Appendix, Definition of roles and terms, to policy for IT security

Similar documents
Appendix, Definition of Roles and Terms, to Policy for IT Security. Date of publication November 2014 (rev. June 2012)

College of Education Computer Network Security Policy

Data Governance Policy. Staff Only Students Only Staff and Students. Vice-Chancellor

SCOPE OF SERVICE Hosted Cloud Storage Service: Scope of Service

The University of Information Technology Management System

INFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS Risk Assessment 357-7

HSCIC Audit of Data Sharing Activities:

APPENDIX 4D HELP DESK SERVICES

HSCIC Audit of Data Sharing Activities:

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

APPENDIX 4D HELP DESK SERVICES

U06 IT Infrastructure Policy

Public Health England, an executive agency of the Department of Health ("We") are committed to protecting and respecting your privacy.

BKDconnect Security Overview

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Access Control Policy

Manager. Configuration Guide. ICS Software Solutions Clarendon House Church Lane Naphill HP14 4US Buckinghamshire

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

REVIEW OF THE FIREWALL ARRANGEMENTS

NMSU Procedural Guidelines (Policy Security Cameras on University Premises)

Polish Financial Supervision Authority. Guidelines

How To Protect Information At De Montfort University

Setting Up Scan to SMB on TaskALFA series MFP s.

Ulster University Standard Cover Sheet

Standard Operating Procedure. Authority to access and monitor University IT Account holder communications and data

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

UMHLABUYALINGANA MUNICIPALITY IT CHANGE MANAGEMENT POLICY

SOFTWARE LICENSING POLICY

CONFIGURATION AND SETUP USER GUIDE AND REFERENCE MANUAL

Information Security Operational Procedures Banner Student Information System Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Security White Paper The Goverlan Solution

INFORMATION GOVERNANCE POLICY: NETWORK SECURITY

SPECIAL CONDITIONS FOR WEBSITE HOSTING SERVICES ON A VIRTUAL PRIVATE SERVER. Version date

Access Control Policy. Document Status. Security Classification. Level 4 - PUBLIC. Version 1.0. Approval. Review By June 2012

Statutes of the Doctoral School of Computer Science

Panda Cloud Protection. Quick guide Service registration procedure

INTERNAL AUDIT FINAL REPORT CNES FINANCE AND CORPORATE RESOURCES DEPARTMENT CLOUD IT SYSTEMS AND THE CRM SYSTEM OFFICIAL OFFICIAL

How to set up the HotSpot module with SmartConnect. Panda GateDefender 5.0

Connecting an Android to a FortiGate with SSL VPN

UCLA Policy 401 Minimum Security Standards for Network Devices

Information Technology Services

Reporting procedures for External Examiners. UNIVERSITY of CUMBRIA ACADEMIC PROCEDURES AND PROCESSES. APPENDIX 4e

Certification services for electronic security certificates

SITTINGBOURNE COMMUNITY COLLEGE IT SUPPORT MANAGER. Job Description

ISAAC Risk Assessment Training

University of Sunderland Business Assurance Information Security Policy

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Department of Transportation Office of Transportation Technology Services

JOB SPECIFICATION. Service Support Manager ORGANISATION CHART: JOB PURPOSE:

Computer and Network Security Policy

Spillemyndigheden s change management programme. Version of 1 July 2012

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Information Security Operational Procedures

IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers

The original version was published in: Official Announcements Vol. 29 / 2010, pp. 2473

Bodywhys Privacy Policy

Google Docs Print. Administrator's Guide

Abstract ( ) Introduction

COMMITTEES. Electronic management system of decision processes and associated documents for managing boards

CareGiver Remote Support Information Technology FAQ

Adlib Hosting - Service Level Agreement

HSCIC Audit of Data Sharing Activities:

Policy for Intellectual Property Rights and the Development of Software

Information Security Policy. Information Security Policy. Working Together. May Borders College 19/10/12. Uncontrolled Copy

technical brief browsing to an installation of HP Web Jetadmin. Internal Access HTTP Port Access List User Profiles HTTP Port

ONLINE PAYMENT PRIVACY POLICY

TECHNICAL SUPPORT. and HARDWARE/SOFTWARE/NETWORK MAINTENANCE. for STUDENT-ACCESS LABS

Network Security Policy

Dacorum Borough Council Final Internal Audit Report

Supplier Security Assessment Questionnaire

Rule 4-004G Payment Card Industry (PCI) Remote and Mobile Access Security (proposed)

System Requirement Checklist

Description of Policy. Revision. New Policy. Date of Original Approval 29 April 2008 Review Date April 2011 Approved By

COMMUNICATION STRATEGY FOR THE UNIVERSITY OF GOTHENBURG

Dublin City University

An Approach to Records Management Audit

EA-ISP-012-Network Management Policy

Network Resource Management Directive

INTEGRATING RECORDS MANAGEMENT

IT Security Procedure

Log Management Standard 1.0 INTRODUCTION 2.0 SYSTEM AND APPLICATION MONITORING STANDARD. 2.1 Required Logging

Installation Guide for Microsoft SQL Server 2008 R2 Express. October 2011 (GUIDE 1)

ESTRO PRIVACY AND DATA SECURITY NOTICE

AGENDA ITEM: SUMMARY. Author/Responsible Officer: John Worts, ICT Team Leader

LAW FOR THE ELECTRONIC DOCUMENT AND ELECTRONIC SIGNATURE. Chapter two. ELECTRONIC DOCUMENT AND ELECTRONIC SIGNATURE

University of Sunderland Business Assurance PCI Security Policy

Controls should be appropriate to the scale of the assets at risk and the potential loss to the University.

THE OPEN UNIVERSITY OF TANZANIA

WORKPLACE HEALTH AND SAFETY AUDITING GUIDELINES

How To Audit Health And Care Professions Council Security Arrangements

Terms and Conditions of Use in the RCTSaai Federation

VEHICLE LOCATION SYSTEM POLICY. Version 0.2. Paul Robinson, Strategic Director, Richard Kniveton, Fleet and Depot Manager

Video surveillance policy (PUBLIC)

GE Measurement & Control. Remote Comms System. Installation and User Reference Guide

Technical Interoperability Standard for Data Mediation Protocols

TECHNICAL SUPPORT. and HARDWARE/SOFTWARE/NETWORK MAINTENANCE. for

Service Support Kasse Initiatives, LLC. ITIL Configuration Management - 1. version 2.0

TECHNICAL SECURITY AND DATA BACKUP POLICY

Recommendations for companies planning to use Cloud computing services

Transcription:

Division of Buildings and Services CONTROL DOCUMENT Leif Bouvin 24-05-07 ref. no. A 13 349/ 07 031-786 58 98 Appendix, Definition of roles and terms, to policy for IT security Date of Publication June 2007 Published Decision-maker www.gu.se Vice-Chancellor Date of decision 11-06-2007 Person responsible for document Period of validity Summary Leif Bouvin Until further notice The appendix, Definition of roles and terms provides definitions of roles and terms that are used in policies, regulations and guidelines for IT security as well as in other control documents concerning IT. Division of Buildings and Services Karl Gustavsgatan 12 B, Box 100, SE 405 30 Göteborg 031 786 0000, 031 786 1142 (fax) www.gu.se

May 2007 Definition of roles and terms An employee can, primarily with regard to smaller systems, occupy several of the roles below. In order to prevent irregularities, the combination of roles that grants authorisation for a transaction and at the same time authorisation to conceal the transaction by, for example, deleting a log, is not permitted. E.g. a personnel administrator who is authorised to perform transactions in the personnel administration system may not simultaneously be technical manager or system administrator for the same system. The principal connection between the roles below is set out in Basic outline of roles and responsibilities, page 5. Authorisation administrator Authorisation administrators are appointed by authorisation managers and are responsible for registration and deregistration of access rights in accordance with the decisions of the authorisation manager. The administrator is also responsible that decisions on allocation of authorisation are filed according to the stipulated filing requirements. Authorisation manager Authorisation managers decide on allocation of access rights to the university s common and local systems, and are also responsible for follow-up of access rights that have been allocated. Allocation and follow-up must comply with guidelines set by the system owner and technical manager. Authorisation managers are: head of department head of division in Central Administration head of section for libraries within the University Library head of faculty office and equivalent. Page 2 of 6

Information owner The information owner is the person who issues and/or approves a certain piece of information and who has responsibility that the information is correct and reliable and for the way in which it is distributed. All information must have an information owner. The following table gives examples of who is considered an information owner in different cases, unless decided otherwise. Category Approved documents Data in information systems All other information Owner (unless indicated otherwise) The person who approves the document The system owner The issuer Isolated network An isolated network has no connections whatsoever with the Internet or other networks. It must not be possible for any IT systems outside the isolated network to communicate with IT systems in an isolated network. IT infrastructure Basic university-wide configuration of servers, clients, operating systems, networks, work stations, printers, software, databases etc. IT facilities IT facilities refer to computers, software, licences and all other peripheral equipment that are used in connection with handling information in digital form. IT system IT system refers to equipment and software that handle, i.e. gather, process, store and distribute information and exchange data between functional units using data transfer and in accordance with technical protocols. IT service Functions that users utilize and that are based on IT infrastructure and IT systems specific to activities. Protected network In a protected network both incoming and outgoing traffic is regulated, which means that there are regulations for how IT services in the protected network are permitted to communicate with IT services outside the protected network. Page 3 of 6

The restriction lies in the infrastructure and is not a part of the IT service s authentication process as is the case with, for instance a login procedure. Firewalls are examples of how to create protected networks. System System is defined in IT security documents as a broader term which contains not just the IT system but also the manual routines and human resources that go together with an IT system. System administrator Is responsible that the stipulated security requirements are applied in the technical administration and operation of IT systems. System administrators are not permitted to be users of the administrative system for which they are system administrator. E.g. a personnel administrator who is authorised to perform transactions in the personnel administration system may not simultaneously be system administrator for the system in question. System manager Is responsible for system management based on the system owner s directives with respect to application, the users requirements and needs. The system manager must have in-depth knowledge about the operations that the system is to support, as well as overall knowledge about the technology that is applied in the system. System owner A system owner (official with responsibility for the system) must be appointed for each IT system. System owners are to attend to the users requirements and have overall responsibility that the IT system supports the operations and the goals. It is the responsibility of system owners that analysis of security requirements are carried out with respect to information content and operational requirements. The security requirements must be indicated with the focus on availability, integrity, confidentiality and traceability guidelines for allocation of access rights are drawn up technical officers security requirements are met. E.g. the director of personnel and organisation development is the system owner for the personnel administration system and a head of a research team can be system owner for the team s research database. Technical officer An official with technical responsibility is to be appointed to ensure technical reliability. It is the responsibility of the technical officer that Page 4 of 6

analyses of technical security are carried out with respect to availability, integrity, confidentiality and traceability and that deficiencies revealed are rectified. system owners security requirements are met technically. For example, the head of the department for information technology, the IT manager at the Sahlgrenska Academy, faculty and University Library respectively. Technical manager Is responsible for the technical administration of the system based on the technical manager s directives. The technical manager must have a good knowledge of the system s design, data management and technical security format, as well as overall knowledge of the operations that the system supports. User Person who is allocated access rights to use Göteborg University s IT facilities and whom it must be possible to identify. Page 5 of 6

Basic outline of roles and responsibilities System- and operational organisation (System and operational-/technical responsibility) Line organisation (Overall responsibility for IT security) Vice-Chancellor System owner Technical officer System manager Technical manager Dean, equiv. System administrator Head of Dept., equiv. User User Note In the system- and operational organisation, an employee can, primarily with regard to smaller systems, occupy several of the roles above. Technical managers are appointed at University-wide level and faculty or equivalent level respectively. The lowest level at which system owners are appointed is head of department or equivalent. Page 6 of 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information