Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

Information Security Management Policy

advertisement 
Information Security
Management Policy
Purpose
This policy defines the objectives, accountabilities and application of
information security management in the Department of . . ..
Replaces
<Previous Policy Document>
Commences
<date>
File:
<file reference or policy number>
Scope
This policy covers the management of security for Department
information including technology infrastructure, information systems,
business information systems, and the systems and services that store,
process and communicate Department information.
Principle
The <Director General/Chief Executive Officer/Commissioner> is
accountable for use of Department resources and to ensure the
requirements for information security are satisfied in accordance with the
principles of risk management, including:
 protecting the availability, confidentiality and integrity of information;
 control of access to and proper use of information and information
systems;
 authentication of users; and
 non-repudiation of electronic transactions
Responsibility The Department’s Corporate Executive Committee is responsible to
oversee this policy.
Staff members, including contractors and consultants, are responsible to
ensure they comply with this policy.
Custodian
Director, Information Services
Date
Executive Director, Corporate Services
Date
Director General
Date
Approver
Endorser
© Copyright 2010 The State of Western Australia
106730236
Page 1 of 12
Department of . . .
1.
Information Security Management Policy
Policy
The Department of . . . is responsible for the security of its information and
information systems.
2.
Objectives
To ensure that Department requirements for information security are satisfied in
accordance with the principles of risk management:
a. the control of access to and proper use of information and information
systems
b. the availability, confidentiality and integrity of information
c. the authentication of users
d. the non-repudiation of electronic transactions
3.
Definition
Interpretation:‘Department information’ means
e. any official information, government record or personal information
(see the Criminal Code, the State Records Act 2000 (WA), Freedom
of Information Act 1992)
f. which is created or obtained by the Department, stored by the
Department or on Department facilities
Interpretation:‘Department resources’ includes
g. official information, equipment and facilities (see the Public Sector
Management Act (1994), section 9(b))
4.
Application
a. The Department will adopt relevant standards for information security
management and risk management, including WA Government
guidelines
b. The compliance with these guidelines is to be managed by the
Information Security Group
c. Compliance means:
 regular reviews of security exposures
 investigation of security infringements, as required
 an ongoing action plan to achieve continuous improvement in
security, within the operational budget allocation
d. The Department’s framework for information security management is
summarised in the appendices. <Departments should include, policy
lists, and delegations>
5.
Accountabilities and Responsibilities
5.1.
The Director General
a. Is accountable for Department compliance with this information
security management policy
© Copyright 2010 The State of Western Australia
106730236
Page 2 of 12
Department of . . .
Information Security Management Policy
b. Shall establish a management group to approve information security
policies, standards and procedures, and to supervise the
management of the information security management process.
5.2.
Director, Information Services
Director, Information Services is responsible for:
a. Information
b. Information infrastructure
c. Information policies
5.3.
Information Security Group
The Information Security Group is responsible for:
a. formulating and managing the Department’s information security
policy
b. Coordinating the implementation of security across the Department.
5.4.
Information Security Manager
The Information Security Manager, <Section>, is responsible for:
a. establishing and maintaining a management system for the
information security process within the Department
b. maintaining the Department’s information and security policies, such
as the Computer and Telecommunications Facility Policy.
5.5.
Staff
Department staff are responsible to:
c. understand and comply with the Department’s information security
policies, standards and procedures, such as:
 the Computer and Telecommunications Facilities Policy
 the Intellectual Property Policy
 the Backup and Recovery Policy
 the Virus and Vulnerability Patching Policy
d. never subvert or attempt to subvert any security measures related to
the protection of Department information systems and assets
e. report immediately any actual or suspected security incidents,
weaknesses or failures to the Service Desk, Line Manager or
Information Security Manager
5.6.
System Owners
a. Are responsible for ensuring the compliance of their systems with this
Information Security Management Policy.
5.7.
Divisional Heads, Executive Directors, Directors
a. Are responsible for managing the risks to their business processes
and assets
b. Must manage the information and information systems that belong to
their business processes and assets
© Copyright 2010 The State of Western Australia
106730236
Page 3 of 12
Department of . . .
Information Security Management Policy
c. Must ensure that the security requirements that are justified for their
processes and assets are satisfied
d. Are responsible for managing the risks to their information and
information systems
e. Are responsible for authorising, controlling access to and
administering their information and systems
f. Must identify and justify security requirements for their information
and information systems
g. Are responsible for the development, management and maintenance
of jurisdiction specific information security management system
including policy, standards and procedures
h. Are responsible for their staff and contractors being properly educated
about relevant Department information security policy, standards and
procedures and being properly trained and authorised to use the
information and information systems necessary to perform their work.
6.
Policy Promulgation
Commencement date
Communication process
7.
Policy Review
The Department reviews and updates this policy as needed.
8.
Contact
Questions related to this policy document may be directed to the Director, Information
Services on (08) 9999-9999.
© Copyright 2010 The State of Western Australia
106730236
Page 4 of 12
Department of . . .
Appendix –
17799:2006)
9.
Information Security Management Policy
Minimum
Standards
(per
ISO
AS/NZS
ISO/IEC
Information security is the protection of information from a wide range of threats in order to
ensure business continuity, minimize business risk, and maximize return on investments
and business opportunities.
Information security is achieved by implementing a suitable set of controls, including
policies, processes, procedures, organizational structures and software and hardware
functions.
9.1.
How to establish security requirements
It is essential that an organization identifies its security requirements. There are three
main sources of security requirements.
1. One source is derived from assessing risks to the organization, taking into account
the organization’s overall business strategy and objectives. Through a risk
assessment, threats to assets are identified, vulnerability to and likelihood of
occurrence is evaluated and potential impact is estimated.
2. Another source is the legal, statutory, regulatory, and contractual requirements that
an organization, its trading partners, contractors, and service providers have to
satisfy, and their socio-cultural environment.
3. A further source is the particular set of principles, objectives and business
requirements for information processing that an organization has developed to
support its operations.
9.2.
Assessing Security Risks
Security requirements are identified by a methodical assessment of security risks.
Expenditure on controls needs to be balanced against the business harm likely to result
from security failures.
9.3.
Selecting Controls
Once security requirements and risks have been identified and decisions for the treatment
of risks have been made, appropriate controls should be selected and implemented to
ensure risks are reduced to an acceptable level [for the Department].
9.4.
Minimum Controls [Protections or Objectives]
Controls considered to be essential to an organization from a legislative point of view
include, depending on applicable legislation[, must address]:
a) data protection and privacy of personal information (see 15.1.4);
b) protection of organizational records (see 15.1.3);
c) intellectual property rights (see 15.1.2).
9.5.
[Recommended] Common Controls
Controls considered to be common practice for information security include:
a) information security policy document (see 5.1.1);
b) allocation of information security responsibilities (see 6.1.3);
© Copyright 2010 The State of Western Australia
106730236
Page 5 of 12
Department of . . .
Information Security Management Policy
c) information security awareness, education, and training (see 8.2.2);
d) correct processing in applications (see 12.2);
e) technical vulnerability management (see 12.6);
f) business continuity management (see 14);
g) management of information security incidents and improvements (see 13.2).
10. Appendix – Information Security Categories (delete as needed)
The International standards define the following information security categories:
Category
Summary
Risk assessment
Security policy
management direction
Organization of information security
governance of information security
Asset management
inventory
and
information assets
Human resources security
security aspects for employees joining,
moving and leaving an organization
Physical and environmental security
protection of the computer facilities
Communications and operations management
management of technical security
controls in systems and networks
Access control
restriction of access rights to networks,
systems, applications, functions and
data
classification
of
Information systems acquisition, development building security into applications
and maintenance
Information security incident management
anticipating
and
responding
appropriately to information security
breaches
Business continuity management
protecting, maintaining and recovering
business- critical processes and
systems
Compliance
ensuring conformance with information
security policies, standards, laws and
regulations
AS/NZS ISO/IEC 17799:2006 is identical with and has been reproduced from ISO/IEC
17799:2005.
ISO/IEC 27002:2005 comprises ISO/IEC 17799:2005 and ISO/IEC
17799:2005/Cor.1:2007. Its technical content is identical to that of ISO/IEC 17799:2005.
ISO/IEC 17799:2005/Cor.1:2007 changes the reference number of the standard from
17799 to 27002.
© Copyright 2010 The State of Western Australia
106730236
Page 6 of 12
Information Security
Management Policy
11. Appendix – Information Security Controls (delete as needed)
AS/NZS ISO/IEC 17799:2006 defines 39 information security controls in twelve categories.
Category
4 Risk Assessment
Section
4.1 Assessing Security
risks
4.2 Treating Security risks
5 Security Policy
5.1 Information Security
Policy
6 Organization Of
Information Security
6.1 Internal Organization
6.2 External Parties
7 Asset Management
7.1 Responsibility For
Assets
To maintain the security of the
organization’s information and
information processing facilities that
are accessed, processed,
communicated to, or managed by
external parties.
To achieve and maintain appropriate
protection of organizational assets.
7.2 Information
Classification
To ensure that information receives
an appropriate level of protection.
© Copyright 2010 The State of Western Australia
106730236
Purpose
Risk assessments should identify,
quantify, and prioritize risks against
criteria relevant to the organization.
Controls to manage or reduce the risk
or its impact
To provide management direction and
support for information security in
accordance with business
requirements and relevant laws and
regulations.
To manage information security within
the organization.
Sub-sections
6.1.1 Management Commitment To Information Security
6.1.2 Information Security Co-Ordination
6.1.3 Allocation Of Information Security Responsibilities
6.1.4 Authorization Process For Information Processing
Facilities
6.1.5 Confidentiality Agreements
6.1.6 Contact With Authorities
6.1.7 Contact With Special Interest Groups
6.1.8 Independent Review Of Information Security
6.2.1 Identification Of Risks Related To External Parties
6.2.2 Addressing Security When Dealing With Customers
6.2.3 Addressing Security In Third Party Agreements
7.1.1 Inventory Of Assets
7.1.2 Ownership Of Assets
7.1.3 Acceptable Use Of Assets
7.2.1 Classification Guidelines
7.2.2 Information Labelling And Handling
Page 7 of 12
Department of . . .
Category
8 Human Resources
Security
Information Security Management Policy
Section
8.1 Prior To Employment
8.2 During Employment
8.3 Termination Or Change
Of Employment
9 Physical And
Environmental
Security
9.1 Secure Areas
9.2 Equipment Security
© Copyright 2010 The State of Western Australia
106730236
Purpose
To ensure that employees,
contractors and third party users
understand their responsibilities, and
are suitable for the roles they are
considered for, and to reduce the risk
of theft, fraud or misuse of facilities.
To ensure that employees,
contractors and third party users are
aware of information security threats
and concerns, their responsibilities
and liabilities, and are equipped to
support organizational security policy
in the course of their normal work,
and to reduce the risk of human error
To ensure that employees,
contractors and third party users exit
an organization or change
employment in an orderly manner.
To prevent unauthorized physical
access, damage, and interference to
the organization’s premises and
information.
To prevent loss, damage, theft or
compromise of assets and
interruption to the organization’s
activities.
Sub-sections
8.2.1 Management Responsibilities
8.2.2 Information Security Awareness, Education, And
Training
8.2.3 Disciplinary Process
8.3.1 Termination Responsibilities
8.3.2 Return Of Assets
8.3.3 Removal Of Access Rights
9.1.1 Physical Security Perimeter
9.1.2 Physical Entry Controls
9.1.3 Securing Offices, Rooms, And Facilities
9.1.4 Protecting Against External And Environmental
Threats
9.1.5 Working In Secure Areas
9.1.6 Public Access, Delivery, And Loading Areas
9.2.1 Equipment Siting And Protection
9.2.2 Supporting Utilities
9.2.3 Cabling Security
9.2.4 Equipment Maintenance
9.2.5 Security Of Equipment Off-Premises
9.2.6 Secure Disposal Or Re-Use Of Equipment
9.2.7 Removal Of Property
Page 8 of 12
Department of . . .
Category
10 Communications
And Operations
Management
Information Security Management Policy
Section
10.1 Operational
Procedures And
Responsibilities
Purpose
To ensure the correct and secure
operation of information processing
facilities.
10.2 Third Party Service
Delivery Management
To implement and maintain the
appropriate level of information
security and service delivery in line
with third party service delivery
agreements.
To minimize the risk of systems
failures.
To protect the integrity of software
and information.
To maintain the integrity and
availability of information and
information processing
facilities.
To ensure the protection of
information in networks and the
protection of the supporting
infrastructure
To prevent unauthorized disclosure,
modification, removal or destruction of
assets, and interruption to business
activities.
To maintain the security of
information and software exchanged
within an organization and with any
external entity.
To ensure the security of electronic
commerce services, and their secure
use.
10.3 System Planning And
Acceptance
10.4 Protection Against
Malicious And Mobile Code
10.5 Back-Up
10.6 Network Security
Management
10.7 Media Handling
10.8 Exchange Of
Information
10.9 Electronic Commerce
Services
© Copyright 2010 The State of Western Australia
106730236
Sub-sections
10.1.1 Documented Operating Procedures
10.1.2 Change Management
10.1.3 Segregation Of Duties
10.1.4 Separation Of Development, Test, And Operational
Facilities
10.2.1 Service Delivery
10.2.2 Monitoring And Review Of Third Party Services
10.2.3 Managing Changes To Third Party Services
10.3.1 Capacity Management
10.3.2 System Acceptance
10.4.1 Controls Against Malicious Code
10.4.2 Controls Against Mobile Code
10.5.1 Information Back-Up
10.6.1 Network Controls
10.6.2 Security Of Network Services
10.7.1 Management Of Removable Media
10.7.2 Disposal Of Media
10.7.3 Information Handling Procedures
10.7.4 Security Of System Documentation
10.9.1 Electronic Commerce
10.9.2 On-Line Transactions
10.9.3 Publicly Available Information
Page 9 of 12
Department of . . .
Information Security Management Policy
Category
Section
10.10 Monitoring
Purpose
To detect unauthorized information
processing activities.
11 Access Control
11.1 Business Requirement
For Access Control
11.2 User Access
Management
To control access to information.
11.3 User Responsibilities
11.4 Network Access
Control
To prevent unauthorized user access,
and
compromise
or
theft
of
information
and
information
processing facilities.
To prevent unauthorized access to
networked services.
11.5 Operating System
Access Control
To prevent unauthorized access to
operating systems.
11.6 Application And
Information Access Control
To prevent unauthorized access to
information held in application
systems.
To ensure information security when
using mobile computing and
teleworking facilities.
11.7 Mobile Computing And
Teleworking
© Copyright 2010 The State of Western Australia
106730236
Sub-sections
10.10.1 Audit Logging
10.10.2 Monitoring System Use
10.10.3 Protection Of Log Information
10.10.4 Administrator And Operator Logs
10.10.5 Fault Logging
10.10.6 Clock Synchronization
11.1.1 Access Control Policy
To ensure authorized user access
and to prevent unauthorized access
to information systems.
11.2.1 User Registration
11.2.2 Privilege Management
11.2.3 User Password Management
11.2.4 Review Of User Access Rights
11.3.1 Password Use
11.3.2 Unattended User Equipment
11.3.3 Clear Desk And Clear Screen Policy
11.4.1 Policy On Use Of Network Services
11.4.2 User Authentication For External Connections
11.4.3 Equipment Identification In Networks
11.4.4 Remote Diagnostic And Configuration Port Protection
11.4.5 Segregation In Networks
11.4.6 Network Connection Control
11.4.7 Network Routing Control
11.5.1 Secure Log-On Procedures
11.5.2 User Identification And Authentication
11.5.3 Password Management System
11.5.4 Use Of System Utilities
11.5.5 Session Time-Out
11.5.6 Limitation Of Connection Time
11.6.1 Information Access Restriction
11.6.2 Sensitive System Isolation
11.7.1 Mobile Computing And Communications
11.7.2 Teleworking
Page 10 of 12
Department of . . .
Category
12 Information
Systems Acquisition,
Development and
Maintenance
Information Security Management Policy
Section
12.1 Security Requirements
Of Information Systems
Purpose
To ensure that security is an integral
part of information systems.
Sub-sections
12.1.1 Security Requirements Analysis And Specification
12.2 Correct Processing In
Applications
To prevent errors, loss, unauthorized
modification or misuse of information
in applications.
12.3 Cryptographic
Controls
To protect the confidentiality,
authenticity or integrity of information
by cryptographic means.
To ensure the security of system files.
12.2.1 Input Data Validation
12.2.2 Control Of Internal Processing
12.2.3 Message Integrity
12.2.4 Output Data Validation
12.3.1 Policy On The Use Of Cryptographic Controls
12.3.2 Key Management
12.4 Security Of System
Files
12.5 Security In
Development And Support
Processes
12.6 Technical Vulnerability
Management
13 Information
Security Incident
Management
13.1 Reporting Information
Security Events And
Weaknesses
13.2 Management Of
Information Security
Incidents And
Improvements
© Copyright 2010 The State of Western Australia
106730236
To maintain the security of application
system software and information.
To reduce risks resulting from
exploitation of published technical
vulnerabilities.
To ensure information security events
and weaknesses associated with
information systems are
communicated in a manner allowing
timely corrective action to be taken.
To ensure a consistent and effective
approach is applied to the
management of information security
incidents.
12.5.1 Change Control Procedures
12.5.2 Technical Review Of Applications After Operating
System Changes
12.5.3 Restrictions On Changes To Software Packages
12.5.4 Information Leakage
12.5.5 Outsourced Software Development
12.6.1 Control Of Technical Vulnerabilities
13.1.1 Reporting Information Security Events
13.1.2 Reporting Security Weaknesses
13.2.1 Responsibilities And Procedures
13.2.2 Learning From Information Security Incidents
13.2.3 Collection Of Evidence
Page 11 of 12
Department of . . .
Information Security Management Policy
Category
14 Business
Continuity
Management
Section
14.1 Information Security
Aspects Of Business
Continuity Management
Purpose
To counteract interruptions to
business activities and to protect
critical business processes from the
effects of major failures of information
systems or disasters and to ensure
their timely resumption.
15 Compliance
15.1 Compliance With
Legal Requirements
To avoid breaches of any law,
statutory, regulatory or contractual
obligations, and of any security
requirements.
15.2 Compliance With
Security Policies And
Standards, And Technical
Compliance
15.3 Information Systems
Audit Considerations
To ensure compliance of systems
with organizational security policies
and standards.
To maximize the effectiveness of and
to minimize interference to/from the
information systems audit process.
Sub-sections
14.1.1 Including Information Security In The Business
Continuity Management Process
14.1.2 Business Continuity And Risk Assessment
14.1.3 Developing And Implementing Continuity Plans
Including Information Security
14.1.4 Business Continuity Planning Framework
14.1.5 Testing, Maintaining And Re-Assessing Business
Continuity Plans
15.1.1 Identification Of Applicable Legislation
15.1.2 Intellectual Property Rights (Ipr)
15.1.3 Protection Of Organizational Records
15.1.4 Data Protection And Privacy Of Personal Information
15.1.5 Prevention Of Misuse Of Information Processing
Facilities
15.1.6 Regulation Of Cryptographic Controls
15.2.1 Compliance With Security Policies And Standards
15.2.2 Technical Compliance Checking
15.3.1 Information Systems Audit Controls
12. Potential Policies (delete as needed)
The ISO/AS/NZS Information Security Controls can be used as a framework or structure for information security policies.
© Copyright 2010 The State of Western Australia
106730236
Page 12 of 12
Related documents
Policy & Procedure Review Policy & Procedure Number: CWUP 2
Policy & Procedure Review Policy & Procedure Number: CWUP 2
Risk and Vulnerability Assessment Analysis in Distribution Networks
Risk and Vulnerability Assessment Analysis in Distribution Networks
OpenWebNet – comparison S.Tomasina 25/02/14 Series ISO/IEC
OpenWebNet – comparison S.Tomasina 25/02/14 Series ISO/IEC
ISO 27002 Policies Outline Policy/Procedure Description
ISO 27002 Policies Outline Policy/Procedure Description
Adam_Stingemore - Plumbing Supply Forum
Adam_Stingemore - Plumbing Supply Forum
Taleisha, Jandamarra
Taleisha, Jandamarra
Clinical Project Officer: Application Form
Clinical Project Officer: Application Form
1) Freedom from accidents (loss events)
1) Freedom from accidents (loss events)
A)5 Security policy
A)5 Security policy
Web Application Security Standards
Web Application Security Standards
Download
advertisement