IT Security & Governance Template

This Slideshare presentation is a partial preview of the full business document. To view and download the full document, please go here:
http://flevy.com/browse/business-document/it-security-and-governance-template-312

This Word document provides a template for an IT Security & Governance Policy and is easily customisable. Areas covered are: Security, Data Back-Up, Virus Protection, Internet & Email usage, Remote & 3rd Party Network Access, User-Account Management, Procurement, Asset Management and IS Service Continuity Planning.

Published in: Business, Technology
Transcript

  • 1. IT Security & Governance Policy Template. Page 1
  • 2. Dartview Consulting – IT Security & Governance Policy Template
    Contents
    1. Summary and Purpose (page 4)
    2. Scope (page 4)
    3. Policy Responsibilities (page 4)
    4. Associated Documents or Links (page 4)
    5. Guiding Standards & Frameworks (page 4)
    6. Security (page 5)
    6.1. Approach (page 5)
    6.2. Responsibilities (page 5)
    6.3. Incident Reporting (page 5)
    6.4. Physical Security & Restricted Areas (page 5)
    6.5. Passwords (page 5)
    6.6. Penetration Testing (page 6)
    7. Back-Up & Data Management (page 7)
    7.1. Available Storage Areas (page 7)
    7.2. Email Data & Personal Folders (page 7)
    7.3. Portable Media (page 7)
    7.4. Type and Content of Data (page 7)
    7.5. Archiving of Data (page 8)
    7.6. Disc Quotas (page 8)
    7.7. Back-Up Methods (page 8)
    7.8. Data Retention (page 8)
    8. Virus Protection (page 9)
    8.1. Unauthorised Software (page 9)
    8.2. Employee Awareness and Responsibility (page 9)
    8.3. Virus Prevention, Detection and Removal (page 9)
    9. Internet & Email (page 10)
    9.1. Improper Use (page 11)
    9.2. Good Practice (page 11)
    10. Third-Party Access (page 12)
    11. Employee Remote Access (page 12)
    12. Account Administration (page 13)
    13. Shared Folders (page 13)
    14. Email Distribution Lists (page 14)
    15. Procurement (page 15)
    16. IS Service Continuity (page 17)
  • 3. Section 6 – Security
    This section should state the overall management approach towards Information Security, moving on to detail any specific areas.
    “Increasingly, the business and its information systems, processes and networks are faced with security threats from a range of sources including fraud, sabotage, fire and flood. Computer viruses, hacking and denial of service attacks are becoming more common and sophisticated as the connection of public and private networks to facilitate the sharing of information resources becomes the norm. Information is vital to the business and it must be safeguarded in order to help maintain competitiveness, ensure compliance with relevant legislation and maintain commercial image.”
    6.1. Approach
    “Senior Management is committed to the goals and principles of Information Security, and will endeavour to ensure that the information assets of the business remain adequately secured against all relevant risks. This will be achieved through:
      • An appropriate risk assessment process and the production, maintenance and enforcement of policies relating to specific areas of IT risk
      • The provision of best practice guidance on the management of risks
      • Raising the profile of information security and increasing employee awareness through appropriate education and training
      • Regular review of policy to ensure relevance
      • Regular audits to ensure policy compliance”
    6.2. Responsibilities
    “Overall responsibility for information security lies with the Board of Directors, whilst the Head of Information Services has specific responsibility for managing Information Security on a day-to-day basis. All employees are responsible for managing the security of any information they hold and preventing unauthorised access, modification, destruction or disclosure.”
    6.3. Incident Reporting
    “All employees are responsible for reporting any security breaches, intrusions or incidents to the IS Service Desk. All security incidents will be investigated.”
    6.4. Physical Security & Restricted Areas
    “Only members of the Information Services team will be given access to the Server Room and IT Stores. Access will be controlled by a swipe card system.”
    6.5. Passwords
    “Employees must log onto the network with their own User-ID and password, and these must not be shared across multiple users.
  • 4. Section 7 – Back-Up & Data Management
    This section should state the overall management approach towards data back-up and management, moving on to detail any specific areas.
    “Data stored on the <insert organisation name> network is Intellectual Property. It is extremely important that this data is secured, protected, and recoverable in a timeframe acceptable to the business. Data is distributed throughout the organisation on numerous servers. It is also stored in a number of formats (flat file, database, etc.). In order to protect this data, back-up copies will be taken to allow retrieval of lost or corrupt data, and in extreme circumstances, to allow data to be restored in support of Disaster Recovery or IS Service Continuity purposes. The purpose of this section is to define the back-up policy that will be used to achieve these goals.”
    7.1. Available Storage Areas
    This sub-section should state what storage areas are available to the business. This may simply be a Windows Filing System with 'drive letters' set aside for personal and shared storage, or may refer to the use of a formal Document Management System. If a Windows Filing System is being used, it is important to state any areas that will not be backed up on a regular basis. Employees need to be advised specifically where, and where not, to store their data. It is common to refer to a 'Good Practice Guide' that goes into more detail.
    7.2. Email Data & Personal Folders
    This sub-section should state the organisation's approach towards email data and the use of personal folders. It should state whether Personal Folders are to be allowed or not, and if so, where they should be stored. It should refer to any mailbox limits that will be enforced (single message size, mailbox size, etc.) and the protocol for mailbox archiving. Employees should be advised how to save attachments and where they should be stored. Employees using laptops, who come into the office environment only infrequently, need to be considered here. It is common to refer to a 'Good Practice Guide' that goes into more detail.
    7.3. Portable Media
    This sub-section should state the organisation's approach towards portable data. It should cover the use of USB sticks, USB hard-drives, CDs and DVDs. What this section says is very much dependent on the type of organisation, the sector in which it operates, and the legislation that applies. For organisations where data security and confidentiality are paramount, there will be a need to detail what encryption methods and protocols are to be used, and what processes are to be followed for authorised removal of data from the corporate environment.
    7.4. Type and Content of Data
    This sub-section should state what type of data the organisation will allow to be retained on the corporate network, and who is responsible for ensuring compliance and reporting breaches. It should state the process for reporting the discovery of non-business data (family pictures, etc.) and inappropriate content (pornography, racial, etc.) and should also outline any disciplinary actions that may follow discovery of such material.
  • 5. Section 8 – Virus Protection
    This section should describe the controls that the organisation will use to ensure the protection, integrity and availability of its software and information assets. All software and information processing facilities are vulnerable to the introduction of malicious software such as computer viruses, trojans and worms. The organisation must ensure that all employees are aware of the dangers of using unauthorised software, and are appropriately trained in the safe use of Email and Internet access facilities.
    8.1. Unauthorised Software
    This sub-section should state the organisation's stance with regard to unauthorised software: why it places the organisation at risk, what measures will be put in place to prevent its installation, and what processes will be followed in the event of its discovery.
    8.2. Employee Awareness and Responsibility
    This sub-section should provide all employees with a degree of awareness, highlighting the risks associated with obtaining files from external sources (including via disk, file transfer, internet download, email or other medium), and the measures that can be taken to mitigate these. Employee obligations, in terms of reporting suspicious activity/behaviour of systems and applications, should also be covered. An internal programme of regular education is a good idea.
    8.3. Virus Prevention, Detection and Removal
    This sub-section should detail the measures that the organisation will take in order to prevent, detect, and remove viruses. It should include:
      • Details of the software to be used for both Employee Hardware (PCs & Laptops) and for Infrastructure items such as Servers
      • How the software will be configured to operate (e.g. auto-scan on boot, scan on insertion of portable media, etc.)
      • Details of how software updates will be distributed and who will be responsible for making sure this happens
      • Details of the processes to be adopted once a virus has been detected
      • Details of the processes to be adopted for virus removal
      • Details of any reports covering virus prevention, detection and removal that may be required at Board Level
  • 6. Section 9 – Internet & Email (continued)
    internet and email activities by law enforcement and regulatory bodies. As such, email and internet access will be monitored. The organisation restricts access to certain categories of site and has installed a variety of firewalls and other security systems. Employees must not attempt to disable or circumvent these systems. If an attempt is made to access a prohibited site, the employee's browser will be redirected to the organisation's own web page. Where an employee requires access to a restricted site for business purposes, then a “Restricted Internet site access request” form must be completed and submitted to the IT Service Desk.”
    “It is not permitted to apply automated email forwarding from any organisation email account to any external email account.”
    9.1. Improper Use
    This sub-section should detail the uses of the Internet and Email service deemed by the organisation as being 'Improper'. Engaging in any of the following activities is likely to result in disciplinary action and may result in civil liability or criminal prosecution.
      • Viewing, downloading, sending or publishing material that may be considered offensive, illegal, obscene, profane, malicious, abusive or disparaging on the basis of age, sex, race, religion, disability or sexual orientation.
      • Sending or publishing material that has the potential to embarrass, harass, or intimidate.
      • Sending or publishing material that damages the reputation of any person or organisation (or its goods or services).
      • Sending or publishing information that you know to be false or misleading.
      • Making unauthorised contractual commitments.
      • Failing to comply with project transmittal or security instructions.
      • Divulging confidential information, including any personal information about other individuals, without appropriate authorisation.
      • Downloading or distributing copyright material without permission to do so.
      • Installing or distributing unauthorised or unlicensed software or data.
      • Using an account other than your own without the delegated authority of its owner.
      • Falsifying user information.
      • Subscribing to information broadcast services that are unrelated to business activities.
      • Forwarding chain letters or other forms of junk mail.
      • Computer and network hacking.
      • Deliberately propagating any virus or similar malicious code.
      • Soliciting for personal gain or profit.
      • Gambling.
      • Conducting illegal activities.
    9.2. Good Practice
    This sub-section should detail the uses of the Internet and Email service deemed by the organisation as constituting 'Good Practice'. The following good practice ensures efficient and productive use of the Internet and email systems. Failure to adhere to this good practice may result in access to these services being withdrawn or restricted.
      • Do not send trivial email messages.
      • Use appropriate language at all times.
      • Ensure that emails are addressed correctly and consider to whom messages should be copied or forwarded, keeping the number of addressees to a minimum.
  • 7. Section 12 – Account Administration
    This section should state the control procedures that will be used with regard to User Account Administration. It should include:
      • Details of the process that must be used by the business when requesting New Account Creation, and the information that must be provided as a minimum.
      • Details of (or reference to) the SLA in place with the Service Desk (what is the stated turnaround time from receipt of request to an account being available for use).
      • Details of the process that must be used by the business when requesting Account Closure, and the information that must be provided as a minimum.
      • Details of (or reference to) the SLA in place with the Service Desk (what is the stated turnaround time from receipt of request to an account being closed).
      • Details of the process that must be used by the business when requesting Account Modification, and the information that must be provided as a minimum.
      • Details of (or reference to) the SLA in place with the Service Desk (what is the stated turnaround time from receipt of request to an account being modified).
      • Details of the process that will be followed by the Service Desk with regard to the data associated with Closed Accounts, and the authorisations required in making such data available to another person (e.g. a successor, the leaver's line manager, etc.).
      • Details of the process that must be used by the business in order to ensure prompt return of any assets (e.g. laptop, mobile phone) that have been allocated to any employee now leaving the organisation.
    13. Shared Folders
    This section should state the control procedures that will be used with regard to the use of Shared Folders (in a traditional Windows Filing System). It should include:
      • Details of the Drive Letter Mapping and Naming Convention that will be used.
      • Details of the types of access that will be available (Full and Read-Only are usual).
      • Details of the process that must be used by the business when requesting New Shared Folder Creation, and the information that must be provided as a minimum.
      • Details of (or reference to) the SLA in place with the Service Desk (what is the stated turnaround time from receipt of request to a new shared folder being available for use).
      • Details of the process that must be used by the business when requesting a Change of Access Rights for an existing Shared Folder, and the information that must be provided as a minimum.
      • Details of (or reference to) the SLA in place with the Service Desk (what is the stated turnaround time from receipt of request to the change in access rights being implemented).
  • 8. Section 15 – Procurement
    This section should outline the organisation's approach towards the procurement of IT Goods and Services. It should include:
      • Details of who is responsible for the actual placement of purchase orders.
      • Details of the process that must be used by the business when making requisitions, and the authorisations that are required.
      • Details of the process that must be used by the business when receiving goods and/or services.
      • Details of any stock control and inventory procedures that will be used.
      • Details of the Asset Management & Tagging process that will be used for Hardware and Software (this should include details of how assets will be recorded in the CMDB of the Service Management System).
      • Details of the process to be used with regard to Disposal of Assets (consider the WEEE directive).
    “In order to ensure compliance with the organisation's technical infrastructure, and to maximise business assets, all procurement of hardware, software, and services will be performed by Information Services.”
    “All requests for 'day to day' IS expenditure must be made via the Service Desk Customer Portal. Where a need for expenditure has arisen from a discussion between the business and Information Services, a retrospective request will be logged by IS.”
    “All requests for IS expenditure are subject, at their discretion, to authorisation by the Head of Information Services and the Chief Financial Officer.”
    “All Purchase Orders will be raised by Information Services using the vendor's online procurement process wherever available.”
    “All hardware and software will be delivered to the organisation's UK Head Office for the attention of the Information Services department. Information Services will be responsible for confirming receipt of delivery.”
    “All hardware items and software licences will be recorded as individual Configuration Items (CIs) within the Configuration Management Database (CMDB) of the Service Management System adopted by Information Services (<name of ITSM application>).”
    “In order to achieve Service Level Agreement commitments, Information Services will maintain a stock of hardware and software. Requests for expenditure will be met from stock wherever possible.”
    “Assets will not be deployed to individual users unless a request has been made via the Service Desk Customer Portal. Prior to deployment, all hardware will be 'asset-tagged' and the CMDB updated to record that the asset has been deployed. Where assets are returned into stock, regardless of the circumstances, the following information must be provided to the Head of Information Services:”
      • Organisation Asset Reference
      • Manufacturer Tag Reference
      • Manufacturer Serial Number
      • Previous User
      • Software currently installed
  • 9. Section 16 – IS Service Continuity
    This section should outline the organisation's stance with regard to IS Service Continuity, and as such should either be a detailed and comprehensive section or, more practically, refer to a separate “IS Service Continuity Plan”. Areas for consideration should be:
      • Identify & Assess the risks posed to the Infrastructure used to deliver services to the organisation
      • Identify & Assess the risks posed to the Network used to deliver services to the organisation
      • Identify & Assess the risks posed to the Resources used to deliver services to the organisation
      • Detail the planned responses to each risk, agree remedial action, assign ownership, and develop test scenarios
      • Reference to any wider Risk Management Policy and Risk Management Strategy that the organisation may maintain
    Suggested approach:
    Clearly define a Scope
    The term 'IS Service Continuity' should be clearly understood as being only 'a component' of the wider Business Continuity or Disaster Recovery topics. These wider topics are NOT discussed or addressed in this document as they do not fall within the remit of Information Services. For example, if a Transport Issue or a Viral Outbreak means that an organisation's Head Office becomes inaccessible, this does not necessarily constitute a need for IS Service Continuity action to be taken; it may just be a Business Continuity issue, provided the services themselves can still be accessed. If, however, the Service Desk staff are based in the same building and cannot man the telephones, this is certainly an issue that must be dealt with.
    Provide some Background to set the scene
    The current IT Infrastructure could be described here (avoiding too much technical detail) and shown in graphical format. Make reference to any existing contractual agreements (e.g. Co-Location arrangements, External Data Centre services, or any other part of the provision of services to the organisation that has been outsourced).
    Physical Geography of the Organisation
    The physical distribution of the organisation's operational activities could be described here: where the offices are located, how they are connected to the organisation's IT Infrastructure and Network, how many people are based at each location, which locations use which services, etc. Again, a graphical representation is always helpful.
    Identify & Assess the Risks
    A number of techniques and tools can be used to Identify & Assess risks. Some examples are:
      • Stakeholder Analysis
      • RACI Diagram
      • PESTLE Analysis
      • SWOT Analysis
      • Horizon Scanning