intended to provide guidelines for deploying and securing direct connections to third parties.

CONFIDENTIAL Page 16 of 17 The scope of this policy covers all direct connections to the government's network from non-government owned networks. This policy excludes remote access and Virtual Private Network (VPN) access, which are covered in separate policies. VPN Policy A Virtual Private Network, or VPN, provides a method to communicate with remote sites securely over a public medium, such as the Internet. A site-to-site VPN is a dependable and inexpensive substitute for a point-to-point Wide Area Network (WAN). Site-to-site VPNs can be used to connect the LAN to a number of different types of networks: branch or home offices, vendors, partners, customers, etc. As with any external access, these connections need to be carefully controlled through a policy. This policy details the government's standards for site-to-site VPNs. The purpose of this policy is to specify the security standards required for such access, ensuring the integrity of data transmitted and received, and securing the VPN pathways into the network. The scope of this policy covers all site-to-site VPNs that are a part of the government's infrastructure, including both sites requiring access to the government's network (inbound) and sites where the government connects to external resources (outbound). Note that remote access VPNs are covered under a separate Remote Access Policy. Wireless Access Policy Wireless communication is playing an increasingly important role in the workplace. In the past, wireless access was the exception; it has now become the norm in many companies. However, while wireless access can increase mobility and productivity of users, it can also introduce security risks to the network. These risks can be mitigated

CONFIDENTIAL Page 17 of 17 with a sound Wireless Access Policy. The purpose of this policy is to state the standards for wireless access to the government's network. Wireless access can be done securely if certain steps are taken to mitigate known risks. This policy outlines the steps the government wishes to take to secure its wireless infrastructure. This policy covers anyone who accesses the network via a wireless connection. The policy further covers the wireless infrastructure of the network, including access points, routers, wireless network interface cards, and anything else capable of transmitting or receiving a wireless signal. 7.0 Revision History Revision 1.0, 2/18/2011

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information