Information Security Policy

Similar documents
Manchester Metropolitan University Information Security Strategy

Threat and Vulnerability Assessment Tool

01.0 Policy Responsibilities and Oversight

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

Corporate Information Security Policy

Cyber Security Program

Digital Computing Asset Management

CCISO Blueprint v1. EC-Council

Standard for Security of Information Technology Resources

UTAH VALLEY UNIVERSITY Policies and Procedures

Master Information Security Policy & Procedures [Organization / Project Name]

Business continuity management and cyber resiliency

TEL2813/IS2820 Security Management

Forensics and Active Protection

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

SECURITY & PRIVACY DOCUMENTATION

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Information Technology General Control Review

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

ADIENT VENDOR SECURITY STANDARD

A company built on security

INFORMATION TECHNOLOGY ( IT ) GOVERNANCE FRAMEWORK

Certified Information Security Manager (CISM) Course Overview

Subject: University Information Technology Resource Security Policy: OUTDATED

Oracle Data Cloud ( ODC ) Inbound Security Policies

The Common Controls Framework BY ADOBE

Access to University Data Policy

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

Information Security Policy

The CISO is the owner of the vulnerability management process. This person designs the process and ensures is implemented as designed.

DETAILED POLICY STATEMENT

B. To ensure compliance with federal and state laws, rules, and regulations, including, but not limited to:

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

Red Flags/Identity Theft Prevention Policy: Purpose

Department of Management Services REQUEST FOR INFORMATION

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

The University of Queensland

Information Security Policy

Cyber Risks in the Boardroom Conference

Technical Vulnerability and Patch Management Policy Document Number: OIL-IS-POL-TVPM

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

ITG. Information Security Management System Manual

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Jeff Wilbur VP Marketing Iconix

Member of the County or municipal emergency management organization

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

The University of British Columbia Board of Governors

Putting It All Together:

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

HIPAA Security and Privacy Policies & Procedures

Designing and Building a Cybersecurity Program

The NIST Cybersecurity Framework

How AlienVault ICS SIEM Supports Compliance with CFATS

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Certified Cyber Security Specialist

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Canada Life Cyber Security Statement 2018

Cybersecurity Auditing in an Unsecure World

CONTINGENCY PLANNING GUIDE

Standard: Risk Assessment Program

ITG. Information Security Management System Manual

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

SYSTEMS ASSET MANAGEMENT POLICY

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

ASD CERTIFICATION REPORT

Security Management Models And Practices Feb 5, 2008

Information Security Strategy

CompTIA Cybersecurity Analyst+

RMS(one) Solutions PROGRESSIVE SECURITY FOR MISSION CRITICAL SOLUTIONS

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Apex Information Security Policy

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Version 1/2018. GDPR Processor Security Controls

K12 Cybersecurity Roadmap

Defining Computer Security Incident Response Teams

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

M&A Cyber Security Due Diligence

NYDFS Cybersecurity Regulations

INTELLIGENCE DRIVEN GRC FOR SECURITY

Session 5: Business Continuity, with Business Impact Analysis

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

The Impact of Cybersecurity, Data Privacy and Social Media

Healthcare Security Success Story

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

Information Security Office. Server Vulnerability Management Standards

Defensible Security DefSec 101

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

Transcription:

Document title: [ Information Security Policy May 2017 ] Approval date: [ May 2017 ] Purpose of document: [ To define AUC s information security program main pillars and components] Office/department responsible: [ Information Technology Office] Approved by: [ Name and Title of Approver ] Document classification level: [ PRIVATE, PUBLIC, or RESTRICTED (to who) ] Document accessible: [ www.aucegpyt.edu/xxx/xxx ] Related documents/see also: [ Acceptable Use Policy, Email Policy, Servers Policy, Password Policy, Peer-to-Peer File Sharing Policy ] Policy Statement Information Security Policy Information Security is one of the AUC organization s control areas, with responsibility for ensuring that our information assets are adequately protected. The American University in Cairo (AUC) Information Security Policy is a critical component among our security framework. Reason for Policy/Purpose Since AUC is committed to provide excellence in its services, information security/cyber security is an important pillar among the whole organization activities that need to be defined, prioritized and executed as per the business needs. AUC is committed to comply and cover all requirements demanded by US Federal institutions, International standards like ISO 27001, US and Egyptian laws and regulations. AUC senior administration are committed to support this policy and other related ones to deliver the adequate information security level to all stakeholders Who Approved This Policy Mr. Brian MacDougall - Executive VP for Administration & Finance Ms. Hanan Abdel Meguid - Vice President for Digital Innovation Ms. Nagwa Nicola Chief Technology Officer AUC Policy Template Page 1 of 6

Who Needs to Know This Policy All AUC community in general In specific AUC community members involved in sponsoring, developing, designing, approving, supporting, implementing, administrating, operating or otherwise delivering Information related/it solutions must read and comply with this document. Management has specific responsibility for ensuring that relevant staff are aware of and comply with this material. AUC students, faculty, staff, contractors, partners and any person who interact with AUC information is targeted by this policy The reader is also subject to Acceptable Use Policy and other developed AUC policies AUC Policy Template Page 2 of 6

Web Address for this Policy Please list the location on the university s website where this policy is located. Contacts Responsible University Official: Wessam Maher, Principal Campus Information Security Officer Responsible University Office: Information Security Office, Office of Information Technology If you have any questions on the policy or procedures, you may send an e-mail to infosec@aucegypt.edu Definitions None Policy/Procedures 1 Information security framework Information Security is a specialist area within the university operational risk management. The head of Information Security Principal Campus Information Security Officer is responsible for formulating strategy, policies and standards and for maintaining a consistent and effective information security framework across AUC. 2 Information Security Office The primary role of Information Security office is to set the AUC s agenda for Information Security, its communication and implementation as well. It ensures that the information security processes are implemented in a consistent, risk-based manner across AUC. These activities are concerned with delivering an optimum Governance, Risk and Compliance state within the Information Security scope. A framework/program for these activities is prepared by Information Security head including policies, principles, standards, technical architecture, and methodologies that must be used throughout AUC. Below are some main components for the Information Security strategy and program: - 2.1 Risk Assessment Information Security requirements must be identified through a methodical assessment of risks. Expenditure on controls needs to be balanced against the business harm/cost likely to result in case the risk has been exploited. Risk analysis considers: a) Identifying mission-critical information systems and repositories AUC Policy Template Page 3 of 6

b) The business harm likely to result, taking into account the potential consequences of a loss of confidentiality, integrity or availability of the information and other assets; whether tangible or non-tangible c) The realistic likelihood of such a failure occurring in the light of prevailing threats and vulnerabilities, and the controls currently implemented. d) Assessing the risks posed by business partners, cloud services adoptions and integrations. e) Determining legal and compliance implications and contingent liability concerns. f) Ensuring Information solutions are hardened and patched in accordance with industry best practices. According to the university risk appetite, the identified risks are handled through one of following actions: - Risk Acceptance, Risk Avoidance, Risk Limitation or Risk Transfer. AUC will ensure to perform Information Security risk assessments in a periodic and in ad hoc ways whether done by internal or external entities in order to manage Information Security priorities and activities. Also, AUC will be taking into consideration the continuous evolving threats mindset plus to confirm that proper controls are in place as well as taking into consideration any new business requirements and priorities. 2.2 Digital Forensics Investigations Information Security office is responsible for conducting Information security investigation and digital forensics activities with regards to any AUC s digital nature subjects. Also, the office is responsible for collecting and validating any digital information/logs and act as a central point of contact with any investigation parties whether internally or externally. Accordingly, Information Security office has the right to request data, meta data and technical logs and history input from AUC system s owners and administrators within the investigation s scope and through a documented communication. 2.3 Business Continuity and Disaster Recovery Plans As business continuity and disaster recovery activities are risk based activities, Information Security office is responsible for leading these activities with regards to the Information and systems sides through planning, data collection, formulating business impact analysis and validating plans components, etc. 2.4 information security awareness program AUC s management, faculty and staff are the main targets for the Information Security awareness program in order to cover all threats related to human behaviors that can affect AUC assets. On another hand, students awareness is important as well as they are the end customers who use AUC systems. Information Security office is responsible for planning and managing all activities related to this subject 2.5 Digital solutions acquisition assessment AUC Policy Template Page 4 of 6

Overseeing and evaluating digital solutions and service providers from Information Security s perspective is an essential task in order to ensure that proper safeguards are in place to protect AUC s valuable assets. 2.6 Penetration testing Penetration testing is an essential activity for detecting vulnerabilities in the system and for checking how effective the controls are in preventing any breaches. Information Security office is responsible for managing these activities whether the testing is done through the internal resources or through an external entity. Caution must be exercised while running these activities in order to safeguard AUC resources from crashing, non-controlled data exposure or unplanned downtime. All these activities must be done with a pre-defined and aligned scope. 2.7 Vulnerability Management Vulnerability/patch management is an ongoing risk based task that is led by Information Security to ensure that all systems are patched and updated against security threats. Actual implementation of patching is done by the respective operations teams. 2.8 Continuous Monitoring Activities Information Security office is responsible for establishing a business accepted Information Security Operation Center (SOC) that will monitor, respond and report any security violation or suspicious behavior. Accordingly, all needed feeds and data logs from AUC systems need to be accessible in order to provide the proper visibility and accordingly better detection and protection to AUC s assets. 2.9 Design validation Information Security office is responsible for assessing Information systems design like network systems, software systems, cloud solutions, hardware security adequacy, etc. in order to ensure that security requirements and constraints are implemented on ground. Read procedures, hardening guides and checklists are to be generated for reoccurring assessments. 2.10 Information Lifecycle Information Security office evaluates and enforce security controls and design restrictions towards the information lifecycle and its related systems whether regarding the Information processing, storage, classification, disposal or transmission etc. 3 Continuous Improvement AUC will ensure to evaluate the output of all the above components in order to adjust the Information Security program adequately and continuously. Forms/Instructions AUC Policy Template Page 5 of 6

List applicable forms or other university and external documents that provide helpful, relevant information. Include where these documents can be located. Related Information List related university policy documents or cross-references and where they can be located. Appendices (optional) Appendices are used for informational material that is helpful in understanding the policy, but not directly related to the implementation of the policy, i.e., not procedures. Content may include graphics or text. History/Revision Dates Origination Date: Month, Day, Year Last Amended Date: Month, Day, Year Next Review Date: Month, Day, Year AUC Policy Template Page 6 of 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback