Information Systems and Technology Security
Integrity Protection Standard
Document History
Copyright © [Creation Date] [Company Name]
All rights reserved. This document is for internal use only. No part of the contents of this
document may be reproduced or transmitted in any form or by any means without
the expressed written permission of [Company Name].
Integrity Protection Standard
The [Company Name] (the "Company") Asset Protection Standard defines
objectives for establishing specific standards for protecting the confidentiality,
integrity, and availability of Company information assets.
This Integrity Protection Standard builds on the objectives established in the Asset
Protection Standard, and provides specific instructions and requirements for the
proper identification, authentication, and authorization controls necessary to
remotely access Company information assets.
1. Scope
All employees, contractors, part-time and temporary workers, and those
employed by others to perform work on Company premises or who have been
granted remote access to Company information or systems, are covered by this
standard and must comply with associated guidelines and procedures.
Definitions
Authentication refers to the controls for providing Remote Users the means to
verify or validate a claimed identity through the presentation of something
they know (e.g., a password), something they have (e.g., a token), or something
they are (e.g., a fingerprint or other biometric).
Authorization refers to the controls for determining the resources that Remote
Users are permitted to access based upon the permissions and privileges for
which they have been authorized.
Confidentiality Classifications are defined in the Information Classification
Standard.
Encryption refers to a method of scrambling information to render it
unreadable to anyone except the intended recipient, who must decrypt it to
read it.
Identification refers to the controls for providing Remote Users the means to
convey their identities through the use of pre-determined identifiers.
Information assets are defined in the Asset Identification and Classification
Standard.
Integrity Protected refers to information that is classified as Integrity Protected.
Refer to the Information Classification Standard for integrity classification
categories.
Remote Access refers to the ability to access Company information and
systems from a remote location such as, but not limited to, branch offices,
employees' homes, contracted locations, hotels, telecommuting sites, and mobile
users. Types of remote access technologies and implementations include,
but are not limited to, dial-in modems, cable modems, and virtual private
networks (VPN).
Remote Access Credentials refers to identification and authentication
credentials/data such as User IDs, passwords, tokens, etc.
Remote Access Systems refers to the systems, networks, and applications that
facilitate remote access to Company information and systems.
Sensitive information refers to information that is classified as Restricted or
Confidential. Refer to the Information Classification Standard for
confidentiality classification categories.
Two-Factor Authentication refers to the method of authentication that
requires two factors before a Remote User will be allowed access to a
network or system: 1) a hardware or software token which produces a code
that will change randomly at short time intervals and 2) a password which is
unique and only valid for the token.
2. Requirements
a. General
i. "Integrity Protected" information and Sensitive information must be
protected with integrity controls.
ii. Integrity controls must be defined and incorporated into
development and production processes and procedures to ensure
that the information is correct, auditable, and reproducible.
iii. The Company-approved file integrity and file hashing algorithms are
specified in the Encryption Standard.
iv. Where file-level integrity controls are not appropriate (for example, for
data held in databases), the controlling application should perform the
integrity checking itself.
v. "Integrity Protected" information and Sensitive information must be
encrypted during storage and when transmitted over a public or
shared network in accordance with the Encryption Standard and
Information Handling Standard.
vi. A formal review must be conducted at least annually to evaluate
the integrity controls that are included in the processes and
procedures that manage the storage, processing, and transmission
of sensitive information.
b. Confidential Information
i. Automated integrity checking should be used during the input of
data into a system whenever possible.
ii. Systems that store or process "Confidential" information should use
Company-approved file integrity mechanisms on critical system
and data files.
c. Restricted Information
i. The input of "Restricted" information should be checked manually
for accuracy.
ii. Systems that store or process "Restricted" information should use
Company-approved file integrity mechanisms on critical system
and data files.
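Requirements b.ii and c.ii call for Company-approved file integrity mechanisms on critical system and data files. The following is an added example, not part of this standard or of any Company tooling, of a baseline-and-verify check of that kind; it assumes SHA-256 as a stand-in for the algorithm the Encryption Standard actually approves and uses a constructed key and constructed sample files. It also MACs the baseline manifest, so that a baseline rewritten to hide a change is itself detected, and the demo walks through a clean check, a modified record plus a dropped-in file, and a forged baseline.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

HASH_ALG = "sha256"  # assumed stand-in for the algorithm the Encryption Standard approves

def file_digest(path):
    """Stream the file through the approved hash so large files are not loaded whole."""
    h = hashlib.new(HASH_ALG)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, key):
    """Hash every file under root and MAC the manifest so tampering with the baseline is detectable."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root)] = file_digest(full)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, HASH_ALG).hexdigest()}

def verify_baseline(root, baseline, key):
    """Return changed/missing/unexpected paths, or None when the baseline fails its MAC check."""
    body = json.dumps(baseline["files"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, HASH_ALG).hexdigest(), baseline["mac"]):
        return None
    expected, current = baseline["files"], build_baseline(root, key)["files"]
    return {
        "changed": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in current),
        "unexpected": sorted(p for p in current if p not in expected),
    }

def demo():
    key = b"constructed-demo-key"  # constructed; in practice kept off the monitored host
    with tempfile.TemporaryDirectory() as root:
        Path(root, "records.csv").write_text("id,balance\n1,100\n")  # constructed data file
        baseline = build_baseline(root, key)
        clean = verify_baseline(root, baseline, key)
        Path(root, "records.csv").write_text("id,balance\n1,999\n")  # silent modification
        Path(root, "extra.bin").write_bytes(b"\x00")  # file the baseline never recorded
        tampered = verify_baseline(root, baseline, key)
        forged = dict(baseline, files=build_baseline(root, b"wrong-key")["files"])  # manifest rewritten, MAC not
        return clean, tampered, verify_baseline(root, forged, key)
```

The verification key must be stored separately from the monitored files, otherwise whoever can alter the files can also re-sign the baseline.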
3. Responsibilities
The [Security Executive's Title] approves the Integrity Protection Standard. The
[Security Executive's Title] also is responsible for ensuring the development,
implementation, and maintenance of the Integrity Protection Standard.
Company management, including senior management and department
managers, is accountable for ensuring that the Integrity Protection Standard is
properly communicated and understood within their respective organizational
units. Company management also is responsible for defining, approving and
implementing procedures in its organizational units and ensuring their
consistency with the Integrity Protection Standard.
Asset Owners (Owners) are the managers of organizational units that have
primary responsibility for information assets associated with their functional
authority. When Owners are not clearly implied by organizational design, the
[Security Executive's Supervisor Title] will make the designation. The Owner is
responsible for defining processes and procedures that are consistent with the
Integrity Protection Standard; defining the remote access control requirements
for information assets associated with their functional authority; processing
requests associated with Company-approved remote access request
procedure; determining the level of remote access and authorizing remote
access based on Company-approved criteria; ensuring the revocation of
remote access for those who no longer have a business need to access
information assets; and ensuring the remote access controls and privileges are
reviewed at least annually.
Asset Custodians (Custodians) are the managers, administrators, and those
designated by the Owner to manage, process, or store information assets.
Custodians are responsible for providing a secure processing environment that
protects the confidentiality, integrity, and availability of information;
administering remote access to information assets as authorized by the Owner;
and implementing procedural safeguards and cost-effective controls that are
consistent with the Access Control Standard and the Integrity Protection
Standard.
Remote Users are the individuals, groups, or organizations authorized by the
Owner to access information assets. Remote Users are responsible for
familiarizing themselves with and complying with the Integrity Protection
Standard and associated guidelines; following Company-approved processes and
procedures to request and obtain remote access to information assets; ensuring
that Remote Access Credentials such as passwords and tokens are not written
down or stored in a place where unauthorized persons might discover them;
reporting immediately to the Information Security Helpline at [Contact Number]
when Remote Access Credentials have been or may have been compromised;
ensuring that connections to non-Company networks are not established while
remotely connected to the Company network; and maintaining the confidentiality,
integrity, and availability of information accessed, consistent with the Owner's
approved safeguards, while it is under the User's control.
4. Enforcement and Exception Handling
Failure to comply with the Integrity Protection Standard and associated
guidelines and procedures can result in disciplinary actions up to and including
termination of employment for employees or termination of contracts for
contractors, partners, consultants, and other entities. Legal actions also may be
taken for violations of applicable regulations and laws.
Requests for exceptions to the Integrity Protection Standard should be submitted
to the Company [Security Executive's Title]. Exceptions shall be permitted only
on receipt of written approval from the [Security Executive's Title]. The [Security
Executive's Title] will periodically report current status to the Company [Security
Executive's Supervisor Title] or its designee.
5. Review and Revision
The Integrity Protection Standard will be reviewed and revised in accordance
with the Information Security Program Charter.
Recommended: ________________________
Signature
[Name]
[Security Executive's Supervisor Title]
Approved: ____________________________
Signature
[Name]
[Security Executive's Supervisor Title]