INFORMATION & COMMUNICATIONS TECHNOLOGY (ICT) PHYSICAL & ENVIRONMENTAL SECURITY POLICY

1. PURPOSE

In this policy, the term physical and environmental security refers to controls taken to protect information systems, buildings, and related supporting infrastructure against threats associated with their physical environment.

The purpose of this policy is to:
- increase awareness among WA Health ICT staff of their responsibilities in relation to ICT physical and environmental security;
- ensure that good security principles are reinforced within WA Health ICT;
- manage the way in which WA Health complies with Australian Standards.

2. SCOPE

The scope of this policy follows the Australian Standard AS/NZS ISO/IEC 17799:2006 Information technology - Security techniques - Code of Practice for Information Security Management, which has 2 major categories under Physical and Environmental Security:

1. Secure Areas
Objective: To prevent unauthorized physical access, damage, and interference to the organisation's premises and information. The physical facility is usually the building, other structure, or environment housing the system and network components.

2. Equipment Security
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organisation's activities. Supporting facilities are those services (both technical and human) that support the operation of the system. The system's operation usually depends on supporting facilities such as electric power, heating and air conditioning, and telecommunications. The failure or unsatisfactory performance of these facilities may interrupt operation of the system and may cause physical damage to system hardware or stored data.

The facility's geographic location relates to natural threats.
These include earthquakes and flooding; man-made threats such as burglary, civil disorders, or interception of transmissions and emanations; and damaging nearby activities, including toxic chemical spills, explosions, fires, and electromagnetic interference from emitters, such as radars. These location decisions are generally beyond the control of ICT personnel and are only mentioned for completeness.

This policy applies to all personnel of WA Health (employees, contractors, students, volunteers and agency personnel) incorporating the following entities:
- Department of Health;
- Metropolitan Health Services;
- WA Country Health Service.

This policy also applies to external organisations and their personnel who have been granted access to WA Health Information and Communications Technology (ICT) infrastructure and services.

This policy must be read in conjunction with the Acceptable Use Policy - Computing and Communication Facilities, which governs the use of ICT by WA Health personnel. This and other policies and standards are available at the HIN Intranet Site.

3. POLICY

3.1 Appropriate physical and environmental security controls will be implemented at all WA Health Information Communication Technology (ICT) facilities to protect people, property and other information system resources.

3.2 WA Health will adopt a risk management approach when identifying physical and environmental controls for ICT systems facilities.

4. POLICY DETAILS

Five major areas of physical and environmental security controls are:
1. Physical access controls,
2. Fire safety,
3. Supporting utilities,
4. Interception of data, and
5. Mobile and portable systems.

4.1 Physical Access Controls

Physical access controls restrict the entry and exit of personnel, equipment and media from an area, such as an office building, suite, data centre, or room containing a LAN server.

The objectives of physical access controls may be in conflict with those of life safety. Life safety focuses on providing easy exit from a facility, particularly in an emergency, while physical security strives to control entry. In general, life safety must be given first consideration, but it is usually possible to achieve an effective balance between the two goals.

Physical access controls include badges, memory cards, guards, keys, true-floor-to-true-ceiling wall construction, fences, and locks.

Printed Copies are Not Controlled

4.2 Fire Safety Factors

Building fires are an important security threat because of the potential for complete destruction of both hardware and data, the risk to human life, and the pervasiveness of the damage.

4.3 Failure of Supporting Utilities

Information systems and the people who operate them need to have a reasonably well-controlled operating environment. Consequently, failures of heating and air-conditioning systems will usually cause a service interruption and may damage hardware and possibly even cause a loss of information. These utilities are composed of many elements, each of which must function properly.

4.4 Interception of Data

Depending on the type of data a system processes, there may be a significant risk if the data is intercepted. There are three routes of data interception: direct observation, interception of data transmission, and electromagnetic interception.

Direct Observation. System terminal and workstation display screens may be observed by unauthorized persons.

Interception of Data Transmissions. If an interceptor can gain access to data transmission lines, it may be feasible to tap into the lines and read the data being transmitted. Interceptors could also transmit spurious data on tapped lines, either for purposes of disruption or for fraud.

Electromagnetic Interception. Systems routinely radiate electromagnetic energy that can be detected with special-purpose radio receivers. The trend toward wireless (i.e., deliberate radiation) LAN/WAN connections may increase the likelihood of successful interception.

4.5 Mobile and Portable Systems

The analysis and management of risk usually has to be modified if a system is portable, such as a laptop computer. Encryption of data files on mobile and portable equipment may be a cost-effective precaution against disclosure of confidential information if a laptop computer is lost or stolen.
Portable and mobile devices share an increased risk of theft and physical damage as well as the risk of being "misplaced" or left unattended. Secure storage of laptop computers is often required when they are not in use.

5. IMPLEMENTATION

As with other security measures, physical and environmental security controls need to undergo a cost/benefit analysis. Indicative general approaches to justify the selection of controls are:

1 They are required by law or regulation. There is no option but to implement all statutory security measures.

2 The cost is insignificant, but the benefit is material. Once a significant benefit/minimal cost security measure has been identified, no further analysis is required to justify its implementation.

3 The security measure addresses a potentially "fatal" security exposure but has a reasonable cost. Backing up system software and data is an example of this justification.

4 If the cost of a potential security measure is significant, and it cannot be justified by any of the first three reasons listed above, then its cost (both implementation and ongoing operation) and its benefit (reduction in future expected losses) need to be analysed to determine if it is cost-beneficial. In this context, cost-beneficial means that the reduction in expected loss is significantly greater than the cost of implementing the security measure. Justification requires a detailed risk and cost benefit analysis. Simple rules of thumb do not apply.

6. BACKGROUND

All WA Health ICT facilities supporting critical or sensitive business activities should be housed in secure areas. These facilities should be physically protected from unauthorised access, damage and interference. They should be located in secure areas, protected by a defined security perimeter, with appropriate entry controls and, where appropriate, security barriers.

As information accessibility is essential to business, WA Health is committed to providing effective ICT facilities, physical environment conditions and security to safeguard equipment and information from unauthorised intrusion and damage and to provide optimum equipment operating performance.

The planning and implementation of ICT equipment environments, security safeguards and controls, and procedural, access control, architectural, electrical and structural requirements is essential.

7. RELEVANT LEGISLATION AND GOVERNMENT POLICIES

(WA Acts are available at the State Law Publisher website; Commonwealth Acts are available at the Australian Government ComLaw website)

8. ASSOCIATED DEPARTMENT OF HEALTH POLICIES, STANDARDS AND GUIDELINES

WA Health ICT policies are available on the HIN Intranet Site.
- Information Security Policy.
- ICT Risk Management Policy.

9. INTERNATIONAL STANDARDS / SPECIFICATIONS

AS 2834-1995: Computer Accommodation. Sets out recommended requirements for the accommodation of computer systems in buildings for which special provisions are necessary or desirable. It excludes provisions for personal or home computers and those installed in an uncontrolled environment.
AS/NZS ISO 31000: Risk Management - Principles and Guidelines.
AS/NZS ISO/IEC 27001: Information Technology - Security Techniques - Information Security Management Systems - Requirements.
AS/NZS ISO/IEC 27002: Information Technology - Code of Practice for Information Security Management.
AS/NZ ISO/IEC 27799: Information Security Management in Health Using ISO/IEC 27002.
HB 167: Security Risk Management.
HB 327: Communicating and Consulting about Risk.
ISO/IEC 27005: Information Technology - Security Techniques - Information Security Risk Management.

10. REFERENCES

11. DEFINITIONS

Term / Definition

Access: Obtaining knowledge or possession of information (including verbal, electronic and hard-copy information) or other resources, or obtaining admittance to an area.

Australian Government Information Security Manual (ISM): The Defence Signals Directorate's document suite that details controls and principles for information security on ICT systems, as well as relevant rationale. The ISM (previously known as ACSI 33) comprises an Executive Companion, Principles document and Controls Manual.

Business continuity planning (BCP): The development, implementation and maintenance of policies, frameworks and programs to assist agencies manage a business disruption, as well as build agency resilience. It is the capability that assists in preventing, preparing for, responding to, managing and recovering from the impacts of a disruptive event.

ICT Asset: All applications and technologies that are owned, procured and/or managed by WA Health. These include desktop and productivity tools, application environments, hardware devices and systems software, network and computer accommodation, and management and control tools.

Information: Any collection of data that is processed, analysed, interpreted, organised, classified or communicated in order to serve a useful purpose, present facts or represent knowledge in any medium or form. This includes presentation in electronic (digital), print, audio, video, image, graphical, cartographic, physical sample, textual or numerical form.

Information Asset: An identifiable collection of data stored on ICT Assets and recognised as having value for the purpose of enabling WA Health to perform its business functions, thereby satisfying a recognised requirement.

Information Systems: The organised collections of hardware, software, equipment, policies, procedures and people that store, process, control and provide access to information.

Secure Area: Provides the highest integrity of access to, and audit of, information assets to ensure restricted distribution and to assist in subsequent investigation if there is unauthorised disclosure or loss of information assets. The essential physical security features of a Secure Area include:
- appropriately secured points of entry and other openings
- tamper-evident barriers, highly resistant to covert entry
- an effective means of providing access control during both operational and non-operational hours
- all persons to wear passes
- all visitors escorted at all times
- during non-operational hours a monitored security alarm system, providing coverage for all areas where Security Classified information assets are stored
- an approved means of limiting entry to authorised persons.

12. VERSION CONTROL

Current Version: 3.0
Effective Date: 02 Feb 2014
Operational Directive No: OD: 0506/14
SHEF ICT Approved Date: 16 December 2013
Next Review Date: January 2016
Responsible Group: Health Information Network (HIN) - Strategy
Enquiries Contact: Manager, HIN Information Policy

Version / Notes
2006: Original Development
2007: General maintenance.
2013: General Maintenance and reformatting.