Corporate Information Security Policy (CISP) - Q-CERT

Corporate Information Security Policy (CISP)
Ver 1.0
“State Agency name here”
April 2010
Table of Contents
1 Introduction
2 General Policy
3 Governance
4 Enforcement
Definitions & References
“Information System”
This is “State Agency’s” hardware (servers, workstations,
printers, scanners, etc.), software, network infrastructure and
the data stored/associated with them.
“Employee”
This refers to all staff, permanent or temporary, on contract or
employed by third parties and consultants that are providing
services to “State Agency”.
“IT Administration”
This refers to “IT Department”, who are responsible for “State
Agency’s” Information Systems.
“MUST/SHALL”
The statement is an absolute requirement.
“MUST NOT/SHALL NOT”
The statement is an absolute prohibition.
“MAY”
The statement is a truly optional requirement.
“SHOULD”
Use of this term indicates that there may be valid reasons in
particular circumstances to ignore a particular item, but the
full implications must be understood and carefully weighed
before choosing a different course.
[IAP-GOV-INFA]
Government Information Assurance Manual, ictQATAR 2008
(Unclassified)
[IAP-GOV-DCLS]
Government Information Classification Policy, ictQATAR 2008
(Unclassified)
Corporate Information Security
Policy (CISP)
Classification: Internal
1 Introduction
The purpose of this policy is to define “State Agency’s” information security strategy
and demonstrate its commitment to implement the sustainable management of
information security to protect its information assets.
“State Agency” management has agreed to adopt a culture of information security in
its business activities. It has mandated the use of the Government Information
Assurance (GIA) framework as the guiding standard to achieve this objective.
1.1 Scope
This policy applies to all Employees and to all Information Systems including:
a. Those owned or leased by “State Agency”;
b. Those that are outsourced or hosted externally;
c. Those that provide services to our constituents, but are still under “State
Agency’s” responsibility.
2 General Policy
2.1
Information is “State Agency’s” key asset and needs to be suitably available and
protected, to allow us to achieve our strategic and national goals. “State Agency”
SHALL take all necessary steps to protect this information from internal, external,
deliberate or accidental threats.
2.2
To achieve this objective, this Corporate Information Security Policy (CISP) SHALL
act as the foundation for our efforts and provide strategic direction. It is based on
the following three principles:
- Confidentiality: Information is accessible only to those authorised to have
such access and unauthorised disclosure of sensitive information is prevented;
- Integrity: safeguarding the accuracy and completeness of information and
processing methods and preventing its unauthorised change;
- Availability: information and information systems are available for business
use when required.
2.3
Our standard and baseline for information security within “State Agency” SHALL be
the Government Information Assurance (GIA) scheme [IAP-GOV-DCLS].
2.4
Information security policy, controls and procedures SHALL be documented as
follows:
[Figure: document hierarchy. The Corporate Information Security Policy sits at the
top; beneath it are the State Agency's Security Manual, the Acceptable Usage Policy,
the Business Continuity and Crisis Management Policy, and the Technical Standards &
Procedures.]
a. This document, the Corporate Information Security Policy (CISP) is the
overarching information security policy;
b. The “State Agency” Security Manual specifies the adopted controls, and
hence documents the detailed security policy that “State Agency” has chosen
to mitigate the assessed risks in its Information Systems;
c. The Acceptable Usage Policy (AUP) provides the users of Information
Systems with clear guidelines on what is permitted/not permitted whilst
using these systems;
d. Continuity of business processes and the mechanism to deal with
interruptions to the business are detailed in the Business Continuity & Crisis
Management (BCCM) Policy;
e. Detailed security requirements for specific technologies and/or systems are
set out in technical standards, which are used together with technical
procedures for the management and maintenance of systems’ security.
2.5
All Employees SHALL be provided with the AUP, to which they SHALL be obligated
as part of their employment with “State Agency”.
2.6
All Information Systems SHALL be compliant with the relevant requirements of the
CISP, the “State Agency” Security Manual, the BCCM policy and the appropriate
technical standards. Information Systems SHALL have documented Business
Continuity procedures in line with the BCCM policy, which are regularly tested for
effectiveness.
2.7
Adequate and appropriate security awareness programmes SHALL be conducted in
order to ensure that information security policies are understood and followed by
Employees and relevant stakeholders.
3 Governance
3.1
To achieve sustainable management of information security, “State Agency” SHALL
appoint a permanent employee who will fulfil the “State Agency’s” Security
Manager role, with the right levels of authority for the function.
3.2
The Security Manager is accountable for all information security related to “State
Agency’s” Information Systems.
3.3
The Security Manager SHALL have a direct reporting line to <<XXX ex. Director>>
and a functional/dotted reporting line to “State Agency’s” Executive Head.
3.4
The Security Manager is responsible for monitoring, enforcing and reviewing
Information Systems for compliance with information security policies, and
producing regular management reports on the status of information security within
the organisation. He is also responsible for ensuring information security policies
are regularly reviewed and updated as necessary.
3.5
The following departments within “State Agency” have specific roles to play in
maintaining information security within the organisation:
a. The Human Resource (HR) department is responsible for ensuring
Employees are aware of their obligations to Information Security and for
providing appropriate security orientation training for Employees;
b. “<<Facilities / Administration department>>” is responsible for ensuring
the Physical Security of “State Agency” owned, leased or operated properties;
c. <<IT Department>> is responsible for implementing the Information
Security policies for corporate Information Systems and will carry out daily
security operations;
d. <<Department XX>> is responsible for ensuring Information Systems are
monitored for security risks. Additionally, <<Department XX>> will provide
support to the Security Manager, as needed, and will ensure that a third
party audit of Information Systems is conducted annually.
3.6
Divisional directors / managers SHALL be responsible for ensuring “State Agency’s”
information security policies are implemented and complied with for current and
future Information Systems under their management.
4 Enforcement
4.1
Any employee found to have violated this policy MAY be subject to disciplinary
action as per “State Agency’s” HR manual. This could include formal reprimands up
to and including termination of employment. Criminal activities MAY be forwarded
to appropriate law enforcement authorities within the State of Qatar.
XYZ
Executive Head “State Agency”
Dated: