Information Security Controls Policy

Classification: Policy
Version Number: 1-00
Status: Published
Approved by (Board): University Leadership Team
Approval Date: 30 January 2018
Effective from: 30 January 2018
Next Review Date: 30 January 2019
Document Authors: Service Assurance, ICT (D. Chambers, S. Doyle, S. Jones)
Document Owner: Head of Service Assurance, ICT (Stewart Doyle)
Department/Contact: help@hull.ac.uk
Summary: This policy sets out the high-level objectives that demonstrate the University's approach to a number of key areas in information security. This provides the framework upon which a range of technical controls can be built and maintained.
Scope: This policy applies to all University members
Collaborative provision: Not mandatory
Assessment: Not applicable (where relevant)
Consultation: Not applicable (where relevant)
Relevant legal frameworks: See relevant section of overarching Information Governance and Assurance Policy
Related documents: Information Governance and Assurance Policy
Published locations: Public website (www.hull.ac.uk) and SharePoint (share.hull.ac.uk)
Document Communication and Implementation Plan: Available upon request.

All printed versions of this document are classified as uncontrolled. A controlled version is available from the university website.

Introduction

This policy is based upon the 10 steps to cyber security, originally published in 2012 and promoted by the National Cyber Security Centre (NCSC) as an effective method to protect organisations from cyber-attacks. The 10 steps provide a framework that can be used to establish policies and controls within the University of Hull to mitigate information security risks and cyber security risks in particular. This policy, and subsidiary policies, complement policies and guidelines that cover more general information risks, for example the Data Protection policy and guidelines.

Purpose

This policy sets out high-level objectives that demonstrate the University's approach to a number of key areas in information security. This provides the framework upon which a range of technical controls can be built and maintained.

Scope

This policy applies to all ICT systems owned or managed by the University. The term "information system" will be used to denote any such system, typically involving hardware and software components. This policy, its subsidiary policies and the controls apply to all members of the University.

Implementation

The principles and objectives outlined in this policy will be implemented through an evolving framework of security controls based on current industry best practice and guidance, as published by the NCSC for example.

Principles and objectives

The following outlines the high-level requirements of the Security Controls Framework that will guide the technical controls and standards adopted by the University.

1. Secure configuration

Establishing and actively maintaining the secure configuration of systems is a key security control. Systems that are not effectively managed will be vulnerable to attacks that may have been preventable.

1.1. All information systems must be vendor (or community) supported, unless developed and supported by ICT.
1.2. All information systems must be kept up to date by applying essential patches to the underlying operating system and applications.
1.3. An inventory of hardware and software shall be maintained and kept up to date at all times.
1.4. All information systems shall maintain a secure configuration.
1.5. Vulnerabilities will be managed in order to maintain a secure configuration that satisfies the objectives of this policy.

Information Security Controls Policy v1-00 1

1.6. Secure configuration will be managed in accordance with ICT Service Management processes.
1.7. If feasible, ports and functionality that do not support a specific need should be disabled.
1.8. University members shall not attempt to install software from unauthorised sources.
1.9. Users with normal privileges will be limited in their ability to amend device configurations.
1.10. To limit the potential of an attacker gaining wide-reaching system access, privileged users will not use their privileged accounts for day-to-day activities such as email and internet browsing.

2. Network security

Networks need to be protected against both internal and external threats. Failing to protect University networks appropriately will leave the University vulnerable to a variety of attacks.

2.1. Only network traffic that supports University activity will be permitted.
2.2. The firewall will deny traffic by default. Only authorised ports, protocols and applications that support University activity will be permitted to exchange data across the boundary.
2.3. Inbound and outbound data will be examined for malicious content.
2.4. There will be no direct routing between internal and external networks.
2.5. Critical information systems shall be identified, grouped and isolated.
2.6. All wireless access points will be appropriately secured.
2.7. Administrator access to any network component will be properly authenticated and authorised.
2.8. Error messages will not return information that may be useful to attackers.
2.9. Network intrusion detection and prevention tools will be deployed and configured by suitably qualified staff.
2.10. Regular penetration testing will be conducted along with simulations of attacks to ensure the objectives of this policy are being met.

3. Managing user privileges

The University should understand what level of access employees need to information, services and resources in order to do their job; otherwise it will not be possible for those responsible to manage user rights effectively. Failure to manage rights effectively leads to a number of risks including privilege misuse, increased attack capability, and the ability to negate existing security controls.

3.1. The subsidiary User management policy will outline the responsibilities of information risk owners in relation to managing user rights and privileges.
3.2. User accounts will be managed through their lifespan, including when University members leave or change roles or status.

3.3. A number of password and authentication standards will be implemented. These will seek an effective balance between security and usability.
3.4. Users will be provided with the minimum rights necessary to perform their role in the interests of the University.
3.5. Highly privileged accounts will be tightly controlled and reviewed regularly. Administrators will use normal accounts for standard business use.
3.6. User activity may be monitored. Out-of-bounds activity may trigger incident response processes.
3.7. Logs should be sent to a dedicated platform that is separated from the core network. Access to logs will be strictly controlled.

4. User education and awareness

All University members have a critical role to play in helping to protect the organisation, but this should not affect their ability to perform their role. Failure to effectively support users with the right tools and awareness may leave the University vulnerable to risks such as legal and regulatory sanction, non-reporting of security incidents, and external attack.

4.1. ICT shall maintain guidance for University members to support the objectives of this policy.
4.2. Specific security policies may be produced for specific business systems to outline specific responsibilities within those systems.
4.3. An induction process shall take place, and acceptance of responsibilities will be formally acknowledged and retained.
4.4. Information security training will be mandatory for all staff, and a platform will be provided to users to enquire about security risks and discuss advice.
4.5. Staff in specific roles may be required to undertake additional specialist training.
4.6. Mechanisms to test the effectiveness of user security training will be developed and deployed.
4.7. A security culture will be promoted throughout the organisation, where the reporting of incidents will be encouraged.
4.8. University formal disciplinary processes will ensure that the sanctions detailed in this policy are enforceable at a practical level.

5. Incident response and management

Security incidents will inevitably happen and will vary in their level of impact. All incidents need to be managed effectively, particularly those serious enough to warrant invoking business continuity or disaster recovery plans. The University will develop its incident management capability to detect, manage and analyse security incidents in line with supporting policies.

5.1. Security incidents will normally be handled through the Incident Management component of the Service Management processes within ICT. These may be escalated via the associated Major Incident Management process.
5.2. Where personal data is involved, the Breach Management policy (part of the University Data Protection policy) must be followed. This policy includes procedures that should be followed for out-of-hours reporting.
5.3. If a security incident suggests a breach of the financial regulations may have taken place, then the Finance Office and/or Director of Finance must be informed.

6. Malware prevention

Malware (malicious software) can cause material harm to systems, including disruption of critical business systems and unauthorised export of sensitive information or data loss. The range of technologies used to introduce malware spans the entire infrastructure, and the risk of attack is wide and varied.

6.1. Anti-malware standards will be implemented across the IT infrastructure. Adherence to these standards is required of all business and academic areas.
6.2. All data will be scanned at the network perimeter for malicious content.
6.3. Access will be blocked to known malicious websites.
6.4. A "defence in depth" approach will be taken to ensure that end user devices connecting to the network are sufficiently protected.
6.5. Anti-malware and malicious code checking solutions will be deployed to scan inbound and outbound objects for malicious content.
6.6. Content filtering solutions may be deployed on external gateways to prevent the delivery of malicious code via common desktop applications such as the web browser.
6.7. Where business processes can support it, common browser plugins and scripting languages will be disabled.
6.8. "Autorun" will be disabled where there is no business impact, to prevent the automatic execution of malicious code.

7. Monitoring

Monitoring provides the means to assess how systems are being used and whether they are being attacked. Without the ability to monitor our systems we may not be able to detect or react to attacks, or to account for activity.

7.1. A monitoring strategy will be based on business need and an assessment of risk.
7.2. All networks, systems and services will be included in the strategy. This may include the use of network, host-based and wireless Intrusion Detection Systems (IDS). These solutions should provide both signature-based capabilities to detect known attacks, and heuristic capabilities to detect unusual system behaviour.
7.3. Inbound and outbound traffic traversing the network boundaries will be monitored for unusual activity. Unusual traffic should invoke incident response procedures.

7.4. Monitoring of user activity should identify the unauthorised or accidental misuse of systems. Monitoring of user activity will comply with all legal or regulatory constraints.
7.5. Monitoring systems will be regularly 'tuned' to ensure that attacks are effectively detected, and associated costs are kept in line with expectation.
7.6. A central, automated log management platform will be employed.
7.7. There will be a resilient and synchronised timing source to support monitoring and analysis of logs.
7.8. Incident management and response capabilities will be in place to respond appropriately to incidents detected by monitoring solutions.
7.9. Processes will be implemented to test monitoring capabilities, learn from incidents and improve monitoring efficiency.

8. Removable media

Removable media introduces the capability to transfer and store huge volumes of sensitive information, as well as the ability to import malicious content. Failure to apply any controls to removable media could expose the University to the risks of information loss, introduction of malware, and reputational damage.

8.1. The subsidiary Removable media policy will outline the limitations of removable media, along with any technical controls that may be implemented where there is a sufficiently high risk to information.

9. Mobile and remote working

Mobile working and remote access extend the transit and storage of information (or operation of systems) beyond the University infrastructure, typically over the internet. Mobile devices will also typically be used in spaces that are subject to risks such as overlooking of screens, or theft/loss of devices. As such, the University must establish sound mobile working practices to mitigate these risks.

9.1. The subsidiary Mobile and remote working policy outlines the risks associated with mobile working and remote access, and establishes responsibilities and processes for its authorised use.
9.2. A secure baseline for devices used for mobile and remote working will be enforced to ensure that only sufficiently protected devices are able to connect to the network.
9.3. Where a device used for mobile and remote working supports it, it should be encrypted. In instances where encryption is not supported, no University data shall be stored on the device.
9.4. All information travelling over a remote connection (usually via the internet) shall be appropriately encrypted.
9.5. Incident management plans should be sufficiently flexible to deal with the range of incidents that will occur as a result of mobile working practices.