IT Security Policies

Document Sample

Description

This Policy document set (created by Saltlake Infosolutions Pvt. Ltd., http://www.saltlakesoft.com) contains a set of IT Security Policies ranging from a Business Continuity Plan to an Incident Response Plan to an Anti-Virus and Firewall Policy, and many more. More details are available at: http://www.saltlakesoft.com/www/index.php?option=com_content&task=view&id=27&Itemid=89

The list of the Policies contained in this set is as follows:
1. Business continuity plan
2. Disaster Recovery plan
3. Incident Response Plan
4. Risk Assessment Procedure
5. Information Security Policy
6. Network Security Policy
7. Back up policy
8. User management and Access Control policy
9. Password Policy
10. Audit Trail Policy
11. Change Management Policy
12. Anti-Virus and Firewall Policy

IT Security Policies

Prepared by:

Saltlake Infosolutions Pvt. Ltd.
G-5, Gnd Floor, Koyla Vihar Abhinandan,
VIP Road, Kolkata – 700052
Phone: +91-9831592533
Email – ctcl-iml@saltlakesoft.com
Web: http://www.saltlakesoft.com

[ORGANIZATION]

IT Security Policies [ORGANIZATION] 2010.1

This sample document and all of its contents are copyright of Saltlake Infosolutions Pvt. Ltd. (http://www.saltlakesoft.com). All rights reserved.

Table of Contents

Information Technology Security Policies .......... 4
Business Continuity Plan .......... 8
Disaster Recovery Plan .......... 14
Incident Response Plan .......... 19
Risk Assessment Procedure .......... 27
Information Security Policy .......... 31
Network Security Policy .......... 37
Backup Policy .......... 42
User Management and Access Control Policy .......... 50
Password Policy .......... 56
Application Software Policy .......... 60
Audit Trail Policy .......... 63
Anti-Virus and Firewall Policy .......... 70
Change Management Policy .......... 77

Change Management Policy

Overview

As IT infrastructure at [ORGANIZATION] grows, the dependence on IT Resources increases across functions. These IT Resources could be Application Software, System Software and Operating Systems, Hardware (including Server and Client machines), Network infrastructure etc.

From time to time, these IT Resources may need to undergo changes, which could be planned upgrades or maintenance. In addition, unexpected events can occur which require upgrades or maintenance of the resource. During the upgrades or maintenance, the IT Resource could be unavailable or partially available.

It is critical for the organization to manage the changes occurring due to planned or unplanned events in such a way that the disruption to the business services of the [ORGANIZATION] is minimized.

Purpose

The purpose of the Change Management Policy is to manage changes in a rational and predictable manner so that staff members and clients can plan accordingly, and to minimize disruption to the business services of the [ORGANIZATION].

The Change Management Procedures are designed to provide an orderly process and control under which all change requests made for [ORGANIZATION]’s IT infrastructure are reviewed and approved prior to the installation or implementation of the change. Furthermore, they also define the procedure and steps which need to be followed in case any Unplanned or Emergency change takes place.

Scope

Any change in [ORGANIZATION]’s IT environment requires approval via the process defined in this policy.

This policy applies to:
• All employees, users and clients
• Changes made to all Information Technology systems and services
• Hardware upgrades or additions
• Network changes
• Infrastructure changes
• Security patches / changes
• Software upgrades, updates, or additions
• System architecture and configuration changes

Definitions

Planned Change: A change for which formal notification has been received, reviewed and approved by Management in advance of the change being implemented.

Unplanned Change: A change for which notification was not presented to the formal process in advance of the change being made. This happens with unexpected changes, where time is too short to follow the formal procedure.

Emergency Change: An immediate, on-the-spot response required for an Incident that needs an urgent solution in order to prevent widespread service or system disruption.

Process

The Change Management process consists of general procedures that must be followed for all types of changes, and a few specific procedures that apply to the respective type of change being made, i.e. planned, unplanned and emergency changes.

General procedures applied to all types of changes:
• A written request has to be made.
• Advance approval has to be obtained.
• The change must be assessed for impact, risk and priority.
• The change must be tested in advance as thoroughly as is possible and reasonable.
• The change must be documented, with all supporting documentation updated to reflect the change.
• Only in exceptional circumstances may urgent changes be made outside the normal process, and in any event they must be fully recorded retrospectively.
• Communications must ensure that the effect of a change is properly made known to those who are significantly affected, or on a need-to-know basis.
• A Change Review must be completed for each change, whether planned or unplanned, and whether successful or not.
• A Change Management Control Log must be maintained for all kinds of changes.

Planned Change Procedure

Any potential change to the [ORGANIZATION]’s IT resources must be communicated to Management by the System Administrator and the team responsible for changes. The Change Request Form must be used for communicating the potential change.

The following procedure should be followed in the case of a Planned Change:

1. A Change Request Form must be filled in and submitted to senior management, providing the necessary details and information about the change, e.g.:
a. Why the change is required.
b. Who is responsible for implementing the change.
c. The estimated date of the change.
d. A description of the change, including a timeline and the potential risks associated with it.
e. Whether the change has been approved by other staff in charge of resources that may be affected, if any.
f. The IT staff members who are involved in the change must be listed.
g. What assistance will be needed from other employees, if any.
2. Potential changes must be communicated several working days in advance of when the work is to be done.
3. After receiving notification of a potential change, any user/employee who needs more information or has an objection to the change should contact the System Administrator.
4. In the event that an objection to the change cannot be resolved informally, the Director or Senior Management person involved will call a meeting of all involved parties to resolve the dispute.

Unplanned Change Procedure

For Unplanned Changes, all the steps in the general procedure mentioned above will be followed, except for advance notification.

Emergency Change Procedure
• All emergencies will be handled on a case-by-case basis by the System Administrator with the approval of Management.
• Approval to execute the change must be obtained from Management.
• Users and/or staff affected by the emergency will be notified as soon as possible.
• The actions needed to deal with the change will be carried out by the System Administrator as soon as possible.
• All change procedures must be recorded retrospectively and preserved with the necessary supporting documents.

In the case of emergency changes the above-mentioned steps will be followed to allow the fastest possible response while still maintaining the proper levels of approval, monitoring, communication and documentation of all change-related procedures.

Responsibility and Implementation
• The System Administrator and Compliance Officer will be responsible for implementation of the Change Management Policy and procedures, in consultation with the Higher Authorities of the company.
• All Pre-Implementation and Post-Implementation processes which may be needed for future reference by the System Department must be documented or noted in the Change Implementation Form and Change Management Log.
• This policy should be periodically reviewed and updated, where and whenever necessary, to reflect changes in the IT environment of the [ORGANIZATION].

Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, penalty and/or suspension, up to and including termination of employment.

(Attached: Change Management Forms)

1. Change Request Form
2. Change Implementation Form
3. Change Management Control Log

CHANGE REQUEST FORM
[ORGANIZATION]

Change Request Details
Change Request No: / Date:
Requestor Name: / Designation:
Department:
Description of Change:
Reason for Change:
Initiation Date: / Completion Date:
Approval from Other Departments (if any):
  Department: / Approved By:
  Department: / Approved By:
  Department: / Approved By:
Type of Change: Planned / Unplanned / Emergency
Associated Risks:
Impact of the Change: High / Medium / Low
Personnel Required:
Hardware Required:
Software Required:
Estimated Cost (INR):
Signature of Requestor in full:

Change Approval or Rejection
Change Request Status: Approved / Rejected
Change Scheduled On:
Comments:
Change Implementation Assigned To:
Change Review Assigned To:
Designation of Approver:
Signature of Approver in full:

CHANGE IMPLEMENTATION FORM
[ORGANIZATION]

Change Implementation Form
Change Request No: / Date:
Department:
Name of Person Implementing Change: / Designation:
Date of Test of Change Implementation: / Change Tested By:
Description of Test:
Test Results:
Comments:
Change Implementation Date:
Results of Change Implementation:
Cost Incurred (INR):
Comments:
Signature of Person Implementing Change (in full):
Comments of Reviewer:
Signature of Reviewer (in full):

CHANGE CONTROL LOG
[ORGANIZATION]

The log is a table with one row per change request and the following columns:

1. Change Request No.
2. Request Date
3. Requested By (Name)
4. Requested By (Designation)
5. Department
6. Change Description
7. Status (Approved / Rejected)
8. Date of Approval / Rejection
9. Change Initiated On
10. Change Implemented On
11. Change Implemented By
12. Change Supervisor
13. Cost Incurred (Amount in INR)
14. Result (Success / Failure)
15. Details
16. Signature / Entered By
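The Control Log is what an auditor or Compliance Officer checks the general procedures against: was there a written request, was approval obtained before the work started, was an emergency change still approved and recorded retrospectively, and was a Change Review completed whether or not the change succeeded. The following script is an added example, not part of the Saltlake policy set or its forms; it assumes the log is kept as a CSV with the column names shown in the code, that dates are written as YYYY-MM-DD, that a `type` column records Planned/Unplanned/Emergency and a `review_completed` column records the Change Review, and it uses three working days as the threshold for "several working days" of notice (the policy gives no number). The sample rows are constructed for illustration.

```python
"""Audit a Change Management Control Log against the policy's general procedures.

Added example, not part of the original policy document. Column names, the CSV
layout, the ISO date format and the notice threshold are assumptions.
"""
import csv
import io
from datetime import date, timedelta

# "Several working days" of notice: the policy gives no figure, 3 is assumed here.
MIN_NOTICE_WORKING_DAYS = 3

# Constructed sample log (names and changes are fictitious). One clean record
# and four that each break a different rule of the policy.
SAMPLE_LOG = """\
change_request_no,request_date,requested_by,department,change_description,type,status,date_of_approval,change_initiated_on,change_implemented_on,implemented_by,review_completed,result
CR-001,2010-03-01,A. Sen,IT,Apply vendor patch to mail server,Planned,Approved,2010-03-05,2010-03-10,2010-03-10,R. Das,Yes,Success
CR-002,2010-03-08,P. Roy,Finance,Upgrade accounting software,Planned,Approved,2010-03-12,2010-03-11,2010-03-11,R. Das,Yes,Success
CR-003,2010-03-14,A. Sen,IT,Block outbound port after malware alert,Emergency,,,2010-03-14,2010-03-14,A. Sen,No,Success
CR-004,2010-03-15,P. Roy,Finance,Add network printer,Unplanned,Rejected,2010-03-16,2010-03-16,2010-03-16,R. Das,Yes,Failure
CR-005,2010-03-17,A. Sen,IT,Reconfigure firewall rule set,Planned,Approved,2010-03-17,2010-03-18,2010-03-18,R. Das,Yes,Success
"""


def _d(s):
    """Parse an ISO date; an empty cell (e.g. no approval recorded) becomes None."""
    return date.fromisoformat(s) if s else None


def working_days_between(start, end):
    """Count Monday-Friday days after `start` up to and including `end`."""
    days = 0
    d = start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def audit_record(row):
    """Return the list of policy violations found in one log row (empty if clean)."""
    findings = []
    typ = row["type"]
    requested = _d(row["request_date"])
    approval = _d(row["date_of_approval"])
    initiated = _d(row["change_initiated_on"])

    # General procedure: a written request has to be made.
    if not row["change_request_no"] or not row["change_description"]:
        findings.append("missing written request")

    # Planned and unplanned changes: advance approval before any work starts.
    if typ in ("Planned", "Unplanned"):
        if row["status"] != "Approved":
            if initiated is not None:
                findings.append("work started on a change that was not approved")
        elif approval is None:
            findings.append("approval date not recorded")
        elif initiated is not None and initiated < approval:
            findings.append("change initiated before approval")

    # Planned changes only: communicated several working days before the work
    # (unplanned changes are exempt from advance notification).
    if typ == "Planned" and requested is not None and initiated is not None:
        notice = working_days_between(requested, initiated)
        if notice < MIN_NOTICE_WORKING_DAYS:
            findings.append(f"only {notice} working day(s) notice before the change")

    # Emergency changes still need management approval, recorded retrospectively.
    if typ == "Emergency" and row["status"] != "Approved":
        findings.append("emergency change lacks recorded management approval")

    # A Change Review is required for every change, successful or not.
    if row["review_completed"] != "Yes":
        findings.append("change review not completed")

    return findings


def audit_log(csv_text):
    """Map change request number -> findings, for rows with at least one finding."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_record(row)
        if findings:
            report[row["change_request_no"]] = findings
    return report


if __name__ == "__main__":
    for cr_no, findings in audit_log(SAMPLE_LOG).items():
        print(cr_no, "->", "; ".join(findings))
```

Run on the sample log, CR-001 passes every check, while CR-002 (initiated before its approval date), CR-003 (emergency change with no recorded approval and no review), CR-004 (work done on a rejected request) and CR-005 (one working day of notice) are each reported with the rule they break. In practice the same checks belong in whatever ticketing or CMDB system holds the log, run on a schedule rather than by hand.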








