Securing Information in the Digital Age
Information Security Policies
as Presented by
The Department of Public Service
+ Glossary and Reference Manual
This document presents a suite of integrated solutions which, together, offer your organisation the tools necessary to integrate Information Security best practice into your day-to-day business operations, whether you are a large corporation or a small company with a handful of employees. Upon adoption it will serve as a blueprint for all organs of state to abide by in implementing the various categories of information security, access and management.
Information Security Policies are the cornerstone of Information Security effectiveness.
Without a policy upon which to base standards and procedures, decisions are likely to be inconsistent and security holes will be present, ready to be exploited by internal and external persons alike. The threat posed by the lack of (consistency in) information security initiatives by a nation or state carries unbearable consequences, which this document does not purport to discuss in detail.
These Information Security Policies have been drawn from the extensive experience of best international practice where Information Security has played a major role. Based upon the foundation of ISO 17799 and BS 7799, they provide an extensive range of policies which may be modified and adopted by your organisation and upon which a comprehensive Information Security culture may be built.
Following adoption of the Information Security Policies, either revised or ‘as is’, the primary objective is to have them understood and followed by the organisation’s staff.
Some organisations already have an Intranet for the mass distribution of information.
However, whilst this approach may be effective in some organisations, in others it is little more than an electronic message board, the contents of which few will actively study.
Systems need to be developed or reinforced to deliver each of the Information Security Policies directly to the desktop in a meaningful and practical manner; more importantly, each Policy is delivered in context.
USING YOUR INFORMATION SECURITY POLICIES 6
CHAPTER 01 SECURING HARDWARE, PERIPHERALS AND OTHER EQUIPMENT 9
Sub-Chapter 01 Purchasing and Installing Hardware 10
Sub-Chapter 02 Cabling, UPS, Printers and Modems 15
Sub-Chapter 03 Consumables 22
Sub-Chapter 04 Working Off Premises or Using Outsourced Processing
USING YOUR INFORMATION SECURITY POLICIES
These Information Security Policies are a major step towards a comprehensive, consistent and meaningful security-conscious environment within governance. Recent studies have shown that 85% of organisations have no formal set of Information Security Policies and, as a result, there is little or no foundation upon which to build the appropriate safeguards to protect the life blood of the organisation – its information.
Expected Reader / User
One of the key appointments in any organisation, irrespective of size or function, is that of an Information Security Officer. The trend observed here is that this person is unlikely to be a full-time specialist; on the contrary, they are likely to be performing a business-related role. The point is that someone must be appointed to take overall responsibility for ensuring that the appropriate Information Security safeguards are in place, that Policies are agreed and rolled out, and that all users of information within your organisation understand their responsibilities and duties. These Information Security Policies are aimed at the optimisation of Organs of State. The assumption here is that you have, or will make, such an appointment within your organisation. For further information and a comprehensive guide to the role and responsibilities of the Information Security Officer, you may wish to consult the Information Security Officer’s Manual.
Other Expectations
Whilst the following Information Security Policies lay a solid foundation for the development and implementation of secure practices within your organisation, the Policies themselves are not instructional or overly descriptive. They represent the rules which must be adhered to by organs of State. Such compliance will require an understanding by staff not only of the individual policies but also of the circumstances in which such compliance is expected in their day-to-day activities. Knowing the Policies is only one half of the equation; staff need to know how they should comply, from a procedural perspective.
For this reason, version 2.0 of the Information Security Policies includes these 3 additional key features:
• Explanatory Notes providing background to the Policy
• Some of the Key Information Security Issues which should be considered when implementing the Policy in question
• The Related ISO 17799 / BS 7799 reference(s)
The British Standard for Information Security was approved as an ISO standard in October 2000. It is a key standard against which Information Security standards can be measured, and the references within ensure that easy cross-referencing is possible.
The Steps to Implementation
In the following Chapters, you will find headings which relate to logical groupings, e.g. the first chapter is concerned with the security of hardware, peripherals and other equipment. Within each chapter there are appropriate sub-chapters which again group related items. Following these are the individual Information Security Policies. The Policies themselves have been drawn from the extensive experience of IT and Security professionals and are based upon the renowned International Standards BS 7799 and ISO 17799. Moreover, whilst the Policies do not claim to cover every conceivable area of information systems, their scope is more than adequate to lay the foundation for an organisation operating in accordance with accepted international best practice.
There are six steps involved in getting the best from these Information Security Policies. Follow these steps and the risks from Information Security related incidents can be reduced – measurably.
Step 1 – Browse the Policies
The first step is to print out the Information Security Policies from this document. Start at page 9 and print up to and including the last policy.
Work through each of the main Chapter headings and confirm that it is relevant to your organisation. It is not necessary to consider Information Security Policies which relate to areas and functions beyond the scope of your normal (or anticipated) commercial operations. For example, if you have never written (or had written) your own business software, and never plan to, the Information Security Policies relating to Developing and Maintaining in-house Software may be omitted. However, such decisions will usually need to be confirmed at Board / Director level.
Step 2 – Study the Policies
The majority of the Chapters and Sub-Chapters will be relevant to any organ of State.
Think long and hard about excluding areas. It may be that some aspects of your organisation’s operations are less familiar to you. In such cases, you should discuss the scope of the Policies with colleagues who represent each of the key functional / business areas.
Study each Policy within the context of the heading. Whilst the wording is as ‘jargon free’ as possible, it is still likely that some terms may not be totally familiar to you. For this reason, we have embedded links to a comprehensive Glossary and Reference manual (which follows the Policies) which will hopefully answer any immediate queries.
Step 3 – Review and Amend the Policies
Whilst the Policies have been developed to be applicable to the majority of organisations, there are key aspects that may need your attention. For example, some Policies make specific reference to legislation, e.g. adherence to the Data Protection Act, the Promotion of Access to Information Act, the Labour Relations Act, the Public Service Act, the State Information Technology Agency Act, etc. In the majority of cases, however, we anticipate your being able to agree to the wording as presented, which should make this part of the process quick and easy. The generic term ‘organisation’ is to be understood to mean Organ of State; though these policies can be adopted by any organisation, they are particularly binding on all organs of State.
Step 4 – Confirm / Ratify the Policies
For Policies to be effective, with compliance mandatory, they must be supported and ratified by your Board of Directors or similar governing body. This agreement is likely to require an outline of precisely how compliance will be achieved and the management procedures to be put in place to monitor and manage the process. Your organisation may already have such procedures in place, but if not, you may require some additional support (the Information Security Officer’s Manual is one such source). As approved by Cabinet, some form of institutional framework for the management of effective information security should be reinforced or put in place.
Step 5 – Publish the Policies
The Policies will now have been discussed, agreed and passed by your Board of Directors or similar, and may now be published to all staff. The head of Human Resources / Personnel must be one of the first recipients, as employment contracts may need to be amended to reflect the mandatory need for compliance with the organisation’s Information Security Policies.
Traditionally, Information Security Policies have been delivered in paper form either to each member of staff or to the Head of Department (or similar) with staff being required to read and then sign to demonstrate their awareness.
Step 6 – Implement / Comply with the Policies
Implementation, compliance and follow-up are now required. The Information Security Policies have established the ground rules across a wide range of Information Security areas, but translating these into a meaningful and practical response to the various day-to-day situations faced by your personnel can be a challenge. The most important aspect of Information Security Policy compliance is knowing what actions are required to constitute ‘compliance’. Your organisation must either develop its own range of procedures or consider using a tool specially crafted for the job.
In addition, the requirements of the Policies will result in the need to initiate one or more Information Security Projects to identify and implement a range of appropriate technical safeguards such as firewalls, anti-virus software, intrusion detection systems, etc. All enquiries regarding these policies should be directed to the DPSA.
Sub-Chapter 01 Purchasing and Installing Hardware
Sub-Chapter 02 Cabling, UPS, Printers and Modems
Sub-Chapter 03 Consumables
Sub-Chapter 04 Working Off Premises or Using Outsourced Processing
Sub-Chapter 05 Using Secure Storage
Sub-Chapter 06 Documenting Hardware
Sub-Chapter 07 Other Hardware Issues
Policy 010102 Specifying Detailed Functional Needs for New Hardware
Policy 010103 Installing New Hardware
Policy 010104 Testing Systems and Equipment
"All purchases of new systems hardware or new components for existing systems must be made in accordance with Information Security and other organisation Policies, as well as technical standards. Such requests to purchase must be based upon a User Requirements Specification document and take account of longer term organisational business needs. The acquisition has to pass a test that will qualify the need for a presentation on the business case of such acquisition."
“It is recommended that all acquisition be conducted through a central IT acquisition centre to ensure economies of scale, consistency and better negotiated service level agreements, as well as enabling state organs to focus on their key performance areas.”
EXPLANATORY NOTES
The purchase of new computers and peripherals requires careful consideration of your business needs because it is usually expensive to make subsequent changes.
Information Security issues to be considered when implementing your policy include:
• The system must have adequate capacity or else it may not be able to process your data.
• Data must be adequately protected; otherwise there is a risk of loss or accidental / malicious damage.
• Where hardware maintenance is poor or unreliable, you greatly increase the risk to the organisation, because, in the event of failure, processing could simply STOP.
• The system must be sufficiently 'resilient' to avoid unplanned down-time, which can have an immediate negative impact on your organisation.
RELATED ISO 17799 AND BS 7799 REFERENCE(S)
• 4.1.4 Authorisation process for information processing facilities
SUGGESTED POLICY STATEMENT
“Except for minor purchases, hardware must be purchased through a structured evaluation process which must include the development of a detailed Request For Proposal (RFP) document. Information Security features and requirements must be identified within the RFP.” This can only be better provided for by a separate and dedicated acquisition centre.
It is necessary to specify, in detail, the specific functional performance and capacity requirements as part of the hardware purchasing process. The document specifying these detailed requirements is usually called a Request for Proposal or 'RFP'. See Request for Proposal for a more detailed description of how to create such a document.
Information Security issues to be considered when implementing your policy include the following:
• Where hardware is purchased without adequate analysis your organisation may:
1) Purchase inappropriate hardware for the required task.
2) Purchase a system that does not comply with your Technical Architecture or IT Strategy.
3) Fail to achieve the best value when (e.g.) price, performance, reliability, capacity and support issues are considered.