28400 POLICY IT SECURITY MANAGEMENT




Version: 2.2
Last Updated: 30/01/14
Review Date: 27/01/17
ECHR Potential Equality Impact Assessment: Low

1. About This Policy

1.1. The objective of this policy is to provide direction and support for IT Security in accordance with business requirements and relevant laws and regulations.

1.2. This policy outlines Hampshire Constabulary's approach to the protection of its IT infrastructure. This policy is intended to prevent major and widespread damage to Constabulary assets such as the network, user applications, files, and hardware.

1.3. The policy applies to all Hampshire Constabulary staff (permanent and temporary personnel), contractors and third parties with contractual obligations to maintain Force IT systems.

2. General Principles

2.1. IT systems represent essential core assets to the daily operation of the Constabulary. Availability, performance and security of the network, including its computers and systems, are key to service delivery.

2.2. New viruses represent a continual threat, requiring continual research to plan proactive measures against them.

2.3. IT systems are subject to the discovery of operating system or application vulnerabilities and the subsequent emergence of exploits of such vulnerabilities, which have the potential to cause disruption or damage to those systems.

2.4. Hampshire Constabulary recognises that there may be legitimate business needs for members of the Constabulary and other third parties to be able to access information systems on the Constabulary's network from remote locations that are not linked directly to the network.

3. Statement Of Policy

3.1. Asset Management

3.1.1. Responsibilities for assets

3.1.2. Objective: To achieve and maintain appropriate protection of Hampshire Constabulary assets.

Inventory of assets: All assets shall be clearly identified and an inventory of all information security assets drawn up and maintained.

Ownership of assets: All information and assets associated with information processing facilities shall have nominated Asset Owners.

Acceptable use of assets: Rules of acceptable use of information and assets associated with information processing facilities shall be identified, documented, and implemented in the form of Security Operating Procedures (SyOPs).

3.2. Communications and Operations Management

3.2.1. Operational Procedures and Responsibilities

3.2.2. Objective: To ensure the correct and secure operation of information processing facilities.

Documented operating procedures: Operating procedures shall be documented, maintained and made available to all users who need them.

Change management: Changes to information processing facilities and systems shall be controlled.

Segregation of duties: Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of Hampshire Constabulary's assets.

Separation of development, test and operational facilities: Development, test and operational facilities shall be separated to reduce the risks of unauthorised access or changes to the operational system.

3.2.3. Third Party Service Delivery Management

3.2.4. Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

Service delivery: It shall be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated and maintained by the third party.

Monitoring and review of third party services: The services, reports and records provided by the third party shall be regularly monitored and reviewed, and audits shall be carried out regularly.

Managing changes to third party services: Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking into account the criticality of the business systems and processes involved and re-assessment of risks.

Remote Access: Remote access by third parties will be uniquely identified, subjected to robust risk analysis and supported via contracts between the Constabulary and the third party. All requests for remote access will be authorised by the Sy&IA Unit.

3.2.5. System Planning and Acceptance

3.2.6. Objective: To minimise the risk of systems failures.

Capacity management: The use of resources shall be monitored and tuned, and projections made of future capacity requirements, to ensure the required system performance.

System acceptance: Acceptance criteria for new information systems, upgrades, and new versions shall be established, and suitable tests of the system(s) carried out during development and prior to acceptance.

3.2.7. Protection Against Malicious and Mobile Code

3.2.8. Objective: To protect the integrity of software and information.

Controls against malicious code: Detection, prevention and recovery controls to protect against malicious code, and appropriate user awareness procedures, shall be implemented; these will include the provisions to detect, remove and protect against viral infections. All computers connected physically or remotely to the Hampshire Constabulary network will have anti-virus software correctly installed, configured, activated, and updated with the latest version of virus definitions.

Controls against mobile code: Where the use of mobile code is authorised, the configuration shall ensure that the authorised mobile code operates according to a clearly defined security policy, and unauthorised mobile code shall be prevented from executing.

Patch Management: Critical system updates will be deployed as soon as practicable, after an assessment of risks and ensuring patch stability. Where patching of the infrastructure is not a viable option, other security measures will be sought.

3.2.9. Back-up

3.2.10. Objective: To maintain the integrity and availability of information processing facilities.

Information back-up: Back-up copies of information and software shall be taken and tested regularly in accordance with the agreed backup policy.

3.2.11. Network Security Management

3.2.12. Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.

Network controls: The network will be adequately managed and controlled in order to be protected from threats and to maintain security for the systems and applications using the network, including information in transit.

Security of network services: Security features, service levels and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced.

3.2.13. Media Handling

3.2.14. Objective: To prevent unauthorised disclosure, modification, removal or destruction of assets and interruption to business activities.

Management of removable media: There shall be documented procedures in place for the management of removable media.

Disposal of media: Media shall be disposed of securely and safely when no longer required, using formal procedures.

Information handling procedures: Procedures for the handling and storage of information shall be established to protect this information from unauthorised disclosure or misuse.

Security of system documentation: System documentation shall be protected against unauthorised access.

3.2.15. Exchange of Information

3.2.16. Objective: To maintain the security of information and software exchanged within Hampshire Constabulary and with any external entity.

Information exchange policies and procedures: Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use of all types of communication facilities.

Sharing agreements: Agreements shall be established for the exchange of information and software between Hampshire Constabulary and external parties.

Physical media in transit: Media containing information shall be protected against unauthorised access, misuse or corruption during transportation beyond Hampshire Constabulary's physical boundaries.

Electronic messaging: Information involved in electronic messaging shall be appropriately protected.

Business information systems: Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems.

4. Implications Of The Policy

4.1. The implementation of the required information security standards will incur substantial resource implications for Hampshire Constabulary. The cost of physical and technical security controls required for new initiatives will be included in their procurement.

5. Monitoring / Evaluation

5.1. Monitoring for compliance with this policy is the responsibility of the Joint Management Unit. The Force Security Policy and associated documents are independently evaluated by the CJX / Airwave Accreditor as part of the annual process for seeking to renew the Force's Codes of Connection to those national services.

6. Review

6.1. This policy and all associated documents will be reviewed every three years, or more frequently as deemed necessary.

7. Other Related Policies, Procedures And Sources

7.1. 06100 Policy - Security

7.2. AD203 Equality Impact Assessment

7.3. Other sources: HMG IA Standards; CESG Good Practice Guides; Security Policy Framework; ISO 27001

Origin: Management