Third party Web hosting services security Policy




Office of the Prime Minister
Policy document CIMU P 0013:2003
Version: 2.0
Effective date: 09.04.2003

Third party Web hosting services security Policy

1. Policy statement

i) General

The Government of Malta (Government) requires the secure provision of third party Web hosting services to Government Entities. Web hosting services security requires that a third party Web hosting services provider maintains the integrity of a Government Entity's Web site through physical and logical security at the Data Centre and on the technology deployed.

Should the third party Web hosting services provider use the Agent as intermediary, then the third party Web hosting services provider shall access data through the Agent's Demilitarised Zone (DMZ). Web hosting services security requires that a third party Web hosting services provider establishes and maintains its own DMZ.

ii) Web hosting server technology

Web hosting server technology for third party Web hosting services to a Government Entity shall be subject to the following:

(i) the Web hosting server technology shall operate from a Data Centre that is physically located in Malta, that is secure and that guarantees logical information security, based on European recognised standards as specified in the Supporting Documents section of this Policy;
(ii) the Web hosting server technology shall be equipped for business continuity purposes; and
(iii) the administration of the Web hosting server technology shall require documented security procedures that shall be available for audits.

iii) Network

The network between the third party Web hosting services provider and the Government Entity shall be secure from unauthorised access.

iv) Implementation

The target population are:
(i) Government Entities and
(ii) third party Web hosting services providers.

Implementation from a security point of view shall be backed by:

(i) A Service Level Agreement, between the third party Web hosting services provider and the Government Entity, that shall comply with this Policy.
(ii) A Declaration of Security Conformance, issued by the third party Web hosting services provider to the Government Entity, copied to CIMU. This Declaration shall be used as another reference for the selection of a third party Web hosting services provider. It shall be the responsibility of the third party Web hosting services provider to ensure, on an on-going basis, that services provided via an Internet services provider are subject to the Declaration of Security Conformance.
(iii) Internal security audits, by the third party Web hosting services provider on its operations, for Security Conformance purposes. Records shall be maintained in the process. The third party Web hosting services provider shall carry out timely and effective follow-up action to satisfactorily close items arising in the internal security audits. The third party Web hosting services provider shall maintain records of the actions taken.
(iv) Security Compliance checks, by CIMU on the third party Web hosting services provider. CIMU shall maintain records in the process. The third party Web hosting services provider shall carry out timely and effective follow-up action to satisfactorily close items arising in the external security audits. The third party Web hosting services provider shall maintain records of the actions taken.

Implementation shall be within the context of:
(i) CIMU P 0012:2003 Third party Web hosting services Policy,
(ii) MSA BS 7799 Part 2:2003 (Information security management. Specification with guidance for use),
(iii) CIMU P 0016:2003 Information Security Policy,
(iv) Convention on Cyber Crime ETS No. 185 (signed by Government on 17.01.2002, but still to be ratified) and
(v) Laws of Malta and regulations by statutory bodies.

v) Policy violations

Abuse or misuse of third party Web hosting services by the Government Entity and/or the third party Web hosting services provider in terms of the Telecommunications (Regulation) Act, the Electronic Commerce Act, the Data Protection Act and the Computer misuse provisions of the Criminal Code shall be treated as an offence.

2. Purpose

The objective of this Policy is to ensure that third party Web hosting service providers provide secure third party Web hosting services to Government Entities.

3. Who should know this Policy

Knowledge of this Policy should extend up and down the organisations concerned and be widespread within them.

Chief Information Management Officer (CIMO)
CIMU Communications Executive
Head of Government Entity
Head of Third party Web hosting services provider
Head of Agent
Head of Internet services provider
Ministry of Justice and Local Government
Information Management Officers (IMOs)
Head of MCA

4. Scope of applicability

The provisions of this document apply to the security of third party Web hosting services provided to Government Entities by third party Web hosting services providers that (i) operate the services through the Agent or independently and (ii) host Web sites published under the gov.mt domain.

5. Definitions

Agent - a trusted organisation that has the mandate by Government to provide Information and Communications services.

Computer network - a network of data processing nodes that are interconnected for the purposes of data communication.

Data Centre - a facility that includes personnel, hardware and software organised to provide information processing services.

Declaration of Security Conformance - a documented statement issued by the third party Web hosting service provider to the Government Entity, by which the third party Web hosting service provider declares, under its sole responsibility, conformance to this Policy. In the event that the third party Web hosting services provider does not act as an Internet services provider, the Declaration of Security Conformance shall also cover the Internet services provider that provides services to the third party Web hosting services provider. The Declaration shall also include the reference number of registration with the MCA. This Declaration shall be considered as separate from the Declaration of Conformance.

Demilitarised Zone (DMZ) - the organisation's "neutral zone" between the organisation's computer network and the external network, intended to prevent outside users from getting direct access to internal computer servers that hold data. Outside users can only have access to the DMZ, which may typically also host Internet resources that are served to the outside world.

Government Entity - a Government Ministry, Department, Local Government or Public Sector entity.

Security Compliance - the process performed by CIMU or by an independent body to check that a service provided satisfies the security criteria set in a referenced document.

Security Conformance - the correspondence of a service to the security criteria set in a referenced document.

Third party Web hosting service - the process in which a third party services provider furnishes a Government Entity with a Web site presence.

Third party Web hosting service provider - a local private organisation having a physical Web hosting presence under Maltese jurisdiction and being compliant with the applicable authorisation requirements of the MCA.

6. Roles and responsibilities

For the purpose of this Policy, the following roles and responsibilities have been identified:

Role: 1. Chief Information Management Officer (CIMO)
Responsibility:
i. To maintain this Policy.
ii. To audit for security compliance.

Role: 2. CIMU Communications Executive
Responsibility:
i. To publish this Policy.
ii. To liaise appropriately with the Agent with regards to the publication of this Policy on the CIMU Website.

Role: 3. Head of Agent
Responsibility:
i. To establish and maintain the DMZ.

Role: 4. Head of Government Entity
Responsibility:
i. To direct the Government Entity according to the provisions found in this Policy.
ii. To grant access to the Government Entity's Web site once the appropriate controls have been implemented and the terms for connection or access have been defined and agreed upon in a contractual agreement.

Role: 5. Head of third party Web hosting services provider
Responsibility:
i. To have publicly declared target dates to achieve accredited certification to MSA BS 7799 Part 2:2003 for the scope of applicability of this Policy.
ii. To operate Web hosting services according to the provisions of this Policy.
iii. To establish and maintain its own DMZ.
iv. To audit for Security Conformance.
v. To conduct timely and effective follow-up action to satisfactorily close items arising in internal and external security audits.
vi. To keep updated on vulnerabilities that affect the Web hosting services environment and to have the latest security fixes in place.

Role: 6. Head of Internet services provider
Responsibility:
i. To operate according to the provisions of the Declaration of Security Conformance issued by the third party Web hosting services provider.

7. Supporting Documents

In support of this Policy, the following Standard shall apply:

01. MSA BS 7799 Part 2:2003 Information security management. Specification with guidance for use.

8. References

01. The Telecommunications (Regulation) Act, Chapter 399
02. Data Protection Act, Chapter 440
03. Electronic Commerce Act, Chapter 426
04. Article 337 of the Criminal Code, Chapter 09
05. Code of practice for Internet Service Providers, http://www.mca.org.mt
06. Convention on Cyber Crime ETS No. 185, http://conventions.coe.int
07. Third party Web hosting services Policy
08. Information Security Policy

9. Modification history

Version   Date         Changes
1.0       19.06.2002   Initial release
2.0       09.04.2003   Updated release

10. Maintenance and review cycle

Maintenance of this Policy shall be based on a twelve month cycle.

Signature and stamp
Joseph R. Grima
Permanent Secretary, Office of the Prime Minister