Apex Information Security Policy
Table of Contents

1. Objective
2. Policy
3. Scope
4. Approval Authority
5. Purpose
6. General Guidelines
7. Sub policies exist for
   7.1 Desktop Security (desktop, licenses, servers, virus protection)
   7.2 E-mail (Messaging) Policy
   7.3 Network Security (LAN and WAN)
   7.4 Internet (Perimeter) Security
   7.5 Intranet Policy
   7.6 Data Base Administration
   7.7 Freeware / Shareware Security
   7.8 Operating System (OS) Security
   7.9 Remote Access Security
   7.10 Virus Protection and Prevention
   7.11 Logical Access Policy
   7.12 Password Policy
   7.13 Physical Access Security Policy
   7.14 Backup & Recovery Policy
   7.15 Asset (Data) Classification Policy
   7.16 Compliance Policy
8. Business Continuity Management
9. Risk Management
10. Handling Exceptions
11. Document Approval Criteria
Approval and Amendment History

- Authored/Modified by: MR; Approved by: Mr. Srinivasan, MD; Revision details: Initial document
- Authored/Modified by: MR; Approved by: MSF; Revision details: General guidelines have been appended
- Authored/Modified by: IS Team; Approved by: MSF; Revision details: Revised as per observation in 3rd pre-assessment
- Authored/Modified by: CISO / MR; Approved by: ETG Head; Revision details: Annual review
- Authored/Modified by: CISO / MR; Approved by: ETG Head; Revision details: Risk Management approach added
- Authored/Modified by: CISO / MR; Approved by: ETG Head; Revision details: Updated corporate address
- Authored/Modified by: CISO / MR; Approved by: ETG Head; Revision details: Updated Approval Authority
- Authored/Modified by: CISO / MR; Approved by: ETG Head; Revision details: Amended Remote Access Security (7.9)
1. Objective

The objective of this policy is to ensure there are documented standards / procedures for establishing and maintaining an information security management system in 3i Infotech Ltd.

2. Policy

3i Infotech Ltd. is committed to providing services and protecting the confidentiality, integrity and availability of its information assets through continuous improvement, a pro-active approach, courtesy, timely response and accuracy, in order to achieve customer satisfaction and enhance the trust, reliability and confidence of its stakeholders.

3. Scope

This policy applies to all 3i Infotech Ltd. employees worldwide and to all employees / consultants of 3i Infotech Ltd.'s 100% subsidiary companies. It is the responsibility of all operating units to ensure that these policies are clearly communicated, understood and followed.

These policies cover the usage of all of the Company's Information Technology and communication resources, including, but not limited to:

- All computer-related equipment, including portable PCs, terminals, workstations, PDAs, wireless computing devices, telecom equipment, networks, databases, printers, servers and shared computers, and all networks and hardware to which this equipment is connected
- All software, including purchased or licensed business software applications, Company-written applications, employee or vendor/supplier-written applications, computer operating systems, firmware, and any other software residing on Company-owned equipment
- All intellectual property and other data stored on Company equipment

This policy also applies to all users, whether on Company property, connected remotely via any networked connection, or using Company equipment.
4. Approval Authority

The Information Security Policy has been approved by the Management Security Forum (MSF), comprising the Deputy Managing Director and Chief Financial Officer, the President South Asia Geography, the Senior General Manager Legal and Compliance, the Head Enterprise Risk Management and the General Manager ETG, to support the ISMS framework and to review the information security policy annually.

The Chief Information Security Officer has direct responsibility for maintaining the Policy and providing advice and guidance on its implementation. It is the responsibility of each member of staff to adhere to the Policy. In case of any exceptions / breach of policy, MSF shall initiate appropriate action against the users / group concerned, and the Business Heads / Functional Heads shall be responsible for implementing the action.

5. Purpose

The management of 3i Infotech Ltd., whose corporate office is located at Tower # 5, 3rd to 6th Floor, International Infotech Park, Vashi, Navi Mumbai, and which is in the business of software development & IT operation support, is committed to preserving the physical and electronic information assets throughout the company, and it is the policy of 3i Infotech Ltd. to ensure that:

- Information will be protected against unauthorized access;
- Confidentiality of information will be assured;
- Integrity of information will be maintained;
- Availability of information is ensured as required by the business processes;
- Regulatory and legislative requirements will be met;
- Business Continuity plans will be produced, maintained and tested;
- Information security within the organization is managed;
- The security of organizational information processing facilities and information assets accessed by third parties is maintained;
- Appropriate protection of organizational assets is available by maintaining an inventory of important assets;
- Information assets receive an appropriate level of protection by having classification guidelines;
- The risks of human error, theft, fraud or misuse of facilities are reduced by defining security in job and resourcing;
- Users are aware of information security threats and concerns, and are equipped to support the organizational security policy in the course of their normal work;
- The damage from security incidents and malfunctions is minimized, and such incidents are monitored and learned from;
- Unauthorized physical access, damage and interference to business premises and information are prevented;
- The loss, damage or compromise of assets and interruption to business activities are prevented by securing the equipment;
- The compromise or theft of information and information processing facilities is prevented by having general controls;
- The correct and secure operation of information processing facilities is ensured by having operational procedures and defining responsibilities;
- The risk of systems failure is minimized by proper procedures of system planning and acceptance;
- The integrity of software and information is protected from damage by malicious software;
- The integrity and availability of information processing and communication services are maintained by taking and testing back-up copies of essential business information and software;
- The safeguarding of information in networks and the protection of the supporting infrastructure are ensured by implementing a range of network controls;
- Damage to assets and interruptions to business activities are prevented by having good media handling practices and business continuity and disaster recovery procedures;
- The loss, modification or misuse of information exchanged between organizations is prevented by having policies for e-mail and electronic office systems and by having a proper authorization process before information is made publicly available;
- Access to information is controlled as per the access control policy;
- Access rights to information systems are appropriately authorized, allocated and maintained by having user registration procedures and good practices of privilege management & user password management;
- Unauthorized user access is prevented by having sound password policies and by ensuring that unattended equipment is given appropriate protection by users;
- Networked services are protected by having policy and network security procedures;
- Unauthorized computer access is prevented by implementing operating system access controls;
- Unauthorized activities are detected by monitoring system access and use;
- Information security when using mobile computing facilities is ensured;
- Security is built into information systems by analyzing and specifying the security requirements for controls;
- Breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements are avoided by identifying and complying with all the applicable laws and statutory, regulatory or contractual obligations;
- Compliance of systems with organizational security policies and standards is ensured by reviewing procedures/practices;
- The effectiveness of the system audit process is maximized and interference to/from the system audit process is minimized by planned audits;
- Information security training will be available to all staff;
- All breaches of information security, actual or suspected, will be reported to, and investigated by, the IT Compliance team and the CISO.

6. General Guidelines

3i Infotech Ltd. information must be consistently protected in a manner commensurate with its sensitivity, value, and criticality.

3i Infotech Ltd. information must be used only for the business purposes expressly authorized by management.

Information is a critical and vital asset, and all accesses to, uses of, and processing of 3i Infotech Ltd. information must be consistent with its policies and standards.

All employees of 3i Infotech Ltd. and related third parties are expected to comply with this policy and with the ISMS that implements this policy.

This policy will be reviewed to respond to any changes in the risk assessment or risk treatment plan, and at least annually.

3i Infotech Ltd. uses access controls and other security measures to protect the confidentiality, integrity, and availability of the information handled by computers and communications systems. In keeping with these objectives, management maintains the authority to:

o restrict or revoke any user's privileges,
o inspect, copy, remove, or otherwise alter any data, program, or other system resource, and
o take any other steps deemed necessary to manage and protect its information systems.

This authority may be exercised with or without notice to the involved users. 3i Infotech Ltd. disclaims any responsibility for loss or damage to data or software that results from its efforts to meet these security objectives.

This policy also applies to all users, whether on Company property, connected remotely via any networked connection, or using Company equipment.

All 3i Infotech Ltd. information security documentation, including, but not limited to, policies, standards, and procedures, must be classified as Internal Use Only, unless expressly created for external business processes or partners. This document is available to all users on the Intranet.

7. Sub policies exist for

7.1 Desktop Security (desktop, licenses, servers, virus protection)

End-user workstations used in sensitive or critical tasks shall have adequate measures to ensure information security. Virus protection software and other appropriate security measures will be implemented to ensure that individual data and information are safeguarded. All systems will be protected against misuse and unauthorized access by implementing the necessary controls.

7.2 E-mail (Messaging) Policy

The messaging policy emphasizes message hygiene and controls both at the perimeter and at end-user levels. Content filtering will be enabled on outgoing messages, which will safeguard confidential information and IT assets from being abused. A mail scanner to guard against spam mails is deployed.
7.3 Network Security (LAN and WAN)

This policy establishes an enterprise-wide security policy to document, implement, and enforce, in order to augment privacy, authentication, and security via the deployment of network security tools. This policy helps to ensure the security of 3i Infotech Ltd.'s IT assets in response to increasing threats, and will allow the company to meet and fully comply with regulatory and statutory requirements. It also establishes controls on the utilization, management and direction of flow of communication on the network, and procedures to protect it.

7.4 Internet (Perimeter) Security (Internet and any customer network terminating at our premises)

Connectivity to and from the outside world with 3i Infotech Ltd.'s internal network ensures appropriate perimeter security controls. Access to the internet will be restricted based on business need, and controls will be implemented at the gateway to prevent unauthorized access from the internet into our systems.

7.5 Intranet Policy

Connectivity within 3i Infotech Ltd. ensures appropriate perimeter security controls. Access will be restricted to employees. Controls will be implemented at the gateway to prevent unauthorized access from outsiders into our systems.

7.6 Data Base Administration

This applies to database management systems containing business data. It also covers personnel directly involved with the operation and administration of these systems, as well as owners of information and/or applications.

7.7 Freeware / Shareware Security

Downloading and installation of freeware/shareware must be restricted to authorized personnel and must be in accordance with the procedures listed in this policy.

7.8 Operating System (OS) Security

Access to the operating system is restricted to those people who need the information to perform their business functions.

Unix security: Systems and procedures should be implemented to ensure adequate security at the operating system level. Access to the operating system should be restricted to those people who need the information to perform their business functions.

7.9 Remote Access Security

Remote access shall be granted to employees who have demonstrated a business need and obtained the necessary approvals. Use of unauthorized, unlicensed or free remote access software, hardware or networking equipment is against the IS policy. Usage of licensed remote access software/hardware shall be monitored.

7.10 Virus Protection and Prevention

Systems and procedures shall be implemented and constantly monitored to ensure adequate protection and prevention of IT resources against computer viruses and other virus-like activities at various operating levels.
7.11 Logical Access Policy

Access controls for shared resources, including systems and applications, ensure the detection and minimization of the effects of unintended or unauthorized access. Access to facilities will be limited to persons authorized based on their role and level of access to information.

7.12 Password Policy

The password policy ensures protection of users' confidential information and data by authenticating the user's id, and establishes accountability. Controls on passwords shall cover length, complexity and regular enforcement of change.

7.13 Physical Access Security Policy

3i Infotech Ltd. ensures that appropriate physical and environmental controls are in place to protect and monitor IT assets against unauthorized or illegal access and environmental threats / hazards.

7.14 Backup and Recovery Policy

A proper backup strategy and recovery procedures ensure that production systems are brought up from a crisis with the least possible loss of data & time.

7.15 Asset (Data) Classification Policy

IT assets shall be classified in accordance with the requirements, and it shall be ensured that they receive an appropriate level of protection from unauthorized disclosure, threats, use, modification or destruction. Proper accountability shall be defined to have better control of IT assets.

7.16 Compliance Policy

3i Infotech Ltd. shall ensure compliance with the security policy document, applicable legal requirements and the security procedures.

8. Business Continuity Management

A BCP/DR team is formed for the deployment of BCP/DR plans. Procedures exist to support the policy; these include the 3i Infotech Ltd. IT Security Procedures and Guidelines and the business continuity plan. Business requirements for the availability of information and information systems will be met.

The BCP/DR team leader has direct responsibility for maintaining the Policy and providing advice and guidance on its implementation. It is the responsibility of each member of staff to adhere to the Policy.
9. Risk Management

Information stored on electronic or magnetic media, on paper, on plastic, held by people, in transit, or in any other form is considered an information asset of 3i Infotech Ltd - ETG. These assets are to be protected from all possible threats at all times. These information assets fall within the scope of the Risk Management Plan.

Risk is defined as the possibility of an unsatisfactory outcome. Hence a risk management plan based on the PDCA (Plan-Do-Check-Act) model is prepared and implemented to either reduce or eliminate the risk.

The risk management approach is based on the following principles:

- The risks to information assets will be identified.
- Each identified risk is assessed in terms of its probability of occurrence and its resulting loss.
- The risk is calculated and used to prioritize risks. High priority risks will be managed first.
- All team members assist in suggesting solutions to minimize risks.
- Plans consist of specific actions to be taken by specific individuals within specific time frames.
- Progress is monitored and adjusted if necessary.
- As actions are performed, the risk value changes, so the priorities continually change.

The methodology adopted for Risk Management is:

- Defining Risks:
  o Identifying Risks
  o Assessing and Prioritizing Risks
- Managing Risks:
  o Planning
  o Acting
  o Monitoring, Reporting and Adjusting

The risk management methodology is explained in detail in the "Risk management plan and treatment" document.
10. Handling of Exceptions

In case of any exceptions / breach of policy, ETG shall seek advice from Legal to take appropriate action against the users / group concerned, and the Functional Heads / Managers shall be responsible for implementing the action.

11. Document Approval Criteria

- Approving authority: DMD / MD Approval. Documents for approval: Purchase approval authority, Individual Eligibility policy
- Approving authority: ETG Head Approval (member of MSF). Documents for approval: All the other documents except the above
More informationINFORMATION TECHNOLOGY SECURITY POLICY
INFORMATION TECHNOLOGY SECURITY POLICY Author Responsible Director Approved By Data Approved September 15 Date for Review November 17 Version 2.3 Replaces version 2.2 Mike Dench, IT Security Manager Robin
More informationGoogle Cloud & the General Data Protection Regulation (GDPR)
Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to
More informationAcceptable Use Policy
Acceptable Use Policy POLICY 07.01.01 Effective Date: 01/01/2015 The following are responsible for the accuracy of the information contained in this document Responsible Policy Administrator Information
More informationPCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1
PCI Policy Compliance Using Information Security Policies Made Easy PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy By David J Lineman
More informationDonor Credit Card Security Policy
Donor Credit Card Security Policy INTRODUCTION This document explains the Community Foundation of Northeast Alabama s credit card security requirements for donors as required by the Payment Card Industry
More informationProtecting your data. EY s approach to data privacy and information security
Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationMEETING ISO STANDARDS
WHITE PAPER MEETING ISO 27002 STANDARDS September 2018 SECURITY GUIDELINE COMPLIANCE Organizations have seen a rapid increase in malicious insider threats, sensitive data exfiltration, and other advanced
More informationWireless Network Policy and Procedures Version 1.5 Dated November 27, 2002
Wireless Network Policy and Procedures Version 1.5 Dated November 27, 2002 Pace University reserves the right to amend or otherwise revise this document as may be necessary to reflect future changes made
More informationADIENT VENDOR SECURITY STANDARD
Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational
More informationSecurity Standards for Electric Market Participants
Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system
More informationIs your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner
Is your privacy secure? HIPAA Compliance Workshop September 2008 Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner Agenda Have you secured your key operational, competitive and financial
More information7.16 INFORMATION TECHNOLOGY SECURITY
7.16 INFORMATION TECHNOLOGY SECURITY The superintendent shall be responsible for ensuring the district has the necessary components in place to meet the district s needs and the state s requirements for
More informationPhysical and Environmental Security Standards
Physical and Environmental Security Standards Table of Contents 1. SECURE AREAS... 2 1.1 PHYSICAL SECURITY PERIMETER... 2 1.2 PHYSICAL ENTRY CONTROLS... 3 1.3 SECURING OFFICES, ROOMS AND FACILITIES...
More informationEXHIBIT A. - HIPAA Security Assessment Template -
Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,
More informationData Protection. Plugging the gap. Gary Comiskey 26 February 2010
Data Protection. Plugging the gap Gary Comiskey 26 February 2010 Data Protection Trends in Financial Services Financial services firms are deploying data protection solutions across their enterprise at
More informationSHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT
SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT AGREEMENT DATED [ ] BETWEEN: (1) SHELTERMANAGER LTD and (2) [ ] ( The Customer ) BACKGROUND (A) (B) (C) This Agreement is to ensure there is in place
More informationNUKG Business Solutions Pvt Ltd. Information Security Incident Management Procedure (IS-IMG)
NUKG Business Solutions Pvt Ltd Information Security Incident Management Procedure (IS-IMG) Version No 1.0 Document Classification Prepared by Vasu Reviewed by Ravi Kanduri Approved by Ravi Kanduri Date
More informationRegulation P & GLBA Training
Regulation P & GLBA Training Overview Regulation P governs the treatment of nonpublic personal information about consumers by the financial institution. (Gramm-Leach-Bliley Act of 1999) The GLBA is composed
More informationInformation Security Data Classification Procedure
Information Security Data Classification Procedure A. Procedure 1. Audience 1.1 All University staff, vendors, students, volunteers, and members of advisory and governing bodies, in all campuses and locations
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More information2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.
Diageo Third Party Hosting Standard 1. Purpose This document is for technical staff involved in the provision of externally hosted solutions for Diageo. This document defines the requirements that third
More informationISO/IEC INTERNATIONAL STANDARD. Information technology Code of practice for information security management
INTERNATIONAL STANDARD ISO/IEC 17799 First edition 2000-12-01 Information technology Code of practice for information security management Technologies de l'information Code de pratique pour la gestion
More informationUSER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.
These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. I. OBJECTIVE ebay s goal is to apply uniform, adequate and global data protection
More information<Criminal Justice Agency Name> Personally Owned Device Policy. Allowed Personally Owned Device Policy
Policy Title: Effective Date: Revision Date: Approval(s): LASO: CSO: Agency Head: Allowed Personally Owned Device Policy Every 2 years or as needed Purpose: A personally owned information system or device
More informationISO 27002: 2013 Audit Standard Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD ISO 27002
: 2013 Audit Standard Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized
More informationCriminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud
Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains
More informationTrust Services Principles and Criteria
Trust Services Principles and Criteria Security Principle and Criteria The security principle refers to the protection of the system from unauthorized access, both logical and physical. Limiting access
More informationData Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory
Audience: NDCBF IT Security Team Last Reviewed/Updated: March 2018 Contact: Henry Draughon hdraughon@processdeliveysystems.com Overview... 2 Sensitive Data Inventory and Classification... 3 Applicable
More informationBFB-IS-3: Electronic Information Security
Responsible Officer: Responsible Office: Chief Information Officer & VP - Information Technology Services IT - Information Technology Services Issuance Date: TBD, 2017 Effective Date: TBD, 2017 Last Review
More informationGatekeeper Public Key Infrastructure Framework. Information Security Registered Assessors Program Guide
Gatekeeper Public Key Infrastructure Framework Information Security Registered Assessors Program Guide V 2.1 December 2015 Digital Transformation Office Commonwealth of Australia 2015 This work is copyright.
More informationUniversity of Liverpool
University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Personnel Security Standard This standard is applicable to all VCU School of Medicine personnel. Approval
More informationUTAH VALLEY UNIVERSITY Policies and Procedures
Page 1 of 5 POLICY TITLE Section Subsection Responsible Office Private Sensitive Information Facilities, Operations, and Information Technology Information Technology Office of the Vice President of Information
More informationUT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES
ACCESS MANAGEMENT Policy UT Health San Antonio shall adopt access management processes to ensure that access to Information Resources is restricted to authorized users with minimal access rights necessary
More informationInformation Security Controls Policy
Information Security Controls Policy Version 1 Version: 1 Dated: 21 May 2018 Document Owner: Head of IT Security and Compliance Document History and Reviews Version Date Revision Author Summary of Changes
More informationData Processing Amendment to Google Apps Enterprise Agreement
Data Processing Amendment to Google Apps Enterprise Agreement The Customer agreeing to these terms ( Customer ) and Google Inc., Google Ireland, or Google Asia Pacific Pte. Ltd. (as applicable, Google
More informationCloud Security Standards
Cloud Security Standards Classification: Standard Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January 2018 Next
More informationPolicy and Procedure: SDM Guidance for HIPAA Business Associates
Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:
More informationDATA PROTECTION SELF-ASSESSMENT TOOL. Protecture:
DATA PROTECTION SELF-ASSESSMENT TOOL Protecture: 0203 691 5731 Instructions for use touches many varied aspects of an organisation. Across six key areas, the self-assessment notes where a decision should
More informationNetwork Security Policy
Network Security Policy Date: January 2016 Policy Title Network Security Policy Policy Number: POL 030 Version 3.0 Policy Sponsor Policy Owner Committee Director of Business Support Head of ICU / ICT Business
More information