infosec policy iso17799

Upload: santosh-dharamsale

Post on 03-Jun-2018


  • 8/12/2019 InfoSec Policy ISO17799

    1/58

    [Insert Your Company Logo Here]

[Insert Company Name Here] Information Security Policy

    V1.0

    DRAFT

[Insert Company Name Here] Information Security Policy v1.0 DRAFT Page 1 of 58 3/24/2014


Table of Contents

1.0 Information Security Mission Statement ...... 6
2.0 Information Security Policy Overview ...... 7
  2.1 Definition of Information Security ...... 7
  2.2 Why Security? ...... 7
  2.3 Philosophy of Protection ...... 7
  2.4 Critical Success Factors ...... 8
  2.5 Information Security Policy Structure ...... 8
3.0 Security Policy ...... 10
  3.1 Information Security Policy Document ...... 10
  3.2 Review and Evaluation of Information Security Policy ...... 10
4.0 Security Organization ...... 11
  4.1 Information Security Infrastructure ...... 11
    4.1.1 Allocation of Information Security Responsibilities ...... 11
    4.1.2 Authorization Process for Information Processing Facilities ...... 11
    4.1.3 Specialist Information Security Advice ...... 11
    4.1.4 Cooperation Between Organizations ...... 11
  4.2 Security of Third Party Access ...... 12
    4.2.1 Identification of Risks from Third Party Access ...... 12
    4.2.2 Security Requirements in Third Party Contracts ...... 12
  4.3 Outsourcing ...... 13
    4.3.1 Security Requirements in Outsourcing Contracts ...... 13
5.0 Asset Classification and Control ...... 15
  5.1 Accountability for Assets ...... 15
  5.2 Information Classification ...... 16
    5.2.1 Classification Guidelines ...... 16
    5.2.2 Information Labeling and Handling ...... 17
  5.3 Information Retention ...... 17
6.0 Personnel Security ...... 18
  6.1 Security in Job Definition and Resourcing ...... 18
    6.1.1 Personnel Screening Policy ...... 18
    6.1.2 Confidentiality Agreements ...... 18
    6.1.3 Terms and Conditions of Employment ...... 19
  6.2 User Training ...... 19
    6.2.1 Information Security Education and Training ...... 19
  6.3 Responding to Security Incidents and Malfunctions ...... 20
    6.3.1 Reporting Security Incidents ...... 20
    6.3.2 Reporting Security Weaknesses ...... 20
    6.3.3 Learning from Incidents ...... 20
    6.3.4 Disciplinary Process ...... 20
7.0 Physical and Environmental Security ...... 21
  7.1 Secure Areas ...... 21
    7.1.1 Physical Security Controls ...... 21
    7.1.2 Securing Offices, Rooms and Facilities ...... 22
    7.1.3 Other Site Security Issues ...... 23
8.0 Communications and Operations Management ...... 24
  8.1 Operational Procedures and Responsibilities ...... 24
    8.1.1 Documented Operating Procedures ...... 24
    8.1.2 Operational Change Control ...... 24
  8.2 System Planning and Acceptance ...... 25
    8.2.1 Capacity Planning ...... 25
    8.2.2 System Acceptance ...... 25


  8.3 Protection Against Malicious Software ...... 26
  8.4 Housekeeping ...... 27
    8.4.1 Information Backup ...... 27
  8.5 Network Management ...... 27
    8.5.1 Network Controls ...... 27
  8.6 Exchange of Information and Software ...... 27
    8.6.1 Information and Software Exchange Agreements ...... 27
    8.6.2 Security of Physical Media in Transit ...... 28
    8.6.3 Security of Electronic Media in Transit ...... 29
    8.6.4 Other Forms of Information Exchange ...... 29
    8.6.5 Production of SPAM ...... 30
  8.7 Vulnerability Management ...... 30
9.0 Access Control ...... 31
  9.1 Business Requirement for Access Control ...... 31
    9.1.1 Access Controls and Need to Know ...... 31
    9.1.2 Types of Access Controls ...... 31
  9.2 User Access Management ...... 32
    9.2.1 User Registration ...... 32
    9.2.2 Privilege Management ...... 32
    9.2.3 User Password Management ...... 32
    9.2.4 Review of User Access Rights ...... 33
  9.3 User Responsibilities ...... 33
    9.3.1 Password Use ...... 33
    9.3.2 Unattended User Equipment ...... 34
  9.4 Network Access Control ...... 34
    9.4.1 Policy on Use of Network Services ...... 34
    9.4.2 User Authentication for External Connections ...... 35
    9.4.3 Remote Diagnostic Port Protection ...... 35
    9.4.4 Segregation in Networks ...... 35
    9.4.5 Network Connection Control ...... 36
    9.4.6 Wireless Network Policy for [COMPANY] Facilities ...... 36
  9.5 Operating System Access Control ...... 36
    9.5.1 User Identification and Authentication ...... 36
    9.5.2 Password Program ...... 37
    9.5.3 User Account Review/Audit ...... 37
    9.5.4 Use of System Utilities ...... 37
  9.6 Application Access Control ...... 37
    9.6.1 Information Access Restriction ...... 37
  9.7 Monitoring System Access and Use ...... 38
    9.7.1 Event Logging ...... 38
    9.7.2 Monitoring System Use ...... 38
    9.7.3 Clock Synchronization ...... 40
    9.7.4 Email, Voicemail and Internet Access Monitoring ...... 40
  9.8 Mobile Computing and Teleworking ...... 40
    9.8.1 Mobile Computing ...... 40
    9.8.2 Telecommuting and Remote Access ...... 42
  9.9 Acceptable Use of [COMPANY] Computer Systems ...... 43
    9.9.1 General Use and Ownership ...... 44
    9.9.2 Security and Proprietary Information ...... 44
    9.9.3 Unacceptable Use ...... 44
    9.9.4 Enforcement ...... 46
10.0 Systems Development and Maintenance ...... 47
  10.1 Security Requirements of Systems ...... 47
    10.1.1 Security Requirements Analysis and Specification ...... 47
  10.2 Security in Application Systems ...... 47
    10.2.1 Input Data Validation ...... 47


    10.2.2 Control of Internal Processing ...... 47
    10.2.3 Output Data Validation ...... 48
  10.3 Cryptographic Controls ...... 48
    10.3.1 Policy on the Use of Cryptographic Controls ...... 48
    10.3.2 Encryption ...... 49
    10.3.3 Digital Signatures ...... 49
    10.3.4 Nonrepudiation Services ...... 50
    10.3.5 Key Management ...... 50
  10.4 Security in Development and Support Processes ...... 51
    10.4.1 Software Change Control Procedures ...... 51
    10.4.2 Technical Review of Operating System Changes ...... 52
    10.4.3 Restrictions on Changes to Software Packages ...... 52
    10.4.4 Covert Channels and Trojan Code ...... 53
11.0 Compliance ...... 54
  11.1 Compliance with Legal Requirements ...... 54
    11.1.1 Identification of Applicable Legislation ...... 54
    11.1.2 Intellectual Property Rights ...... 54
    11.1.3 Data Protection and Privacy of Personal Information ...... 55
    11.1.4 Prevention of Misuse of Information Processing Facilities ...... 56
    11.1.5 Regulation of Cryptographic Controls ...... 56
  11.2 Reviews of Security Policy and Technical Compliance ...... 56
    11.2.1 Compliance with Security Policy ...... 56
    11.2.2 Technical Compliance Checking ...... 57
  11.3 System Audit Considerations ...... 57
    11.3.1 System Audit Controls ...... 57
    11.3.2 Protection of System Audit Tools ...... 57


History

Version   Date       Author   Modifications
1.0       11/15/05   CLH      First Revision


1.0 INFORMATION SECURITY MISSION STATEMENT

[COMPANY] and [COMPANY] employees have an inherent responsibility to protect the physical information assets of the company, as well as confidential member data and intellectual capital owned by the company. These critical assets must be safeguarded to mitigate any potential impacts to [COMPANY] and [COMPANY]'s members. Information Security at [COMPANY] is therefore a critical business function that should be incorporated into all aspects of [COMPANY]'s business practices and operations.

To achieve this objective, policies, procedures and standards have been created to ensure secure business practices are in place at [COMPANY]. Information security is a foundational business practice that must be incorporated into planning, development, operations, administration, sales and marketing, as each of these business functions requires specific safeguards to be in place to mitigate the risk associated with normal business activities.

[COMPANY] is subject to numerous State and Federal Information Security and Privacy laws and regulations which, if not complied with, could potentially result in fines, audits, loss of member confidence and direct financial impacts to the company. Compliance with all applicable regulations is the responsibility of every employee at [COMPANY].


2.0 INFORMATION SECURITY POLICY OVERVIEW

Everyone at [COMPANY] is responsible for familiarizing themselves with, and complying with, all [COMPANY] policies, procedures and standards dealing with information security.

2.1 Definition of Information Security

The U.S. National Information Systems Security Glossary defines Information systems security (INFOSEC) as:

    "The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats."

Information Security centers on the following three objectives for protecting information: Confidentiality, Integrity and Availability. The policies in this document support these objectives.

2.2 Why Security?

[COMPANY] requires information security to protect information assets from security threats. It is critical to protect the system environment to maintain a competitive advantage in the marketplace, to ensure profitability, and to secure and maintain member and partner trust and confidence.

Security threats originate from a wide variety of sources, including computer-assisted fraud, industrial espionage, sabotage, vandalism and natural disasters. Computer viruses, unethical hacking and denial of service attacks are examples of threats encountered while operating over the Internet. These types of threats are becoming increasingly more common, more ambitious and more sophisticated.

2.3 Philosophy of Protection

[COMPANY]'s philosophy of protection provides the intent and direction behind our protection policies, procedures and controls. Our protection philosophy is comprised of three tenets:

1. Security is everyone's responsibility. Maintaining an effective and efficient security posture for [COMPANY] requires a proactive stance on security issues from everyone. Security is not "somebody else's problem"; as a member of [COMPANY] you have the responsibility to adhere to the security policies and procedures of the company and to take issue with those who are not doing the same.

2. Security permeates the [COMPANY] organization. Security is not just focused on physical and technical "border control". Rather, [COMPANY] seeks to ensure reasonable and appropriate levels of security awareness and protection throughout our organization and infrastructure. There is no place in our business where security is not a consideration.

3. Security is a business enabler. A strong security foundation, proactively enabled and maintained, becomes an effective market differentiator for our company. Security has a direct impact on our viability within the marketplace and must be treated as a valued commodity.

The tenets of our philosophy of protection are mutually supportive; ignoring any one tenet in favor of another undermines the overall security posture of our organization.


2.4 Critical Success Factors

The following factors are critical to the successful implementation of security within [COMPANY]:

- Comprehensive security policies, objectives and initiatives that clearly reflect [COMPANY] business objectives
- A security approach that is consistent with [COMPANY]'s culture
- Highly visible support from [COMPANY]'s executive management
- Solid understanding of security requirements and risk management practices
- Effective communication of security to all [COMPANY] managers, associates, partners, clients, vendors and developers
- Guidance on information security policy to all [COMPANY] managers, associates, partners, clients, vendors and developers
- Information security awareness and training
- Continual review and measurement of the effectiveness and efficiency of security controls and mechanisms
- Timely adjustments to the security posture by addressing deficiencies and by reflecting changes in [COMPANY]'s business objectives as necessary
- Annual review of the information security policy to update policy as needed to reflect changes to business objectives or the risk environment.

2.5 Information Security Policy Structure

[COMPANY]'s Information Security Policies are structured in such a way as to give flexibility as required by the business objectives and needs while maintaining a "level playing field" across the company. Frequently the weakest link is the link that breaks the security chain and causes a breach in security. Through consistent application of Information Security across the company, any weak areas are compensated for and the organization is stronger overall.

Information Security Policy follows this tiered structure:

- Information Security Mission Statement
- Information Security Policy
- Information Security Standards and Processes
- Information Security Specific Configurations and Procedures

The hierarchy lends support as you progress up the tiers and becomes more detailed as you progress down the tiers. In this way, all actions taken have a basis in policy and directly support the policy or policies they are governed by. To illustrate this hierarchy, descriptions of the various levels are given below.

Information Security Mission Statement: This is the overall management direction in regard to Information Security at [COMPANY]. It is broad in scope and sets the expectations for protecting the company's information resources. It is contained in this document.

Information Security Policy: This is the collection of policies that implement the overall guidance of the Mission Statement. Policies are somewhat broad but topical in nature (centered on specific Information Security topics). [COMPANY]'s Information Security Policies are organized in accordance with ISO 17799, Information Technology: Code of Practice for Information Security Management, an international standard, and are in compliance with other regulatory and compliance mandates where applicable. Policies apply equally to everyone within the company regardless of location. The Information Security Policies are contained in this document.

Information Security Standards and Processes: These are collections of standards and processes that are to be used to implement the given policy they reference. Standards may dictate a type of technology to use but may stop before naming a particular product (depending on the policy and standard subject). Processes will detail the steps to take to fulfill the goals of a particular policy. Standards and Processes will be published under separate titles and may be regionalized to fit the conditions at different locations (i.e. there may be one set of standards for a particular policy in the United States and a different set in Germany). Standards and Processes will clearly delineate where they apply.

Information Security Specific Configurations and Procedures: These are very specific details that support the implementation of the standards and processes given above. These will include specific products and configuration details, or step-by-step procedures to implement processes. These are very highly localized and will apply to the environment for which they were written (i.e. there may be a specific configuration for Sun systems that is different from Windows configurations). These will be published under separate titles where directed.


3.0 SECURITY POLICY

3.1 Information Security Policy Document

[COMPANY] Executive Management will provide direction for, approve, publish and communicate the merits of an Information Security Policy document. This Information Security Policy Document shall outline management's approach to Information Security, as well as providing the organization with a strong indication of management's commitment to Information Security within [COMPANY].

The purpose of this policy is to communicate the direction of the organization's Information Security Program by providing relevant, accessible and understandable definitions, statements and explanations.

The Information Security Policy Document shall:

- Define information security, as well as its scope and importance in the organization;
- Include a statement of management's intent for information security;
- Include a statement of management's goals and principles of information security;
- Explain the organization's security policies, standards and compliance requirements, including:
  - Compliance with legislative and contractual requirements
  - Security education and awareness commitment
  - Consequences for security violations
  - Prevention and protection against viruses and other malicious software attacks
  - Commitment to well thought-out and effective business continuity management;
- Outline specific responsibilities for information security management;
- Outline policies and procedures for reporting security incidents.

The Information Security Policy Document shall serve as a reference document that will lead to additional, more detailed information when necessary (for instance, employee manuals, etc.).

3.2 Review and Evaluation of Information Security Policy

The Chief Information Security Officer shall be the owner of this Information Security Policy Document. The owner of the document shall be responsible for maintaining and reviewing the policy based upon a defined review process. The policy shall be reviewed at least annually and updated in response to any changes that would affect the assumptions from the baseline risk assessment, such as significant security incidents, new vulnerabilities, new regulations or changes to the organization's infrastructure.

The reviews shall include an assessment of the policy's effectiveness based upon:

- The nature, number and impact of recorded security incidents;
- Cost and impact of controls on business efficiency; and
- Effects of changes to technology.


4.0 SECURITY ORGANIZATION

4.1 Information Security Infrastructure

4.1.1 Allocation of Information Security Responsibilities

The purpose of this policy is to protect all of the information assets within the organization by allocating specific responsibilities for all such assets.

The Chief Information Security Officer is responsible for the overall application of the Information Security policies.

Each individual site will have a site manager who is responsible for the overall application of the Information Security Program and policies at that site.

Each asset will have an 'owner' who may delegate responsibilities but remains ultimately responsible for the asset(s).

The asset owner will:

- Identify and define all security processes for their asset(s);

- Document all security processes on their assets; and

- Clearly define and document all authorization levels of their assets.

4.1.2 Authorization Process for Information Processing Facilities

The purpose of this policy is to protect all of the information assets within the organization by authorizing any new information facility for purpose and use, compatibility of hardware and software, and security of personal information in the facility.

The authorization process for new Information Processing facilities requires that the Chief Information Security Officer (or the designated representative) perform a risk assessment prior to authorizing a new Information Processing facility. This risk assessment should follow a standard format or checklist.

The results of the risk assessment will be incorporated to establish additional controls by [COMPANY]'s IT Security officer and the site IT Security manager.

4.1.3 Specialist Information Security Advice

[COMPANY] may obtain the services of outside security experts as necessary to protect the information assets within the organization by coordinating in-house knowledge and experience to ensure consistency, provide guidance in decision making and assess the overall effectiveness of [COMPANY]'s Security policy.

All use of outside security experts shall be coordinated with the Chief Information Security Officer before such experts are employed by [COMPANY] in any capacity.

4.1.4 Cooperation Between Organizations

All contact and cooperation with third parties on security matters will be coordinated through the Chief Information Security Officer or a designated appointee of the Chief Information Security Officer.

The purpose of this policy is to protect all of the information assets within the organization as soon as a security incident is detected, by maintaining contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunication operators.

The Chief Information Security Officer shall maintain a list of contacts with:


- The law enforcement community

- The regulatory community

- Information service providers

- Telecommunications operators

The Chief Information Security Officer should also maintain contact with security forums and other notification agencies.

4.1.4.1 Sending Information to Third Parties

Before any confidential information (outside the scope of [COMPANY]'s regular product offerings) is passed to any third party organization, authorization shall be received from the Chief Information Security Officer that will include who will contact the third party, who will be contacted and what information will be shared. Appropriate nondisclosure agreements must be in place with any non-law enforcement agency before information is shared with that agency.

4.2 Security of Third Party Access

4.2.1 Identification of Risks from Third Party Access

The Chief Information Security Officer will control authorization for types of access to information processing facilities by third parties based upon the reasons for that access.

A risk assessment will be carried out before any third party access is granted and will consider the reasons for access as well as the necessary controls to be put in place.

Access of third parties to Information Processing facilities will be clearly spelled out in contracts; this access includes the scope of access to physical, logical and network assets.

4.2.2 Security Requirements in Third Party Contracts

The Chief Information Security Officer will control authorization for types of access to information processing facilities and [COMPANY] information by third party contractors.

Any disclosure of confidential information to consultants, contractors, temporary employees or any other third parties shall be preceded by the receipt of a signed [COMPANY] nondisclosure agreement (NDA) (see 6.1.2). This is in addition to the other policies in section 4.2.

Access by third party contractors will be specifically agreed upon and documented in contracts.

Arrangements involving third party access to organizational information processing facilities should be based on a formal contract containing, or referring to, all the security requirements to ensure compliance with [COMPANY]'s security policies and standards. The contract should ensure that there is no misunderstanding between the organization and the third party. [COMPANY] should satisfy themselves as to the indemnity of their supplier. The following terms should be considered for inclusion in the contract:

- The general policy on information security;

- Asset protection, including:

  - Procedures to protect organizational assets, including information and software;

  - Procedures to determine whether any compromise of the assets, i.e. loss or modification of data, has occurred;

  - Controls to ensure the return or destruction of information and assets at the end of, or at an agreed point in time during, the contract;

  - Integrity and availability;

  - Restrictions on copying and disclosing information;


The contract should address:

- How the legal requirements are to be met, i.e. data protection legislation;

- What arrangements will be in place to ensure that all parties involved in the outsourcing, including subcontractors, are aware of their security responsibilities;

- How the integrity and confidentiality of the organization's business assets are to be maintained and tested;

- What physical and logical controls will be used to restrict and limit the access to the organization's sensitive business information to authorized users;

- How the availability of services is to be maintained in the event of a disaster;

- What levels of physical security are to be provided for outsourced equipment;

- The right of audit.

The terms given in 4.2.2 should also be considered as part of this contract. The contract should allow the security requirements and procedures to be expanded in a security management plan to be agreed between the two parties.


5.0 ASSET CLASSIFICATION AND CONTROL

The purpose of this policy is to determine the protective controls associated with each [COMPANY] information asset and to provide a foundation for all employees (and contractors, third parties, etc.) who deal with information assets to understand the security and handling of such assets.

[COMPANY]'s data classification system has been designed to support access to information based on the need to know, so that information will be protected from unauthorized disclosure, use, modification and deletion. Consistent use of this data classification system will facilitate business activities and help keep the costs for information security to a minimum. Without the consistent use of this data classification system, [COMPANY] unduly risks loss of member relationships, loss of public confidence, internal operational disruption, excessive costs and competitive disadvantage.

Applicable Information: This data classification policy is applicable to all information in [COMPANY]'s possession, including electronic data, printed reports and backup media.

Consistent Protection: Information must be consistently protected throughout its life cycle, from its origination to its destruction. Information must be protected in a manner commensurate with its sensitivity, regardless of where it resides, what form it takes, what technology was used to handle it or what purpose(s) it serves. Although this policy provides overall guidance to achieve consistent information protection, all employees are expected to apply and extend these concepts to fit the needs of day-to-day operations.

5.1 Accountability for Assets

The purpose of this policy is to outline the methodology for identifying, classifying and documenting assets in order to provide protection that is commensurate with the value and importance of each asset. All users are expected to be familiar with and comply with this policy.

In order to maintain accountability for assets, [COMPANY] will compile a list of all its information assets and establish the relative value and importance of each asset.

This policy requires that all information systems be identified and documented, with a program in place to manage assets company-wide. The following will be included in the program:

- All assets associated with each information system shall be identified and documented with their classification, owner and location

- All assets shall have an owner (see 4.1.1) and that owner shall be documented

- All assets shall be classified (see 5.2) based upon their value and importance to the organization and/or to the organization's members

- Classification of security assets will reflect their security protection levels (see 5.2) and their handling (see 5.2.2)

- Assets will be categorized into logical categories such as information assets, software assets, physical assets and service assets


5.2 Information Classification

5.2.1 Classification Guidelines

Asset classification is the process of assigning value to data in order to organize it according to its sensitivity to loss or disclosure. All information assets shall be classified using a company-wide asset classification system. All data, regardless of its classification, will be protected from unauthorized alteration; this policy provides guidance on the proper handling of data.

The classification system will allow that classifications of information assets may change over time (see ?.1).

5.2.1.1 Classifying Information

This policy requires that all information assets be classified and labeled in a manner that allows the asset to be readily identified to determine the handling and protection level for that asset.

Care will be taken when interpreting the classification systems of other organizations, as their classification systems may have different parameters. Information assets shall be assigned a sensitivity classification by the asset information owner or their nominees in accordance with the following classification definitions:

- Confidential: Sensitive information requiring the highest degree of protection. Access to this information shall be tightly restricted based on the concept of need-to-know. Disclosure requires the information custodian's approval and, in the case of third parties, a signed confidentiality agreement. If this information were to be compromised, there could be serious negative financial, legal or public image impacts to [COMPANY] or [COMPANY]'s members. Examples include member share information, employee performance reviews, product research data, etc.

- Internal: Information that is related to [COMPANY] business operations but not available for public consumption. This information shall only be disclosed to third parties if a confidentiality agreement has been signed. Disclosure is not expected to cause serious harm to [COMPANY], and access is provided freely to all employees. Examples include policies and standards, operational procedures, etc.

- Public: Information that requires no special protection or rules of use. This information is suitable for public dissemination. Examples include press releases, marketing brochures, etc.

The Chief Information Security Officer is responsible for maintaining the policy and ensuring the infrastructure exists to support this policy.

5.2.1.2 Handling and Protection Rules

Each asset classification shall have handling and protection rules. These rules must cover any media the assets may reside in at any time (see 5.2.2).

All computer-resident confidential information shall be protected via access controls to ensure that it is not improperly disclosed, modified, deleted or otherwise rendered unavailable.

Employees are prohibited from recording confidential information with tape recorders, digital/analog recording devices, etc. without the consent of their manager and the [COMPANY] Legal Department. This includes the use of camera equipment (of any kind) in any lab.


Unless it has specifically been designated as 'Public' or 'Internal', all [COMPANY] internal information shall be assumed to be confidential and shall be protected from disclosure to unauthorized third parties.

No confidential information of [COMPANY] or of any third party shall be disclosed to the public or any unauthorized third party without the prior approval of [COMPANY]'s Legal and Public Relations Departments.

Access to every office, computer room, laboratory and work area containing confidential information shall be restricted, and employees shall take all reasonable steps to protect confidential information under their control from inadvertent disclosure.

Handling and protection rules must include all parts of an asset's lifecycle, from creation/installation through use and finally to destruction/disposal. Sensitive information or systems must be appropriately disposed of when no longer needed.

5.2.2 Information Labeling and Handling

It is important that an appropriate set of procedures are defined for information labeling and handling in accordance with the classification scheme adopted by [COMPANY]. These procedures must cover information assets in physical and electronic formats. For each classification, handling procedures should be defined to cover the following types of information processing activity:

- Copying

- Storage

- Transmission by post, fax and electronic mail

- Destruction

System outputs containing confidential information shall carry an appropriate classification label (in the output).

The labeling should reflect the classification according to the rules established in 5.2.1. Items for consideration include printed reports, screen displays, recorded media (tapes, disks, CDs, cassettes) and electronic messages and file transfers.

Physical labels are generally the most appropriate forms of labeling. However, some information assets, such as documents in electronic form, cannot be physically labeled, and electronic means of labeling need to be used.

All printed, handwritten or other paper manifestations of confidential information shall have a clearly evident sensitivity label on the bottom right hand corner of each page, or a watermark that indicates the sensitivity classification.

5.3 Information Retention

Information shall not be retained any longer than the business requires it to be retained. This reduces the window of time that data can potentially be available for misuse. Controls should be implemented to delete data that exceeds the required retention time.

Electronic member data shall be retained for up to five (5) years.


Background Checks

The hiring manager and [COMPANY] Security Officer will make the determinations as to whether a candidate passes the [COMPANY] guidelines for the background check.

6.1.2 Confidentiality Agreements

[COMPANY] expects that information disclosed to [COMPANY] employees will be treated with the appropriate level of confidentiality. Except as required by law, information concerning the Company's business is not to be discussed with competitors, outsiders or the media. Employees are prohibited from forwarding emails containing information on the Company's business to anyone outside of the Company or otherwise transmitting Company-confidential information outside of the Company, whether over the Internet or otherwise. Failure to honor this confidentiality requirement may result in disciplinary action up to and including termination of employment.

In the course of employees' work, they will have access to [COMPANY]'s confidential and/or proprietary information, including information concerning members (i.e. share/account numbers) and suppliers, as well as fellow employees. It is imperative that no employees disclose such information in any inappropriate ways and that such information be used only in the performance of regular job duties.

    [C%AY] reu"res $on!"6ent"a&"ty or non6"s$&osure agreements !rom a&& emp&oyees an6 t4"r6party sta!! not ot4er"se $o'ere6 9y t4"r6 party $ontra$ts 9e!ore a$$ess to sens"t"'e "n!ormat"on"&& 9e a&&oe6.

    T4"s po&"$y reu"res t4at sta!! s"gn a $on!"6ent"a&"ty or non6"s$&osure agreements Gun&essot4er"se $ontra$tua&&y 9oun6 pr"or to 9e"ng grante6 a$$ess to any sens"t"'e "n!ormat"on orsystems.

    Agreements "&& 9e re'"ee6 "t4 t4e sta!! mem9er 4en t4ere "s any $4ange to t4e emp&oymentor $ontra$t or pr"or to &ea'"ng t4e organ"8at"on.

    T4e Lega& !!"$er "&& pro'"6e t4e agreements t4e emp&oyees an6 9e respons"9&e !or ma"nta"n"nga&& agreements "n use 9y [C%AY]. T4e !o&&o"ng [C%AY]appro'e6 $on!"6ent"a&"tyagreements "&& 9e use6 as appropr"ate to t4e $"r$umstan$e

    Employee Confidential Information, Inventions, Nonsolicitation and Noncompetition

    Agreement

    n&y emp&oyees 4o are V"$e %res"6ents or a9o'e s4a&& s"gn non6"s$&osure agreements or anytype o! $ontra$t su$4 as arranty an6 Terms an6 Con6"t"ons. A&& reuests !or "n!ormat"on a9out[C%AY] an6 "ts 9us"ness s4a&& 9e re!erre6 to [C%AY]s %u9&"$ Re&at"ons Department.

    -.1.3 'erms an "onitions of mployment[C%AY] "&& state t4e emp&oyees ro&es an6 respons"9"&"t"es !or "n!ormat"on se$ur"ty "n t4eterms an6 $on6"t"ons o! emp&oyment.

    T4e purpose o! t4"s po&"$y "s ma;e $&ear to a&& emp&oyees t4e"r respons"9"&"t"es !or ma"nta"n"ng an6promot"ng se$ur"ty "t4"n t4e organ"8at"on 6ur"ng an6 su9seuent to t4e"r emp&oyments as e&& ast4e san$t"ons !or not 6o"ng so.

    Human Resour$es "&& pro'"6e ea$4 ne emp&oyee "t4 t4e emp&oyees respons"9"&"t"es !orIn!ormat"on #e$ur"ty "n t4e 7mp&oyee Han69oo;. T4"s 4an69oo; "&& $onta"n "n!ormat"on onIn!ormat"on #e$ur"ty po&"$"es a$$epta9&e use an6 et4"$s G6"re$t "n!ormat"on or "nstru$t"ons too9ta"n an6 rea6 re!eren$e6 po&"$"es.

    T4e emp&oyees manager "&& pro'"6e t4e emp&oyee spe$"!"$ respons"9"&"t"es t4at are part"$u&ar tot4e spe$"!"$ pos"t"on.

    D"s$"p&"nary measures are $o'ere6 "n se$t"on /.*.- o! t4"s po&"$y.


7.0 PHYSICAL AND ENVIRONMENTAL SECURITY

7.1 Secure Areas

7.1.1 Physical Security Controls

Physical entry controls will be used to protect all secure areas. These controls will be designed to prevent unauthorized access, damage or interference to the business processes that take place within the area. Physical security controls apply to any [COMPANY] owned or controlled facility, including temporary locations.

7.1.1.1 Site Risk Assessment

A risk assessment of secure areas shall be conducted to determine the type and strength of the physical entry control that is appropriate and prudent. The security controls for an area should be commensurate with the value and classification of the information resources contained therein (see 5.2). This risk assessment must also take into account the physical surroundings of the site (see 7.1.2). Finally, physical security requirements should include items such as fire suppression, plumbing and electrical wiring, as these may not always be mandated by local authorities.

Site risk assessments must be conducted for any sites where [COMPANY] will be sharing facilities with any outside organization. This may be sharing a building (where physical access is common to all but network access is specific to each organization) or where [COMPANY] is sharing a suite (where physical and network access is common to all) with others. Specific security requirements must be determined for these situations based on the arrangements.

Where sites are deficient in physical security controls (such as leased sites where the owner will not allow modification to the structure, or shared sites with business partners), additional network security controls are warranted to protect the rest of the corporate network. In addition, the levels of sensitivity of information that can be processed or stored there may be restricted.

7.1.1.2 Restricted Access to Sites

Access to sensitive information and information processing facilities will be restricted to authorized persons only. Authentication controls will be used to authorize and validate entry. A log of all that enter will be maintained by the site manager as appropriate for the sensitivity of the information resources therein (5.2.1). Physical barriers (i.e. doors) must be of sufficient strength and construction to deter entry, based on the results of the risk assessment.

Controls to restrict access to facilities will be determined on a case-by-case basis. These controls will ensure that unauthorized persons do not have easy physical access to the facilities, and that such access is detected and the appropriate personnel notified if a breach occurs. The Chief Information Security Officer will publish standards for access controls and other physical security measurements commensurate with the classification levels of data present and the information protection requirements (see 5.2.1).

Access rights will be given on a least-privilege basis and will be as granular as necessary to appropriately protect various classifications of information or facilities. Access rights to secure areas will be reviewed by the site manager periodically and updated where necessary.

7.1.1.3 Visitor Procedures

All visitors to secured areas will be supervised and only allowed in for authorized purposes. A visitors' log will be in place at all secure areas that records the date and time of entry and exit.

All visitors will be given both security instructions and emergency procedures (if applicable).

Employees will challenge unfamiliar people who are unescorted or not showing visible identification.


Contractors, service vendors, suppliers, material men, etc. shall be advised of the building rules and regulations concerning their proper conduct within [COMPANY]'s property. They will be required to sign an acknowledgement of the BUILDING RULES AND REGULATIONS prior to beginning work.

7.1.1.4 Third Party Physical Security at [COMPANY] Facilities

Special situations may arise where third parties will have personnel and devices at [COMPANY] facilities on a full time basis. These third parties must only be allowed full time access if they serve to augment the core capability or flow of [COMPANY]'s business. Special care should be taken to limit access of third party personnel to only their work areas as much as possible.

Controls for the placement of third party devices on [COMPANY] networks are covered in 8.2.2.

7.1.1.5 Control of Physical Security Controls

Access to the mechanisms that control physical access to secure sites must be granted on the least-privilege basis. This includes access to badge enabling systems, door lock keys or any other physical access control systems. Master badges or keys must be restricted to very few individuals per site or system. Wherever possible, control of these systems must reside with the local Information Security or Physical Security management.

7.1.2 Securing Offices, Rooms and Facilities

All offices, rooms and facilities that contain other than public information resources will be protected accordingly to prevent unauthorized access, damage or interference to the business processes.

7.1.2.1 Site Risk Assessment

A risk assessment of secure areas to determine the type of control that is appropriate and prudent, taking into account not only personnel risks but also those of environment, neighborhood, civil unrest and natural and man-made disasters, shall be conducted. Health and safety regulations and concerns will also be examined and controls incorporated. Resulting policies may vary greatly depending on the locality of the office (i.e. Northern California versus Southern California).

Information processing facilities that are managed by third party organizations shall be separated from those that are managed in-house.

7.1.2.2 Securing Sites When Unoccupied

Rooms in a facility that contain sensitive assets will be locked when not in use. Windows and doors will be kept locked and have protection from intrusion or environmental factors. Intrusion alarms will be in place and maintained to the vendor's standards as applicable, according to the information protection requirements (see 5.2). Unoccupied areas will be alarmed as required.

Sensitive documents will be locked in file cabinets or other protective furniture that takes into account the results of the risk analysis.

Additional controls will be implemented for computer and communications rooms or areas. Key facilities will be situated so that they avoid public access. Support functions and equipment will be situated in a way that keeps them away from the public and unauthorized personnel.

7.1.2.3 Signage and Directory Listings for Secure Sites

The uses of buildings that contain sensitive materials or processing facilities will be unobtrusive and not marked in such a way that gives the public any indication of their purpose or function.

Directories and telephone books that provide information on locations of sensitive facilities shall be secured from unauthorized access.

7.1.2.4 Monitoring of Facilities for Physical Security


Where possible, systems shall monitor the physical security of facilities. Monitoring could include any or all of the following technologies, based on the outcome of the physical security risk assessment:

- Closed circuit TV or video cameras

- Glass break sensors

- Door and window opening alarms

- Hold-open sensors for doors or windows

- Always-active door alarms for emergency exits and other little-used doors

- Above or below ceiling sensors (sites with false ceilings and walls that do not extend from floor to ceiling)

- Motion/heat sensors for sensitive working areas

- Security patrols

7.1.3 Other Site Security Issues

Hazardous or combustible materials shall be stored securely a safe distance from secure facilities. Only necessary bulk supplies shall be stored within secure facilities.

Backup equipment and media shall be stored off-site and a safe distance from facilities, sufficient that it would not be damaged if the facility is damaged.

8.2 System Planning and Acceptance

8.2.1 Capacity Planning

To limit disruption to the network, applications and business functions, [COMPANY] will monitor system capacity and plan for future capacity needs in sufficient time to procure system resources prudently. This will ensure adequate resources are available and reduce the possibility of system overload.

System owners shall monitor their equipment for current uses and projected capacity.

8.2.1.1 Provisioning of Hardware and Software

IT must be consulted whenever deploying any new systems for adequate provisioning of system hardware and software, to take advantage of any contracts or discounts that may be in place. IT will obtain and install the equipment as appropriate and then allow access to the appropriate groups for use of the equipment. Provisioning of software requires purchasing of any applicable licenses for use (see 11.1).

8.2.1.2 Management of Network Storage

To allow adequate storage capability to support all users, IT will develop standards and processes for managing online and offline storage capacity. These standards will include types or classes of storage, data backup (see 8.4.1), protection by classification (see 5.2.1) and any quotas necessary based on the business reasons for storage. Management of storage will incorporate any requirements given in information retention policies (see 5.3).

8.2.2 System Acceptance

To ensure new systems or applications do not disrupt the network, existing applications or other systems, a system acceptance process will be defined. This process will document acceptance criteria for new systems prior to acceptance. All systems will be tested prior to acceptance, including a vulnerability assessment or scan, prior to being permitted to connect to the [COMPANY] network. This process will ensure that security controls are in place and that the new system complies with the design and function required.

System owners shall ensure that the equipment capacity requirements are met prior to use of a new system (see 8.2.1).

Managers and users (when applicable) shall inspect major new systems periodically throughout the development to ensure functionality is appropriate and compliant with design requirements.

Prior to the acceptance and use of new systems, the following controls shall be documented and in place:

- The system is built according to standard hardware or software builds published by IT

- Effective manual contingency procedures are documented (if applicable)

- Error recovery/restart procedures and contingency plans (if applicable)

- Updated business continuity plans (if applicable)

- Compatibility of the new system with the security requirements of the organization

- Compatibility of the new system with the existing systems

- Security controls are in place and tested

- Vulnerability scan run against the system to verify that patch levels are current and that no unnecessary services are running

Users shall be adequately trained prior to taking a new system into operational mode.


Operational testing procedures shall be documented and preparation for the new system completed prior to acceptance. Systems must meet acceptance criteria or have formal exceptions authorized before being connected to the [COMPANY] network.

Note that these requirements do not apply to any system not connected to the [COMPANY] corporate network. This includes standalone systems or systems in labs not connected to the rest of the network. If these systems are subsequently brought out of that environment and the desire is to connect them to the [COMPANY] network, then these requirements apply once again.

8.2.2.1 Deployment of Network Infrastructure Systems on the Production Network

Network infrastructure systems such as Domain Controllers, DNS servers, DHCP servers or other similar systems will not be deployed on the production network except by IT. If other departments require these services for projects, they must request these services to be deployed by IT, and these services must be configured to not interfere with the existing infrastructure of the network. There is no restriction in deploying these services on isolated networks.

8.2.2.2 Third Party Systems on the [COMPANY] Network

If partners or vendors require placement of their devices on the [COMPANY] network, special acceptance criteria must be applied. Third party devices must meet all system acceptance criteria as if they were [COMPANY] systems, in addition to special access to the network. [COMPANY] may not necessarily have physical or administrative control of the systems, so mitigating network controls must also be put in place.

Third party devices must be restricted in the access they may have on the network. This should be implemented through the use of Access Control Lists on the closest network device or other similar technologies. Third party systems should be placed on an "island" or other segregated network segment, allowing only specific data (required by the business) to be transferred between that network and the rest of the [COMPANY] network.

The placement of such devices must be approved by the Chief Information Security Officer and the Network Manager before the device may be connected.

8.3 Protection Against Malicious Software

[COMPANY] shall implement procedures, user awareness and change controls to detect and prevent the introduction of malicious software into the organization's computing environment. This policy will protect the integrity of software and information by promoting procedures and user actions to mitigate the risks of the introduction of malicious software into the organization.

To prevent interrupted service caused by computer viruses for both computers and networks, all personal computer users must keep current versions of approved virus-screening software enabled on their primary computers at all times.

The organization shall comply with the requirements of software licenses. No unauthorized or illegal software will be used. See also 11.1.2.

All email attachments will be scanned when entering the network or server, and scanned prior to use. All unauthorized files or amendments will be thoroughly investigated.

Procedures and responsibilities for the use of, training in, reporting on and recovery from virus attacks will be developed and documented. All users will receive training on virus awareness and virus control procedures (see 6.3). Business contingency plans shall include the handling of and recovery from virus attacks.

Management will research and actively inform users about information on real (vs. hoax) threats and the procedures for handling each type of attack. The Chief Information Security Officer shall lead this effort.
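The attachment-scanning requirement above, shown as an added Python example that is not part of the policy document: it parses an inbound message, records a SHA-256 of every attachment for the investigation record, and holds attachments whose extension is on a blocked list, that carry a double extension, or whose leading bytes contradict the name they arrive under. The blocked-extension list, the magic-number checks and the sample message are assumptions; a production gateway would hand each payload to the approved virus-screening software rather than stop at these structural checks.

```python
"""Screens inbound email attachments before delivery.

Added illustration of the 8.3 control that attachments are scanned on
entering the network; it is not part of the policy document. The blocked
extension list and the magic-number checks are assumed site values, and
the sample message is constructed, not a real capture.
"""
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List

# Assumed site rule: executable content is never delivered by mail.
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "ps1", "hta"}
PDF_MAGIC = b"%PDF-"
EXE_MAGIC = b"MZ"


def screen_attachment(filename: str, payload: bytes) -> dict:
    """Verdict for one attachment: its hash for the investigation record and the reasons to hold it."""
    reasons = []
    exts = filename.lower().split(".")[1:]        # every extension after the base name
    if exts and exts[-1] in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension .{exts[-1]}")
    if len(exts) > 1:
        reasons.append("double extension")
    # Content that carries an executable header under a non-executable name.
    if payload.startswith(EXE_MAGIC) and (not exts or exts[-1] != "exe"):
        reasons.append("executable (MZ) header under a non-executable name")
    if exts and exts[-1] == "pdf" and not payload.startswith(PDF_MAGIC):
        reasons.append("named .pdf but lacks a PDF header")
    return {
        "name": filename,
        "sha256": hashlib.sha256(payload).hexdigest(),
        "quarantine": bool(reasons),
        "reasons": reasons,
    }


def screen_message(raw: bytes) -> List[dict]:
    """Parse a raw RFC 5322 message and screen each attachment in order."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [
        screen_attachment(part.get_filename() or "unnamed", part.get_payload(decode=True))
        for part in msg.iter_attachments()
    ]


def build_sample() -> bytes:
    """Constructed inbound message with one clean and two suspicious attachments."""
    msg = EmailMessage()
    msg["From"] = "partner@example.net"
    msg["To"] = "staff@company.example"
    msg["Subject"] = "Q1 documents"
    msg.set_content("Please find the documents attached.")
    msg.add_attachment(b"%PDF-1.4\n%constructed sample\n", maintype="application",
                       subtype="pdf", filename="contract.pdf")
    msg.add_attachment(b"MZ\x90\x00constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for verdict in screen_message(build_sample()):
        state = "QUARANTINE" if verdict["quarantine"] else "deliver"
        print(f"{verdict['name']:20} {state:10} {verdict['sha256'][:16]}  {verdict['reasons']}")
```

The hash is computed for every attachment, held or not, so that the investigation required for unauthorized files can later match a delivered file against what the gateway saw.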

8.4 Housekeeping

8.4.1 Information Backup

[COMPANY] will regularly back up adequate copies and generations of all software, documentation and business information and store it offsite. Regular testing will be done to ensure the quality and usability of backed-up resources. The purpose of this policy is to maintain the availability and integrity of information resources in the case of failure or disaster by retaining up-to-date backups that are stored at a distance sufficient to escape damages that might occur at the main site.

Restoration procedures will be documented and tested to ensure that they are effective and comply with restoration time requirements. Restoration procedures shall be kept with the backup copies at the remote location.

The backup site shall implement similar physical and environmental controls as the ones in place at the main site (see 7).

Backup media shall be tested semi-annually to ensure the backup can be relied upon. IT shall be responsible for ensuring that backups are tested.

Retention schedules will be adhered to for all business information.

Determinations for permanent archival shall be made by the Legal Officer and shall be documented and adhered to.

8.4.1.1 PC Data Backup

To protect [COMPANY]'s information resources from loss or damage, personal computer users are responsible for regularly backing up the information on their personal computers to their respective network file shares that are assigned to them by the IT Operations group. These shares are backed up nightly to secure media for disaster recovery purposes.

8.5 Network Management

8.5.1 Network Controls

[COMPANY] shall implement strict controls on the organization's networks to ensure the safeguarding of information and protection of the organization's infrastructure. Controls shall guarantee the security of data in networks and protect the connected services from unauthorized access.

All procedures and responsibilities will be documented.

Network access controls will be observed for networks connected to public networks (see 9.4).

The Chief Information Security Officer will closely coordinate the controls on the organization's networks to assure functional optimization as well as consistency of controls.
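The restoration testing and semi-annual media testing required in 8.4.1 above, as an added Python example that is not part of the policy document: it backs up a constructed directory into a tar.gz archive with a SHA-256 manifest, restores the archive into an empty directory and compares every file against the manifest within a stated time limit, then runs the same procedure against a truncated copy of the archive to show how unreliable media is reported. The source tree, the archive format and the time limit are assumptions.

```python
"""Backup-and-restore test: creates a backup with a hash manifest, restores it
into a clean directory and verifies every file, then shows the same check
catching a damaged archive.

Added illustration of the 8.4.1 restoration and media testing requirements;
it is not part of the policy document. The constructed source tree, the
tar.gz format and the restore-time limit are assumptions.
"""
import hashlib
import tarfile
import tempfile
import time
import zlib
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file below root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> Dict[str, str]:
    """Write src to a tar.gz archive and return the manifest recorded at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def verify_restore(archive: Path, manifest: Dict[str, str], restore_dir: Path,
                   max_seconds: float) -> dict:
    """Restore into an empty directory and compare against the backup-time manifest."""
    started = time.monotonic()
    problems: List[str] = []
    try:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(restore_dir, filter="data")   # refuses unsafe member paths
            except TypeError:                                 # Python without the filter argument
                tar.extractall(restore_dir)
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        return {"ok": False, "problems": [f"archive unreadable: {exc}"],
                "seconds": time.monotonic() - started}
    restored = build_manifest(restore_dir)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    elapsed = time.monotonic() - started
    if elapsed > max_seconds:
        problems.append(f"restore took {elapsed:.1f}s, limit {max_seconds}s")
    return {"ok": not problems, "problems": problems, "seconds": elapsed}


def run_demo() -> dict:
    """Back up a constructed tree, verify a good restore, then verify a truncated archive."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("2014-03-24,invoice,100.00\n")
        (src / "readme.txt").write_text("constructed sample data\n")
        archive = work / "data.tar.gz"
        manifest = create_backup(src, archive)

        good = verify_restore(archive, manifest, work / "restore1", max_seconds=30.0)

        # Simulate unreliable media: keep only the first half of the archive.
        damaged = work / "damaged.tar.gz"
        blob = archive.read_bytes()
        damaged.write_bytes(blob[: len(blob) // 2])
        bad = verify_restore(damaged, manifest, work / "restore2", max_seconds=30.0)
    return {"files_in_manifest": len(manifest), "good": good, "bad": bad}


if __name__ == "__main__":
    print(run_demo())
```

The manifest is what makes the test meaningful: a restore that completes without error but yields a file whose hash differs from the backup-time record is still reported, which is the failure a bare "did the extraction succeed" check would miss. In practice the manifest travels with the restoration procedures to the remote location, as 8.4.1 requires, so that the test can be run there without access to the main site.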

8.6 Exchange of Information and Software

8.6.1 Information and Software Exchange Agreements

Formal agreements will be put in place when information and/or software are to be exchanged between organizations. This policy is necessary to prevent loss, misuse or modification of the organization's information by establishing secure agreements that reflect the sensitivity of the business information involved in such an organization-to-organization exchange.

The organization shall seek guidance from an expert or in-house counsel in the area of intellectual property exchange.


The agreements shall cover:

Responsibilities for controlling and notifying transmission, dispatch and receipt;

Procedures for notifying sender, transmission, dispatch and receipt;

Technical standards for packaging and transmission;

Courier standards;

Responsibilities and liabilities in case of loss of data;

Agreed upon labeling system;

Agreed upon standards for labeling;

Legal responsibilities (see 11.1) for copyright protection, ownership and data protection;

Technical standards for reading and recording information and software; and

Special controls for protecting sensitive items (i.e. cryptographic keys, 10.3.5).

Agreements shall be formally enacted when the information to be exchanged is of a non-public classification.

The information owner shall be responsible for assuring that agreements are executed.

8.6.2 Security of Physical Media in Transit

The purpose of this policy is to prevent loss, modification or issue of data that is being physically transported. The organization will safeguard media or information commensurate with its data classification.

The Chief Information Security Officer will provide a list of reliable, experienced couriers. Only these couriers shall be used unless the authorization of the Chief Information Security Officer is obtained.

All media in transit will be labeled accordingly and packed securely in accordance with the manufacturer's specifications.

Sensitive information shall be protected from unauthorized access or modification by methods that include:

Locked containers

Hand delivery

Tamper evident containers

Splitting the information into more than one package and more than one route

The System owner will approve the method for each transport of sensitive information.

Audit logs will be kept for each transport of sensitive media (a classification level of non-public) including:

What was sent

To whom it was sent

Who sent it

Dispatch time

Arrival time


Method of transport

Special protections

System owner's approval

8.6.3 Security of Electronic Media in Transit

The purpose of this policy is to prevent loss, modification or issue of data that is being electronically transported (i.e. email, fax and file transfer). The organization will safeguard media or information commensurate with its data classification.

Sensitive information shall be protected from unauthorized access or modification by methods that include:

Use of digital signature and encryption (see 10.3.3).

Secure use of facsimile equipment (see 10.3.3).

The System owner will approve the method for each transport of sensitive information.

Audit logs will be kept for each transport of sensitive media (a classification level of non-public) including:

What was sent

To whom it was sent

Who sent it

Dispatch time

Arrival time

Method of transport

Special protections

System owner's approval
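The audit-log contents listed in 8.6.2 and 8.6.3 above, as one added Python example that is not part of the policy document: each transport is a record carrying the listed fields; validation rejects non-public transports that lack the System owner's approval or that use a courier outside the Chief Information Security Officer's list without authorization; an overdue check flags dispatched media with no arrival logged; and each record is written as one JSON line for retention. The classification names, the courier list, the 48-hour transit limit and the sample records are assumptions.

```python
"""Audit log for transports of non-public media.

Added illustration of the record contents required by 8.6.2 (physical media)
and 8.6.3 (electronic media); it is not part of the policy document. The
classification names, the courier list, the transit-time limit and the
sample records are assumptions.
"""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed: the courier list the Chief Information Security Officer publishes,
# plus the non-courier methods the policy itself names.
APPROVED_COURIERS = {"SecureCourier Ltd", "Bonded Express"}
OTHER_ALLOWED_METHODS = {"hand delivery", "encrypted email", "encrypted file transfer"}
MAX_TRANSIT = timedelta(hours=48)   # assumed: a dispatch older than this with no arrival is escalated


@dataclass
class TransportRecord:
    what: str                      # description of the media or data sent
    classification: str            # assumed scheme: public / internal / confidential
    to_whom: str
    sent_by: str
    dispatched_at: datetime
    method: str                    # courier name or one of OTHER_ALLOWED_METHODS
    special_protections: str       # e.g. locked container, tamper-evident bag, encryption
    approved_by: Optional[str]     # System owner who approved the method
    ciso_authorized_method: bool = False   # CISO authorized a courier not on the list
    arrived_at: Optional[datetime] = None


def validate(rec: TransportRecord) -> List[str]:
    """Policy violations for one record; public media carry no obligations here."""
    if rec.classification == "public":
        return []
    problems = []
    for name in ("what", "to_whom", "sent_by", "dispatched_at", "method", "special_protections"):
        if not getattr(rec, name):
            problems.append(f"missing {name}")
    if not rec.approved_by:
        problems.append("no System owner approval recorded")
    if (rec.method not in APPROVED_COURIERS and rec.method not in OTHER_ALLOWED_METHODS
            and not rec.ciso_authorized_method):
        problems.append(f"method {rec.method!r} is not an approved courier or CISO-authorized")
    return problems


def overdue(records: List[TransportRecord], now: datetime) -> List[str]:
    """Non-public transports dispatched more than MAX_TRANSIT ago with no arrival logged."""
    return [r.what for r in records
            if r.classification != "public" and r.arrived_at is None
            and now - r.dispatched_at > MAX_TRANSIT]


def to_log_line(rec: TransportRecord) -> str:
    """One JSON line per transport, datetimes in ISO 8601, for the retained audit log."""
    return json.dumps(asdict(rec), default=lambda d: d.isoformat(), sort_keys=True)


# Constructed sample records (not real transports).
NOW = datetime(2014, 3, 24, 17, 0)
RECORDS = [
    TransportRecord("Backup tape set 2014-W12", "confidential", "Offsite vault", "j.doe",
                    datetime(2014, 3, 24, 9, 0), "SecureCourier Ltd", "locked container",
                    approved_by="backup system owner", arrived_at=datetime(2014, 3, 24, 11, 30)),
    TransportRecord("HR payroll export", "confidential", "Payroll provider", "a.smith",
                    datetime(2014, 3, 24, 10, 0), "unlisted van service", "sealed envelope",
                    approved_by=None),
    TransportRecord("Customer list USB", "internal", "Branch office", "m.lee",
                    datetime(2014, 3, 21, 8, 0), "Bonded Express", "tamper-evident bag",
                    approved_by="sales system owner"),
    TransportRecord("Press kit", "public", "News desk", "p.r", datetime(2014, 3, 10, 8, 0),
                    "ordinary post", "", approved_by=None),
]


def run_demo() -> dict:
    return {"violations": {r.what: validate(r) for r in RECORDS},
            "overdue": overdue(RECORDS, NOW)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
    for rec in RECORDS:
        print(to_log_line(rec))
```

Arrival time is the one field that cannot be filled in at dispatch, which is why the overdue check exists: a non-public transport with no arrival recorded past the transit limit is the earliest signal that media has been lost.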

8.6.4 Other Forms of Information Exchange

The following policies govern the secure use of voice, facsimile or video equipment to protect the confidentiality of and access to information that is communicated through these mediums and to ensure the availability of resources.

[COMPANY] staff shall not reveal sensitive information on the telephone (land or mobile) that can be:

overheard by others

when there is a threat of wiretap or other type of potential eavesdropping

when others at the recipient's end may be eavesdropping

in public places or in open offices or offices having thin walls

[COMPANY] staff shall not reveal sensitive information on answering machines that are shared, can be accessed by others, or could be the wrong voicemail box.


[COMPANY] staff shall not send or receive sensitive or confidential messages on facsimile machines that store messages.

[COMPANY]'s staff shall check to assure that the phone number that information is being sent to is correct and verify that the information is received.

[COMPANY]'s staff shall verify the recipient's facsimile information with the recipient prior to sending confidential information. The confidential information shall not be sent until the recipient has stated that the information can be sent.

Access to business resources shall be controlled (see 9).

8.6.5 Production of SPAM

[COMPANY] business units will take care not to produce Unsolicited Commercial Email (otherwise known as SPAM) to be sent out to the Internet. Any commercial email should be specifically targeted to recipients in accordance with applicable laws and regulations (see 11.1). If allowed mass emailings will be made, Network Services and IT will be consulted to determine the effects of these mailings on systems and the network, and appropriate mitigation efforts will be enacted (such as system, time of day or network path restrictions).

8.7 Vulnerability Management

Effective vulnerability management can reduce risk to [COMPANY]'s computing environment by verifying that systems or network devices are using current patch levels, are not running unnecessary services and do not have default passwords.

[COMPANY] shall run internal vulnerability scans against any systems containing (or accessing systems that contain) confidential data at least on a quarterly basis.

[COMPANY] shall contract with a trusted third party to run external vulnerability scans against any Internet-facing systems on at least a quarterly basis.
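The quarterly scan obligations in 8.7 above, as an added Python example that is not part of the policy document: given an asset inventory, it derives which scan types each asset requires (internal for systems holding or accessing confidential data, external for Internet-facing systems), reports scans that have never run or are older than a quarter, and computes the next due date for scheduling. The inventory is constructed, and "quarterly" is read as at most 91 days between scans, which is an assumption.

```python
"""Quarterly scan cadence check for the 8.7 vulnerability management requirements.

Added illustration, not part of the policy document: the asset inventory is
constructed, and "quarterly" is interpreted here as at most 91 days between
scans, which is an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

QUARTER = timedelta(days=91)   # assumed reading of "at least on a quarterly basis"


@dataclass
class Asset:
    name: str
    holds_confidential: bool           # contains, or accesses systems that contain, confidential data
    internet_facing: bool
    last_internal_scan: Optional[date]
    last_external_scan: Optional[date]   # run by the contracted third party


def obligations(asset: Asset) -> List[str]:
    """Which scan types 8.7 requires for this asset."""
    required = []
    if asset.holds_confidential:
        required.append("internal")
    if asset.internet_facing:
        required.append("external")
    return required


def _last_scan(asset: Asset, kind: str) -> Optional[date]:
    return asset.last_internal_scan if kind == "internal" else asset.last_external_scan


def overdue_scans(assets: List[Asset], today: date) -> List[dict]:
    """Every required scan that has never run or is older than a quarter."""
    findings = []
    for asset in assets:
        for kind in obligations(asset):
            last = _last_scan(asset, kind)
            if last is None:
                findings.append({"asset": asset.name, "scan": kind, "days_overdue": None})
            elif today - last > QUARTER:
                findings.append({"asset": asset.name, "scan": kind,
                                 "days_overdue": (today - last - QUARTER).days})
    return findings


def next_due(asset: Asset) -> dict:
    """Due date per required scan type, for scheduling the next run."""
    due = {}
    for kind in obligations(asset):
        last = _last_scan(asset, kind)
        due[kind] = "never scanned" if last is None else (last + QUARTER).isoformat()
    return due


# Constructed inventory (not real hosts).
TODAY = date(2014, 3, 24)
ASSETS = [
    Asset("db01", True, False, date(2013, 11, 1), None),        # internal scan 143 days ago
    Asset("web01", True, True, date(2014, 2, 20), None),        # external scan never run
    Asset("vpn-gw", False, True, None, date(2014, 1, 15)),      # external scan 68 days ago
    Asset("lab-kiosk", False, False, None, None),               # no obligation under 8.7
]


if __name__ == "__main__":
    for finding in overdue_scans(ASSETS, TODAY):
        print(finding)
    for asset in ASSETS:
        print(asset.name, next_due(asset))
```

A "never scanned" result is reported separately from a late scan because it usually means the asset was never entered into the scanning inventory at all, which is an inventory problem rather than a scheduling one.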


9.0 ACCESS CONTROL

9.1 Business Requirement for Access Control

9.1.1 Access Controls and Need to Know

[COMPANY] will define and document access control rights and rules for each user or group of users. Service providers shall be given clear statements of the business requirements met by these access controls. Access to information and information services will only be given on the basis of business and security requirements.

Access will be given on a need-to-know basis, based upon the security requirements and business requirements of individual business applications. Access to information shall be provided in a manner that aims to protect the confidentiality and integrity of that information and without compromise to associated information or raw data. Data owners shall review access control rights for users and groups of users on a biannual basis to ensure that all access rights are authorized and remain appropriate and that no unauthorized privileges have been gained.

All forums where confidential information may be discussed and where non-[COMPANY] employees are present shall be preceded by a determination that all parties are authorized to receive the information and the appropriate categorization of that information.

Access will be given that is consistent with security levels and classifications, consistent with legislation and contractual obligations for confidentiality.

Standard common groups of users will be given standard access profiles.

Access rights in a networked environment will recognize all connection types available.

All users and groups of users shall receive a clear statement as to the access policy and as to the requirements met by these access controls.

Originators of confidential information shall decide who will be permitted to gain access to that information and shall specify the uses for that information.

Administrator access to production systems will be limited to only those with a justified business requirement for such access. Developers and other application personnel will not have access to the underlying operating system on production systems except in emergencies, and then with access only granted for the time necessary. System administrators shall not have access to the applications if possible.

9.1.2 Types of Access Controls

[COMPANY] has established clear access control rules that distinguish between optional, express, discretionary, automatic and those that require approval.

Access rules will specifically differentiate between those rules that are optional or conditional and those that are always to be enforced.

Access rules will be declarative statements such as "access is forbidden unless specifically permitted" instead of "access is generally permitted unless forbidden". Access rules will differentiate between permissions that are granted by the information system and those permissions that must be granted by an administrator.

Access rules will differentiate between those rules that require approval and those that do not.

Access rules will consider changes in classifications that are automatic (see 5.2) and those classification changes that must be initiated by an administrator.

Access rules for each system will be developed in accordance with the Information Classification guidelines, commensurate with the information's sensitivity (see 5.2).
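The default-deny rule form in 9.1.2, the approval-required distinction, the biannual owner review and the production-access separation in 9.1.1, together as one added Python example that is not part of the policy document: access is granted only when an active, explicit permit names the user or one of the user's groups; a permit that requires approval stays inert until an approver is recorded; permits not re-certified within the review interval are listed for the data owner; and grants that give developers production OS access or system administrators application access are reported. The rule layout, the group names, the sample permits and the 182-day reading of "biannual" are assumptions.

```python
"""Default-deny access rule evaluation with approval, recertification and
separation-of-duties checks.

Added illustration of the 9.1.1 and 9.1.2 requirements; it is not part of
the policy document. The rule format, the group names and the sample rules
are assumptions; "biannual" review is read here as every 182 days.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

RECERTIFY_EVERY = timedelta(days=182)   # assumed reading of the biannual review


@dataclass(frozen=True)
class Permit:
    """A declarative grant. Anything not matched by an active Permit is forbidden."""
    subject: str                 # user or group name
    resource: str
    action: str
    requires_approval: bool      # rule distinguishes approval-required grants (9.1.2)
    approved_by: Optional[str]   # administrator or data owner who approved, if required
    certified_on: date           # last data-owner review of this right


def is_active(permit: Permit) -> bool:
    """A grant that needs approval is inert until an approver is recorded."""
    return not permit.requires_approval or permit.approved_by is not None


def is_permitted(user: str, groups: Set[str], resource: str, action: str,
                 permits: List[Permit]) -> bool:
    """Default deny: permitted only if an active grant names the user or one of the groups."""
    subjects = {user} | set(groups)
    return any(p.subject in subjects and p.resource == resource and p.action == action
               and is_active(p) for p in permits)


def stale_permits(permits: List[Permit], today: date) -> List[Permit]:
    """Grants whose last owner review is older than the review interval."""
    return [p for p in permits if today - p.certified_on > RECERTIFY_EVERY]


# Assumed resources that 9.1.1 keeps apart: production OS access is not for
# developers, application access is not for system administrators.
SEGREGATION = {
    "developers": {"prod-os"},
    "sysadmins": {"payroll-app", "crm-app"},
}


def segregation_findings(permits: List[Permit]) -> List[str]:
    """Grants that give a role access it must not normally hold."""
    return [f"{p.subject} must not hold {p.action} on {p.resource}"
            for p in permits if p.resource in SEGREGATION.get(p.subject, set())]


# Constructed rule set and group membership (not a real environment).
TODAY = date(2014, 3, 24)
PERMITS = [
    Permit("sysadmins", "prod-os", "login", False, None, date(2014, 1, 6)),
    Permit("developers", "prod-os", "login", True, "cio", date(2013, 6, 1)),    # emergency grant never withdrawn
    Permit("hr-analysts", "payroll-app", "read", True, None, date(2014, 2, 1)),  # approval still pending
    Permit("carol", "crm-app", "read", False, None, date(2014, 3, 1)),
]
GROUPS: Dict[str, Set[str]] = {
    "alice": {"developers"},
    "bob": {"sysadmins"},
    "carol": {"hr-analysts"},
}


def decide(user: str, resource: str, action: str) -> bool:
    """Evaluate one request against the sample rule set."""
    return is_permitted(user, GROUPS.get(user, set()), resource, action, PERMITS)


if __name__ == "__main__":
    for req in (("bob", "prod-os", "login"), ("alice", "prod-os", "login"),
                ("carol", "payroll-app", "read"), ("alice", "crm-app", "read")):
        print(req, "PERMIT" if decide(*req) else "DENY")
    print("stale:", [(p.subject, p.resource) for p in stale_permits(PERMITS, TODAY)])
    print("segregation:", segregation_findings(PERMITS))
```

The evaluator and the review reports are separate on purpose: an emergency grant to developers is still honoured while it exists, but the biannual review surfaces it as both stale and a segregation finding so the data owner withdraws it rather than the evaluator silently overriding a recorded decision.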


9.2 User Access Management

9.2.1 User Registration

A formal user registration and de-registration process must be used for gaining access to multi-user systems. This process must protect and maintain the security of access to the organization's information resources through the complete life cycle of the user.

Access to [COMPANY] confidential information shall be provided only after the authorization of the information owner has been obtained.

Contractors and third party contracts will contain the rights of access and will contain sanctions if unauthorized attempts at access are made (see 6.1.3 and 6.3.4).

Service providers shall be made aware of the policy not to provide access to users until specific authorization has been given.

Each person accessing a [COMPANY] multi-user based information system shall utilize a unique [COMPANY]-assigned User ID and a pri