The purpose of this policy is to protect [organisation] information from misuse (whether intentional or unintentional), corruption and unauthorised access. In addition, this policy outlines controls that help ensure the integrity and availability of [organisation] information.
This policy applies to all employees, board members, contractors, consultants and visitors that use ICT systems and services provided by [organisation].
Responsibilities. The [owner role] is primarily responsible for implementing provisions detailed in this policy and for taking remedial action in the event of a potential or actual breach of this policy. In addition, the [owner role] is responsible for monitoring security controls and educating users on their role in ensuring [organisation] information remains secure.
The [sponsor role] is responsible for ensuring that the provisions detailed in this policy are implemented, and is the escalation point for reporting any breach of ICT systems.
Reporting. All potential and actual breaches of any aspect of this policy must be reported to the [owner role] immediately. All breaches that have the potential to severely impact [organisation] business operations must in turn be reported to the [sponsor role] as soon as possible. All other breaches must be reported to the [sponsor role] within two weeks of the breach or potential breach occurring.
Incident Response Plan. [organisation] has an approved plan that gives IT a standard approach to handling security incidents. It sets out the process to be followed when a breach or potential breach of this policy has occurred, including the steps needed to protect [organisation] information assets and to contain the impact of the security threat. The plan also includes a root cause analysis to identify the vulnerability exploited in the breach and to apply changes that close it.
Business Continuity and Disaster Recovery Plans. [organisation] has a Business Continuity Plan that details the ICT systems needed to support critical business functions in the event that ICT services become significantly degraded or impacted by an event. The Business Continuity Plan also details the measures employed to minimise business impact.
In addition, [organisation] maintains a Disaster Recovery Plan that describes the process of restoring critical ICT systems and services in the event of a disaster. The Disaster Recovery Plan is supported by [organisation] backup and recovery infrastructure.
Backup and recovery. A comprehensive backup and recovery regime is in place so that [organisation] can quickly recover from data corruption or loss. Daily incremental backups and weekly full backups are performed of all [organisation] data. The eight most recent daily backups and the five most recent weekly backups are retained. Full monthly backups are retained for a minimum of 25 months, and annual backups for a minimum of 8 years.
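As an added illustration (not part of the policy and not [organisation]'s own tooling), the following Python applies the retention schedule above to a constructed calendar of backups and then checks that every retained daily incremental can still be restored. The retention counts and periods are the policy's; the calendar, the record layout, the treatment of months and years as whole calendar periods, and the assumption that the 1 January and first-of-month backups serve as the annual and monthly fulls are assumptions of the example.

```python
"""Added example: grandfather-father-son retention for the policy's schedule,
plus a restorability check on the retained incrementals.  Not [organisation]
code; calendar and record layout are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

KEEP_DAILY = 8            # daily incremental backups retained (policy)
KEEP_WEEKLY = 5           # weekly full backups retained (policy)
KEEP_MONTHLY_MONTHS = 25  # monthly fulls kept for at least 25 months (policy)
KEEP_ANNUAL_YEARS = 8     # annual fulls kept for at least 8 years (policy)


@dataclass(frozen=True, order=True)
class Backup:
    taken: date
    kind: str   # "daily" (incremental) or "weekly"/"monthly"/"annual" (full)

    @property
    def full(self) -> bool:
        return self.kind != "daily"


def whole_months(older: date, newer: date) -> int:
    """Whole calendar months elapsed from older to newer (assumed reading)."""
    months = (newer.year - older.year) * 12 + (newer.month - older.month)
    return months - 1 if newer.day < older.day else months


def build_calendar(start: date, end: date):
    """Constructed sample: one backup per day, highest applicable tier wins.
    Assumption: 1 January is the annual full, other first-of-month days the
    monthly full, other Sundays the weekly full, everything else incremental."""
    cal, d = [], start
    while d <= end:
        if d.month == 1 and d.day == 1:
            kind = "annual"
        elif d.day == 1:
            kind = "monthly"
        elif d.weekday() == 6:
            kind = "weekly"
        else:
            kind = "daily"
        cal.append(Backup(d, kind))
        d += timedelta(days=1)
    return cal


def select_retained(backups, today: date):
    """Backups that must still be kept under the policy as of `today`."""
    newest_first = sorted(backups, reverse=True)
    daily = [b for b in newest_first if b.kind == "daily"][:KEEP_DAILY]
    weekly = [b for b in newest_first if b.kind == "weekly"][:KEEP_WEEKLY]
    monthly = [b for b in newest_first if b.kind == "monthly"
               and whole_months(b.taken, today) <= KEEP_MONTHLY_MONTHS]
    annual = [b for b in newest_first if b.kind == "annual"
              and whole_months(b.taken, today) // 12 <= KEEP_ANNUAL_YEARS]
    return set(daily) | set(weekly) | set(monthly) | set(annual)


def unrestorable(backups, retained, differential: bool):
    """Retained incrementals whose restore chain is no longer complete.
    differential=True : an incremental needs only its base full.
    differential=False: it also needs every backup between that full and itself."""
    by_date = sorted(backups)
    broken = []
    for b in sorted(retained):
        if b.full:
            continue
        older = [x for x in by_date if x.taken < b.taken]
        fulls = [x for x in older if x.full]
        if not fulls:
            broken.append(b)
            continue
        base = fulls[-1]
        chain = [base] if differential else [x for x in older if x.taken >= base.taken]
        if any(x not in retained for x in chain):
            broken.append(b)
    return broken


if __name__ == "__main__":
    today = date(2024, 6, 30)
    cal = build_calendar(date(2015, 1, 1), today)
    kept = select_retained(cal, today)
    print("retained:", len(kept), "of", len(cal))
    print("unrestorable if differential:", unrestorable(cal, kept, True))
    print("unrestorable if true incremental:", unrestorable(cal, kept, False))
```

Run as written, the check passes if the daily backups are differential (each taken relative to the last full) but reports the two oldest retained dailies as unrestorable if they are true incrementals, because their chain runs through daily backups that the eight-copy limit has already discarded. The policy does not say which kind of incremental is used; that is the question to settle when the regime is implemented.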
Independent security audits. [organisation] is committed to having an independent, external organisation conduct an information security audit to uncover vulnerabilities that may expose [organisation] to a security breach and that may not be readily apparent. An independent security audit is conducted at least once every two years. This information security audit should include an external penetration test.
Detecting security incidents. [organisation] maintains tools and procedures for the detection of security incidents. These tools include virus detection and quarantine, intrusion detection and a regular review of event logs of [organisation] ICT systems to uncover anomalies.
Physical security of ICT assets. Physical access to the [organisation] central server farm is restricted to those members of the IT team who require it for change and maintenance activity. Contractors and other individuals requiring access to the server farm must be accompanied by a member of the IT team.
The central server farm is housed in a facility that provides uninterruptible power in the event of a brownout or blackout. In addition, the facility is air conditioned. All removable media (e.g. backup tapes or drives) are physically secured against unauthorised access.
Network equipment is housed in a lockable cabinet that prevents unauthorised access. Keys to these cabinets are only to be held by members of the IT team.
[organisation] implements physical measures to prevent unauthorised people from observing ICT systems, in particular, displays and keyboards.
Network security. [organisation] corporate information must be encrypted using [organisation]-approved encryption before it is transmitted over shared or public network infrastructure. VPN, Remote Desktop Services and ActiveSync are the only authorised methods of remote access to [organisation] applications and data. Internet content is filtered to block unauthorised material. All internet and email communications are logged and monitored for unauthorised activity. More information on internet and email requirements can be found in the <Internet and Email Policy>.
Authorised applications. Only applications authorised by the [sponsor role] will be run on [organisation] ICT equipment (including within the central server farm and on end user PCs, laptops and ultrabooks). Administrator access to ICT end user equipment is only provided to the IT team.
Application patching. A regular regime is in place to monitor for patch updates to [organisation] applications, to test these patches and to apply them in the Production environment. Note that any change in Production must comply with the <IT Testing and Change Management Policy>.
End user equipment. [organisation] end user equipment must only be used by [organisation] personnel (with the exception of public PCs and equipment that is segregated from the [organisation] corporate network). The transfer of files from USB drives to [organisation] equipment is monitored by IT.
Access control. All [organisation] ICT systems must provide controls to ensure that a user is correctly identified, that they can only access information they are authorised to access, and that they can perform only those functions they are authorised to perform. These access controls may be enforced by an ICT system or through an auditable manual process. IT may be granted privileged access to perform maintenance. Users and their level of access must be audited at least every six months.
Please refer to the <ICT User Access Policy> for more information on password specific requirements.
Repurposing or retiring ICT equipment. All [organisation] ICT equipment that is to be repurposed or retired must have its fixed media sanitised of all [organisation] data.
Security Training and Education. IT provides ongoing and regular security training and education that highlights individual roles and responsibilities, and how everyone plays a role in securing [organisation] information and ICT systems. In addition, security awareness is promoted across the organisation through a range of communication methods (for example logon banners, system access forms and departmental bulletins or memoranda).
Ensuring integrity of evidence. IT stores raw audit trails on media for secure archiving, and secures manual log records for retention. In the event that a security breach is uncovered, IT will ensure that all personnel involved in investigating the breach keep a record of the actions they undertake, to support any remedial action. All audit logs and trails must be non-repudiable.
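As an added example (not the policy's own procedure and not [organisation]'s archiving system), the following Python shows one way to make an archived audit trail tamper-evident: each archived record carries the hash of the record before it, and the chain head is sealed with an HMAC under a key held by the archiving system, so that editing, deleting, appending or reordering archived records is detectable. The record layout, sample events, key and field names are constructed for this example.

```python
"""Added example: hash-chained audit records with an HMAC seal.  Not
[organisation] code; events, key and record layout are constructed."""
import hashlib
import hmac
import json

# Constructed sample events (assumption: one dict per archived audit record).
SAMPLE_EVENTS = [
    {"ts": "2024-06-30T08:01:12Z", "user": "alice", "event": "logon", "host": "srv01"},
    {"ts": "2024-06-30T08:03:40Z", "user": "bob", "event": "file_read", "host": "srv01"},
    {"ts": "2024-06-30T08:05:02Z", "user": "alice", "event": "privilege_use", "host": "srv02"},
    {"ts": "2024-06-30T08:09:55Z", "user": "bob", "event": "logoff", "host": "srv01"},
]
KEY = b"example-archive-sealing-key"   # assumption: held only by the archive system
GENESIS = "0" * 64                      # "previous hash" of the first record


def _link_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous link's hash and the canonical JSON of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def build_chain(records):
    """Wrap each record with its predecessor's hash and its own hash."""
    chain, prev = [], GENESIS
    for record in records:
        h = _link_hash(prev, record)
        chain.append({"record": dict(record), "prev": prev, "hash": h})
        prev = h
    return chain


def seal(chain, key: bytes) -> str:
    """HMAC over the chain head: commits to every record and to how many there are."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def verify(chain, key: bytes, seal_value: str):
    """Return (True, None) if intact, else (False, index of the first bad link).
    A chain whose links are all consistent but whose seal does not match
    (truncated, extended, or checked with the wrong key) reports len(chain)."""
    prev = GENESIS
    for i, link in enumerate(chain):
        if link["prev"] != prev or _link_hash(prev, link["record"]) != link["hash"]:
            return False, i
        prev = link["hash"]
    if not hmac.compare_digest(seal(chain, key), seal_value):
        return False, len(chain)
    return True, None


def altered(chain, index: int, **changes):
    """Copy of the chain with one archived record edited (simulated tampering)."""
    copy = [dict(link, record=dict(link["record"])) for link in chain]
    copy[index]["record"].update(changes)
    return copy


CHAIN = build_chain(SAMPLE_EVENTS)
SEAL = seal(CHAIN, KEY)

if __name__ == "__main__":
    print("intact:", verify(CHAIN, KEY, SEAL))
    print("record 1 edited:", verify(altered(CHAIN, 1, user="mallory"), KEY, SEAL))
    print("last record dropped:", verify(CHAIN[:-1], KEY, SEAL))
```

An HMAC seal lets anyone holding the key prove the archive is intact; it does not on its own prove to an outside party which system produced it, because every key holder could have produced the same seal. For non-repudiation in the strict sense, replace the HMAC over the chain head with a digital signature under a private key that the archiving system alone controls; the chain structure and the verification of each link are unchanged.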
Exceptions to this policy. There may be extenuating circumstances where the provisions of this policy may be impractical to implement. In these rare circumstances, application may be made to the [sponsor role] for a specific exemption to provisions in the policy. This application must include an assessment of the risk that may be posed and any mitigating strategies to be employed. The [sponsor role] will approve or reject such an application based on this risk assessment and other information related to the proposed exemption.
4. Compliance and breaches
[organisation] may commence applicable disciplinary procedures if a person to whom this Policy applies breaches this Policy (or any of its related procedures). This disciplinary action may include dismissal.
5. Legislative and other references
- Information Security Manual 2013 (DSD)
- <Internet and Email Policy>
- <Information Management Policy>
- <User Access Policy>