Information Security Policy Template


Information Security Policy Template Sample

{The Organization}

Developed by

Version 1.0 Information Security Policy {The Organization}

Document Control

Version: v1.0

Date: 2009

Author(s): Fortrust Limited

Distribution: All

© Copyright. Developed by Fortrust Limited 2/9 Not for resale. Internal Client use only. Information Security Policy {The Organization}

1 Corporate ISMS Policy ...... 8
2 Introduction ...... 11
2.1 Need for a Security Policy ...... 11
2.2 Legal Requirements ...... 11
2.3 Purpose and Scope of the Policy ...... 11
2.4 Who is affected by the Policy ...... 12
2.5 Where the Policy Applies ...... 12
2.6 Security Policy Objectives ...... 12
2.7 Review and Audit ...... 13
3 Acceptable Use ...... 14
4 Security Management and Responsibilities ...... 15
4.1 Objective ...... 15
4.2 {The Organization} ...... 15
4.3 Head of Information Compliance & Policy ...... 15
4.4 Data Owner ...... 15
4.5 Systems Development ...... 16
4.6 Management Responsibilities ...... 16
4.7 Employees' Responsibilities ...... 17
4.8 System Managers ...... 17
5 Enabling the flow of information ...... 18
5.1 Objective ...... 18
5.2 Sharing data/information with other organisations ...... 18
5.3 Sharing data/information with non-partner organisations ...... 18
5.4 Objective ...... 19
5.5 Network Security ...... 19
5.6 Telephone Security ...... 19
5.7 Email (see also specific Email section) ...... 19
5.8 Internet ...... 19
5.9 Fax security ...... 19
5.10 Verbal Communications ...... 19
6 Risk Management ...... 19
6.1 Objective ...... 19
7 Awareness ...... 20
8 Confidentiality Agreements ...... 22
9 Business Continuity ...... 23
9.1 Objective ...... 23
9.2 Need for effective plans ...... 23
9.3 Planning process ...... 23
9.4 Planning framework ...... 23
10 Equipment and Software Registers ...... 25
10.1 Objectives ...... 25
10.2 Equipment Inventory ...... 25
10.3 Software Register ...... 25
11 Access control to secure areas ...... 26
11.1 Objective ...... 26
11.2 Physical security ...... 26
11.3 Entry controls ...... 26
12 Security of Third Party Access ...... 27
12.1 Objective ...... 27
12.2 Access control ...... 27
13 User Access Control ...... 28
13.1 Objective ...... 28
13.2 Access to Systems ...... 28
13.3 Eligibility ...... 28
13.4 Registering users ...... 28
13.5 User password management ...... 28
13.6 Employees leaving {The Organization}'s employment ...... 29
13.7 Visitors and Contractors ...... 30
13.8 The Internet ...... 30
14 Housekeeping ...... 31
14.1 Objective ...... 31
14.2 Data Backup ...... 31
14.3 Equipment, Media and Data Disposal ...... 31
15 Software and Information Protection ...... 33
15.1 Objective ...... 33
15.2 Licensed software ...... 33
15.3 Unauthorised Software ...... 33
15.4 Virus control ...... 34
15.5 Time-out procedures ...... 34
16 Equipment Security ...... 35
16.1 Objective ...... 35
16.2 Equipment siting and protection ...... 35
16.3 Power supplies ...... 35
16.4 Network Security ...... 35
16.5 Use of 'modems' and other communications equipment ...... 36
16.6 Portable & Hand-held Computing Equipment ...... 36
16.7 System Documentation ...... 37
17 Incident Management ...... 38
18 Electronic Mail (Email) Policy ...... 39
18.1 Policy ...... 39
18.2 Care in drafting Emails ...... 39
18.3 Viruses and Attachments ...... 39
18.4 Information Confidentiality ...... 39
18.5 Intent to enforce and monitor ...... 39
18.6 Retention and Purging ...... 39
18.7 Junk mail ...... 39
18.8 Very large files ...... 40
18.9 Protection of your terminal ...... 40
18.10 Mail Storms ...... 40
19 Employee, Customer, Financial, Research and Corporate Record Storage & Transportation ...... 41
19.1 Objective ...... 41
19.2 Storage ...... 41
19.3 Offices ...... 41
19.4 Elsewhere ...... 41
19.5 Transportation ...... 41
19.6 Responsibility ...... 41
20 Home working Information Security Standards ...... 42
20.1 Objective ...... 42
20.2 Authorisation to remove data files ...... 42
20.3 Transfer of personal data files ...... 42
20.4 Protecting data files ...... 42
20.5 Use of Privately owned Computers at Home ...... 42
20.6 Transportation of data or confidential documents ...... 42
20.7 Storage of equipment ...... 43
20.8 Storage of confidential data or reports ...... 43
21 Appendix A: The Policy Review Process ...... 44
21.1 Periodic reviews of policy documents ...... 44
21.2 What the policy review should include ...... 44
21.3 The review committee ...... 44
22 Appendix B: Legal Requirements ...... 45
22.1 Data Protection Act (UK) 1998 ...... 45
22.2 Copyright, Designs and Patents Act 1988 ...... 45
22.3 Computer Misuse Act 1990 ...... 45
22.4 Freedom of Information Act (2000) ...... 46
22.5 Caldicott Report 1997 (Appropriate for Institute of Health Sciences) ...... 46
22.6 ISO 27000 ...... 46
22.7 Human Rights Act ...... 47
23 Appendix C: Antivirus Guidelines ...... 48
23.1 What is a Virus? ...... 48
23.2 What does {The Organization} do to prevent the spread of viruses? ...... 48
23.3 Avoid Unauthorised Software ...... 48
23.4 Treat All Attachments with Caution ...... 48
23.5 Avoid Unnecessary Macros ...... 49
23.6 Be Cautious With Encrypted Files ...... 49
23.7 Suspicious Filename Extensions ...... 50
24 Glossary & Abbreviations ...... 51
25 References ...... 54

1 Corporate ISMS Policy

Purpose

The purpose of this policy is to protect from all threats, whether internal or external, deliberate or accidental, the information assets of:

{The Organization};

Customers;

Suppliers;

Objectives

The implementation of this policy is important to maintain and demonstrate our integrity in our dealings with customers and suppliers.

It is the policy of {The Organization} to ensure:

- Information is protected against unauthorised access
- Confidentiality of information is maintained
- Information is not disclosed to unauthorised persons through deliberate or careless action
- The integrity of information is maintained through protection from unauthorised modification
- Information is available to authorised users when needed
- Regulatory and legislative requirements are met
- Business continuity plans are produced, maintained and tested as far as practicable
- Information security training is given to all employees
- All breaches of information security and suspected weaknesses are reported and investigated

Applicability

All {The Organization} personnel and suppliers employed under contract who have any involvement with information assets covered by the scope of the Information Security Management System are responsible for implementing this policy, and shall have the support of the {The Organization} Management who have approved the policy.

Goals

To identify, through appropriate risk assessment, the value of information assets, and to understand their vulnerabilities and the threats that may expose them to risk.

To manage the risks to an acceptable level through the design, implementation and maintenance of a formal Information Security Management System.

To comply with legislation including:

- Companies Act 1985
- Health and Safety Act
- Interception of Communications Act 1985
- The Data Protection Act (1998)
- Copyright, Designs and Patents Act (1988)
- Computer Misuse Act (1990)
- Regulation of Investigatory Powers Act (2000)
- Freedom of Information Act (2000)
- Human Rights Act (2000)

To comply with any customer contract conditions relating to information security.

Commitment to comply with ISO 27001:2005.

Commitment to achieve and maintain certification to ISO 27001:2005.

Specific Policies

Specific policies exist to support this document including:

- Physical Security
- Site access control policy (key holders, wearing of badges, visitor controls)
- Computer usage policy (email, internet access, access control, software download)
- Password controls (frequency of change, length, complexity)
- Data backup
- Virus control policy (frequency of updates, control of external media)
- Communications policy
- Business Continuity Management
- Security breach and incident management policy

Responsibilities

The management of {The Organization} creates and reviews this policy.

The Information Security Manager facilitates the implementation of this policy through the appropriate standards and procedures.

All personnel and contracted suppliers follow the procedures to maintain the information security policy.

All personnel have a responsibility for reporting security incidents and any identified weaknesses.

Any deliberate act to jeopardise the security of information that is the property of {The Organization} or of its customers or suppliers will be subject to disciplinary and/or legal action as appropriate.

Review

The policy is reviewed bi-annually, and whenever significant changes occur, to ensure it remains appropriate for the business and for our ability to serve our customers.

Signed

CEO

Date:

ISMS Policy Owner: “Mr. Security Manager”
