Cyber security standard



Similar documents
External Supplier Control Requirements

SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE ( ) ON THIRD PARTY RELATIONSHIPS

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

External Supplier Control Requirements

INFORMATION TECHNOLOGY SECURITY STANDARDS

Western Australian Auditor General s Report. Information Systems Audit Report

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

How To Protect Decd Information From Harm

CESG Certification of Cyber Security Training Courses

University of Sunderland Business Assurance Information Security Policy

IT Security Procedure

Schneps, Leila; Colmez, Coralie. Math on Trial : How Numbers Get Used and Abused in the Courtroom. New York, NY, USA: Basic Books, p i.

Data Protection Breach Management Policy

The potential legal consequences of a personal data breach

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE

Information security policy

INTERNET ACCEPTABLE USE POLICY

Information Security Management System (ISMS) Policy

IT Governance Regulatory. P.K.Patel AGM, MoF

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Enterprise K12 Network Security Policy

Personal Data Protection Policy and Practices ( the Policy )

Information Security Policy

Committees Date: Subject: Public Report of: For Information Summary

Electronic Payment Schemes Guidelines

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Information Security Policy

PAPER-6 PART-5 OF 5 CA A.RAFEQ, FCA

15 Organisation/ICT/02/01/15 Back- up

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

HP Laptop & Apple ipads

Data Security Incident Response Plan. [Insert Organization Name]

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

This is a free 15 page sample. Access the full version online.

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

INFORMATION TECHNOLOGY POLICY

HIPAA BUSINESS ASSOCIATE AGREEMENT

NHS Business Services Authority Information Security Policy

Network & Information Security Policy

Newcastle University Information Security Procedures Version 3

Data Management Policies. Sage ERP Online

Network Security Policy

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

Information & ICT Security Policy Framework

Information Security Policies. Version 6.1

Policy Title: HIPAA Security Awareness and Training

Antivirus and Malware Prevention Policy and Procedures (Template) Employee Personal Device Use Terms and Conditions (Template)

Corporate Policy. Data Protection for Data of Customers & Partners.

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania

University of Aberdeen Information Security Policy

NSW Government Digital Information Security Policy

HIPAA BUSINESS ASSOCIATE ADDENDUM

Financial Services Guidance Note Outsourcing

Audit summary of Security of Infrastructure Control Systems for Water and Transport

Caedmon College Whitby

CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD. Data Breach Management Policy. Adopted by Cavan and Monaghan Education Training Board

NSW Government Digital Information Security Policy

Accountable Privacy Management in BC s Public Sector

GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS

Information Governance Policy

Section A: Introduction, Definitions and Principles of Infrastructure Resilience

Monitoring and Logging Policy. Document Status. Security Classification. Level 1 - PUBLIC. Version 1.0. Approval. Review By June 2012

Information security controls. Briefing for clients on Experian information security controls

Standard: Information Security Incident Management

Tipsheet 7 Insurance Clauses Named Insured vs Interested Party

Title: Data Security Policy Code: Date: rev Approved: WPL INTRODUCTION

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Data Protection Policy.

Appendix G Process For Protection of Proposal Information For

RMS. Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles

OCIE CYBERSECURITY INITIATIVE

Legislative Language

Policy Document Control Page

Information Governance Policy (incorporating IM&T Security)

on the transfer of personal data from the European Union

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

CROWN EMPLOYEES (ROADS AND TRAFFIC AUTHORITY OF NEW SOUTH WALES - SALARIED STAFF SALARIES AND CONDITIONS OF EMPLOYMENT) AWARD 2008

Draft Information Technology Policy

TELEFÓNICA UK LTD. Introduction to Security Policy

The Ministry of Information & Communication Technology MICT

Information Governance Strategy & Policy

Corporate Information Security Policy

Information Technology Cyber Security Policy

This procedure is associated with BCIT policy 6700, Freedom of Information and Protection of Privacy.

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Mandatory Provident Fund Schemes Authority COMPLIANCE STANDARDS FOR MPF APPROVED TRUSTEES. First Edition July Hong Kong

INFORMATION SECURITY California Maritime Academy

Cyber Security - What Would a Breach Really Mean for your Business?

Privacy Statement Relating to the Collection, Use and Disclosure of Personal Data & Customer Information

Transcription:

Cyber security standard Brief description This *Standard specifies security standards that protect *ICT systems and data from unintended or unauthorized access, damage or destruction. Related policies This *Standard is made under and supports the information technology and records management policy (DM#12008675). Introduction The ever increasing reliance on information communication technology and the exponentially rising customer expectation on *Western Power s performance have made cyber security a critical business activity. Without adequate cyber security,*western Power exposes itself to both operational and strategic risks which can lead to potentially devastating consequences to the West Australian community. To mitigate these cyber risks *Western Power seeks to: (i) (ii) (iii) ensure the operation of *ICT systems and business information requirements are effectively protected evolve the *ICT security profile using a risk based approach to new *ICT practices, partnerships and alliances promote continued security awareness amongst all persons accessing *Western Power s *ICT assets Scope This *Standard applies to: (i) all employees, officers and directors of *Western Power (ii) contractors working within *Western Power s workforce (iii) all of *Western Power s business activities and operations ICT cyber security standard Page 1

Details Outcomes (i) (ii) (iii) (iv) (v) (vi) Cyber security is integrated into the organisation s policies, work instructions and practices to ensure *ICT systems are secured against misuse and attacks. Provide a robust and secure *ICT environment for users and maintain *Western Power s reputation. Effective compliance with legal and regulatory requirements. Accountability for cyber security compliance is embedded at all levels of the organisation. Provide guidelines and work instructions to increase user security awareness. Appropriate measures and controls are taken to support the operation of *ICT systems and applications to ensure *Western Power is protected. (vii) An organisation with a strong capability of detecting, responding to and recovering from security breaches. Principles (i) (ii) (iii) (iv) (v) (vi) Access to *Western Power *ICT systems is provided on the basis that the user complies with *Acceptable Use terms which promote a risk-aware culture of responsible use. Every *ICT system and user will have the least set of privileges necessary to perform their role in order to limit the damage resulted from an accident or error. *ICT systems will have a security framework appropriate with the level of risk. *ICT services and applications will be protected by multiple overlapping *security controls. Users and *ICT practitioners will be educated to support *Western Power s security principles in the course of day to day activities. Security will be intrinsic to all phases of *ICT product delivery to ensure cyberattack-resilience, limit and contain damage and recover rapidly. (vii) Data will be secured proportionate to its assigned business information classification level. (viii) *ICT services are to be grouped and segregated according to their assigned trust classification level. (ix) (x) (xi) Commercial, legislative and operational sensitive data will be transmitted securely. Procured *Cloud Services will be *ICT security compliant. *ICT services will be security monitored 24 x 7 with all network traffic scanned for malicious intent or content such as viruses & trojans. (xii) Access to critical business systems will be logged, recorded and validated. ICT cyber security standard Page 2

(xiii) *ICT security incidents resulting in breach, significant loss of data or service, will be reported to the appropriate authorities. (xiv) Physical access to *ICT devices, systems, telecommunications networks and data centres is secured in accordance with *ICT guidelines. (xv) ICT *security processes will be continuously graded on their level of preparedness using the *capability maturity model to ensure their effectiveness. Accountabilities Head of *ICT Function: Accountable for: (i) (ii) (iii) (iv) (v) (vi) implementing this *Standard preparing, issuing and maintaining any required supporting documentation ensuring that people affected by the *Standard and its related documents are aware of their responsibilities ongoing education (as necessary) monitoring compliance with the requirements of the *Standard and its related documents ensuring that appropriate remedial actions are taken if there are compliance breaches (vii) monitoring the continuing relevance of the *Standard and the currency of its contents General Counsel: Accountable for publishing the approved version of this *Standard in*western Power s corporate policies register. A matrix summarising the respective roles and accountabilities in relation to each principle noted in clause 2.2 of this *Standard is appended (appendix 1). Review This *Standard will be reviewed and evaluated by the content owner at least once in every three year period taking into account the purpose of the *Standard and the outcome of the compliance review. Dictionary Words in the first column of the following table are defined terms and have the corresponding meaning shown in the second column of the table. ICT cyber security standard Page 3

Defined terms are identified in this Standard by the insertion of an asterisk ( * ) before the defined term. Defined term *Acceptable Use Meaning Specific Acceptable Use standards apply to the use of all *Western Power Information Technology Assets The definition of Acceptable Use is contained primarily within this Standard and is supplemented by Guidelines for the Acceptable Use of *Western Power Information Technology Assets. Computer Users are required to read, understand and agree to be bound by the Standard and the Guidelines *Accountable *Capability maturity model *Cloud services *Consulted *Informed *ICT *Responsible *Security controls *Standard *Western Power The staff member ultimately answerable for the correct and thorough completion of the advice or communication, and the one who delegates the work to those responsible. In other words, an accountable officer approves work that responsible officer provides A maturity model containing structured levels that describe how well the processes can reliably and sustainably produce required outcomes. Delivery of computing as a procured service rather than a product with the most common form being over the Internet. Those staff members whose opinions are sought, typically subject matter experts; and with whom there is two-way communication Those staff members who are kept up-to-date on progress, often only on completion of communication and advice Information Communication Technology Those staff members who will do the work to develop the communication or advice under this standard. There is at least one role with a participation type of responsible, although others can be delegated to assist in the work required Security controls are safeguards or countermeasures to avoid, counteract or minimize security risks. This ICT cyber security standard Electricity Networks Corporation 1. Further information If you have any questions in relation to this *Standard please contact the *ICT Area Manager of Enterprise Architecture, the Head of Function *ICT or the General Counsel. 2. Content owner Chief Financial Officer, Finance, Regulation & ICT ICT cyber security standard Page 4

3. Related documents Description Information technology and records management policy Information technology and record management corporate policy framework. Western Power confidentiality agreement ICT Enterprise Architecture Standard ICT strategy security high level strategy ICT Cyber Risk Register - (IT/OT/SCADA) ICT Acceptable Use Guidelines ICT security incident management plan Physical security standard Information Classification standard DM reference DM#12008675 DM#12022290 DM#2802455 DM#12243343 DM#10081094 DM#10999657 DM#12482300 DM#8277381 DM#12562446<Draft> DM#12763442<Draft> 4. Approval history Version Approved by Date Resolution no. Notes 1. Managing Director 22/02/2008 ** 2. Managing Director 21/09/2009 ** 3. Managing Director 23/12/2009 ** 4. General Manager Corporate Services 31/08/2011 ** 5. General Council 11/08/2014 #070/2014/BD At this time the document was named the Information and Technology Security Policy 6. Chief Financial Officer 03/08/2015 Date of approval: 03/08/2015..... Guy Chalkley Chief Financial Officer ICT cyber security standard Page 5

Appendix 1 Authority matrix for ICT cyber security standard Principle Responsible Accountable Consulted Informed Access to*western Power ICT systems is provided on the basis that the user complies with Acceptable Use values which promote a risk-aware culture of responsible use. Every system and user will have the least set of privileges necessary to perform their role *ICT systems will have a security framework appropriate with the level of risk. ICT Developers *ICT services and applications will be protected by multiple overlapping *security controls. ICT Developers Business Partner Users and *ICT practitioners will be educated to support *Western Power s security principles in the course of day to day activities ICT Developers ICT cyber security authority matrix Page 6 Date of most recent approval: {dd/mm/yyyy} Published Version: DM#TBA Working Copy: DM#12226321

Security will be intrinsic to all phases of *ICT product delivery to ensure cyber-attackresilience, limit and contain damage and recover rapidly. Data will be secured proportionate to its assigned business information classification level. Records Management *ICT services are to be grouped and segregated according to their assigned trust classification level. Commercial, legislative and operational sensitive data will be transmitted securely. Legal ICT Staff Records Management Procured, *Cloud Services will be *ICT security compliant. Records Management ICT Staff *ICT services will be security monitored 24 x 7 with all network traffic scanned for malicious intent or content such as viruses & trojans. ICT Staff *ICT user access to critical business systems will be logged and recorded Risk & Compliance ICT cyber security authority matrix Page 7 Date of most recent approval: {dd/mm/yyyy} Published Version: DM#TBA Working Copy: DM#12226321

* ICT security incidents resulting in breach, significant loss of data or service, will be reported to the appropriate authorities Legal Records Management Federal Authorities Physical access to devices, systems & data centres is secured in accordance with *ICT guidelines. Security processes will be continuously improved in line with industry standard practice. ICT cyber security authority matrix Page 8 Date of most recent approval: {dd/mm/yyyy} Published Version: DM#TBA Working Copy: DM#12226321

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information