Information Security Policy

From IT frameworks


The ITIL Map (image map of the ITIL processes)

This article contains a template for a Security Policy falling under Information Security Management.


Introduction

Information Security covers areas such as access control, cryptography, firewalls and intrusion detection, safe protocols to use, handling of sensitive information, privacy, physical security and security risk management.

Access to services

Access to systems is regulated by this policy and by the Information Security Management process. Day-to-day enforcement of this policy is performed by the Access Management process.

Overall rule: No one may grant increased access to themselves on any system. Access is always granted by someone other than the person receiving it.

Types of users

There are three types of IT users:

  • Internal users: Those with an employee number
  • External contractors: Consultants with a long-term contract, holding an “extxxx” number. They must have signed a contract that includes the text in appendix A of this policy
  • External users: Anyone else needing access to a system

Access is granted to each type as follows:

  • Internal users: Any employee is given access to a non-critical system when authorized by his or her senior. For access to critical systems, additional authorization by the System Owner is needed.
  • External contractors: Access is never granted to a company as a whole but only to named individuals. The System Owner and the System Responsible jointly grant access to external contractors.
  • External users: External users are either bound by the Access Contract or are under the supervision of the employee responsible for the system to which access is temporarily granted. For the duration of the access, the System Responsible bears full responsibility for any wilful harm done by the external user.

Contracts to cover access for external contractors and users

All contracts with IT suppliers are handled by Supplier Management. Any contract (with IT or other suppliers) that requires privileged access for external users or contractors must be approved by the Information Security Manager. If the contract demands or implies access to critical systems, the contract must also be approved by the IT Manager.

Trust levels

Each user is placed on a scale of trust from 0 to 5:

  • 0: Public access only
  • 1: Temporary access to non-critical systems granted, supervised by the System Responsible
  • 2: Temporary access to critical systems granted, supervised by the System Responsible
  • 3: Permanent access granted to non-critical systems by the user’s senior, and to critical systems by the senior and the System Owner
  • 4: Administrative rights granted to non-critical systems; permanent access to critical systems granted by IT
  • 5: Administrative rights to critical systems granted by IT

An internal user or external contractor has a general trust level of 3. IT staff have a general trust level of 4. The following process owners have a general trust level of 5:

ADD PROCESS OWNERS HERE

The Service Knowledge Management System (SKMS) records which systems are critical and who the System Responsible and System Owner are for each system.

Physical access

All IT facilities are to be locked. Physical access is granted according to the rules for system access given for the three types of users above.

ADD MORE INFORMATION HERE AS NEEDED

All access control to physical IT premises is the ultimate responsibility of the Information Security Manager. He or she sets specific rules for each area and for each group/role/person.

The following have default physical access to the IT premises:

  • Fire department
  • Security guard
  • IT staff
  • ADD MORE HERE AS NEEDED

The Information Security Manager keeps a list of all groups/roles/persons with IT privileges.

Introduction and decommissioning of users

Normally, the Human Resources (HR) department is responsible for announcing new users and for providing information on users whose access is to be revoked (decommissioned).

All new employees will receive information on how to handle IT security and how to relate to IT as a user, customer or authority.

Introduction and decommissioning of services and systems

Any introduction or decommissioning of services, systems, IT units or components is to be sanctioned by the Information Security Manager, either case by case or, if the Manager so decides, as a standing approval for certain types of systems. Nothing is to be installed without his or her explicit approval.

Decommissioning of systems must likewise be approved by the Information Security Manager.

Privacy and confidentiality

Employees are bound by their contract of employment. All others must sign the Access Contract in order to be granted any IT privileges.

E-mail

INCLUDE SOME INFORMATION ON HOW TO ENSURE SECURITY HERE

Company's equipment (mobile phones, laptops, etc)

INCLUDE SOME INFORMATION ON HOW TO ENSURE SECURITY HERE

Protection of services

Critical systems are defined in the CMDB. All critical systems are to be protected by a firewall. Any external connection must pass through a firewall controlled by the IT Organisation.

Changes in the firewall rules are handled through the Change Management process.

The Information Security Manager is responsible for staying informed about security breaches affecting any of the business-critical systems. He or she is further responsible for taking whatever action is needed to limit the impact of security problems. Normally this is done by raising an RfC (Request for Change) with Change Management, but he or she is at liberty to invoke an Emergency Change if need be.

Protocols, passwords and cryptography

All usernames and passwords must be transmitted over encrypted channels on the network; cleartext authentication protocols are not permitted.

INCLUDE INFORMATION ON PASSWORD POLICY

Passwords are to be a minimum of FILL IN NUMBER HERE characters for desktop users and must be changed every FILL IN NUMBER HERE months. Administrative passwords are to be a minimum of FILL IN NUMBER HERE mixed characters (letters, digits and special characters) and must be changed every FILL IN NUMBER HERE months.

Risk Management

The Information Security Manager has senior authority in assessing risk when new systems are to be designed and introduced. He or she has a veto over the introduction of new systems on the network.

Security review

A security review (audit) of critical systems is to be carried out FILL IN NUMBER OF TIMES HERE per year. The audit also covers the need for intrusion detection (IDS), file-integrity monitoring (e.g. Tripwire), anomaly detection, etc. The Information Security Manager is responsible for convening the review and for writing a report containing an IT security plan for the coming year.

Policy authorization

INCLUDE SIGNATURE FIELDS HERE