PROCEDURE: Cryptographic Security
Number: G 0806
Date Published: 6 July 2010
1.0 About this procedure

This procedure explains the specific requirements that staff handling cryptographic material must follow. Cryptographic material is the medium by which we configure any computer system requiring encryption. Cryptographic material is generally handled by staff within Information Security, the IT Department and Special Branch.

Essex Police is accountable for all cryptographic items held within the force. To be able to bear that responsibility, all involved members of staff have to be provided with guidance and instructions regarding this accountability. The force has identified a Force Crypto Custodian (FCC) together with a number of deputies; details of these individuals can be found on the Information Security website, which is located within the Review and Compliance section of the Corporate Development website. The FCC will be able to provide encrypted devices without the need to compromise the integrity of an individual department or operation.

This document contains procedures on:
- Handling and administration of cryptographic or CRYPTO classified items;
- COMSEC (Communication Security) incident/compromise reporting;
- Audit and inspection.

2.0 Risk Assessments/Health and Safety Considerations

There are no specific risk assessments associated with this procedure.

3.0 Procedure

The following roles have been appointed to deal specifically with cryptographic material. The sections below give an overview of all cryptographic-related roles and responsibilities; for full clarification refer to HMG IS4 Parts 1, 2 and 3.

3.1 Information Security Officer (ISO)

ISO responsibilities are:
- Compliance with Her Majesty's Government (HMG) security standards and procedures on behalf of the force;
- The production of force security procedures;
- Formal liaison with other HMG security authorities and other police forces;
- Incident management, incident investigation and liaison with CINRAS (COMSEC Incident Reporting Alert Service);
- Force security education, training and awareness;
- Security advice;
- Accountability to the Communications Electronic Security Group (CESG) for the appropriate management of all key material held within Essex Police.

Page 1 of 9

3.2 Force Crypto Custodian (FCC)

In addition to those above, the main responsibilities are:
- Ensuring compliance with HMG and force policies and procedures;
- Management and accounting in respect of all cryptographic material and items (this includes reception and distribution of this material to the relevant business areas);
- Emergency action in accordance with procedures;
- Audit and inspection of all key material;
- Acting as a Crypto Accreditor in accordance with the accreditation procedure.

3.3 Deputy Force Crypto Custodian (DFCC)

Every department handling cryptographic items will have a Deputy Force Crypto Custodian (DFCC), appointed by the FCC, for each location where cryptographic material is stored. The departments within Essex Police that require a DFCC are Special Branch, the IT Department and Airwave Support. The main responsibilities are:
- Ensuring compliance with HMG and force policies and procedures;
- Management and accounting of all cryptographic material and items under their control (this includes the reception and distribution of this material to the relevant business areas);
- Emergency action in accordance with procedures;
- Incident reporting to the ISO and, where appropriate, investigation and recovery;
- Annual authorisation checking;
- Cougar radios;
- Airwave system radios;
- Periodic and unscheduled security inspections;
- Providing advice and assistance;
- Incident investigation and recovery assistance.

3.4 Vetting

All cryptographic material will have a protective marking classification assigned at the point of manufacture. Any person allocating any material or equipment must ensure that the person to whom the material or equipment is issued has been vetted in accordance with the following:

Protective Marking of Key Material    Vetting and Clearance Requirements
RESTRICTED                            Basic Check and Force Management Vetting
CONFIDENTIAL                          Basic Check and Force Management Vetting
SECRET                                Security Check and Force Management Vetting
TOP SECRET                            Developed Vetting

All vetting levels should be checked with the Corporate Vetting Department. The allocation of all equipment will be monitored by the FCC, who may require an enhanced level of vetting in certain circumstances.

The following table identifies the required vetting and clearance level for the roles detailed above.

Role                                      Vetting and Clearance Requirements
Information Security Officer (ISO)        Security Check and Force Management Vetting
Force Crypto Custodian (FCC)              Security Check and Force Management Vetting
Deputy Force Crypto Custodian (DFCC)      Security Check and Force Management Vetting

All staff with responsibilities concerning cryptographic assets will receive training as directed by the ISO/FCC and, where appropriate, attend the CESG Crypto Custodian Training Course.

3.5 Crypto Authorisation

All employees of Essex Police (including contractors) using or working with equipment marked as CRYPTO need to be authorised by the Crypto Custodian in advance. To gain authorisation the employee or contractor must complete Appendix B and should be given a formal briefing by the DFCC who manages the particular Crypto item, or by the FCC, as detailed in Appendix A. Appendix B must be signed by both the user of the cryptographic item and the Custodian. Details of all authorisations will be kept by the FCC and will remain in place for 12 months.

This briefing is to make staff aware of the special threat that exists to the information protected by the cryptographic items in their care. Failure to provide proper protection could result in unauthorised access to information owned by Essex Police.

3.6 Receipt

All items of cryptographic material will only be received by the FCC or a DFCC. In the event that receipt is accepted by a DFCC, the item will be handed personally to the FCC.

Upon receipt, the outer wrapping of the consignment will be examined carefully. If there is any evidence of tampering with either the wrappings or the contents, or suspicion of incorrect handling, this should be reported immediately as a security incident. The consignment must be preserved immediately pending investigation.

Only authorised personnel (FCC or DFCC) may open the inner wrapping. All seals and tamper-evident packing should be intact when the cryptographic items are received. If seals are removed deliberately for authorised reasons, a note to this effect should be entered on the supply/transfer document. When the recipient is satisfied that the packaging has not been disturbed, the contents may be unpacked and physically checked against the supply/transfer document (Appendix C). A logbook form (Appendix D) should be completed and the items stored or distributed.

3.7 Storage

It is essential that adequate storage space is available for cryptographic items and that the security containers, safes and cabinets used for storing cryptographic material meet the relevant security standards. Therefore, advice must be sought from the ISO. Where possible there should be separate storage space so that current, reserve and superseded stocks of key material and code systems are segregated.

Physical keys to safes, cabinets and other security containers must be handled securely and be subject to authorised access only. Combinations, if used, should be changed every 6 months and on staff rotation by the FCC or the DFCC.

If the environment housing cryptographic material is not manned on a 24-hour basis, a clear desk policy should be in place and procedures for closedown and start-up security checks must be established and recorded in local instructions.

Some types of cryptographic equipment are intended to be mobile or portable. Users of such equipment must consult the ISO for further advice on the handling of such assets.

3.8 Distribution

The logbook will provide a complete record of the movements of cryptographic material throughout the whole lifecycle of the items, and any movement of cryptographic items should be recorded within this document. Existing procedures in respect of Special Branch will continue. The FCC accounts for movements of cryptographic items outside of Essex Police.

3.9 Destruction

Destruction of cryptographic items must be carried out by authorised personnel. All destruction will be authorised by the FCC and verified by a second cryptographic-authorised person. Existing procedures in respect of Special Branch will continue.

In the case of mobile operations or remote locations, and in an emergency, the local manager or holder (who is cryptographic authorised) can carry out an emergency destruction. This can only be done to meet required schedules (of key changeover) or to avoid the risk of loss or compromise. In these situations a destruction record must also be filled out.

Appendix E contains a destruction checklist which describes all issues to be considered on destruction (including erasure and re-use), including individual responsibilities. An accurate record of all destructions must be kept; see the Destruction Certificate, Appendix F.

Packing

If cryptographic items are to be sent they must be packed in double wrapping. Both inner and outer wrapping must be securely sealed. Wherever possible the outer wrapping should consist of new, unused material.

The inner wrapping or container must be clearly marked with:
- Package reference number (for identification and accounting purposes);
- Highest protective marking;
- The words "to" and "from" followed by addresses;
- The phrase PASS UNOPENED TO (Crypto Custodian or a name) in BOLD, CLEAR LETTERS.

The outer wrapping may consist of an envelope of official pattern, canvas bag, locked container, packing case or crate. It must not give any indication of protective marking, special handling markings or the nature of the contents. The words CRYPTO or CUSTODIAN must not be used at all on the outer wrapping. The outer wrapping must be marked with:
- The same reference number as the inner wrapping;
- The words "to" and "from" followed by the addresses;
- A stamped or written instruction if appropriate, e.g. BY HAND OF COURIER NOT BY POST.

Cryptographic equipment and associated key material should be packed and sent separately unless operationally impossible.

Maintenance

Equipment should be correctly maintained to ensure its continued availability and integrity. Only authorised personnel should carry out repairs and servicing. Appropriate controls should be applied when sending equipment outside the Force, especially when the equipment has been used for transmission, processing or storage of protectively marked information or when it contains protectively marked or sensitive modules.

Controls in case cryptographic-marked items are sent to an external supplier:
- The third party is Crypto certified by CESG;
- The third party is authorised to handle the material (by the Force);
- Protectively marked files or software must be removed;
- Make notes of the date and time of sending and the recipient (including estimated time of repair and contact details).

Visits by maintenance engineers to all exchanges and cryptographic facilities should be authorised in advance. The engineer should be escorted by a CRYPTO-authorised member of staff. A record should be kept of each visit consisting of:
- Name of the individual and organisation;
- Reason for visit;
- Nature of the work carried out;
- Date and time in and out.

Compromise

The occurrence of a security incident could lead to the compromise of a system or information. An explanation of the levels of compromise and the appropriate handling of each level is given in separate linked guidance. The levels are put in place to provide some indication of the potential damage and whether immediate notification is necessary.

All incidents must be reported to the ISO using the Incident Report Form A480. For the category Compromise Certain (Immediate Notification), the form at Appendix H will be completed and forwarded to CINRAS immediately after occurrence of the incident. Incidents of other compromise categories will be reported to CINRAS by the ISO through an Incident Report Form (A480).

Audit and Inspections

Information standards are prescribed in the Security Policy Framework and BS. The purpose of the inspection process is to check for compliance against published standards and procedures governing the installation of cryptographic equipment, the management of these cryptographic items and the proper authorisation and clearance levels for staff responsible. The FCC will be responsible for ensuring that an audit and inspection process is carried out on at least an annual basis.

The primary aim of the Auditor/Inspector is to determine conformity with the cryptographic standards, to identify any deviations and to offer advice and assistance to Custodians. Appendix I is an auditing template to be used as appropriate. The audit report plus template should be submitted to the Head of Information Management and brought to the attention of the Force Information Management Board.

Further Information about Encryption

For further information on the use and control of cryptography, contact the FCC for a copy of HMG Infosec Standard 4 (Communication, Security, and Cryptography).

4. Monitoring and Review

The FCC will be responsible for ensuring that the procedure remains current in line with HMG standards. This procedure will be reviewed by the ISO one year after the date of publication.

5. Related Procedures

This procedure is associated with other procedures appended to the Information Management Policy.

6. Related Policies

This procedure forms part of the Information Management Policy. It also forms an integral part of the ACPO Community Security Policy (CSP) and is a requirement under the NPIA Accreditation Procedure.

7. Information Sources

- Force Information Security Policy
- HMG Infosec Standard No. 4, Parts 1, 2, 3: Communications Security and Cryptography
- ACPO/ACPOS (2002) Information Systems Community Security Policy, Version 2.4
- CESG (1999) CESG Infosec Memorandum No. 17: Handbook on Cryptographic Security Summary, Issue 1.0
- HMG (2008) The Security Policy Framework
- Airwave System Security Policy and Procedure
Safeguarding Controlled Unclassified Information and Cyber Incident Reporting Kevin R. Gamache, Ph.D., ISP Facility Security Officer Why Are We Seeing These Rules? Stolen data provides potential adversaries
More informationThis Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).
PRIVACY POLICY Data Protection Policy 1. Introduction This Data Protection Policy (this Policy ) sets out how Brital Foods Limited ( we, us, our ) handle the Personal Data we Process in the course of our
More informationCastle View Primary School Data Protection Policy
Castle View Primary School Data Protection Policy Aims The Headteacher and Governors of the school intend to comply fully with the requirements and principles of the Data Protection Act 1998. All staff
More informationThis page is intentionally left blank.
This page is intentionally left blank. STANDARD 900-508710-STD-002 REV. 0 REVISION HISTORY Rev. No. Date Details of Rev. Reviewed By Approved By 0 2017/11/06 Comments incorporated. Issued as L. Johns
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationManagement: A Guide For Harvard Administrators
E-mail Management: A Guide For Harvard Administrators E-mail is information transmitted or exchanged between a sender and a recipient by way of a system of connected computers. Although e-mail is considered
More informationSt Bernard s Primary School Data Protection Policy
St Bernard s Primary School Data Protection Policy St Bernard s RC Primary School, A Voluntary Academy Approved by Governors: 11.11.2015 Review date: Autumn 2016 St Bernard s Data Protection Policy General
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Introduction The purpose of this document is to provide a concise policy regarding the data protection obligations of Youth Work Ireland. Youth Work Ireland is a data controller
More informationData Protection Policy
Introduction In order to; provide education, training, assessment and qualifications to its customers and clients, promote its services, maintain its own accounts and records and support and manage its
More informationShavington Academy Exams Policy
Shavington Academy Exams Policy The purpose of this exams policy is: to ensure the planning and management of exams is conducted efficiently and in the best interests of candidates; to ensure the operation
More informationStandard for Security of Information Technology Resources
MARSHALL UNIVERSITY INFORMATION TECHNOLOGY COUNCIL Standard ITP-44 Standard for Security of Information Technology Resources 1 General Information: Marshall University expects all individuals using information
More informationControls Electronic messaging Information involved in electronic messaging shall be appropriately protected.
I Use of computers This document is part of the UCISA Information Security Toolkit providing guidance on the policies and processes needed to implement an organisational information security policy. To
More informationWORKSHARE SECURITY OVERVIEW
WORKSHARE SECURITY OVERVIEW April 2016 COMPANY INFORMATION Workshare Security Overview Workshare Ltd. (UK) 20 Fashion Street London E1 6PX UK Workshare Website: www.workshare.com Workshare Inc. (USA) 625
More informationCardiff University Security & Portering Services (SECTY) CCTV Code of Practice
Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice Document history Author(s) Date S Gamlin 23/05/2018 Revision / Number Date Amendment Name Approved by BI annual revision Date
More informationTable of Contents. PCI Information Security Policy
PCI Information Security Policy Policy Number: ECOMM-P-002 Effective Date: December, 14, 2016 Version Number: 1.0 Date Last Reviewed: December, 14, 2016 Classification: Business, Finance, and Technology
More informationAn Introduction to the ISO Security Standards
An Introduction to the ISO Security Standards Agenda Security vs Privacy Who or What is the ISO? ISO 27001:2013 ISO 27001/27002 domains Building Blocks of Security AVAILABILITY INTEGRITY CONFIDENTIALITY
More informationRules for LNE Certification of Management Systems
Rules for LNE Certification of Management Systems Application date: March 10 th, 2017 Rev. 040716 RULES FOR LNE CERTIFICATION OF MANAGEMENT SYSTEMS CONTENTS 1. PURPOSE... 3 2. SCOPE... 3 3. DEFINITION
More informationEX107OFC Application for permission to prepare a transcript or report from a recording made other than by the court
EX107OFC Application for permission to prepare a transcript or report from a recording made other than by the court This form gives limited permission to prepare a transcript or report from a recording
More informationADIENT VENDOR SECURITY STANDARD
Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational
More informationSTORAGE OF SSAN. Security Risk Assessment and SECURITY PLAN. (insert name of company) SUBMITTED TO REGULATORY AUTHORITY: (insert date)
STORAGE OF SSAN Security Risk Assessment and SECURITY PLAN (insert name of company) SUBMITTED TO REGULATORY AUTHORITY: (insert date) IMPLEMENTED: (insert date) LICENCE DETAILS: No: Issue date: (Note: You
More informationData Encryption Policy
Data Encryption Policy Document Control Sheet Q Pulse Reference Number Version Number Document Author Lead Executive Director Sponsor Ratifying Committee POL-F-IMT-2 V02 Information Governance Manager
More informationCERTIFICATION CONDITIONS
1 of 5 + CERTIFICATION CONDITIONS PERMIT NO 000/0. SATAS SOUTH AFRICAN TECHNICAL AUDITING SERVICES Pty Ltd Co Reg No 2002/015355/07 AGREEMENT ENTERED INTO WITH Co Reg No.. 2 of 5 CERTIFICATION CONDITIONS
More informationData Erasure Software Changes
Data Erasure Software Changes Current Process Permanent data erasure goes beyond basic file deletion and format commands which only remove part of the information stored on a device. The Secure Data Erasure
More informationAustralian Government Information and Communications Technology Security Manual
Australian Government Information and Communications Technology Security Manual ACSI 33 Defence Signals Directorate Release Date: 29 September 2006 Commonwealth of Australia 2006 This work is copyright.
More informationWELCOME ISO/IEC 27001:2017 Information Briefing
WELCOME ISO/IEC 27001:2017 Information Briefing Denis Ryan C.I.S.S.P NSAI Lead Auditor Running Order 1. Market survey 2. Why ISO 27001 3. Requirements of ISO 27001 4. Annex A 5. Registration process 6.
More informationGuidance on completing the HASS record form (EPR-RSR10) Making and Amending Records
Guidance on completing the HASS record form (EPR-RSR10) Making and Amending Records 1a Date record made 1b Replaces record made on 1c Amends information about Most of the information you record about each
More informationProcedures for responding to requests for personal data to support Data Protection Policy
Procedures for responding to requests for personal data to support Data Protection Policy Heriot-Watt Procedures for responding to requests for personal data; to support Data Protection Policy HERIOT-WATT
More informationSPF Compliance Checklist
SPF Compliance Checklist SPF Security Compliance This compliance checklist is designed to assist businesses, agencies or other organisations, in assessing their ability to meet the requirements of the
More informationSparta Systems TrackWise Solution
Systems Solution 21 CFR Part 11 and Annex 11 Assessment October 2017 Systems Solution Introduction The purpose of this document is to outline the roles and responsibilities for compliance with the FDA
More informationExecutive Order 13556
Briefing Outline Executive Order 13556 CUI Registry 32 CFR, Part 2002 Understanding the CUI Program Phased Implementation Approach to Contractor Environment 2 Executive Order 13556 Established CUI Program
More information