Service Children's Education

Service Children's Education
Data Handling and Security
Information Security Audit
Issued January 2009
An Agency of the Ministry of Defence

Information Security Audit 2

Information handling and security questionnaire

Does your school / office have an information security policy?

The creation of an information security policy is a crucial step towards the effective management of information across all levels of a school / office. It is critical that any information security policy created by a school / office is approved by senior management, and that it is subsequently published and communicated to all employees. This document should be maintained and reviewed regularly, or in response to a change in circumstances that may affect the risks to a school / office's information. An example here may be the introduction of a school or department web site.

Are staff allocated specific security responsibilities, e.g. locking the building, allocating passwords?

Successful implementation of a security programme is more likely if there is some formality to the roles, responsibilities and communication involved in securing a school / office's information. The most successful implementation normally involves integrating this formality with current roles and responsibilities, rather than trying to impose something new that cuts across normal reporting and communication lines. A fundamental element of this approach is the identification of external resources (people, schools / offices etc.) that have specialist knowledge and skills. Information security is a complex discipline that requires specialists. Keeping up to date with trends, concepts, tools, standards and methods can prove invaluable, and specialist services can often do this more effectively than general management. An example of such a specialist service is the Agency Peripatetic ICT Team, who should deal with the control and eradication of computer virus infections.

Do you know what your school / office's main assets are? Do you have a list of them, and does this list include information?

This is a fundamental concept of information management. Without a comprehensive identification of your school / office's information and supporting technical assets, it would be impossible to tell whether they are being protected effectively. You should be able to identify clearly your assets, their relative value and their importance. With this information you can provide levels of protection appropriate to the value and importance of the assets. Examples of assets are:

1. Information assets, e.g. databases, archived information
2. Software assets, e.g. application software, system software
3. Physical assets, e.g. computer equipment, communications equipment, media
4. Services, e.g. general utilities such as heating and lighting

Are specific personnel measures, such as training users or including security in their job descriptions, taken with respect to security?

A well-trained, well-educated and suitably motivated workforce is one of the most cost-effective means of ensuring ongoing information security. It is recognised, however, that malevolent or ill-disposed staff can pose a real threat to a school / office's information assets.

To address this, there are a variety of measures that can be used to reduce the risk. These include:

1. Incorporating security in job descriptions. This should include any general responsibilities for the implementation or maintenance of security, as well as any specific responsibilities such as the execution of a particular process, e.g. virus scanning, back-ups.
2. Personnel screening. Where possible, verification checks on permanent staff should be carried out at the time of job application. This may include the use of character references, a check of the CV, and confirmation of a claimed academic record and professional qualifications. These checks could be extended when an individual is to have access to sensitive information. It is important that similarly appropriate checks are made on contractors and temporary staff who have the same access as permanent staff.

Does your school / office take steps to prevent unauthorised access to your premises?

A secure area normally contains assets of high value, such as IT equipment or communications conduits. It can also apply to office spaces where sensitive information is routinely handled and stored. To prevent unauthorised access, damage and interference to such assets, various steps can be taken to reduce the risk and impact of any incidents. Examples include:

1. Physical security measures, e.g. floor-to-ceiling walls, a controlled entry door or a manned reception desk.
2. Physical entry controls, e.g. authentication controls such as swipe cards, visible identification badges, and access rights based on a defined process.
3. Securing offices, rooms and facilities by, for example, locking doors and windows when rooms and buildings are left unattended or unoccupied.

Other examples include installing suitable intruder detection systems, as well as storing hazardous or combustible materials at a safe distance from secure areas.

Have you implemented operational controls and procedures to safeguard your information, e.g. use of back-ups, anti-virus software, firewalls?

This subject covers a wide area. The objective of such controls is to help ensure the correct and secure operation of information processing facilities. In order to do this, the following areas need to be considered:

1. Operational procedures need to be documented and maintained. This will include the specification for the detailed execution of each job, including, for example, the processing and handling of information and any support contacts in the event of unexpected difficulties.
2. Inadequate control of changes to information processing facilities and systems is a common cause of system or security failures, especially if the installation is growing in size and complexity. Once a certain size is reached, formal management responsibilities and procedures need to be in place to ensure satisfactory control of all changes to equipment, software or procedures. When this point is reached is not easily determined. However, even smaller systems can benefit from good discipline in regard to change management.
3. Incident management procedures need to be established to ensure a quick, effective and orderly response to security incidents.

4. In many circumstances it is important that various business roles are segregated, e.g. a person who raises a purchase order should not also be the person who verifies that the goods have been received.

Do you control access to information through the effective use of user ids and passwords, e.g. making sure users don't share passwords or write their passwords on post-it notes?

It is important that access rights for users are based on a defined policy. This should consider factors such as the security requirements of individual applications, the need-to-know principle, classification of information and relevant legislation.

Have steps been taken to ensure that security requirements are defined and incorporated during system development, or met by packaged software solutions?

Do you ensure that you meet all your legal requirements / obligations, e.g. licensing, copyright, data protection?

When addressing matters regarding compliance with your legal requirements, the first crucial step is to identify all relevant statutory, regulatory and contractual obligations for your school / office. Some areas that might be relevant include:

1. Data protection
2. Intellectual property rights
3. Software licensing
4. Safeguarding school / official records

It is crucial that advice on specific legal requirements is sought where this is not available internally.

Do you have any business continuity plans?

Any school / office, no matter the size, should have business continuity plans, whether formal or informal, in place. These plans should take account of the consequences of disasters, security failures and loss of service. Contingency plans should be developed and implemented to ensure that processes can be restored within required timescales. The process of developing these plans should begin by identifying events that can cause disruption to business processes, e.g. equipment failure, flood, fire. This should then be followed by a risk assessment to determine the impact of those interruptions (both in terms of damage and recovery period). Depending on the results of this assessment, a strategy plan should be developed to determine the overall approach to business continuity management (BCM). To fail to do so is to invite failure.

Does your school / office have an information security policy?
- Has this policy been agreed by senior management?
- Do you make staff aware of this policy, e.g. at their induction?
- Can staff access this policy at any time, e.g. via an intranet?
- Is adherence to this policy included in staff contracts?
- Is someone responsible for the maintenance of the policy?

Has your school / office implemented an information security infrastructure?
- Does a member of the SLT / office manager (or equivalent) have responsibility for information security?

- Have designated staff been given specific security responsibilities as part of their existing duties, e.g. IT Manager?
- Is information security represented as an agenda item at regular senior management meetings?
- Is expertise on information security available internally, and where not, is external advice sought when required?

Is third party access to information managed within your school / office?
- If a third party, e.g. unit, medical centre, advisory staff, has access to information, does this access require approval by an appropriate manager?
- If access is allowed, are the associated risks assessed and the appropriate security measures put in place?

Does your school / office maintain an inventory of assets?
- Do you maintain an inventory of information, e.g. databases?
- Do you maintain an inventory of software?
- Do you maintain an inventory of hardware?
- Do you maintain an inventory of services, such as utilities?

Are information classification guidelines in operation?
- Do you tell staff how they should handle information with regard to its storage, postage and destruction?
- Is the responsibility for classifying information clearly defined?
- Are staff required to lock away sensitive documents when not in use?

Are specific personnel measures taken with respect to security?
- Are staff aware of their security responsibilities via details in their job descriptions?
- Are job applicants' claims of previous experience, qualifications and identity, and their character references, verified?
- Are employees and contract staff required to sign confidentiality or non-disclosure agreements?

Is information security training provided?
- Do all staff receive basic information security training at induction, e.g. use of passwords?
- Is the training provided periodically, e.g. monthly, yearly?
- Do staff with specific responsibilities (e.g. IT Manager) receive additional training?

Does your school / office respond to security incidents?
- Are staff aware of how to recognise and report security incidents, suspected weaknesses or threats to systems?
- Is someone responsible for reviewing and progressing the closure of reported incidents?
- Are employees who violate the security policy subject to a disciplinary process?

Does your school / office take steps to prevent unauthorised access to your premises?
- Does each entrance have some form of physical access control?
- Are secure areas (such as computer rooms), or office areas where sensitive information is stored, protected by access controls?

- Are visitors always signed in and escorted around the building?
- Are unmanned external doors and accessible windows protected through additional controls?

Does your school / office take steps to prevent loss, damage or compromise of equipment and interruption to business activities?
- Is important equipment, e.g. servers, located in secure areas?
- Is equipment protected from power failure, e.g. by use of a UPS?
- Is equipment maintained in accordance with the manufacturer's requirements?
- Is guidance provided with regard to the use of school / office material off site, e.g. use of a laptop?

Does your school / office implement general measures to protect information?
- Is there a "clear desk" policy in operation?
- Are paper and computer media locked away when not in use?
- Are computers left logged on whilst unattended?

Do you have effective, formal operational procedures?
- Are key tasks for computer systems, such as backup and restoration, documented?
- Are changes to systems, e.g. installing a new piece of software, justified and managed?
- Do you have incident management procedures covering areas such as system failures, viruses and breaches of confidentiality?
- Are job roles (where practical) segregated to help prevent incidents such as fraud?

Are formal anti-virus measures in operation?
- Do you have an anti-virus policy?
- Is anti-virus software operating on all servers, PCs and mobile computers?
- Are anti-virus updates rigorously applied?

Is your school / office's network connected to public networks?
- Have controls been implemented to protect systems connected to the internet, e.g. firewalls?
- Do you have a policy on the use of e-mail?

Does your school / office control access to information?
- Do you have an access control policy, e.g. defining who has access to what information?
- Is access granted on a "need to know" basis?
- Is there a formal registration process before access is permitted?
- Are access requests and authorisations documented and retained?
- Are unique user ids deployed so that users can be held accountable?
- Do you maintain records of all staff given access to the system?
- Are access rights immediately removed when a user leaves?
- Do you undertake a periodic review of user access rights?
- Is access given only to authorised members of staff?

- Are records of all privileges issued to staff retained?
- Is the allocation of passwords endorsed through a formal process?
- Must users change the password allocated when they first log on?
- Are users given guidance on their responsibilities for access control?
- Do you issue documented guidelines on the selection and use of passwords?
- Can users change their password at any time, for example if they suspect that it has been disclosed?
- Is there a minimum password length?
- Are terminal time-outs enforced?
- Are users restricted from sharing user ids?

Do you use an application that is crucial to the operation of your school / office?
- Does the application allow restriction of access, e.g. password protection?
- Is restriction of the application enforced through an access control policy?

Do you have any mobile computing facilities (laptops or other hand-held devices)?
- Do restrictions apply to mobile computing?
- Does your security policy or guideline address the use of mobile computing facilities?

Do you develop applications internally?
- Are security requirements determined following a risk assessment of the proposed system?
- Is the Project Manager assigned responsibility to include the requirements of information security?

Do you use outside contractors for development activity?
- Do you ensure formal agreements exist that stipulate that contractors must comply with good practice?
- When development is outsourced, do you ensure you have the right to audit?

Do you have any Business Continuity Plans?
- Is a nominated individual responsible for managing the Business Continuity process?
- Is a Business Impact Analysis carried out to identify the events that can cause interruptions?
- Is there a regular programme of Business Continuity Process testing?

Do you ensure that you meet any legal requirements / obligations?
- Is (are) a nominated individual(s) responsible for maintaining knowledge of all applicable legislation, including copyright and data protection?
- Can you demonstrate that you adhere to licensing agreements?
- Are guidelines available for the safeguarding and retention periods of important school / official records such as accounting records?
- Do you make users aware of the Computer Misuse Act?
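The access control questions in the checklist (unique user ids, removal of access for leavers, periodic review of access rights, forced password change at first logon, minimum password length and terminal time-outs) can be checked mechanically against an account export rather than answered from memory. The following Python script is an added example and is not part of the SCE audit document; the export fields, the sample records, the review date and the policy thresholds are all constructed assumptions.

```python
"""Periodic user access review against the audit checklist.

Added example, not part of the SCE audit document: the account export
fields, the sample records and the policy thresholds are assumptions.
"""
from datetime import date

# Constructed sample of an account export from a school office system.
# "owners" lists the named people who know the password for the id.
ACCOUNTS = [
    {"user_id": "jsmith", "owners": ["J. Smith"], "status": "active",
     "left_on": None, "last_reviewed": date(2009, 1, 5),
     "new_account": False, "must_change_pw": False,
     "pw_min_length": 8, "timeout_min": 10},
    {"user_id": "office", "owners": ["J. Smith", "R. Jones"],
     "status": "active", "left_on": None, "last_reviewed": None,
     "new_account": False, "must_change_pw": False,
     "pw_min_length": 4, "timeout_min": 0},
    {"user_id": "akhan", "owners": ["A. Khan"], "status": "active",
     "left_on": date(2008, 12, 1), "last_reviewed": date(2008, 6, 1),
     "new_account": False, "must_change_pw": False,
     "pw_min_length": 8, "timeout_min": 10},
    {"user_id": "tbrown", "owners": ["T. Brown"], "status": "active",
     "left_on": None, "last_reviewed": date(2009, 1, 28),
     "new_account": True, "must_change_pw": False,
     "pw_min_length": 8, "timeout_min": 15},
]

# Assumed local policy values; the audit asks whether such limits exist.
POLICY = {"min_pw_length": 8, "max_timeout_min": 15, "review_days": 90}
REVIEW_DATE = date(2009, 1, 31)  # assumed date of this review


def review_accounts(accounts, policy, today):
    """Return (user_id, finding) pairs, one per checklist question failed."""
    findings = []
    for a in accounts:
        uid = a["user_id"]
        # Unique user ids so that users can be held accountable.
        if len(a["owners"]) != 1:
            findings.append((uid, "user id is shared or has no named owner"))
        # Access rights removed immediately when a user leaves.
        if a["left_on"] and a["left_on"] <= today and a["status"] == "active":
            findings.append((uid, "account still active after leaving date"))
        # Periodic review of user access rights.
        last = a["last_reviewed"]
        if last is None or (today - last).days > policy["review_days"]:
            findings.append((uid, "access rights not reviewed within policy period"))
        # Password allocated at creation must be changed at first logon.
        if a["new_account"] and not a["must_change_pw"]:
            findings.append((uid, "password change at first logon not enforced"))
        # Minimum password length.
        if a["pw_min_length"] < policy["min_pw_length"]:
            findings.append((uid, "minimum password length below policy"))
        # Terminal time-out enforced (0 means disabled, larger values too lax).
        if not 0 < a["timeout_min"] <= policy["max_timeout_min"]:
            findings.append((uid, "terminal time-out not enforced"))
    return findings


def findings_by_user(findings):
    """Group findings per user id for the audit report."""
    report = {}
    for uid, text in findings:
        report.setdefault(uid, []).append(text)
    return report


def run_review():
    """Review the constructed export as at the assumed review date."""
    return review_accounts(ACCOUNTS, POLICY, REVIEW_DATE)


if __name__ == "__main__":
    for uid, items in findings_by_user(run_review()).items():
        print(uid)
        for item in items:
            print("  -", item)
```

Accounts with no findings (here "jsmith") do not appear in the report, so an empty report is the evidence that the access control questions can be answered "yes".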