EA-ISP-011-System Management Policy

Similar documents
EA-ISP-012-Network Management Policy

EA-ISP Architecture Service Planning Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Newcastle University Information Security Procedures Version 3

EA-ISP-001 Information Security Policy

EA-ISP-002-Business Continuity Management and Planning Policy

University of Aberdeen Information Security Policy

Policy Document. Communications and Operation Management Policy

Information Security Incident Management Policy

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002)

Information Security Management. Audit Check List

Information Security Policy. Chapter 13. Information Systems Acquisition Development and Maintenance Policy

STANDARD ON LOGGING AND MONITORING

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IBX Business Network Platform Information Security Controls Document Classification [Public]

How To Protect Decd Information From Harm

Dublin Institute of Technology IT Security Policy

ISO27001 Controls and Objectives

NHSnet SyOP 9.2 NHSnet Portable Security Policy V1. NHSnet : PORTABLE COMPUTER SECURITY POLICY. 9.2 Introduction

Spillemyndigheden s Certification Programme Information Security Management System

DBC 999 Incident Reporting Procedure

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Mike Casey Director of IT

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

Spillemyndigheden s Certification Programme Information Security Management System

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction Policy Statement Purpose...

University of Sunderland Business Assurance PCI Security Policy

IT OUTSOURCING SECURITY

Microsoft Windows Client Security Policy. Version 2.1 POL 033

How To Audit A Windows Active Directory System

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Cyber Essentials Scheme

Guideline on Auditing and Log Management

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard (PCI / DSS)

Information Security Incident Management Policy and Procedure

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

University of Liverpool

ICANWK406A Install, configure and test network security

Network Security Policy

Third Party Security Requirements Policy

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

INFORMATION SECURITY PROCEDURES

Information Governance Framework

Central Agency for Information Technology

Informatics Policy. Information Governance. Network Account and Password Management Policy

A Rackspace White Paper Spring 2010

Standard CIP 007 3a Cyber Security Systems Security Management

Rotherham CCG Network Security Policy V2.0

A Decision Maker s Guide to Securing an IT Infrastructure

Payment Card Industry Data Security Standard

March

Information Incident Management Policy

GFI White Paper PCI-DSS compliance and GFI Software products

ISO Controls and Objectives

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

28400 POLICY IT SECURITY MANAGEMENT

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

Change Management Control Procedure

Information Technology Acceptable Use Policy

Standard: Event Monitoring

How To Manage Web Content Management System (Wcm)

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

FMCS SECURE HOSTING GUIDE

Internet Use Policy and Code of Conduct

How To Ensure Network Security

Incident Reporting Guidelines for Constituents (Public)

The Office of the Government Chief Information Officer BASELINE IT SECURITY POLICY [S17]

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Implementation of Internal Audit Recommendations: Summary of Progress Report by Head of Finance

Information Security Incident Management Policy and Procedure. CONTROL SHEET FOR Information Security Incident Management Policy

Hong Kong Baptist University

Standard CIP Cyber Security Systems Security Management

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

Aberdeen City Council IT Security (Network and perimeter)

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

NOS for IT User and Application Specialist. IT Security (ESKITU04) November 2014 V1.0

Christchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard

<COMPANY> PR11 - Log Review Procedure. Document Reference Date 30th September 2014 Document Status. Final Version 3.

Terms and Conditions of Use - Connectivity to MAGNET

Information Security

Corporate Information Security Policy

Guideline for department and agency implementation of the Information Security Penetration Testing standard SEC/STD/03.

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Transcription:

Technology & Information Services EA-ISP-011-System Management Policy Owner: Adrian Hollister Author: Paul Ferrier Date: 17/03/2015 Document Security Level: PUBLIC Document Version: 1.00 Document Ref: EA-ISP-011 Document Link: http://blogs.plymouth.ac.uk/strategyandarchitecture/wp- content/uploads/sites/4/2015/03/ea-isp-011-system- Management-Policy.pdf Review Date: March 2016

Document Control Version Author Position Details Date/Time Approved by Position Date/Time 0.9 PF Enterprise Initial draft 27/02/2014 Security Architect created 0.91 PF ESA Updated to new document format 19/02/2015 1.00 PW, AH, GB, CD, PF IT Director, HoS, EA Approved policy 13/03/2015 Paul Westmore IT Director 13/03/2015 11:40 Page 2 of 6

Introduction This policy forms part of the University s Information Security Policy Set and should be read in conjunction with the Information Security Policy (EA-ISP-001) and other supporting documentation. This System Management Policy sets out the responsibilities and required behaviour of those managing computer systems, including requirements on the maintenance and management of information systems and the software and service they run. Policies are required to cover all systems in the organisation, whatever the management regime. Some elements of the policy applying to non-critical systems might not need to be as strict as those applying to a high risk system; a risk assessment needs to be made. Policies also need to set out the requirements for system configuration and the implementation of security systems (e.g. antivirus), as well as appropriate logging and monitoring of system activity, and managing capacity. Reference should also be made to the Software Management Policy (EA-ISP-013) as the policies it defines must also be applied to operating system software. 1. System Management 1.1 The organisation s systems are to be managed by suitably trained and qualified staff to oversee their day to day running and to preserve security and integrity in collaboration with nominated system owners. All systems management staff shall be given relevant training in information security issues. 1.2 The implementation of new or upgraded software must be carefully planned and managed, to ensure that the increased information security risks associated with such changes are mitigated using a combination of procedural and technical controls. 1.3 Formal change control procedures, with audit trails, must be used for all changes to systems. All changes must be properly tested and authorised before moving to the live environment. 2. Access Control 2.1 Access to all information services shall use a secure logon process and access to high risk systems shall, where appropriate, also be limited by time of day or by the location of the initiating terminal or both. 2.2 Access controls shall be maintained at appropriate levels for all systems by ongoing proactive management and any changes of access permissions must be authorised by the manager of the system or application. A record of access permissions granted must be maintained. 2.3 Inactive terminals in high risk locations or serving high risk systems shall shut down after a defined period of inactivity to prevent access by unauthorised persons. 2.4 Password management procedures shall be put into place to ensure the implementation of the requirement of the Information Security Policy and to assist users in complying with best practice guidelines. 3. Monitoring System Activity 3.1 Capacity demands of systems supporting existing business processes shall be monitored and projections of future use are made to enable adequate processing power, storage and network capability are provisioned in accordance with business requirements. 3.2 All access to IT services is to be logged and monitored to identify potential misuse of systems or information. 3.3 Security event logs, operational audit logs and error logs must be properly reviewed and managed by qualified staff. 3.4 Access to operating system commands is to be restricted to those persons who are authorised to Page 3 of 6

perform systems administration or management functions. Where appropriate, use of such commands should be logged and monitored. 4. Importing Files 4.1 Files downloaded from the internet, including mobile code and files attached to electronic mail, must be treated with the utmost care to safeguard against both malicious code or inappropriate material. Such files, or any others not known to come from a trusted source, must be scanned for possible malicious code before being executed. 5. System Clocks 5.1 System clocks must be regularly synchronised between the University s various processing platforms. Page 4 of 6

Appendix 1. System Management All systems require ongoing management and system managers will be responsible for overseeing their day to day running. Systems management necessarily involves a significant amount of security related work. It is common for all software and most firmware to require periodic updates and, whether it is a major change or a minor upgrade, changes to active systems need to be handled with care. Change control is essential: a major upgrade to any system or any change to high risk system should have appropriate levels of management authorisation and provide an audit path to aid subsequent enquiries and investigation. 2. Access Control Access control standards are the rule which an organisation applies to control access to its information assets. Such standards should always be appropriate to the organisation s business and security needs. The dangers of using inadequate access control standards range from inconvenience to critical loss or corruption of data. Most computer systems are accessed by a combination of user ID and password. The selection of passwords, their use and management as a primary means to control access to systems and it is necessary to adhere strictly to best practice guidelines. For example, passwords shall not be shared with any other person for any reason. 3. Monitoring System Activity Measurement of current demands may allow systems to be tuned to make better use of available resources. Projections of future capacity requirements should be made to avoid failures or performance degradation resulting from inadequate processing power, disk channel throughput, network capacity or information storage space. These projections should take account or proposed new facilities as well as current and projected trends in the use of IT. System access must be monitored regularly to thwart attempts at unauthorised access and to confirm that access control standards are effective. For high risk systems, or where intrusion would have serious consequences, intrusion detection systems should be used. Records of failed attempts to gain access to privileged facilities and similar security events can give an early indication of unauthorised attempts at intrusion. Audit logs contain details of the changes made to files and to the operational environment, and require close monitoring. Error logs are the reports produced by your system relating to errors or inconsistencies that have arisen during processing and are important sources of information for ensuring proper use of the system. All log files must be protected against modification to ensure that the information they contain is reliable. The operating system controls a computer s operations; preloaded with it are commands and utilities which set up and maintain the computer s environment. Systems should be hardened to remove access to all unnecessary development tools and utilities prior to delivery to end users. Page 5 of 6

4. Importing Files There are significant information security risks when receiving any files (including graphics files of any format), programs, or scripts, etc. from the Internet. It is vital that the information you receive is complete and correct. Take care with electronically supplied data, such as email attachments, in case of possibility of forgery. 5. System Clocks The need to ensure that where time related information is held within your systems, it is set to Universal Coordinated Time (UTC) with the correct time zone and daylight saving settings and, where possible this should be by automatic reference to a reliable time-server system. Most computer clocks tend to vary in their accuracy, but this should not be significant. However, if these differences become material, then this may have security implications for the organisation, especially where transaction timing is crucial. Page 6 of 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information