Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

Pomeroy Security Principles

Policy Title: Pomeroy Security Principles
Binder Association: PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy
Author: Joseph Shreve
Review Date: September of each year or as required
Document: POM_SEC_Principles_2015_v1.docx (7 pages)

Contents:
Purpose
Security Policy Workflow
Scope
Exceptions
SEC Workflow Diagram
Pomeroy Principle Security Statements and Policies
Security Processes and Procedures
Revision Details

Purpose:

Effective security is achieved by coordinating all aspects of controls, based on policies defined by the company, to form a unified and well-defined mandate. The basis of these Principles is found in standards such as ISO 27002 (note: Pomeroy does not claim ISO 27002 certification but rather adheres to accepted best practices for security). This document provides the policies that Pomeroy has deemed required for proper governance. The fundamentals outlined here are referenced in the Pomeroy Security Controls Reference; that manual provides the instructions for enforcing the policies outlined here.

Security Policy Workflow:

Pomeroy has adopted the policy workflow model shown in Figure 1 below. It shows how policies are generated to act upon business objects in order to protect them, and how the procedures applied are refined to produce proper controls. Management approval is required for the policies, for the controls applied, and for the auditing reports that can drive new or revised policies. The integral concept is that security is a continuous process of testing and revision to maintain an appropriate level of protection.

Scope

This policy applies to all workers, contractors, consultants, temporary workers and other workers at Pomeroy, including workers affiliated with third parties who access Pomeroy computer networks. This policy also applies to all computer and data communication systems owned and/or administered by Pomeroy. Workers employed at client locations must adhere to Pomeroy security policies when doing so does not conflict with or counter the security policies at the client's location.

Exceptions

Under rare circumstances, business needs may require that Pomeroy deviate from this policy. Exceptions to this policy must be documented. To document an exception, the designated security coordinator and/or business unit management must complete the Security Exception Form (SecExceptionTemplate.docx) located in the Pomeroy Security Binder ( Sites > Sites > > Company-Wide).

SEC Workflow Diagram

Figure 1 - Security Policy Workflow. [Diagram not reproduced; its labels are:] Management Approvals; Security Policies; Security Procedures (policies applied via procedures/processes); Security Controls; Business Objects (infrastructure and support for deliverables; external and internal processes, connectivity, and access to these objects); Reporting and Auditing; Revisions and Updates; New objects needing policies; Management Approvals.

Pomeroy Principle Security Statements and Policies

Principle Security Statement 1) Access to private Pomeroy systems, assets, and physical space will be restricted to authorized users.
Corresponding Policy:
a) Pomeroy will issue logon names and passwords (credentials), tokens, or other means of access; these are to be protected, kept secret, and not shared.
b) Least privilege will be required for any special access within the company's systems.
c) All new users must be authorized through the appropriate management process, and this authorization must be documented.
d) Timely revocation of credentials is required and must also be documented via the approved process.
e) Adherence to these access policies will be periodically audited and feedback given to improve the processes.

Principle Security Statement 2) Those with access to Pomeroy systems, assets, and physical space will be expected to use this access appropriately.
Corresponding Policy:
a) An appropriate use policy document will outline specific expectations, and all users will acknowledge an understanding of these expectations.
b) Documents for appropriate use will be readily available to all users.
c) All users will be expected to understand the contractual and licensing constraints on using Pomeroy systems.

Principle Security Statement 3) Those with access to Pomeroy systems will be informed on a regular basis how they can help keep Pomeroy secure (security awareness).
Corresponding Policy:
a) A security awareness program will inform users of security issues. It will provide both new and current users with information on proper behavior to minimize security risks.
b) This program will be provided at least annually.

Principle Security Statement 4) Important Pomeroy assets will be labeled and tracked so that they can be properly managed. Assets containing Pomeroy business information are considered important assets.
Corresponding Policy:
a) Assets with significant impact on Pomeroy business are to be uniquely labeled and tracked so that they may be retained or disposed of as appropriate to their lifecycle.
b) Assets that store information and are re-used or disposed of will have all previous information removed prior to this status change.

Principle Security Statement 5) Pomeroy will regularly assess the risk of loss or damage from internal and external means. Proper steps will be taken to mitigate these risks.
Corresponding Policy:
a) Risk assessments and audits must be done on a regular basis.
b) Pomeroy will employ objective third-party auditing to review security and information protection on an annual basis.
c) An appropriate incident management process will be defined to respond to threats to the business.

Principle Security Statement 6) Plans must be in place to recover and re-establish company assets and systems so that the business may continue after a risk becomes an actual disruption to normal operations.
Corresponding Policy:
a) A Disaster Recovery (DR) plan and a Business Continuity Plan (BCP) must be available to the proper Pomeroy staff and reviewed/updated on a regular basis.
b) Disaster recovery tests for all critical systems (information, facilities, and personnel) must be held at least once a year. These tests will include a postmortem of the findings to properly revise future implementations.
c) Any significant disrupting incident (as defined by agreed criteria) will use the incident response and notification procedures approved by management.

Principle Security Statement 7) All forms of data, systems, and communication for the company will be protected from improper use, control, or damage due to loss. This includes written, voice, or electronic communications. The related policy is the Network Design and Maintenance Policy.
Corresponding Policy:
a) Disclaimers will be attached to all communications in case of mistakenly addressed instances.
b) Encryption will protect all network or application logins.
c) Encrypted communications will be used whenever external connections are made to the Pomeroy network.
d) Devices attaching to company networks must be authorized to do so and must be properly protected.
e) Physical and virtual protection will be applied to the devices handling communications to prevent unauthorized access.
f) Monitoring of systems to discover malicious programs or unauthorized system alterations will be maintained.
g) Monitoring of systems for appropriate capacity (regarding availability) will be maintained.
h) Redundancy and duplication of critical data, systems and communications will be assessed and provided.

Principle Security Statement 8) All information owned by the company will be classified so that it may be handled appropriately.
Corresponding Policy:
a) Pomeroy will keep, as part of its security awareness program, information on how to classify the information handled by users.
   1. Pomeroy will update this information to keep pace with business, government and other legal requirements for protected information.

Principle Security Statement 9) All information stored by the company will be stored and moved appropriately to its classification.
Corresponding Policy:
a) User roles/functions within the company will determine what information users can see and act upon.
b) An appropriate separation of duties will exist to prevent unchecked execution of financially impacting actions.
c) Removal or destruction of information or assets will be done so as to prevent re-use or inappropriate access.

Principle Security Statement 10) All changes to important and/or critical systems will follow appropriate processes of testing and approval and be documented (change management). The availability of these systems will be properly communicated during planned change or other disruption.
Corresponding Policy:
a) A documented workflow, based on ITIL service lifecycle concepts, will be followed to handle production changes.
b) Only after testing and quality assurance will changes be submitted for review via the approval workflow.
c) Emergency changes to systems, regardless of the cause, will be communicated to all appropriate users and management.

Principle Security Statement 11) The Company will designate staff who will create, review, and update the security policies, controls, risk assessments, and responses needed for operating a secure business. Impartial 3rd parties will audit these measures at least annually. This will include appropriate compliance with applicable laws and regulations.
Corresponding Policy:
a) Policies will be written, and the procedures derived from them generated, by the appropriate staff. These will be vetted by the appropriate authority.
b) Executive management will have knowledge of the risks discovered and of the policies and procedures created to mitigate these risks. Approval of security policy documents is done at least annually.
c) Organization of contracts and legal requirements will be maintained.
d) Annual audits by a 3rd-party firm will apply generally accepted, independent standards to review the security policies, procedures and controls in place for the Company.

Security Processes and Procedures

The above principles and policy statements relate directly to the Security Controls - Pomeroy document, which should be referenced for details on how Pomeroy applies its security policies.

Revision Details:

Date        Version   Change Summary
4/11/13     .1        DRAFT creation of document for review by stakeholders
5/13/2013   1         Approved for rollout by CIO
1/28/2014   1.1       Added statement 11 (designated security policy creators and reviewers)
3/28/14     1.2       Added incident response language to Principle 6 policy and added language to Principle 7 and policies for malicious programming or malware and redundancy
7/3/2014    1.3       Added Principle 11 and attendant policies, CIO approval of changes
10/17/14    1.4       Added capacity language for Principle 7
3/14/15     1.5       Placed revisions at end of doc, reviewed

Policy Approval:
Signature: Kristi Nelson, SVP Shared Business Services
Date: signed