Guidelines on developing the instruction specifying the method of managing the computer system used for personal data processing, with particular consideration of the information security requirements.

One of the requirements imposed on controllers by § 3 paragraph 1 of the Regulation of the Minister of Internal Affairs and Administration of April 29, 2004 on personal data processing documentation and the technical and organisational conditions which should be fulfilled by devices and computer systems used for personal data processing (Journal of Laws No. 100, item 1024) is to develop an instruction specifying the method of managing the computer system used for personal data processing, hereinafter referred to as the instruction. The instruction shall be approved by the controller and adopted as a binding document. The procedures and guidelines it contains shall be provided to the persons responsible for carrying them out in the organisation, in accordance with their assigned rights, scope of duties and liability. For example, the principles and procedures for authorising persons to process personal data, or the method of keeping a record of the persons involved in the processing, shall be passed on to the persons managing the organisation of data processing; the method of beginning and ending work, the method of using the system and the password change principles to all its users; and the antivirus protection principles and the backup procedures to the persons responsible for technical operation and continuity of the system. The instruction shall contain general information on the computer system and the personal data filing systems processed with it, the technical solutions applied, and the operating procedures and usage principles adopted to ensure the security of personal data processing.
Where the controller uses several computer systems rather than one for the processing of data, it shall, depending on how similar the applied solutions are, develop either one general management instruction or separate instructions for each system. Accordingly, the scope of the issues covered will differ between small entities, where personal data are processed by means of one or a few computers, and large entities operating complex local computer networks with a large number of servers and workstations processing data in many computer systems. The instruction shall indicate the computer systems it applies to, their locations and the applied methods of access (directly at the computer on which the system is installed, within a local computer network, or through a telecommunications network, e.g. a leased access line or the Internet). The instruction shall cover the issues related to ensuring information security, and in particular the elements enumerated in § 5 of the Regulation, which include:

1) procedures of granting authorisation to process data and registration of these authorisations in the computer system, as well as indication of the person responsible for these activities;
2) applied methods and means of authorisation and the procedures connected with their management and use;
3) procedures of beginning, suspending and ending work by the users of the system;
4) procedures of making backups of the data filing systems and of the programs and software tools used for the data processing;
5) method, place and period of storage of: a) electronic information media containing personal data, b) the backups referred to in point 4;
6) method of securing the computer system against the software referred to in paragraph III point 1 of the Appendix to the Regulation;
7) method of implementing the requirements referred to in § 7 paragraph 1 point 4 of the Regulation;
8) procedures of inspection and maintenance of the systems and information media used for personal data processing.

In order to protect the data being processed, the instruction shall set out, for each of the points enumerated above, the rules of conduct appropriate to each of the applied computer systems. General guidelines on the issues to be included in the instruction for each of these points are presented below.
1. Procedures of granting authorisation to process data and registration of these authorisations in the computer system, as well as indication of the person responsible for these activities (§ 5 point 1 of the Regulation).

This point shall describe the principles of assigning an identifier to a user in the computer system and the principles of granting or modifying a user's authorisation to access the system's resources. These principles shall cover all operations related to granting users authorisation to work in the computer system, from creating the user account, through granting and modifying the user's privileges, up to removing the account from the system. The procedure governing user registration shall unambiguously specify the rules of conduct for privileged user accounts (i.e. users with access at the level of computer system administrators), as well as the rules for administering the computer system in emergencies, for example in the absence of the administrator. The instruction shall indicate the persons responsible for carrying out these procedures and for registering and unregistering users of the computer system.

2. Applied methods and means of authorisation and procedures connected with their management and use (§ 5 point 2 of the Regulation).

This point shall describe the mode of assigning passwords, i.e. whether users' passwords are given orally or in writing, together with the recommendations regarding the required degree of complexity. The persons responsible for assigning passwords shall also be indicated, either by function or by name. It is recommended that passwords are not handed over by third parties or sent in unprotected e-mail messages. After receiving the password the user shall be obliged to change it immediately, unless the system does not support such an operation.
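The account and password procedures of points 1 and 2 (an initial password assigned by the administrator and changed at once by the user, a minimum length of 6 or 8 characters under paragraph VII of the Appendix, a change at least every 30 days under paragraph IV (2), and storage in non-plaintext form), as an added Python illustration that is not part of these guidelines or of any regulator's software. The account record, the use of salted PBKDF2 hashing as the storage form, the iteration count and the status strings are assumptions made for the illustration.

```python
"""Password handling modelled on points 1 and 2 of the guideline (added illustration, not the
regulator's code): salted PBKDF2 storage, length per paragraph VII, 30-day validity per IV (2)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=30)  # paragraph IV (2) of the Appendix

@dataclass
class Account:
    user_id: str
    salt: bytes                 # one random salt per account
    digest: bytes               # PBKDF2 of the current password
    set_on: date                # when the current password was set
    sensitive: bool             # are Art. 27 data processed in the system?
    must_change: bool = True    # initial password was assigned by the administrator
    history: list = field(default_factory=list)  # earlier digests (recurrence rule)

def min_length(sensitive: bool) -> int:
    """Paragraph VII: at least 6 characters, or 8 where Art. 27 data are processed."""
    return 8 if sensitive else 6

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)  # rounds assumed

def create_account(user_id, initial_password, today=None, sensitive=False):
    """Administrator assigns the first password; the user must change it immediately."""
    if len(initial_password) < min_length(sensitive):
        raise ValueError("initial password shorter than the required minimum")
    salt = os.urandom(16)
    return Account(user_id, salt, _digest(initial_password, salt), today or date.today(), sensitive)

def change_password(acct, current, new, today):
    """Returns 'ok', or the reason the change was refused."""
    if not hmac.compare_digest(_digest(current, acct.salt), acct.digest):
        return "current password incorrect"
    if len(new) < min_length(acct.sensitive):
        return "new password too short"
    new_digest = _digest(new, acct.salt)
    if any(hmac.compare_digest(new_digest, d) for d in [acct.digest, *acct.history]):
        return "password reused"
    acct.history.append(acct.digest)
    acct.digest, acct.set_on, acct.must_change = new_digest, today, False
    return "ok"

def login(acct, password, today):
    """'ok', 'denied', 'must_change' (first use) or 'expired' (older than 30 days)."""
    if not hmac.compare_digest(_digest(password, acct.salt), acct.digest):
        return "denied"
    if acct.must_change:
        return "must_change"
    return "expired" if today - acct.set_on > MAX_PASSWORD_AGE else "ok"
```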
Depending on the solutions used, additional information related to passwords shall be given, such as requirements concerning their recurrence (reuse) or the set of characters of which they consist. The required frequency and method of password change shall also be stated, e.g. whether the change is forced by the computer system after a specific time or whether the user has to remember to do it. When determining the frequency of password change, bear in mind that pursuant to paragraph IV (2) of the Appendix to the Regulation the user's password shall be changed at least every 30 days and shall consist of at least 6 characters if the data referred to in Art. 27 of the Act are not processed in the system, or at least 8 characters if such data are processed (paragraph VII of the Appendix). Passwords shall be kept in the computer system in encrypted form. The method of storing the passwords of users with computer system administrator rights and the method of recording their emergency use shall be indicated. Additionally, where methods of verifying the user's identity other than identifier and password are used, such as microprocessor cards or biometric methods, the guidelines on their application shall be included in the instruction. For microprocessor cards, e.g. the method of their personalisation shall be indicated; for biometric methods, the way biometric data are captured during the user's registration in the system and the method of their storage.

3. Procedures of beginning, suspending and ending work by the users of the system (§ 5 point 3 of the Regulation).

This point shall indicate the consecutive activities to be performed to activate the computer system, and in particular the principles of users' conduct during the authentication process (logging into the system). Compliance with the principles specified in the instruction shall ensure the confidentiality of passwords and make unauthorised data processing impossible. The rules of conduct when work is temporarily stopped as a result of leaving the workplace, or when an unauthorised person could inspect the data displayed on the screen, shall also be determined. The user shall be instructed that it is necessary to log out of the computer system before switching off the workstation and informed of the steps to be taken for this purpose. The procedures intended for system users shall indicate how to proceed when a violation of system security is suspected, e.g. when the user cannot log into his/her account, or when physical interference with the processed data or with the software or hardware tools used is found.

4. Procedures of making backups of the data filing systems and of the programs and software tools used for the data processing (§ 5 point 4 of the Regulation).

This point shall indicate the methods and frequency of making backups of the data and of the computer system used for the data processing. The following needs to
be determined: the data for which backups will be made, the type of media on which they will be made, and the software tools and devices to be used for this purpose. The backup procedure shall specify the backup schedule for particular data filing systems, indicating the appropriate method of making copies (incremental copy, full copy). Where the backup procedures are complex, the part of the instruction on backups may refer to detailed procedures dedicated to particular data filing systems or computer systems; these procedures shall be attached to the management instruction. The procedures specifying the scope and method of making backups shall indicate the rotation periods and the total period of use of particular data media. The procedures for disposing of media containing data backups, after their withdrawal because they have become useless or damaged, shall be determined. The procedure for disposing of media containing personal data shall take into account the requirements of paragraph VI (1) of the Appendix to the Regulation, which orders that devices, discs and other electronic information media containing personal data intended for disposal shall be devoid of those data and, where that is impossible, the records shall be damaged so that they cannot be read.

5. Method, place and period of storage of: a) electronic information media containing personal data, b) the backups referred to in § 5 point 4.

This point of the instruction shall specify the method and period of storage of all types of information media (floppy disks, CDs, magnetic tapes). The premises intended for storing information media, and the method of securing these media against unauthorised takeover, readout, copying or destruction, shall also be indicated.
When developing the recommendations on the method and period of storage of information media, bear in mind that pursuant to paragraph IV (4a) of the Appendix to the Regulation backups shall be stored in premises ensuring security against unauthorised takeover, change, damage or destruction. The requirement of paragraph IV (4b) of the Appendix to the Regulation, which orders that backups be deleted as soon as their usefulness ceases, shall also be taken into account. Where information media are transferred to external entities for safe storage, e.g. the quite common practice of depositing backups in bank vaults, the procedures of transferring the media to these entities shall be determined and the methods of securing the transferred media against unauthorised takeover during transport/transfer shall be indicated.

6. Method of securing the computer system against the software referred to in paragraph III point 1 of the Appendix to the Regulation (§ 5 point 6 of the Regulation).

When describing the securing of the computer system against the software referred to in paragraph III (1) of the Appendix to the Regulation, the areas of the computer system exposed to computer viruses and all other types of malicious software shall be specified. Possible vulnerabilities in the system that allow malicious software to get in, and the activities to be undertaken to minimise the possibility of such software being installed, shall be indicated. In addition to the activities preventing malicious software from entering the system, the instruction shall also indicate the software tools applied to counteract the consequences of such software's harmful activity. The installed antivirus software shall be indicated, the method and frequency of virus definition updates specified, and the persons responsible for managing this software determined. The procedures of users' conduct upon identifying a specific type of threat shall also be presented. The user shall be informed of the steps to take when the security software indicates the existence of a threat. Where methods of securing against malicious software other than antivirus software are used, they shall be indicated and the procedures related to their use presented. Such methods may include, inter alia, physical separation of devices enabling data to be read from exchangeable information media on particular workstations (e.g. disconnecting a CD-ROM drive, a floppy drive, etc.)
and designating a separate workstation in the computer network intended for exchanging data by means of external media.

7. Method of implementing the requirements referred to in § 7 paragraph 1 point 4.

Pursuant to § 7 paragraph 1 point 4 of the Regulation, for each person whose personal data are processed in the computer system, the system should ensure that a record is kept of disclosures of information to recipients within the meaning of Art. 7 point 6 of the Act, including to whom the personal data have been disclosed and the date and scope of the disclosure, unless the computer system is used for processing personal data contained in open data filing systems. It follows that the computer system used for processing personal data shall have functionality enabling such records to be kept. Pursuant to § 5 point 7 of the Regulation, the method and form of keeping these records shall be specified in the instruction. Special attention shall be paid to the fact that keeping the records referred to in § 7 paragraph 1 point 4 of the Regulation in paper form is not sufficient, and so the instruction cannot provide for such a method of fulfilling this requirement, because it would be inconsistent with the definition of the computer system set forth in the Act. It shall also be noted that where personal data are processed in more than one computer system, the requirements of § 7 paragraph 1 point 4 of the Regulation can be met in one of these systems or in a separate computer system dedicated to this purpose. The conclusion is that keeping records of disclosures in one system only is possible where the data filing system processed in two or more systems relates to exactly the same persons; an example of such a situation is the use of the same database by many applications. It is not permitted, however, to keep these records exclusively in one system if the groups of persons whose data are processed in the particular systems are not exactly the same. Where the set of persons whose data are processed in one system differs from the set of persons whose data are processed in the other system, and there is no inclusion relation between these sets, the records of disclosures must be kept separately in each system servicing these filing systems, or possibly in a system dedicated to keeping the records referred to in § 7 paragraph 1 point 4.

8.
Procedures of inspection and maintenance of the systems and information media used for personal data processing (§ 5 point 8 of the Regulation).

This point shall specify the purpose, scope, frequency and procedures of inspecting and maintaining the computer system. The entities and persons entitled to inspect and maintain the computer system shall be indicated. Where maintenance activities are commissioned to persons not authorised to process the data (e.g. specialists from external companies), the procedures shall specify how the controller supervises these activities. Where information media containing personal data are handed over for repair, the method of deleting the personal data from these media before handing them over shall be determined. The procedures related to repairing the computer software shall take into account the requirement of paragraph VI (3) of the Appendix to the Regulation, which requires that devices, discs and other electronic information media containing personal data intended for repair are devoid of those data, so that they cannot be retrieved, or are repaired under the supervision of a person authorised by the controller.