IT Information Security Policy

Version 1.3




Author: Matt Cannon, 13th July 2010
Table of contents

1.0  Policy Overview
   1.1  Policy Review
      1.1.1  Review Process
      1.1.2  Review intervals
2.0  Physical security
   2.1  Security Management
3.0  IT Hardware
4.0  Data handling
5.0  Administration
   5.1  Administration restrictions
   5.2  Administration of user actions
      5.2.1  Software Administration
6.0  Backups
7.0  User Obligations
   7.1  Fundamental Obligations
   7.2  Client Data Obligations
8.0  Appropriate use of resources
   8.1  Acceptable use of the internet
      8.1.1  Accessing and downloading
      8.1.2  Uploading and posting information outside CCR networks
   8.2  Acceptable use of email
9.0  Visitor control
   9.1  Visitor access to secure areas


1.0 Policy Overview
CCR Data Ltd, comprising its management, staff, temporary workers, contractors, investors,
shareholders and business partners, is referred to herein as “CCR”.

CCR takes its Information Security Policy very seriously. We have taken great care to ensure the
safety of the often confidential information entrusted to us by our clients. We work with partners
such as The Royal Mail, BSI, and Experian to achieve the highest levels of security when handling
client data.

Our security is based on BSI 9666 and 9667, which the Royal Mail uses as a prerequisite to
becoming a Royal Mail accredited data bureau. The Royal Mail performs regular audits to ensure
that standards and new working practices are adhered to.

These policies and standards outline the core requirements for all of CCR when handling its clients’ data.

        1.1     Policy Review
        It is the duty of CCR management and staff to ensure that the IT policy is kept up to date and
        reviewed whenever global policy, or the policies of interested parties, are reviewed. The policy
        is reviewed according to business requirements and the business environment by assessing
        internal and external environments, threats and other issues created by trends, change or
        new developments.

        The information security policies and standards are controlled by the appointed technical
        lead within CCR. Changes may only be made with the approval of the board of directors.
        Changes may be applied without warning but must be approved and accompanied by a
        business case justifying the change.

                1.1.1 Review Process
                The following steps must be followed in order to modify the information
                security policy:

                       - The change details must be in writing
                       - An associated business case must accompany the change details
                       - Both the change and the business case must be presented to the board of
                         directors
                       - The board of directors will then vote on the change
                       - The change is then applied by one of the following:
                            o The chief technical officer
                            o A member of the board of directors
                            o The proposer
                            o A delegated person assigned by the board
                       - The revised document must then be disseminated to all interested parties

If the board rejects the request for change, the proposer may appeal the decision in writing. The
steps above must be taken again in order to reapply for the change, along with any amendments and
the reasoning for the appeal; the board will then consider all the evidence. Where the appeal also
fails, the decision of the board is final.


                1.1.2 Review intervals
                The policies and standards within the Information Security Policy document must be
                reviewed when any of the following conditions is met:

                    1. A year has passed since the last review
                    2. A new product / solution is connected to any part of the infrastructure
                       managed by CCR
                    3. A new IT related project or solution is planned for deployment to CCR
                       infrastructure
                    4. A change is required on an existing system / hardware connected to the core
                       CCR infrastructure


2.0     Physical security
In accordance with regulatory and contractual requirements, the premises on which CCR conducts its
business must be risk assessed and managed under policy; this protects the interests of both the
client and CCR.

       - Electronic door entry system on entrance doors.
       - Coded entry systems on key internal doors, such as server rooms and opening rooms.
       - ADT alarm system
       - CCTV in opening room
       - 3 data safes
       - 24 hour security guard on gated vehicle entrance

CCR should also have the following information to hand in case of an emergency scenario in which
it may be needed:
     - Fire protection policy
     - Grounds and office risk assessment
     - Evacuation and threat response procedures
     - Process for activation of the business continuity plan

    2.1         Security Management
    Any member of staff with a set of keys to the premises is responsible for ensuring that the keys
    are in their control at all times; any loss or suspicion of loss should be reported to the board of
    directors immediately.

    The CCR premises are managed by further security personnel who will also need to be informed
    so as to be aware of any potential threat to the building.

    Failure to recover the keys before the building is to be left unattended must result in a locksmith
    being called to replace the locks.


3.0     IT Hardware
Regulatory and contractual requirements for the premises also demand that our hardware can
protect all interested parties.

       - Hardware based firewall (Cisco PIX).
       - Our firewall is managed and maintained by a third party who run regular vulnerability tests.
       - All servers are housed in racks in a secure, coded-lock server room to which all the
         standards set out above apply.
       - Spare connections are physically disconnected from the patch panels so that “extra” equipment
         can only be connected on an authorised basis.
       - IT policy prevents all staff from connecting other devices such as MP3 players, USB key drives
         or hard drives.


4.0     Data handling
When receiving or transmitting data to or from the CCR infrastructure, it is vital that the following
conditions are met in accordance with regulatory policy, the NDA and any SLAs put in place to ensure
levels of service provision to the client.

       - No data is sent from the CCR network without protection, using either SFTP or encryption
         with “Utimaco Safeguard Private Crypto” software as a minimum, unless a specific request is
         made by the customer in writing beforehand.
       - Data is only shared with Experian, as per our standard NDA, as the services CCR provides may
         be Experian services and not entirely CCR Data Ltd’s own.
       - CCR can provide secure FTP or other secure endpoints on demand to allow customers to send
         data to us securely, but this is not required by all customers.

Data sent from the client to CCR must be used only for the job for which it is specifically intended
unless prior authorization is provided by the client in writing. In order to carry out the job, CCR may
need to share the client data with carefully selected partners, during which time it is the
responsibility of CCR to ensure that the data is protected from intrusion, attack, theft or unintended
modification.


5.0     Administration
Administrators of the CCR infrastructure are required to ensure that the following is carried out:

       - All users must change their passwords every 30 days.
       - Key users (e.g. IT) must change their passwords every 30 days.
       - Password policy is enforced by the domain controllers.
       - Logs are carefully monitored and maintained through internal process.
       - Administrators regularly apply patches and updates to ensure all servers are up to date.


    5.1         Administration restrictions
    CCR administration personnel may not use their rights to spy on, or breach the rights of, users or
    individuals without the express written authorization of the board of directors. Such permission
    is to be granted only in conjunction with a formal investigation, which should be presented to the
    board together with the request for access to the data of the user in question.

    5.2         Administration of user actions
    Administration of all user interactions with client data and contact is core to protecting the
    interests of all involved parties.

    Administration covers the following actions, but is not limited to them:

           - File interactions (copy, move, delete, update)
           - Server access and logins, whether successful or not
           - CRM use
           - General computer use
           - Storage use
           - Application use
           - Internet and email use

    Administration is performed using security products and log data from across the core services
    infrastructure. Logs may contain usernames, dates, key information about the action taken and
    other data relating to the action in question (e.g. status codes).


        5.2.1 Software Administration
        By using administrative products and solutions CCR is able to conform to a standardized
        process which includes, but is not limited to, the following:

               - Scriptlogic’s File System Auditor
                    o Audits, reports and alerts on Windows file server activity, showing who
                      touched which files and folders, when and on what server.
               - Authenex’s two-factor authentication for network logons.


6.0     Backups
UK law dictates that CCR must be accountable for its business actions and therefore an audit trail
must be provable for the required minimum period. Whilst account information may be stored for
longer, customer data may be backed up and kept for a minimum period of 1 year.

       - Incremental backups of all business critical and customer data are performed daily.
       - A full backup of all servers is taken weekly.
       - Ongoing work may be treated as critical, and where large numbers of changes are made in a
         single day further backups can be scheduled where appropriate (e.g. on the hour).
       - Copies of the daily backups are kept in a secure safe off site for business continuity in
         case of emergency.

Data from backups may be stored in a secure off-site location provided this is in accordance with the
information security policy; transportation to that location is the responsibility of CCR. Any failure
to meet the requirements set out in the policy is a clear compliance failure and will be acted upon
accordingly.

Backed up customer data may only be recovered as part of a request from the customer in writing.
Expired backups are to be fully erased so as not to be recoverable in the future.




7.0     User Obligations
All users are required to carry out the following before having any contact with the CCR
infrastructure:

       - All staff are required to sign a comprehensive non-disclosure agreement.
       - All staff are required to sign a declaration stating that they have read and understood our
         Information Security Policy.
       - All staff are required to attend any CCR-required user training to ensure awareness of CCR
         standard process and policy.

    7.1         Fundamental Obligations
    All users are expected to understand their roles and mitigate security risk themselves. If a risk is
    identified that is not being properly addressed and cannot be mitigated by the user, it is the
    responsibility of the user to ensure that the proper escalation process is followed so that the
    risk is mitigated appropriately.

    When leaving a workstation unattended it is the responsibility of the user to protect the
    workstation by either logging off or locking it to prevent unauthorized access.

    7.2         Client Data Obligations
    Compliance with regulation and policy or standard process dictates that all personnel must be
    aware of and understand their obligations regarding client or other sensitive data. NDAs cover
    many key points, but the following must also be adhered to in order to ensure that CCR and the
    client are both protected.

    Users are obligated to respect the confidential nature of the business and the relationship of
    CCR with its client, and to protect the interests of the client at all times. The user must never
    knowingly copy data from the CCR infrastructure to any other location unless explicitly
    requested in writing by the customer. Data provided by the client must be protected by the user
    by ensuring that no data is left on an area of the network that is not approved for storage by the
    board of directors.

    Client data must never knowingly be deleted or altered without prior authorization from the
    client.

    Client data or other confidential information must not be left on unattended desks, to ensure
    that the client’s interests are upheld.


8.0     Appropriate use of resources
All CCR authorized personnel that have access to CCR systems / resources are required to adhere to
the following standards of working when using those resources.

Users may not use CCR resources to break any laws or contravene the terms of the IT Information
Policy; any action taken against CCR or its clients will result in prosecution.



        8.1     Acceptable use of the internet
        Users are reminded that internet use is for business use only. Whilst some use of the
        internet is allowed during breaks or outside working hours, such access may be monitored for
        any irregularity. Illegal use of the internet is strictly against company policy.

                8.1.1 Accessing and downloading
                The internet must not be used to view, access or download anything that might be
                deemed inappropriate, which includes but may not be limited to the following:

                       - Pornography
                       - Illegally sourced material (e.g. copyrighted software, music, video)

                8.1.2 Uploading and posting information outside CCR networks
                The internet may not be used to slander CCR or its clients, publish client data, or
                transfer data from CCR servers to locations not agreed with the customer. When
                accessing message boards or forums, the use of company logos or other related
                corporate information must be explicitly authorized by the board of directors to
                ensure that the company is presented in a fashion appropriate to the direction of
                the business.

        8.2     Acceptable use of email
        Users are reminded that internet use is for business use only. Whilst some use of the
        internet is allowed during breaks or outside working hours, such access may be monitored for
        any irregularity.


9.0     Visitor control
Visitors to the building must be escorted at all times and must never be left unattended. It is the
responsibility of the host for any guest to ensure that their guest is not left unattended at any time.
Any questions around unknown visitors should be raised immediately with a line manager.

        9.1     Visitor access to secure areas
        Any visitor accessing a secure area should be monitored at all times with a member of CCR
        management in attendance during the entire time. Express written permission must also be
        sought from a CCR director and linked to the business case or reasoning for the access
        required.

        Such access must include an audit trail that can be confirmed after the visit; the audit trail
        must also include details of what actions were taken in the secure area and why.



