Physical and Environmental Security Policy Document Number: OIL-IS-POL-PES
Document Details

Title Description Version 1.0 Author Classification Physical and Environmental Security Policy Physical and Environmental Security controls of Oil India Limited Information Security Manager Internal Review Date 27/03/2018 Reviewer & Custodian Approved By CISO Release Date 23/03/2015 Owner Information Security Council (ISC) CISO Distribution List Name Internal Distribution Only Version History Version Number Version Date /03/2015

Internal Page 2 of 12
Table of Content

1. Purpose
2. Policy
2.1 Application
2.2 Secure Areas
2.3 Equipment Security
3 Non Compliance
1. Purpose

This Policy supports the high level policy statements defined in Information Security Policy. Information Assets are required to be physically protected from security threats to prevent loss, damage or compromise of assets which may lead to disruption of business continuity.

Physical & Environmental Security refers to the protection of office site and equipment (and all other information and information assets) from theft, vandalism, natural disaster, manmade catastrophes, and accidental damage (e.g., from electrical surges, extreme temperatures etc.) which may lead to disruption of business operations.

The purpose of this document is to describe the acceptable and non acceptable activities to prevent unauthorized access, damage and interference of business premises and information.

2. Policy

2.1 Application

The policy applies to employees, including full-time staff, part-time staff, contractors, freelancers, and other agents accessing Oil India business premises and information assets.

2.2 Secure Areas

Physical Security Perimeter

Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) will be used to protect areas that contain information and information processing facilities. Physical protection will be achieved by creating several physical barriers around the business premises and information processing facilities. Each barrier establishes a security perimeter, creating a defence in depth strategy and eliminating a single point of failure.

The following guidelines and controls will be considered and implemented where appropriate:

- The security perimeter will be clearly defined;
- The perimeter of a building or site containing information processing facilities will be physically sound (i.e. there will be no gaps in the perimeter or areas where a break-in could easily occur). The external walls of the site will be of solid construction and all external doors will be suitably protected against unauthorized access, e.g. control mechanisms, alarms, locks etc;
- A manned reception area or other means to control physical access to the site or building will be in place. Access to Oil India premises is restricted to authorized personnel only;
- Physical barriers will, if necessary, be extended from real floor to real ceiling to prevent unauthorized entry and environmental contamination such as that caused by fire and flooding; and
- All fire doors/exits on a security perimeter will be access controlled, monitored, and tested in conjunction with the walls to establish the required level of resistance.

Physical Entry Controls

Secure areas will be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

The following controls will be implemented to ensure adequate protective measures:

- Each employee will be issued a proximity card for entry to secure areas along with an identification card which will have the following details:
  - Employee name
  - Unique Employee ID
  - Photograph
  - Business Unit
  - Blood Group + emergency contact numbers
  - Department
- Employees who have forgotten their identification badge/proximity card will obtain a temporary badge after approval from the team leader. This will not have access to floors. Such a temporary badge will stay valid for a single day only. The employee needs to return the temporary badge while leaving the office.
- Identification badges that have been lost or stolen or are suspected of being lost will be reported instantly. Such cards will be deactivated with immediate effect once mail is received from the employee or any other user.
- All temporary workers, trainees, consultants and engineers who require access to secure areas will be issued a temporary card after approval from their respective SPOC and immediate superior in the Department. This will not have access to floors. Such a temporary badge will stay valid for a single day only. The employee needs to return the temporary badge while leaving the office.
- Visitors to secure areas will be supervised, and their date and time of entry and departure, along with the photo identity proof, will be recorded.
- All personnel will be required to wear their identification card at all times and will be encouraged to challenge unescorted strangers and anyone not wearing visible identification.
- Access rights to secure areas will be regularly reviewed on a quarterly basis and updated by management responsible for the specified areas.

Securing offices, rooms and facilities

A secure area may be a locked office or several rooms inside a physical security perimeter, which may be locked and may contain lockable cabinets or safes. The selection and design of a secure area will take into account the possibility of damage from fire, flood, explosion, accident, malicious intent, and other forms of natural or man-made disaster. Consideration will also be given to any security threats presented by neighbouring premises, e.g., leakage of water from other areas.

The following controls are essential considerations:

- Key facilities will be sited to avoid public access;
- Buildings will be unobtrusive and will give minimum indication of their purpose;
- Doors and windows will be locked when unattended and external protection will be considered for windows, particularly at ground level;
- Hazardous or combustible materials will be stored securely at a safe distance from a secure area. Bulk supplies such as stationery will not be stored within a secure area until required.
- Fallback equipment and back-up media will be sited at a safe distance to avoid damage from a disaster at the main site.
- Any outlying buildings or areas that house/contain data centre support equipment (backup generators, UPS, etc) will have a similar level of security controls as the data centre itself: secure structure, access control, and technical surveillance systems for monitoring access and activities around the area.
- CCTV may be implemented to track movement at all critical entry and exit points. CCTV recordings will be kept for 15 days.
- Surveillance and monitoring is subject to legal limitations in many jurisdictions, and will be subject to contractual limitations in union, Works Council or shop agreements. Legal Counsel will be consulted before implementing these measures.
- A manned reception area or other means to control physical access to the building will be in place. Access to the building will be restricted to authorized personnel only.
- Visitor and Escort Control procedures will be implemented to ensure that all visitors to the company facilities are positively identified and authorized prior to granting access. Visitors to secure areas will be escorted or cleared for unescorted access, and their date and time of entry and departure recorded. Visitors will only be granted access for specific, authorized purposes. Visitor photo pass logs will be established and maintained.
- Wherever possible, Technical Surveillance Systems (CCTV) will be utilized to monitor activities around the immediate environs of the building and entrances.
- All safety/fire emergency doors will be access controlled and have closing and locking mechanisms, along with hooters that sound if a door is opened.
- Special care will be given to ensure the security of loading areas.

Working in Secure Areas

The following guidelines may be considered:
- Access to sensitive information and information processing facilities will be controlled and restricted to authorized persons only. Authentication controls (e.g. Card/Badge Access Control System) will be used to authorize and validate all access. An audit trail of all access will be securely maintained. These secure areas will also include telephone and network closets, environmental, UPS and server room etc.
- All personnel will be required to wear identification badges, and security personnel may challenge unescorted strangers and anyone not wearing visible identification.
- Access rights to secure areas will be regularly reviewed (quarterly) and updated;
- Personnel will only be aware of the existence and activities in a secure area on a need to know basis;
- Unsupervised working in secure areas will be avoided both for safety reasons and to prevent opportunities for malicious activities; and
- Vacant secure areas will be physically locked and periodically checked.

Isolated Delivery Loading Areas

Delivery and loading areas will be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

The following controls will be considered:

- Access to a holding area from outside of the building will be restricted to identified and authorized personnel;
- The holding area will be designed so that supplies can be unloaded without delivery staff gaining access to other parts of the building;
- Incoming material will be inspected for potential hazards and registered, if appropriate, before it is moved from the holding area to the point of use; and
- Incoming and outgoing shipments will be physically segregated, wherever required.
2.3 Equipment Security

Equipment Location and Protection

LAN servers, routers, midranges, mainframe, PBXs and other computer hardware which would not typically reside on an individual user's desktop or in common working areas will be physically located in a secured area, with adequate controls for preventing or suppressing environmental hazards like fire and other non-environmental threats such as theft which could hamper availability of data.

The following guidelines will be considered for protecting the equipment:

- Equipment will be located to minimize unnecessary access into work areas;
- Information processing facilities handling sensitive data will be positioned and the viewing angle restricted to reduce the risk of information being viewed by unauthorized persons during their use, and storage facilities secured to avoid unauthorized access;
- Items requiring special protection will be isolated to reduce the general level of protection required;
- Controls will be adopted to minimize the risk of potential physical threats, e.g. theft, fire, explosives, smoke, water (or water supply failure), dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation, and vandalism;
- Smoke detectors and fire extinguishers/water sprinklers may be placed at all strategic locations across Oil India premises to set off an alarm in case of fire; and
- Random checks/rounds will be carried out to ensure that eating and smoking in proximity to information processing facilities is not carried out.

Power Supplies

Computer hardware will be protected from electrical problems that might cause a computer malfunction or failure. Magnets or sources of magnetic fields will not be located near computer diskettes or tapes. Examples include radios, magnetic picture and/or coat hangers, flashlight magnets, magnetized screwdrivers, paper clip holders, transformers and motors.
The following options for continuity of power supplies will be used:

- Multiple feeds to avoid a single point of failure in the power supply;
- Uninterruptible power supplies (UPS); and
- Back-up generator.

Cabling Security

Power and telecommunications cabling carrying data or supporting information services will be protected from interception or damage.

The following controls will be considered:

- Power and telecommunications lines into information processing facilities will be underground, where possible, or subject to adequate alternative protection;
- Network cabling will be protected from unauthorized interception or damage. Examples of this protection include using conduit or avoiding routes through public areas; and
- Network distribution areas will be physically secured to prevent unauthorized access or modification. For sensitive or critical systems armoured conduit and locked rooms or boxes will be installed at inspection and termination points.

Equipment Maintenance

Equipment will be correctly maintained to ensure its continued availability and integrity.

The following controls will be considered:
- Equipment will be maintained in accordance with the supplier's recommended service intervals and specifications;
- Records will be kept of all suspected or actual faults and all preventive and corrective maintenance;
- Only authorized maintenance personnel will carry out repairs and service equipment; and
- Appropriate controls will be taken when sending equipment off premises for maintenance to prevent unauthorized access to sensitive information.

Security of Equipment off-premises

Security will be applied to off-site equipment taking into account the different risks of working outside the organization's premises.

The following controls will be considered:

- Equipment and media taken off the premises will not be left unattended in public places;
- Manufacturers' instructions for protecting equipment will be observed at all times, e.g. protection against exposure to strong electromagnetic fields; and
- Adequate insurance cover will be in place to protect equipment off-site.

Secure disposal or re-use of equipment

All items of equipment containing storage media will be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal. Devices containing sensitive information will be physically destroyed or the information will be destroyed, deleted or overwritten using techniques to make the original information non-retrievable rather than using the standard delete or format function.

Removal of Property

Equipment, information or software will not be taken off-site without prior authorization.

The following controls may be considered:

- Equipment, information or software will not be taken off-site without prior authorization;
- Employees, contractors and third party users who have authority to permit off-site removal of assets will be clearly identified;
- Equipment will be recorded as being removed off-site and recorded when returned; and
- A log of items, facilities and keys in possession of employees will be maintained.

3 Non Compliance

Failure to comply with the Physical & Environmental Security Policy may, at the full discretion of Oil India, result in disciplinary action as per Information Security Policy.
More informationREPORTING INFORMATION SECURITY INCIDENTS
INFORMATION SECURITY POLICY REPORTING INFORMATION SECURITY INCIDENTS ISO 27002 13.1.1 Author: Owner: Organisation: Document No: Chris Stone Ruskwig TruePersona Ltd SP-13.1.1 Version No: 1.0 Date: 1 st
More informationGDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd
GDPR Processor Security Controls GDPR Toolkit Version 1 Datagator Ltd Implementation Guidance (The header page and this section must be removed from final version of the document) Purpose of this document
More informationMEETING ISO STANDARDS
WHITE PAPER MEETING ISO 27002 STANDARDS September 2018 SECURITY GUIDELINE COMPLIANCE Organizations have seen a rapid increase in malicious insider threats, sensitive data exfiltration, and other advanced
More informationTUFTS HEALTH PLAN CORPORATE CONTINUITY STRATEGY
JUNE 2017 TUFTS HEALTH PLAN CORPORATE CONTINUITY STRATEGY OVERVIEW The intent of this document is to provide external customers and auditors with a high-level overview of the Tufts Health Plan Corporate
More informationPRACTICE QUESTIONS INFORMATION SECURITY AUDITORS MODULE PART II
PRACTICE QUESTIONS INFORMATION SECURITY AUDITORS MODULE PART II 1) A system has been patched many times and has recently become infected with a dangerous virus. If antivirus software indicates that disinfecting
More informationUsage Policy Document Number: OIL-IS-POL-EU
Email Usage Policy Document Number: OIL-IS-POL-EU Document Details Title Email Usage Policy Description Acceptable usage of emails by users Version 1.0 Author Information Security Manager Classification
More informationVersion 1/2018. GDPR Processor Security Controls
Version 1/2018 GDPR Processor Security Controls Guidance Purpose of this document This document describes the information security controls that are in place by an organisation acting as a processor in
More informationServer Colocation Standards
Server Colocation Standards 1 Overview The purpose of this document is to communicate the minimum requirements and configuration necessary to colocate a server or other equipment in the datacenter of Duke
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationStandard CIP Cyber Security Physical Security
A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-1 3. Purpose: Standard CIP-006 is intended to ensure the implementation of a physical security program
More informationNational Museums & Galleries of Wales Standard Facilities Report
NAME OF BORROWING INSTITUTION: National Museums & Galleries of Wales Standard Facilities Report [A] BUILDING (a) General information 1 Are your premises purpose-built galleries / museums / other? 2 If
More informationTECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES
TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control
More informationStandard CIP 004 3a Cyber Security Personnel and Training
A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-3a 3. Purpose: Standard CIP-004-3 requires that personnel having authorized cyber or authorized unescorted physical access
More informationState of Rhode Island Department of Administration Division of Information Technol
Division of Information Technol 1. Background Physical and environmental security controls protect information system facilities from physical and environmental threats. Physical access to facilities and
More informationSecurity Policies and Procedures Principles and Practices
Security Policies and Procedures Principles and Practices by Sari Stern Greene Chapter 3: Information Security Framework Objectives Plan the protection of the confidentiality, integrity and availability
More informationFRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.
FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013 Visit us online at Flank.org to learn more. HITRUST CSF v9 Framework ISO 27001/27002:2013 Framework FLANK ISO 27001/27002:2013 Documentation from
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationSample Security Risk Analysis ASP Meaningful Use Core Set Measure 15
Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15 Risk Analysis with EHR Questions Example Answers/Help: Status What new electronic health information has been introduced into my practice
More informationControls Electronic messaging Information involved in electronic messaging shall be appropriately protected.
I Use of computers This document is part of the UCISA Information Security Toolkit providing guidance on the policies and processes needed to implement an organisational information security policy. To
More informationMobile Working Policy
Mobile Working Policy Date completed: Responsible Director: Approved by/ date: Ben Westmancott, Director of Compliance Author: Ealing CCG Governing Body 15 th January 2014 Ben Westmancott, Director of
More informationSecurity of critical project performed by vendor abroad
Israel Electric Corporation National Security unit Data Security Security of critical project performed by vendor abroad Aproved by: doron berger Data Security Manager - National Security unit Project
More informationAdvent IM Ltd ISO/IEC 27001:2013 vs
Advent IM Ltd ISO/IEC 27001:2013 vs 2005 www.advent-im.co.uk 0121 559 6699 bestpractice@advent-im.co.uk Key Findings ISO/IEC 27001:2013 vs. 2005 Controls 1) PDCA as a main driver is now gone with greater
More informationBUSINESS CONTINUITY. Topics covered in this checklist include: General Planning
BUSINESS CONTINUITY Natural and manmade disasters are happening with alarming regularity. If your organization doesn t have a great business continuity plan the repercussions will range from guaranteed
More informationINFORMATION SECURITY POLICY
Open Open INFORMATION SECURITY POLICY OF THE UNIVERSITY OF BIRMINGHAM DOCUMENT CONTROL Date Description Authors 18/09/17 Approved by UEB D.Deighton 29/06/17 Approved by ISMG with minor changes D.Deighton
More informationCyber Security Policy. September12, 2009
Cyber Security Policy September12, 2009 Table of Contents Preface...4 Purpose...4 Scope...4 Policy...5 Organizational and Functional Responsibilities...5 Information Policy...6 Individual Accountability...6
More informationUT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES
ACCESS MANAGEMENT Policy UT Health San Antonio shall adopt access management processes to ensure that access to Information Resources is restricted to authorized users with minimal access rights necessary
More informationRFP Annex A Terms of Reference UNHCR HQ Data Centre Colocation Service
RFP 2017 845 Annex A Terms of Reference UNHCR HQ Data Centre Colocation Service Version 1 Contents Project objectives... 1 Background... 1 Scope... 1 Timeframe and Cost... 4 Stakeholders, roles and responsibilities...
More informationAged Care Security Solutions. security.gallagher.com
Aged Care Security Solutions security.gallagher.com Aged care security solutions The safety of residents and staff is the most important thing. Our objective at Gallagher is to create innovative solutions
More informationUniversity Network Policies
BACKGROUND Washington State University s network infrastructure and network services are vital to carry out the mission of the University. Policies are needed to ensure the continued integrity of these
More informationPolicy and Procedure: SDM Guidance for HIPAA Business Associates
Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:
More informationTECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES
TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control
More informationInformation Security Management Criteria for Our Business Partners
Information Security Management Criteria for Our Business Partners Ver. 2.1 April 1, 2016 Global Procurement Company Information Security Enhancement Department Panasonic Corporation 1 Table of Contents
More information