Example of Policy and Procedure to Manage the Information Security Risks Associated with the ICT Products and Services Supply Chain

ICT Security Risk Management Policy and Procedure

1. INTRODUCTION

1.1. Overview

XXX’s information and technology assets are highly valuable and must be closely safeguarded. XXX operates within an increasingly electronic, interconnected, and regulated environment that necessitates a consistent and standardized approach to securing technology and information assets. To ensure the continued protection of XXX information and to maintain a secure environment, the management team of XXX strongly believes that an ICT security approach aligned with industry standards is necessary.

1.2. Rationale
It is the mandate of XXX that the information assets are protected from all types of threat, whether internal or external, deliberate or accidental, such that:

  • Confidentiality of information is maintained;
  • Integrity of information can be relied upon;
  • Information is available when the business needs it; and
  • Relevant statutory, regulatory, and contractual obligations are met.

1.3. Purpose
This ICT Security Policy is the cornerstone of XXX’s ICT security program/strategy, aimed at securing the information assets of the institution. It is also the purpose of this document to outline the roles and responsibilities of relevant stakeholders that implement the security controls.

1.4. Scope
This policy applies to all employees, contractors, consultants, temporary and other workers at XXX, including all personnel affiliated with external parties, all of whom must adhere to this policy. This policy is applicable to information assets owned or leased by XXX and to devices that connect to XXX’s network or reside at XXX’s sites.

1.5. ICT Security Roles and Responsibilities

Line Manager Responsibilities
It is every Line Manager’s responsibility to ensure that both they and members of their team within their line management responsibility comply with this policy. Line Managers must inform the ICT Service Desk at least 5 working days before an employee who they are responsible for commences or ends their employment with the Combined Authority. Emails and personal data are retained for three months for all ex-employees unless the ICT Service Desk receives a line management request to vary this.

All Employee Responsibilities
It is the responsibility of every Combined Authority employee to ensure that they comply with and do not abuse the policy and procedure. All employees must ensure they complete the mandatory Human Focus training module covering ICT Security within 48 hours of starting with the Combined Authority and before access to personal and confidential data is granted.

Information Asset Owners
IAOs should also ensure that when a system requires a password that differs from the network password (e.g. Dream/Payrite/Haven), the system follows the password guidance on complexity, length and expiration. ICT Services can assist with the configuration of the systems, but overall responsibility rests with the IAO.

2.0 ICT SECURITY POLICY STATEMENTS

2.1. ICT Security Governance and Management

2.1.1. Management and Direction for ICT Security
2.1.1.1. There shall be an ICT Security Governance Committee, whose membership is not necessarily limited to XXX’s staff.
2.1.1.2. A Single Point of Contact (SPOC) for ICT security matters shall be appointed.
2.1.1.3. There shall be an ICT Security Strategy.
2.1.1.4. XXX shall allocate sufficient resources for effective ICT security management.

2.1.2. ICT Security Risk Management
2.1.2.1. XXX shall integrate ICT security risk management, including risk assessment, risk treatment, risk acceptance, risk communication, and risk monitoring and evaluation, into the Enterprise Risk Management Framework.

2.1.3. ICT Security Policies
2.1.3.1. XXX shall define a set of policies for ICT security, which shall be approved by management, published and communicated to employees and relevant external parties.

2.1.4. Review of the ICT Security Policies
2.1.4.1. The ICT security policies shall be reviewed at planned intervals or if significant changes occur, to ensure their continuing suitability, adequacy and effectiveness.

2.1.5. Segregation of Duties
2.1.5.1. Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of XXX’s ICT assets.

2.1.6. Contact with Authorities
2.1.6.1. XXX shall maintain appropriate contacts with relevant authorities.

2.1.7. ICT Security in ICT Project Management
2.1.7.1. XXX shall ensure that ICT security is addressed in ICT related projects.

2.1.8. Mobile Devices and Teleworking
2.1.8.1. XXX shall adopt a policy and supporting ICT security measures to manage the risks relating to mobile devices.
2.1.8.2. XXX shall implement a policy and supporting ICT security measures to protect information accessed, processed or stored at teleworking sites.

2.2. ICT Security Operations

2.2.1. Documented Operating Procedures
2.2.1.1. Operating procedures shall be documented and made available to all users who need them.

2.2.2. Change Management
2.2.2.1. Changes to the organization, business processes, information processing facilities and systems that affect ICT security shall be controlled.

2.2.3. Capacity Management
2.2.3.1. The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

2.2.4. Separation of Development, Testing and Operational Environments
2.2.4.1. Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

2.2.5. Protection from Malware
2.2.5.1. Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

2.2.6. Information Backup
2.2.6.1. Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed Backup policy.

2.2.7. Event Logging
2.2.7.1. Event logs recording user activities, exceptions, faults and ICT security events shall be produced, kept and regularly reviewed.

2.2.8. Protection of Log Information
2.2.8.1. Logging facilities and log information shall be protected against tampering and unauthorized access.

2.2.9. Administrator and Operator Logs
2.2.9.1. System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

2.2.10. Clock Synchronization
2.2.10.1. The clocks of all relevant information processing systems within XXX shall be synchronized to a single reference time source.

2.2.11. Installation of Software on Operational Systems
2.2.11.1. Procedures shall be implemented to control the installation of software on operational systems.

2.2.12. Management of Technical Vulnerabilities
2.2.12.1. Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, XXX’s exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.

2.2.13. Restrictions on Software Installation
2.2.13.1. A policy governing the installation of software by users shall be established and implemented.

2.2.14. Information Systems Audit Controls
2.2.14.1. ICT audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.

2.2.15. Network Controls
2.2.15.1. Networks shall be managed and controlled to protect information in systems and applications.

2.2.16. Security of Network Services
2.2.16.1. Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, irrespective of whether these services are provided in-house or outsourced.

2.2.17. Segregation in Networks
2.2.17.1. Groups of information services, users and information systems shall be segregated on networks.

2.2.18. Information Transfer Policy and Procedures
2.2.18.1. Formal transfer policy, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

2.2.19. Agreements on Information Transfer
2.2.19.1. Agreements shall be signed with relevant stakeholders to address the secure transfer of business information between the organization and external parties.

2.2.20. Electronic Messaging
2.2.20.1. Information involved in electronic messaging shall be appropriately protected.

2.2.21. Confidentiality and Non-Disclosure Agreements
2.2.21.1. Requirements for confidentiality or non-disclosure agreements reflecting XXX’s needs for the protection of information shall be identified, regularly reviewed and documented.

2.3. Security of ICT Assets

2.3.1. Inventory of ICT Assets
2.3.1.1. ICT assets associated with information and information processing facilities at XXX shall be identified and an inventory of these assets should be drawn up and maintained.

2.3.2. Ownership of ICT Assets
2.3.2.1. ICT assets maintained in the inventory shall be owned by the relevant function or person at XXX.

2.3.3. Acceptable Use Policy for ICT Assets
2.3.3.1. Acceptable use policy of information, assets associated with information and information processing facilities shall be identified, documented and implemented.

2.3.4. Return of ICT Assets
2.3.4.1. All employees of XXX and external party users must return all XXX ICT assets in their possession upon termination of their employment, contract or agreement.

2.3.5. Classification of Information
2.3.5.1. Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.

2.3.6. Labelling of Information
2.3.6.1. An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by XXX.

2.3.7. Handling of ICT Assets
2.3.7.1. Procedures for handling ICT assets shall be developed and implemented in accordance with the information classification scheme adopted by XXX.

2.3.8. Management of Removable Media
2.3.8.1. Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by XXX.

2.3.9. Disposal of Media
2.3.9.1. Media shall be disposed of securely when no longer required, using the formal procedures established at XXX as per government directives.

2.3.10. Physical Media Transfer
2.3.10.1. Media containing information shall be protected against unauthorized access, misuse or corruption during transportation in and out of XXX.

2.3.11. Cryptographic Controls
2.3.11.1. XXX shall develop and implement cryptographic controls for protection of information and information processing facilities.

2.4. Identity and Access Management

2.4.1. Access Control Policy
2.4.1.1. Access Control Policy shall be established, documented and reviewed based on business and ICT security requirements of XXX.

2.4.2. Access to Networks and Network Services
2.4.2.1. Users at XXX shall only be provided with access to the network and network services that they have been specifically authorized to use.

2.4.3. User Registration and De-registration
2.4.3.1. A formal user registration and de-registration process shall be implemented at XXX to enable and disable assignment of access rights.

2.4.4. User Access Provisioning
2.4.4.1. A formal user access provisioning process shall be implemented at XXX to assign and revoke access rights for all user types to all systems and services.

2.4.5. Management of Privileged Access Rights
2.4.5.1. The allocation and use of privileged rights shall be restricted and controlled.

2.4.6. Management of Secret Authentication Information of Users
2.4.6.1. The allocation of secret authentication information shall be controlled through a formal management process.

2.4.7. Review of Access Rights
2.4.7.1. All ICT asset owners at XXX shall review users’ access rights at regular intervals.

2.4.8. Removal or Adjustment of Access Rights
2.4.8.1. The access rights of all staff at XXX and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

2.4.9. Information Access Restriction
2.4.9.1. Access to information and application system functions shall be restricted in accordance with the Access Control Policy of XXX.

2.4.10. Secure Log-on Procedures
2.4.10.1. Where required by the Access Control Policy, access to systems shall be controlled through a secure log-on procedure.

2.4.11. Password Management System
2.4.11.1. Password management systems must be interactive and must ensure usage of strong passwords.

2.4.12. Use of Privileged Utility Programs
2.4.12.1. The use of utility programs that might be capable of overriding system and application controls must be restricted and tightly controlled.

2.4.13. Access Control to Program Source Code
2.4.13.1. Access to program source code shall be restricted.

2.5. ICT Security Incident Management

2.5.1. Responsibilities and Procedures
2.5.1.1. Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.

2.5.2. Reporting ICT Security Events
2.5.2.1. ICT security events shall be reported through appropriate management channels as quickly as possible.

2.5.3. Reporting ICT Security Weaknesses
2.5.3.1. Employees and contractors using XXX information systems and services shall be required to note and immediately report any observed or suspected ICT security weaknesses in systems or services.

2.5.4. Assessment of and Decision on ICT Security Events
2.5.4.1. ICT security events shall be assessed and it shall be decided if they are to be classified as information security incidents.

2.5.5. Response to ICT Security Events
2.5.5.1. ICT security incidents shall be responded to in accordance with the documented procedures.

2.5.6. Learning from ICT Security Incidents
2.5.6.1. Knowledge gained from analyzing and resolving ICT security incidents shall be used to reduce the likelihood or impact of future incidents.

2.5.7. Collection of Evidence
2.5.7.1. XXX shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.

2.6. Information Systems Continuity Management

2.6.1. Planning ICT Security Continuity
2.6.1.1. XXX shall determine its requirements for ICT security and the continuity of ICT security management in adverse situations, e.g. during a crisis or disaster.

2.6.2. Implementing ICT Security Continuity
2.6.2.1. XXX shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for ICT security during an adverse situation.

2.6.3. Verify, Review and Evaluate ICT Security Continuity
2.6.3.1. XXX shall verify the established and implemented ICT security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

2.6.4. Availability of Information Processing Facilities
2.6.4.1. Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

2.7. Security of ICT Acquisition, Development and Maintenance

2.7.1. ICT Security Requirements Analysis and Specification
2.7.1.1. The ICT security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.

2.7.2. Securing Application Services on Public Networks
2.7.2.1. Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

2.7.3. Protecting Application Services Transactions
2.7.3.1. Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

2.7.4. Secure Development Policy
2.7.4.1. A policy for secure development of software and systems shall be established and applied to developments within the organization.

2.7.5. System Change and Control Procedures
2.7.5.1. Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

2.7.6. Technical Review of Applications after Operating Platform Changes
2.7.6.1. When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or ICT security.

2.7.7. Restrictions on Changes to Software Packages
2.7.7.1. Modifications to software packages shall be discouraged, limited to necessary changes and all changes should be strictly controlled.

2.7.8. Secure System Engineering Principles
2.7.8.1. Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.

2.7.9. Secure Development Environment
2.7.9.1. XXX shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

2.7.10. Outsourced Development
2.7.10.1. XXX shall supervise and monitor the activity of outsourced system development.

2.7.11. System Security Testing
2.7.11.1. Testing of security functionality shall be carried out during development.

2.7.12. System Acceptance Testing
2.7.12.1. Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.

2.7.13. Protection of Test Data
2.7.13.1. Test data shall be selected carefully, protected and controlled.

2.8. Human Resource Security

2.8.1. Screening
2.8.1.1. Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and perceived risks.

2.8.2. Terms and Conditions of Employment
2.8.2.1. The contractual agreements with employees and contractors shall state the employee’s and XXX’s responsibilities for information security.

2.8.3. Management Responsibilities
2.8.3.1. Management shall require all employees and contractors to apply information security in accordance with the established policy of XXX.

2.8.4. ICT Security Awareness, Education and Training
2.8.4.1. All employees of XXX and contractors shall receive appropriate awareness education and training, and regular updates on XXX’s ICT security policy, as relevant to their job function.

2.8.5. Disciplinary Process
2.8.5.1. There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an ICT security breach.

2.8.6. Termination or Change of Employment Responsibilities
2.8.6.1. ICT security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to all employees and contractors of XXX, and shall be enforced.

2.9. Physical and Environmental Security

2.9.1. Physical Security Perimeter
2.9.1.1. Security perimeters shall be defined and used to protect information processing facilities and areas that contain either sensitive or critical information.

2.9.2. Physical Entry Controls
2.9.2.1. Secured areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

2.9.3. Securing Offices, Rooms and Facilities
2.9.3.1. Physical security for offices, rooms and facilities shall be designed and applied.

2.9.4. Protecting Against External and Environmental Threats
2.9.4.1. Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.

2.9.5. Working in Secure Areas
2.9.5.1. XXX shall design and apply procedures for working in secure areas.

2.9.6. Delivery and Loading Areas
2.9.6.1. Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

2.9.7. Equipment Siting and Protection
2.9.7.1. Equipment shall be identified and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

2.9.8. Supporting Utilities
2.9.8.1. Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

2.9.9. Cabling Security
2.9.9.1. Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.

2.9.10. Equipment Maintenance
2.9.10.1. Equipment shall be properly maintained to ensure its continued availability and integrity.

2.9.11. Removal of ICT Assets
2.9.11.1. Equipment, information or software shall not be taken off-site without prior authorization.

2.9.12. Security of Equipment and Assets Off-premises
2.9.12.1. Security shall be applied to off-site ICT assets taking into account the different risks of working outside XXX’s premises.

2.9.13. Secure Disposal or Re-use of Equipment
2.9.13.1. All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

2.9.14. Unattended User Equipment
2.9.14.1. Users at XXX shall ensure that unattended equipment has appropriate protection.

2.9.15. Clear Desk and Clear Screen Policy
2.9.15.1. A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

2.10. ICT Security Compliance and Audit

2.10.1. Identification of Applicable Legislation and Contractual Requirements
2.10.1.1. All relevant legislative, statutory, regulatory and contractual requirements, and XXX’s approach to meeting these requirements, shall be explicitly identified, documented and kept up to date for each information system and for XXX as a whole.

2.10.2. Intellectual Property Rights
2.10.2.1. Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.

2.10.3. Protection of Records
2.10.3.1. Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.

2.10.4. Privacy and Protection of Personally Identifiable Information
2.10.4.1. Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.

2.10.5. Independent Review of ICT Security
2.10.5.1. XXX’s approach to managing information security and its implementation (i.e. control objectives, controls, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.

2.10.6. Compliance with ICT Security Policy and Standards
2.10.6.1. XXX shall ensure that regular reviews are carried out of the compliance of information processing and procedures with the appropriate ICT security policy, standards and any other ICT security requirements.

2.10.7. Technical Compliance Review
2.10.7.1. Information systems shall be regularly reviewed for compliance with XXX’s information security standards and guidelines.

3.0 PROCEDURE

3.1 Security Organization

3.1.1 Responsibilities

The ICT Manager is responsible for:

  • assigning security roles and responsibilities;
  • co-ordinating the implementation of the security policy across XXX;
  • reviewing and, if appropriate, updating the Security Policies and procedure;
  • reviewing and monitoring security incidents;
  • reviewing third party access and security arrangements;
  • monitoring exposure to major threats to information assets;
  • agreeing and supporting XXX-wide security initiatives;
  • ensuring patch management of devices is performed on a monthly basis and monitored.

The security of all hardware situated in departments and sections is the responsibility of the departmental or service manager. The security of all other hardware, operating systems, PC applications, networking, infrastructure and corporate software is the responsibility of the ICT Manager.

3.1.2 Acquisition of Information and Communications Technology

All acquisitions of Information and Communications Technology (ICT) shall be in accordance with XXX’s Procurement Procedures and be co-ordinated by the ICT Manager who shall obtain specialist advice if he considers it appropriate.

  • All new acquisitions of a corporate nature shall be agreed by the Corporate Leadership Team.
  • Departmental acquisitions shall be agreed between the appropriate Head of Service and the ICT Manager.
  • The ICT Manager has delegated authority to replace obsolete equipment in accordance with an agreed replacement program and to upgrade/replace office productivity tools and software within an agreed programme.
  • All new projects will be in accordance with XXX’s corporate project management policies, have associated business case / justification documents, and be in accordance with the current ICT strategy / road map.

3.1.3 Security Information Advice

Specialist advice on information security is available internally from the ICT Manager or Internal Audit.

3.1.4 Security Incidents

All suspected and actual security incidents shall be reported immediately to the ICT Service Desk. Each incident will be recorded, investigated and corrective action implemented where appropriate. If the incident is perceived to be of a serious or urgent nature it will be escalated to the ICT Manager or the Head of Customer Services. XXX has a separate ICT Security Incident Reporting Procedure which gives full details on how to report any security incidents; this includes a copy of the reporting form which you may be asked to complete by the ICT Service Desk.

3.1.5 Independent Review of Information Security

The content, implementation and practice of this policy will be reviewed independently to provide assurance that organisational practices properly reflect the policy and that the policy is feasible and effective. Independent reviews will be carried out by the Internal Audit team or by an independent reviewer appointed for the purpose.

3.2 Identification of Risks from Third Party Connections

Where there is a business need for third party access to ICT facilities and information assets, the security implications and requirements will be determined and controls agreed with the third party. All new systems will be assessed for risks from third party connections and, where appropriate, controls will be defined in a contract with the third party. Arrangements involving third party access (e.g. support engineers, subcontractors, consultants) will be based on a formal contract or security agreement containing, or referring to, all of the necessary security conditions to ensure compliance with XXX’s security policy, including obtaining an indemnity in respect of any loss caused by erasure or alteration of data or incorrect alteration of programs. The contract should be in place before access to the ICT facilities is provided.

The implementation of any changes to systems should be strictly controlled using formal change control procedures. Any third party organisation carrying out work for XXX will be expected to comply with these change control procedures and will ensure that all system changes are documented.

All third party access will be controlled and is available to service providers via a secure internet connection using an SSL (Secure Sockets Layer) VPN appliance, or an application such as TeamViewer. Where reasonably possible, all access will use multi-factor authentication using a soft token delivered via SMS to the user’s mobile phone or a mobile app. The remote support user will be given an access code and a one-time password for that session. All systems have passwords enabled to ensure that only authorised parties can access XXX’s ICT, at agreed times, and that each third party can only access the relevant systems. All contractors, consultants or other temporary staff will be issued with a unique user code and password in line with current procedures for the particular system being used.

Under no circumstances should XXX staff allow their own user code or password to be used by anyone else. In certain circumstances it may be necessary to divulge a password for access by technical support staff; in such cases it must be changed immediately after the authorised activities are completed. A log of such activity is maintained by the ICT department. A log of all third party access will be recorded on the Service Desk management system, with a copy of the completed third party access control form. All third parties accessing XXX systems or data must have had their own IT security tested by a trusted third party or hold a valid accreditation such as Cyber Essentials or ISO 27001.

3.3 Inventory of Assets

An inventory of ICT assets shall be maintained by the ICT Manager, who shall promptly update it for all acquisitions, disposals, updates and management of XXX’s cyber assets (this includes the transfer of assets to another user). The accuracy of the inventory shall be verified annually in accordance with Financial Procedure Rules. This includes equipment at staff homes for those who are working in an agile manner. All users must notify ICT if they move an asset to another location, whether within XXX’s offices or to a remote site.

3.4 Personnel Security

3.4.1 General

Security roles and responsibilities for all staff using ICT facilities will be included, where appropriate, in job descriptions and contracts by the relevant manager. Managers are responsible for ensuring that job descriptions or codes of conduct address all relevant security responsibilities. All potential recruits will be screened by:

  • obtaining two satisfactory references;
  • confirming academic and professional qualifications.

All employees and third party users of ICT facilities will be required to sign a confidentiality (non-disclosure) undertaking. Revenue Services benefits staff will be subject to the recruitment procedures included in the Benefits Anti-Fraud Strategy. The appointment of employees with access to information classified as PROTECT or RESTRICTED will be subject to the specific Baseline Personnel Security Standards, available on request from the Human Resources department.

All users are responsible for the equipment issued to them and for the information that they have access to. Third party access to ICT equipment and data without prior arrangement with IT is prohibited. When accessing XXX information, users must ensure that they do so in a secure environment and that persons who are not authorised to view that information cannot view it.

3.4.2 ICT and Cyber Security Training

All users will need to undertake a cyber security user awareness e-learning training module. All ICT users will be briefed in security procedures and the correct use of ICT facilities by IT staff in order to minimise possible security risks to the confidentiality, integrity and availability of data or services through user error. Managers are responsible for ensuring such training is provided to their staff.

New user accounts will only be established and issued to staff who have received appropriate ICT induction and have been authorised by the relevant Head of Service or Director. All new ICT users will be issued with either a paper copy of the current ICT Security Policy and procedure or given access to the document on XXX’s intranet. They must read the document and sign to acknowledge its terms and conditions within 2 working weeks, otherwise network access will be denied. All new ICT users who will have access to the Government Connect Secure Extranet (GCSx) or Government Secure Internet (GSi) networks will also be required to comply with a Personal Commitment Statement pertaining to those services. Access levels to review / amend / delete data will be determined by the relevant Head of Service in association with the system owner(s) of any ICT applications which the new user intends to use.

All third party suppliers, contractors and temporary staff will be required to read and acknowledge the terms and conditions before being granted access to XXX ICT resources. In the case of third party support companies where individual users may not be easily identifiable, a board level representative of the company will be required to acknowledge the terms and conditions.

3.4.3 Responding to Incidents

A security incident shall mean:

  • any event arising from negligence or deliberate default that has, or could have, resulted in loss or damage to the XXX’s IT systems or data;
  • a compromise to the confidentiality, integrity or availability of IT systems or data;
  • an action that is in breach of the security policy;
  • any cyber security threat or incident.

All security incidents shall be reported immediately to the ICT Service Desk, who will pass the call to the ICT Security Officer or ICT Manager. They will instigate an investigation and report any incident that causes serious loss or damage to the Head of Customer Services and the Data Protection Officer. Any security incident that may have the potential to lead to disciplinary action will involve the appropriate consultation with the Head of Human Resources and Organisation Development and/or (depending upon the nature of the incident) the Audit Services Manager. The XXX has a separate ICT Security Incident Reporting Procedure which gives full details on how to report incidents; this includes a copy of the reporting form which you may be asked to complete by the ICT Service Desk. This document is available from the IT section of the XXX Intranet. The security incident will also be logged on the ICT Service Desk system. Any security incident which leads to loss or damage, or wilful abuse of the conditions of this policy, may be cause for investigation and, where appropriate, formal action in accordance with the XXX’s agreed disciplinary policy. Any incident or suspected incident must be handled in the manner laid out in the XXX’s Incident and Response Policy and Procedures, which will be reviewed on a yearly basis.

3.5 Physical and Environmental Security

3.5.1 Secure Areas

ICT facilities such as servers, server rooms and hosting facilities, hubs and routers supporting critical or sensitive business activities shall be housed in secure areas, i.e. protected from unauthorised access, damage and interference. Except for systems specifically intended for public use, ICT facilities should only be available to authorised persons and, wherever possible, should be kept away from public access and preferably from public view. Specialised IT equipment should be further restricted to authorised staff only, in areas of extra security. The following specific conditions will apply to such secure areas:

  • server rooms will be protected by electronic locking systems or digital locks on all entry points and will always be kept locked;
  • access to any hosted / Data Centre facility is only for ICT staff, with proof of identification and access granted via a request system or logging portal;
  • access to server rooms will be only to ICT support staff or to others acting under their close supervision;
  • server rooms will be protected with fire detection and control equipment. Such equipment will be integrated into the XXX’s overall fire detection system;
  • servers will be protected by Uninterruptible Power Supplies (UPS) sufficient to allow continuous operation of the equipment for a minimum of 2 hours in the event of loss of electrical supply to the rooms;
  • server rooms will be regularly monitored to ensure an adequate operating environment for the equipment contained;
  • network distribution cabinets will be protected by UPS sufficient to allow continuous operation for a minimum of one hour;
  • network distribution cabinets will always be kept locked and access granted only to ICT network support staff or others acting under their close supervision;
  • remote access may be allowed to server, network and telephony equipment but will be limited to ICT support staff and specified third party support organisations. Access by third parties will be subject to agreements specific to the software / equipment concerned and will always require the express permission of ICT staff; for all external contractors requiring physical access to the server room this includes completing the Permit to Work and Risk Assessment documents;
  • a complete log of remote access by third party support organisations will be maintained.

3.5.2 Equipment Security

ICT equipment and cabling should be protected from spillage or leaks and must be sited away from where staff or the public walk, and so as to minimise opportunities for unauthorised access or removal. Staff should also be warned of the dangers of spilling liquids or food on IT equipment. Except for laptops and portable computers, only IT staff should move, or supervise the moving of, IT equipment. All critical ICT equipment shall be protected by an uninterruptible power supply (UPS). UPS equipment should be self-testing and shall also be manually tested by IT staff at least every six weeks and serviced as necessary. Officers and members should always ensure that computer equipment and screens are positioned to prevent unauthorised viewing of data. Any faulty ICT equipment shall be reported to the IT section, who will arrange for its repair or replacement. Under no circumstances shall members of staff attempt to repair, move or change equipment or open casings, except for printers to replace consumables or clear a paper jam. Computers provided by the XXX for use at home are for the sole use of that officer or member; no unauthorised third party is allowed access to the computer equipment for any reason. The officer or member will be responsible for ensuring that the computer is always used in accordance with XXX conditions of use. Laptops, portable computers and smart phones (unless permanently assigned to an officer or member) may be borrowed, with the permission of the officer’s manager, from the IT section, who will maintain a record of issues and returns. Such equipment must be transported in appropriate carrying cases and must not be left in clear view; if left in a vehicle it MUST be out of sight. Officers should treat laptops, smart phones and portable computers as if they were their own uninsured possessions.
Any laptops, smart phones or computers currently assigned on a permanent basis to an officer or member can be recalled for a software audit at one week’s notice. The officer or member must arrange a mutually convenient time within that week for the computer to be returned to the IT department. Once the audit has been conducted the IT department will either return the computer or inform the officer or member and arrange a collection time and date.

3.5.3 Equipment and Data Destruction

Obsolete equipment shall be checked by IT staff and all hard disks will be securely erased before disposal, whether by sale, donation or destruction. Equipment will normally be disposed of via a third party accredited data disposal organisation, who will ensure recycling where possible. Any PCs disposed of by sale / donation will have the operating system and all application software removed. All ICT equipment will be disposed of in accordance with the relevant environmental legislation.

3.5.4 Remote Access to Systems and Data

Where there is a business need, the XXX will allow employees and members to have remote access to data and systems from locations not covered by the XXX local and wide area networks. This includes ‘roaming’ users who, with suitable technology, are able to access data anywhere, and ‘fixed point’ users such as home workers. The XXX will allow such remote users to make use of their own PC equipment subject to meeting minimum security standards, including having up to date anti-virus and firewall software. Remote access to XXX systems will only be granted on the authority of the relevant Head of Service or Director. Remote access, including access from non-XXX devices, will only be available using multi factor authentication, i.e. something the user knows (a password or PIN) combined with something the user has; a two-part password is still a single factor and does not satisfy this. XXX operates soft tokens: the user’s unique personal PIN is combined with a dynamically generated passcode that is either sent to the work mobile or generated by a mobile app. Specific conditions and responsibilities will apply to those users:

  • data must not be stored on non-XXX devices used for remote access;
  • confidential data must be encrypted on storage devices supplied by the ICT department;
  • particular care should be taken with removable storage devices such as USB sticks; if these are used to move or transfer data it must be stored in encrypted form on the “Safe Sticks” supplied by the ICT department;
  • any XXX data downloaded to or stored on a remote user’s own PC equipment must be kept secure and inaccessible to others, and must be removed as soon as is practicable once it is no longer required;
  • any loss of equipment (own or XXX) must be reported immediately to the ICT Service Desk;
  • any actual or perceived security threat relating to remote use of XXX IT systems must be reported immediately to the ICT Service Desk;
  • no RESTRICTED information should ever be used on employees’ or members’ own equipment.

When undertaking video or conference calls discussing or displaying XXX information, users must ensure that no unauthorised person is privy to that information.

3.6 Computer and Network Management

3.6.1 Operational Procedures and Responsibilities

The ICT Manager is responsible for the management and operation of all servers and networks and associated specialised hardware. Departmental managers are responsible for the safe day to day operation of portable and desktop computers and printers issued to them or their staff. Appropriate documented procedures for the management and operation of all servers and networks will be established by computer staff. Clearly documented procedures shall be prepared by computer staff and/or the system administrator for all operational computer systems to ensure their correct, secure operation.

3.6.2 System Planning and Acceptance

Advance planning and preparation are required to ensure the availability of adequate capacity and resources. Acceptance procedures for new systems will include the following:

  • performance and computer capacity;
  • preparation of error recovery and restart procedures;
  • preparation and testing of routine operating procedures;
  • evidence that the new system will not adversely affect existing systems, particularly at peak processing times;
  • training in the operation or use of new systems;
  • formal consideration of the need for ongoing maintenance and support by a third party.

Emergency fall back arrangements should be identified for each system and adequate fall-back arrangements made wherever possible. Fall back arrangements for each system should be fully documented and responsibility for this lies with the relevant system administrator.

3.6.3 Configuration and Change Management

Operational changes must be controlled to reduce the risk of system or security failures. The ICT Manager is responsible for ensuring that changes to software or hardware are carried out in a controlled manner and appropriately documented. A formal change control (and authorisation) procedure is in place which requires significant changes to software and hardware to be assessed, tested and verified before completion. This procedure applies to anyone making such changes, including permanent staff, temporary and contract staff, suppliers and third party support organisations. All PCs and servers are configured and installed with a standard security configuration, which may be changed only on the authority of the ICT Manager. Any attempt to amend the standard configuration will be logged and monitored. Specific protective measures are applied to servers accessed by users outside the XXX’s main network: such servers are placed in a separate secure zone of the network known as a de-militarised zone (DMZ). Changes to software and hardware will, wherever possible, be applied in a test environment before being applied to operational systems.

3.6.4 Protection from Malicious and Unauthorised Software

It is essential that special measures, as detailed below, are implemented to prevent the introduction of malicious software such as computer viruses, ransomware and other malware, or the use of unauthorised software. Using unlicensed software can result in a raid (authorised by the courts) to identify the use of such software, which can result in a fine, adverse publicity and a block on the use of ANY computers until the licences are paid for or the offending software is removed, resulting in very serious disruption to the organisation’s activities. In extreme cases staff could face imprisonment. A computer virus or similar can cause severe damage to data and hence serious disruption. Every precaution must be taken to protect XXX data and programs. Unauthorised software is software that has not been purchased by, or whose purchase or use has not been agreed by, the ICT Manager. To reduce the risks of infection or use of unauthorised software the following preventive, detective and corrective measures will be instituted:

  • the introduction and/or use of unauthorised software, including screensavers, is prohibited and may lead to the application of relevant, formal disciplinary action;
  • software licences will be complied with at all times;
  • reputable, up to date anti-virus software will be used to detect and remove or isolate viruses and malware;
  • staff or members must not transfer data from their home PC to the XXX computers, whether by removable storage media or e-mail, unless their home PC has up to date (i.e. definitions updated within the previous week) anti-virus software and a firewall installed. The anti-virus software used must be one verified by the XXX’s ICT support staff;
  • removable storage media devices are blocked from being connected to corporate devices;
  • any suspected virus must be reported immediately to the computer section and, where appropriate, logged as a security incident;
  • except where there is a justifiable business reason that has been expressly agreed with the ICT Manager, users should not open unsolicited e-mails from unverifiable sources, and especially not any attachments, as there is a significant risk that they may contain a virus;
  • users must not attempt to download executable files, i.e. program software, from the Internet without prior specific clearance from IT staff;
  • any incoming e-mail that contains executable or compressed attachments will be automatically quarantined and routed to IT staff for checking before delivery to the intended recipient.

USB devices and other removable media are not allowed on any machine; device management software is in place to detect and block this type of activity. The only exception is the encrypted USB “safe sticks” that ICT can provide for the transfer of data; all other removable media are prohibited on all machines.
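The attachment rule in the last bullet above (executable or compressed attachments are quarantined for IT to check) is only as good as the way the gateway decides what counts as "executable" or "compressed". The following is an added example, not part of the original policy and not the XXX's gateway code: it classifies an attachment by its extension and, because a renamed file keeps its content, also by the file signature ("magic bytes") at the start of the data. The extension lists, the signature table and the sample attachments are constructed for the illustration; the policy names only the two categories. The one refinement a practitioner needs is that macro-free Office Open XML files (.docx, .xlsx, .pptx) are ZIP containers, so a bare "starts with PK" rule would quarantine every Word document; the example lets those through only when the extension and the container's part list agree.

```python
import io
import os
import zipfile

# Extensions treated as executable or compressed (constructed lists; the policy names
# the categories but not the extensions).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".msi", ".bat", ".cmd",
                         ".ps1", ".vbs", ".js", ".jar", ".hta"}
COMPRESSED_EXTENSIONS = {".zip", ".7z", ".rar", ".gz", ".tgz", ".tar", ".iso"}
# Macro-free Office Open XML formats: ZIP containers that are legitimate documents.
# (.docm and friends are deliberately absent and therefore stay quarantined.)
OFFICE_OPENXML = {".docx", ".xlsx", ".pptx"}

# File-signature checks catch renamed files; the extension alone does not.
MAGIC_SIGNATURES = [
    (b"MZ", "executable (PE header)"),
    (b"\x7fELF", "executable (ELF header)"),
    (b"\xca\xfe\xba\xbe", "executable (Mach-O fat binary or Java class)"),
    (b"PK\x03\x04", "compressed (ZIP container)"),
    (b"\x1f\x8b", "compressed (gzip)"),
    (b"7z\xbc\xaf\x27\x1c", "compressed (7-Zip)"),
    (b"Rar!\x1a\x07", "compressed (RAR)"),
]


def _is_office_openxml(data):
    """True if the ZIP container carries the OOXML part list, i.e. it is a real Office file."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return "[Content_Types].xml" in archive.namelist()
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, data):
    """Return ('quarantine', reason) or ('deliver', reason) for a single attachment."""
    ext = os.path.splitext(filename.lower())[1]   # 'invoice.pdf.exe' -> '.exe'
    if ext in EXECUTABLE_EXTENSIONS:
        return "quarantine", "executable extension %s" % ext
    if ext in COMPRESSED_EXTENSIONS:
        return "quarantine", "compressed extension %s" % ext
    for signature, label in MAGIC_SIGNATURES:
        if data.startswith(signature):
            if signature == b"PK\x03\x04" and ext in OFFICE_OPENXML and _is_office_openxml(data):
                return "deliver", "Office Open XML document (ZIP container, known document type)"
            return "quarantine", "content is %s despite extension %s" % (label, ext or "(none)")
    return "deliver", "no executable or compressed signature"


def triage(attachments):
    """Apply the rule to a list of (filename, bytes); return the names routed to IT for checking."""
    return [name for name, data in attachments
            if classify_attachment(name, data)[0] == "quarantine"]


def build_sample_openxml():
    """Constructed minimal .docx-like container used by the demonstration below."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
    return buffer.getvalue()


if __name__ == "__main__":
    docx = build_sample_openxml()
    sample_mail = [                                   # constructed attachments
        ("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),   # double extension
        ("report.pdf", b"MZ\x90\x00" + b"\x00" * 60),        # PE renamed to .pdf
        ("notes.docx", docx),                                 # genuine Office document
        ("notes.zip", docx),                                  # same bytes, archive extension
        ("readme.txt", b"hello"),
        ("setup.bat", b"@echo off"),
    ]
    for name, data in sample_mail:
        print(name, classify_attachment(name, data))
    print("routed to IT:", triage(sample_mail))
```

The signature table is intentionally short; a production gateway would also open archives to look for executables nested inside, which this example does not attempt.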

3.6.5 Housekeeping

Housekeeping measures are required to maintain the integrity and availability of services. Routine procedures will be established by computer staff for taking back-up copies of data, logging events and, where appropriate, monitoring the equipment environment. Documented procedures for each system shall include:

  • data back-up,
  • operator logs,
  • fault logging,
  • environmental monitoring,
  • network and application restart procedures,
  • change request logs,
  • system updates / upgrades.

3.6.6 Network Management

Appropriate controls must be implemented to ensure the security of data in networks and the protection of connected services from unauthorised access. Each authorised user will be allocated a unique logon identifier by ICT Support staff and a password that the user must change at least every 90 days. The password must contain at least eight characters including a mixture of three of the following four elements (a complex password):

  • lower case alpha characters,
  • upper case alpha characters,
  • numbers,
  • special characters.

Access to the network is automatically barred after four successive unsuccessful attempts to logon. Users are responsible for ensuring the secrecy and quality of their password and shall be held responsible for all actions recorded against their unique logon identifier. The ICT Manager is responsible for ensuring the security of the networks.
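The password and lockout rules in this section (at least eight characters, three of the four character classes, barred after four successive failed logons) and the user rules in 3.7.3 (no obvious passwords such as the user's name, no re-use) are concrete enough to be enforced in code. The following is an added example, not the XXX's own logon code and not part of the original policy: a policy checker that returns the rules a proposed password breaks, and a guard that counts successive failures per logon identifier and bars the account at the fourth. Previous passwords are kept only as salted PBKDF2 hashes so that re-use can be detected without ever retaining the old passwords; the hashing scheme, iteration count and sample usernames are assumptions, since the policy specifies none of them.

```python
import hashlib
import hmac
import os

# Parameters taken from sections 3.6.6 and 3.7.3 of the policy.
MIN_LENGTH = 8            # at least eight characters
MIN_CLASSES = 3           # three of the four character classes
MAX_FAILED_LOGONS = 4     # barred after four successive failures
PBKDF2_ROUNDS = 100_000   # assumption: the policy does not name a hashing scheme


def character_classes(password):
    """Count how many of the four classes (lower, upper, digit, special) are present."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    return sum((has_lower, has_upper, has_digit, has_special))


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: store (salt, digest), never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def password_violations(password, username, history):
    """Return the policy rules a proposed password breaks (empty list = acceptable).

    history holds (salt, digest) pairs of the user's previous passwords.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if character_classes(password) < MIN_CLASSES:
        violations.append("too_few_classes")
    if username and username.lower() in password.lower():
        violations.append("contains_username")     # 3.7.3: no obvious passwords
    if any(verify_password(password, salt, digest) for salt, digest in history):
        violations.append("reused")
    return violations


class LogonGuard:
    """Counts successive failed logons per identifier and bars the account at the limit."""

    def __init__(self, max_failures=MAX_FAILED_LOGONS):
        self.max_failures = max_failures
        self.failures = {}
        self.locked = set()

    def attempt(self, username, password, salt, digest):
        """Return 'ok', 'failed' or 'locked'. A success resets the failure count."""
        if username in self.locked:
            return "locked"            # barred: even the right password is refused
        if verify_password(password, salt, digest):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.max_failures:
            self.locked.add(username)
            return "locked"
        return "failed"


if __name__ == "__main__":
    salt, digest = hash_password("Winter-2024")        # constructed previous password
    print(password_violations("abc", "jsmith", []))
    print(password_violations("jsmith2024!", "jsmith", []))
    print(password_violations("Winter-2024", "jsmith", [(salt, digest)]))
    guard = LogonGuard()
    for guess in ("wrong1", "wrong2", "wrong3", "wrong4"):
        print(guess, guard.attempt("jsmith", guess, salt, digest))
```

Barring the account after the fourth failure also means a remote attacker can deny service to a known username by guessing wrongly four times; the policy accepts that trade-off, and the guard above follows it rather than silently adding a time-based unlock.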

3.6.7 Media Handling and Security

Computer media containing data shall be controlled and physically protected. Appropriate operating procedures will be established to protect computer media (tapes, disks, cassettes), input / output data and system documentation from damage, theft and unauthorised access. At least one copy of all computer media containing data or critical software will be stored in media fire safes. A copy of all such media should also be kept securely offsite. Computers that rarely physically connect to the network, such as laptops or computers provided to members and some officers, are not covered by our backup policy, and data backups of these computers are the responsibility of the member or officer. A means of backing up the computer and instruction in how to back up data will be provided by the ICT department.

3.6.8 Data and Software Exchange

Exchanges of data or software between the XXX and third parties should be managed in accordance with the Information classification policy. For critical or sensitive data and software, formal agreements, (including software escrow agreements where appropriate) for exchange of data and software (whether electronic or manual) between organisations should be established. These agreements should specify appropriate security conditions which reflect the sensitivity of the information involved, including:

  • management responsibilities for controlling and notifying transmission, despatch and receipt,
  • minimum technical standards for packaging and transmission,
  • courier identification standards,
  • responsibilities and liabilities in the event of loss of data,
  • data and software ownership and responsibilities for data protection, software copyright compliance and similar considerations,
  • technical standards for recording and reading data and software,
  • any special measures required to protect very sensitive items;
  • the use of personal e-mail accounts for sharing data is prohibited.

In order to ensure the security of physical media in transit, reliable transport couriers should always be used. Packaging should be sufficient to protect the contents from any physical damage during transit and should be in accordance with manufacturers’ instructions. Data in transit should be sealed with tamper-proof or tamper-evident devices and accompanied by documentation listing the package contents. All electronic commerce should be in accordance with the XXX’s Contract Procedure Rules / Financial Procedure Rules and subject to formal contract(s) drawn up between the XXX and the trading partner(s), including the specialised areas of communication processes, transaction message security and data storage. Managers will need to obtain the appropriate specialised advice upon, identify and take into account all external and internal requirements affecting this activity. These requirements are likely to include the acts and directives listed in section 9.1 of this policy. Also relevant will be international and local (to other countries) laws and directives, any national or international professional regulations such as accounting practice and tax regimes, any conditions specified by the XXX’s insurers, fair trade and human rights standards, and the requisite information and technology standards and controls to preserve the timeliness, accuracy, integrity, security, recoverability and processing of this activity.

3.6.9 Connection to Other Networks

For operational purposes, the XXX will sometimes require access to external networks both to make use of business applications and to exchange data. Access to such networks is only allowed under the following conditions:

  • must be authorised by the relevant Head of Service;
  • must be agreed by the ICT manager or ICT Security Officer;
  • must be protected by a firewall configured to provide protection of all networks concerned;
  • must be subject to a suitable data sharing agreement / contract;
  • must have protocols in place to protect data in transit and at rest.

3.6.10 Electronic Mail

Controls to reduce the security risks associated with electronic mail (e-mail) should be implemented covering:

  • vulnerability to unauthorised interception or modification. Confidential data should only be sent in encrypted form;
  • vulnerability to error, for example incorrect addressing;
  • legal considerations such as the need for proof of origin, despatch, delivery and acceptance;
  • publication of directory entries;
  • remote access to e-mail accounts.

All staff have internal e-mail facilities, and external e-mail will be made available to all members and to those officers with the authorisation of their director or head of service. Users shall avoid responding to unsolicited e-mails from unverifiable sources and, except where there is a justifiable business reason that has been expressly agreed with the ICT Manager, shall not open such mail or any attachments, as there is a significant risk they may contain a virus. IT staff shall monitor usage of e-mail and report any concerns to the appropriate director or head of service. All e-mail sent to external parties shall contain a standard disclaimer inserted by the e-mail system in a form approved by the XXX’s Legal Officer. All inbound and outbound e-mail will be subject to security scans for spyware, malware and viruses. E-mail is not to be accessed via the Outlook app installed on personal devices. Forwarding of e-mails to personal e-mail accounts is prohibited. The use of personal e-mail accounts for sharing data is prohibited.

3.6.11 Internet

The use of the Internet on the XXX’s computer systems shall be controlled and monitored to prevent:

  • users wasting time and public resources by playing or “surfing” when they are paid to work;
  • users accessing sites and importing material which the XXX, as a matter of policy, may find unacceptable;
  • users accessing sites and importing illegal material;
  • users importing a virus or other malicious software and hence compromising the accuracy, availability and confidentiality of XXX systems;
  • users committing the XXX to expenditure in an unauthorised fashion.

Internet access is to be used only for access to sites relevant to work or vocational training during an individual’s working hours. Personal use of the internet is permitted outside of staff’s working hours and is subject to compliance with the XXX’s “Internet and E-mail Access – Conditions of Use” policy document. Internet access and e-mail are provided via a central connection to the internet which incorporates security features (intrusion detection and intrusion prevention) to safeguard the security and integrity of the XXX’s IT systems and data. This connection will always be used by officers and members located at XXX offices unless they are specifically authorised to use other methods. The key terms and conditions are as follows:

  • Authority to use the Internet and/or e-mail facility will only be granted by the Chief Executive, Directors, Heads of Service or Service Managers.
  • All Officers and Members using the facility will be required to sign the “Conditions of Use” document to confirm that they have read and agree to abide by its conditions. A breach of the conditions of use may result in disciplinary action and/or criminal proceedings.
  • All “Conditions of Use” forms must be countersigned electronically or manually, by a designated authorising supervisor and completed documents will be held by the IT section and Human Resources section.
  • All users of the facility will be issued with their own unique User ID and password and users will be deemed responsible for any activity logged against the user ID so User IDs and passwords should not be disclosed to other persons.
  • The XXX maintains logs of activity on our central Internet connection and may analyse and monitor those logs and all internet traffic.

All access to the Internet will be traceable to an originating user ID, both currently and retrospectively. All access and attempted access to the Internet will be logged by the IT section, and comprehensive information on usage, including the time and length of visits, will be supplied by the ICT Manager, on request or in the event of concerns, to a user’s director or head of service, or to the Chief Executive in the case of members. The IT section has implemented and maintains an automatic method for restricting which Internet sites may be accessed. No user shall attempt to access an Internet site which, from its address, may reasonably be considered to contain pornographic material or any other material prohibited by the “Conditions of Use” policy. The corporate leadership team will define which sites are not to be accessed, and any deliberate attempt to access such sites will be considered in accordance with the disciplinary procedure. An intrusion prevention system (IPS) is in place to detect, monitor, analyse and alert on attempted cyber-attacks. Access to restricted and prohibited sites is automatically monitored and reports of activity will be made available to the user’s director or head of service. A monthly security review, led by the ICT Security Officer, will be conducted to ensure security and compliance. The IT section has implemented and maintains a resilient security gateway device, or “firewall” (software and hardware facilities), to control, vet and filter incoming data and guard against recognised forms of Internet attack and malicious software. Only IT staff may download software, including freeware, from the Internet. This does not apply to documents, i.e. Word, Excel or PDF files.

3.7 System Access Control

3.7.1 Business Requirements for System Access

Access to computer services and data should be controlled on the basis of business requirements, and the access granted to any one user of a system must not undermine separation (segregation) of duties where that is important. Each system administrator will set up the system access rights of each user or group of users according to authorised business needs. Update access rights should be restricted to the minimum number of people commensurate with the need to maintain service levels. System access controls are reviewed by Internal Audit during their routine systems audit work programme. Domain privileged access will be reviewed periodically.

3.7.2 User Access Management

Formal procedures will be developed for each system by the system administrator to cover the following:

  • formal user registration and de-registration procedure for access to all multi-user IT services;
  • restricted and controlled use of special privileges;
  • allocation of passwords securely controlled;
  • ensuring the regular change and, where appropriate, the quality and complexity of passwords;
  • regular review of user access rights and privileged access rights;
  • controlled availability of master passwords in emergencies.

User access will be suitably administered to ensure that the type of account granted to employees allows them to perform their day-to-day user activities and prevents access to any sensitive information not required for the purpose of undertaking their duties. System administrators must ensure that the access of staff, contractors and third parties to information systems does not exceed the needs of the role, on a ‘need to know’ basis; that their use of ICT is appropriate; and that starter, leaver and amendment changes are properly processed and authorised. Network accounts which have not been logged into for 90 days will be reviewed and action taken. This review will occur every 90 days to ensure that dormant accounts are disabled in a quick and secure manner.
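The 90-day dormant account review described above is a routine job rather than a one-off, and the case that most often slips through a manual review is an account that was created but never logged on (a contractor or starter who never turned up). The following is an added example, not the XXX's own review script and not part of the original policy: it takes an export of account records, measures idle time from the last logon or, where there has never been one, from the creation date, and sorts the accounts into those to disable, those to retain and those already disabled. The record fields, the sample accounts and the review date are constructed for the illustration; a real run would read them from the directory.

```python
from datetime import date

DORMANT_AFTER_DAYS = 90   # section 3.7.2

# Constructed directory export: one record per network account.
SAMPLE_ACCOUNTS = [
    {"user": "jsmith",       "enabled": True,  "created": "2023-01-10", "last_logon": "2024-05-30"},
    {"user": "aturner",      "enabled": True,  "created": "2023-03-01", "last_logon": "2024-01-15"},
    {"user": "contractor07", "enabled": True,  "created": "2024-01-02", "last_logon": None},
    {"user": "newstarter",   "enabled": True,  "created": "2024-05-20", "last_logon": None},
    {"user": "oldleaver",    "enabled": False, "created": "2022-06-01", "last_logon": "2023-02-01"},
]
REVIEW_DATE = date(2024, 6, 3)   # constructed date of the review run


def _days_since(iso_date, today):
    return (today - date.fromisoformat(iso_date)).days


def review_accounts(accounts, today, threshold_days=DORMANT_AFTER_DAYS):
    """Sort accounts into 'disable', 'retain' and 'already_disabled'.

    Enabled accounts carry (user, idle_days) so the reviewer can see why each was
    chosen. An account that has never logged on is measured from its creation
    date, so an unused account issued to someone who never started is still caught.
    """
    result = {"disable": [], "retain": [], "already_disabled": []}
    for account in accounts:
        if not account["enabled"]:
            result["already_disabled"].append(account["user"])
            continue
        reference = account["last_logon"] or account["created"]
        idle_days = _days_since(reference, today)
        bucket = "disable" if idle_days >= threshold_days else "retain"
        result[bucket].append((account["user"], idle_days))
    return result


def disable_list(accounts, today, threshold_days=DORMANT_AFTER_DAYS):
    """Just the identifiers to disable, in the order they appeared in the export."""
    return [user for user, _ in review_accounts(accounts, today, threshold_days)["disable"]]


if __name__ == "__main__":
    report = review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)
    for user, idle in report["disable"]:
        print("disable  %-13s idle %3d days" % (user, idle))
    for user, idle in report["retain"]:
        print("retain   %-13s idle %3d days" % (user, idle))
    print("already disabled:", report["already_disabled"])
```

Disabling rather than deleting is the right first action: the account, its mailbox and its group memberships stay available for the leaver retention period, and a wrongly flagged account can be re-enabled without loss.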

3.7.3 User Responsibilities

Effective security requires the co-operation of authorised users. Users must comply with XXX policies, standards and procedures regarding access controls, in particular the use of passwords and the security of equipment. In order to maintain security users must:

  • not write passwords down where others may readily discover them;
  • not tell anyone else their password/s;
  • not use obvious passwords such as their name;
  • not let other people observe when entering their password;
  • use a password with at least eight characters, meeting the complexity rules in section 3.6.6 (including numeric or special characters);
  • promptly change their password if they suspect anyone else may be aware of it;
  • log out of applications if they will be away from their desk for any length of time;
  • ‘lock’ their PC when away from their desk to prevent it being used by others (by using Ctrl + Alt + Del or the Windows key + L);
  • if working at home, shut the device down at the end of the day so that security policies can be applied on the next start up, and store it in a secure location when not in use;
  • follow the XXX’s ICT security policy (including reading and signing confidentiality and conditions of use agreements);
  • restart PCs and laptops as required after the application of security updates;
  • report security incidents to the ICT Service Desk;
  • not open e-mails containing suspicious attachments;
  • check the e-mail address and name of the sender of a message to ensure they are legitimate;
  • report scams, privacy breaches and hacking attempts;
  • not re-use passwords from other systems.

Staff will be held responsible for all activities logged to their unique user ID.

3.7.4 Network Access Control

Connections to networked services shall be controlled in order to ensure that connected users or services do not compromise the security of any other networked services. The ICT Manager is responsible for the protection of networked services. All machines, including servers, are patched every month as part of the patch management cycle, to keep the estate up to date and protected. A daily operations check is carried out as part of the daily checks procedure to ensure that anti-virus, anti-malware and anti-spyware updates are current on all PCs, laptops and desktops. Devices not purchased by the ICT department are not to be plugged into, or connected wirelessly to, the XXX’s corporate network unless authorised by the ICT Manager or ICT Security Officer. All mobile devices, including tablets, laptops and smartphones, will be encrypted using device management software.

3.7.5 Computer and Application Access Control

Access to computer facilities should be restricted to authorised users. Computer facilities that serve multiple users should be capable of:

  • identifying and verifying the identity of each authorised user, particularly where the user has update access;
  • recording successful and unsuccessful attempts to access the system including files and folders;
  • providing a password management system which ensures quality passwords;
  • where appropriate, restricting the connection times of users;
  • controlling user access to data and system functions;
  • restricting or preventing access to system utilities which override system or application controls;
  • complete ‘lock out’ of user access after a pre-agreed number of unsuccessful attempts to access data.

3.8 Systems Development and maintenance

3.8.1 Security Requirements in Systems

All security requirements, including a risk analysis and the need for fall back arrangements, should be identified at the requirements phase of a project by the officer requesting the system in consultation with computer and audit staff. Security requirements should be justified, agreed and documented. The analysis of security requirements should:

  • consider the need to safeguard the confidentiality, integrity and availability of information assets;
  • identify controls to prevent, detect and recover from major failures or incidents;
  • when specifying that a system requires a particular security feature, the quality of that feature must be specified, e.g. Password controlled – “the password must be held in encrypted format. Passwords must expire after a number of days set by the system administrator, passwords should not be reusable, the system administrator should be able to specify a minimum length and other rules concerning password composition”.

In order to ensure IT staff and users are aware of security controls in place, controls must be explicitly defined by the relevant system administrator in all relevant documentation.

3.8.2 Security of Application System Files

Access to application software, data files and system management files should be formalised and documented according to the sensitivity and importance of the system. Maintaining the integrity of applications is the responsibility of the system administrator who will ensure that:

  • strict control is exercised over the implementation of software on the operational system;
  • test data is protected and controlled.

3.8.3 Security in Development and Support Environments

All proposed system changes must be reviewed to ensure they do not compromise the security of either the system or operating environment. The ICT Manager is responsible for all operating systems and the appropriate system administrator is responsible for the application. It is essential that both parties work together to ensure the security of application software and data is maintained. Unsupported modifications to packaged software will only be authorised in exceptional circumstances. Wherever possible the required changes should be obtained from the vendor as standard program updates. The implementation of any changes to systems should be strictly controlled using formal change control procedures. All system changes will be documented. It should be a standard that any operational system has separate and secure test, training and development environments.

3.9 Compliance

3.9.1 Compliance with Legal Requirements

The XXX’s statutory obligation to have sound information and cyber security arrangements in place originates in the Indian IT Act 2000. The XXX depends on the confidentiality, integrity and availability of its information and ICT to such an extent, however, that a serious breach of information security could impact on the XXX’s ability to deliver a wide range of statutory services. In addition, the XXX has contractual obligations to ensure sound security if it is to use the Government Public Services Network (PSN) or receive or share information with partner agencies under information sharing arrangements.

3.9.2 Control of Proprietary Software Copying

Proprietary software is usually supplied under a licence agreement which limits the number of users and/or limits the use to a specified machine. Copyright infringement can lead to legal action, fines and adverse publicity. It is XXX policy that no copyright material is copied without the owner’s consent.

3.9.3 Use of Unlicensed Software

Except for freeware, the use of unlicensed software amounts to theft and the XXX’s policy is only to use licensed software. The introduction and/or use of unlicensed software is prohibited and may be treated as gross misconduct.

3.9.4 Safeguarding of the XXX’s Records

Important records must be protected from loss, destruction and falsification. All financial records need to be retained for seven years or more to meet audit requirements. All historic data should be periodically archived by the relevant system administrator, with copies being retained in media fire safes on and off site, in accordance with Government regulations.

3.9.5 Auditing and logging the use of ICT resources

The XXX maintains audit logs of events taking place across its complete network. This includes, but is not limited to:

  • user login times;
  • details of failed login attempts;
  • details of access to data files and software applications (user ID, times);
  • details of any privileged access to systems;
  • software and hardware configuration changes;
  • details of internet web usage and restricted access reports;
  • details of files, folder and network access to objects.

3.9.6 Prevention of Misuse of IT Facilities

The XXX’s computer facilities are provided for XXX business or in connection with approved study courses. Staff and members are allowed to use the XXX’s computer facilities for personal use for the following:

  • personal use of e-mail in accordance with the “Internet and E-Mail Access – Conditions of Use” policy document;
  • access to the Internet, if granted for work purposes, in accordance with the “Internet and E-Mail Access – Conditions of Use” policy document;
  • limited use of PC software, particularly word processing, in their own time.

The following conditions will apply:

  • all private printing must be paid for unless an agreement has been reached with the ICT Manager or the printing service;
  • unauthorised or excessive personal use may be subject to disciplinary action;
  • The Computer Misuse Act 1990 introduced three criminal offences:
    • unauthorised access;
    • unauthorised access with intent to commit a further serious offence;
    • unauthorised modification of computer material, i.e. alteration, erasure or addition to programs or data.

Users should not attempt to gain access to systems they are not authorised to use or see, as they could face criminal prosecution.

3.9.7 Security Reviews of IT Systems

The internal and external security of IT systems will be regularly reviewed and subject to cyber security and penetration testing, including external penetration testing. The review of security processes will be carried out by Internal Audit, External Audit and managers. ICT will use specialist third parties to perform external and internal security and cyber security health checks annually, in order to maintain the Cyber Essentials PLUS accreditation as well as meeting our PSN security obligations. Annual reviews will ensure compliance and assurance with the security policy, standards and best practice.

3.9.8 System Audit Considerations

Audit requirements and activities involving checks on operational systems shall be carefully planned and agreed to minimise the risk of disruptions to business processes. There should be controls to safeguard operational systems and audit tools during system audits. The following are to be observed:

  • audit requirements to be agreed with the appropriate manager;
  • the scope of any checks to be agreed and controlled;
  • checks to be limited to read only access to software and data wherever possible;
  • access, other than read only, only to be allowed for isolated copies of system files which must be erased when the audit is completed;
  • IT resources for performing checks should be identified and made available;
  • requirements for special or additional processing should be identified and agreed with service providers;
  • wherever possible access should be logged and monitored;
  • all procedures and requirements should be documented.

Access to system audit tools should be controlled.

4.0 IMPLEMENTATION, REVIEWS AND ENFORCEMENT

4.1. Implementation and Reviews

4.1.1. This document shall come into operation once tabled and agreed in management meeting, and approved in its first page, and then shall be considered mandatory for all XXX’s business operations.
4.1.2. XXX’s staff found to have violated this policy may be subject to disciplinary action in accordance with rules defined by XXX’s administrative regulations.
4.1.3. This document shall be reviewed within three years, or whenever the business environment of XXX changes in a way that affects the current policy.

4.2. Exceptions

4.2.1. Any exceptions to this policy shall be thoroughly documented and followed through a proper channel of authorisation, using the same authority which approved this document.

Example of Procedures to Manage the Information Security Risks Associated with the Use of Supplier’s Products or Services

Supplier chain risk management procedure

1.0 Purpose

This Procedure establishes the means with which to assess the risks and opportunities associated with the use of suppliers’ products or services, such as the contracting, procurement and provision of supplies and services at a corporate and project level, as well as the development of sustainable commercial relations. As part of this commitment, XXX considers it a priority to prevent all risks originating from its supply chain or from the goods and services produced or supplied by the companies in its supply chain. The scope covers XXX, its Group companies, and all operations conducted in countries where the Group is present in a concession business model that intervenes in the entire value chain of the infrastructure sector. This Procedure covers our management approach to the supply chain and reflects our commitment and that of our suppliers.

2.0 Scope

These standards apply to all information and information systems that support the operations and assets of the XXX, including those provided or managed by a supplier, contractor or other source, as well as services that are either fully or partially provided, including XXX’s hosted, outsourced and cloud-based solutions. Principal Offices, employees, contractors, external service providers and system users are required to comply with this supply chain risk management procedure.

3.0 Principles of supply chain security

3.1. Understand what needs to be protected and why

You should know:

  • The sensitivity of the contracts you let or will be letting.
  • The value of your information or assets which suppliers hold, will hold, have access to, or handle, as part of the contract.

Think about the level of protection you need suppliers to give to your assets and information, as well as the products or services they will deliver to you as part of the contract.

3.2. Know who your suppliers are and build an understanding of what their security looks like

You should know:

  • Who your suppliers are. You will need to think about how far down your supply chain you need to go to gain understanding and confidence in your suppliers. You may have to rely on your immediate suppliers to provide information about sub-contractors, and it may take some time to ascertain the full extent of your supply chain.
  • The maturity and effectiveness of your suppliers’ current security arrangements. For example you could use CPNI Personnel Security Maturity Model to assess the maturity of your suppliers’ people security arrangements.
  • What security protections you have asked your immediate suppliers to provide, and what they, in turn, have asked any sub-contractors to do:
    • Determine whether or not your suppliers and their sub-contractors have provided the security requirements asked of them.
    • Understand what access (physical and logical) your suppliers have to your systems, premises and information and how you will control it.
    • Understand how your immediate suppliers control access to, and use of, your information and/or assets, including systems and premises, by any sub-contractors they employ.
  • You should focus your efforts in this area on those parts of your suppliers’ business or systems that are used to handle your contract information, or to deliver the contracted product or service.

3.3. Understand the security risk posed by your supply chain

Assess the risks these arrangements pose to your information or assets, to the products or services to be delivered, and to the wider supply chain.

Sources of risk

Risks to and from the supply chain can take many forms. For example, a supplier may fail to adequately secure their systems, may have a malicious insider, or a supplier’s members of staff may fail to properly handle or manage your information. It could be that you have poorly communicated your security needs so the supplier does the wrong things, or the supplier may deliberately seek to undermine your systems through malicious action (this may be under state influence for national security applications). Use the best information you can to understand these security risks. For example:

  • Common cyber attacks – reducing the impact
  • Insider data collection report
  • Insider risk assessment
  • CPNI Holistic Management of Employee Risk (HomER).

Understanding the risk associated with your supply chain is key to ensuring security measures and mitigations are proportionate, effective and responsive. Use this understanding to decide the appropriate levels of protection you will expect suppliers across your supply chain to provide for any contract information, and contracted products or services.

Plan of action

It may be useful to group different lines of work, contracts or suppliers into different risk profiles, based on considerations such as: the impact on your operations of any loss, damage or disruption, the capability of likely threats, the nature of the service they are providing, the type and sensitivity of information they are processing etc. Each profile will require slightly different treatment and handling to reflect your view of the associated risks. This may make things easier to manage and control. You should document these decisions and share them with suppliers. For example, you may decide that contracts which provide basic commodities such as stationery, or cleaning services require very different approaches to management to those that provide critical services or products.

3.4. Communicate your view of security needs to your suppliers

Ensure that your suppliers understand their responsibility to provide appropriate protection for your contract information and contracted products and services and the implications of failing to do so. Ensure your suppliers adhere to their security responsibilities and include any associated security requirements in any sub contracts they let. You should decide whether you are willing to permit your suppliers to sub-contract and delegate authority to do so appropriately. Give your suppliers clear guidance on the criteria to use for such decisions (e.g. the types of contract that they can let with little/no recourse to you, and those where your prior approval and sign-off must always be sought).

3.5. Set and communicate minimum security requirements for your suppliers

You should set minimum security requirements for suppliers which are justified, proportionate and achievable. Ensure these requirements reflect your assessment of security risks, but also take account of the maturity of your suppliers’ security arrangements and their ability to deliver the requirements you intend to set. It may also be sensible to identify circumstances where it would be disproportionate to expect suppliers to meet the minimum security requirements. For example, this may only be relevant for those suppliers who only need ad hoc, or occasional access to limited and specific data, and/or access to your premises. You should document these considerations and provide guidance on the steps you intend to take to manage these engagements. This approach could help reduce your workload and avoid creating additional, unnecessary work for these parties.

Case by case

Consider setting different protection requirements for different types of contracts, based on the risk associated with them – avoid situations where you force all your suppliers to deliver the same set of security requirements when it may not be proportionate or justified to do so. Explain the rationale for these requirements to your suppliers, so they understand what is required from them. Include your minimum security requirements in the contracts you have with suppliers and in addition, require that your suppliers pass these down to any sub-contractors they might have.

3.6. Build security considerations into your contracting processes and require that your suppliers do the same

Build security considerations into your normal contracting processes. This will help you to manage security throughout the contract, including termination and the transfer of services to another supplier.

Evidence
Require prospective suppliers to provide evidence of their approach to security and their ability to meet the minimum security requirements you have set at different stages of the contract competition.

Providing support
Develop appropriate supporting guidance, tools and processes to enable the effective management of the supply chain by you and your suppliers, at all levels.

You should:

  • Ensure the security considerations you build into your contracts are proportionate and align with the various stages of the contracting process.
  • Require their adoption in contracts and train all parties on their use.
  • Check that your supporting guidance, tools and processes are being used throughout the whole of your supply chain.
  • Require contracts to be renewed at appropriate intervals, and require reassessment of associated risks at the same time.
  • Seek assurance that your suppliers understand and support your approach to security and only ask them to take action or provide information where it is necessary to support the management of supply chain security risks.
  • Ensure that contracts clearly set out specific requirements for the return and deletion of your information and assets by a supplier on termination or transfer of that contract.

3.7. Meet your own security responsibilities as a supplier and consumer

Ensure that you enforce and meet any requirements on you as a supplier. Provide upward reporting and pass security requirements down to sub-contractors. Welcome any audit interventions your customer might make, tell them about any issues you are encountering and work proactively with them to make improvements. Challenge your customers if guidance covering their security needs is not forthcoming, and seek assurance that they are they happy with the measures you are taking.

3.8. Raise awareness of security within your supply chain

Explain security risks to your suppliers using language they can understand. Encourage them to ensure that key staff (e.g. procurement, security, marketing) are trained on, and understand these risks, as well as their responsibilities to help manage them.

  • Set goals: Establish supply chain security awareness and education for appropriate staff.
  • Information sharing: Promote and adopt the sharing of security information across your supply chain to enable better understanding and anticipation of emerging security attacks.

3.9. Provide support for security incidents

Whilst it is reasonable to expect your suppliers to manage security risks in accordance with the contract, you should be prepared to provide support and assistance if necessary where security incidents have the potential to affect your business or the wider supply chain.

Make requirements clear
You should clearly set out requirements for managing and reporting security incidents in the contract. These should clarify supplier’s responsibilities for advising you about such incidents – reporting timescales, who to report to etc. Suppliers should also be clear about what support they can expect from you if an incident occurs – required ‘clean up’ actions, losses incurred, etc.

Propagate lessons learned
Where lessons have been learnt from security incidents, communicate these to all your suppliers, to help them avoid becoming victims of ‘known and manageable’ attacks.

3.10. Build assurance activities into your supply chain management

  • Require those suppliers who are key to the security of your supply chain, via contracts, to provide upward reporting of security performance and to adhere to any risk management policies and processes.
  • Build the ‘right to audit’ into all contracts and exercise this. Require your suppliers to do the same for any contracts that they have let that relate to your contract and your organisation. (Note that this might not always be possible or desirable, particularly where this relates to a Cloud service).
  • Build, where justified, assurance requirements such as Cyber Essentials Plus, penetration tests, external audit or formal security certifications into your security requirements.
  • Establish key performance indicators to measure the performance of your supply chain security management practice.
  • Review and act on any findings and lessons learned.
  • Encourage suppliers to promote good security behaviours.

3.11. Encourage the continuous improvement of security within your supply chain

  • Encourage your suppliers to continue improving their security arrangements, emphasising how this might enable them to compete for and win future contracts with you. This will also help you to grow your supply chain and choice of potential suppliers.
  • Advise and support your suppliers as they seek to make these improvements.
  • Avoid creating unnecessary barriers to such improvements: acknowledge and be prepared to recognise any existing security practices or certifications they might have that could demonstrate how they meet your minimum security requirements.
  • Allow time for your suppliers to achieve security improvements, but require them to provide you with timescales and plans that demonstrate how they intend to achieve them.
  • Listen to and act on any concerns highlighted through performance monitoring, incidents, or upward reporting from suppliers that may suggest that current approaches are not working as effectively as planned.

3.12. Build trust with suppliers

  • Seek to build strategic partnerships with key suppliers, sharing issues with them, encouraging and valuing their input. Gain their buy-in to your approach to supply chain security, so that it takes account of their needs as well as your own.
  • Let them manage sub-contractors for you, but require them to provide you with appropriate reporting to confirm the status of these relationships.
  • Maintain continuous and effective communications with your suppliers.
  • Look at supply chain management as a shared issue.

4. Procedures

All information assets that process, store, receive, transmit or otherwise could impact the confidentiality, integrity, and accessibility of XXX information must meet the required security controls defined in this procedure that are based on the ISMS Risk assessment procedure.

4.1 Supply Chain Risk Management Plan

The following shall be implemented:

a. Develop a plan for managing supply chain risks associated with acquisition, delivery, integration, operations and maintenance, and disposal of the information systems and services:

  1. The Supply Chain Risk Management (SCRM) plan should provide the basis for determining whether a technology, service or information system is fit for purpose and as such the controls need to be tailored accordingly.
  2. The SCRM plan shall include the following:
    • an expression of the supply chain risk tolerance for the agency;
    • acceptable supply chain risk mitigation strategies or controls;
    • a process for consistently evaluating and monitoring supply chain risk;
    • approaches for implementing and communicating the plan;
    • a description of and justification for supply chain risk mitigation measures taken; and
    • associated roles and responsibilities.

b. Review and update the supply chain risk management plan on an annual basis or as required, to address threat, organizational or environmental changes.
c. Protect the supply chain risk management plan from unauthorized disclosure and modification.

4.2 Establish SCRM Team

The following shall be implemented:
a. Establish a supply chain risk management team that consists of the defined roles and is responsible for identifying, assessing, and managing risks while using coordinated efforts.
b. The SCRM team shall consist of personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executives, information technology, contracting, information security, privacy, mission, or business, legal, supply chain and logistics and acquisition.
c. The SCRM team shall be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team.

4.3 Supply Chain Controls and Processes

The following shall be implemented:

  1. Establish processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of information systems in coordination with the identified supply chain personnel.
    • Supply chain elements include organizations, entities, or tools employed for the acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components.
    • Supply chain processes include hardware, software, and firmware development processes;
    • shipping and handling procedures; personnel security and physical security programs;
    • configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components.
  2. Employ the following controls to protect against supply chain risks to information assets, systems, system components, or system services and to limit the harm or consequences from supply chain related events (examples):
    • Control Assessments
    • External System Services
    • Acquisition Process
    • Controlled Maintenance
    • Component Authenticity
    • Component Disposal
  3. Document the selected and implemented supply chain processes and controls in an agency-defined document such as a SCRM plan.

4.4 Acquisition Strategies, Tools, and Methods

Acquisition strategies, contract tools, and procurement methods shall be employed to protect against, identify, and mitigate supply chain risks. Examples are as follows:

  • Including incentive programs to system integrators, suppliers, or external services providers to ensure that they provide verification of integrity as well as traceability.
  • Requiring tamper-evident packaging.
  • Using trusted or controlled distribution.
  • Establish compliance standards for all third-party vendors, including manufacturers, suppliers and distributors.
  • Define user roles and implement security controls to restrict who is able to access your system and what level of clearance they have been given.
  • Perform a thorough vendor risk assessment prior to signing any contracts.
  • Implement data stewardship standards that define who owns certain data and what they’re to do with that data.
  • Provide comprehensive training for all employees about cyber security protocols.
  • Implement a software solution that provides you with total visibility into your supply chain, so you can quickly identify unusual activity.
  • Work with vendors in your supply chain network to develop a unified disaster recovery plan to ensure business continuity.
  • Establish backup controls to safeguard your data backups.
  • Regularly update your company’s anti-virus, anti-spyware, and firewall software solutions, as well as look into more advanced cyber security measures, such as DNS filtering and network access control.

4.5 Supplier Assessments and Reviews

Supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide shall be assessed and reviewed annually. An assessment and review of supplier risk should include security and supply chain risk management processes, foreign ownership, and the ability of the supplier to effectively assess subordinate second tier and third-tier suppliers and contractors. The reviews shall consider documented processes, documented controls, and publicly available information related to the supplier or contractor.

4.6 Notification Agreements

Agreements and procedures with entities involved in the supply chain shall be established for the notification of supply chain compromises, including security incidents and privacy breaches, and for the notification of assessment or audit results.

4.7 Inspection of Systems or Components

A process to inspect information systems annually, or upon any indication of tampering with information systems, shall be implemented. Indications of a need for inspection include changes in packaging, specifications, factory location, or the entity from which the part is purchased, and when individuals return from travel to high-risk locations.

4.8 Component Authenticity

The following shall be implemented:
a. Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and
b. Report counterfeit system components to the agency-defined personnel.
Organizations should include in their anti-counterfeit policy and procedures, a means to help ensure that the components acquired and used are authentic and have not been subject to tampering.

4.9 Component Authenticity | Anti-Counterfeit Training
The following agency-defined roles shall be trained to detect counterfeit system components (including hardware, software, and firmware).

  • Personnel conducting configuration management activities
  • System administrators
  • Database administrators
  • Network administrators
  • Procurement personnel

4.10 Component Authenticity | Configuration Control for Component

Configuration control shall be maintained over system components awaiting service or repair and serviced or repaired components awaiting return to service. Organizations shall manage risks associated with component repair, including the repair process and any replacements, updates and revisions of hardware and software components within the supply chain infrastructure.

4.11 Component Disposal

Defined data, documentation, tools, or system components shall be disposed of without exposing sensitive or operational information, which may lead to a future supply chain compromise. Examples include the following:
a. Monitoring and documenting the chain of custody through the destruction process.
b. Training disposal service personnel to ensure accurate delivery of service against disposal policy and procedures.
c. Implementing assessment procedures for the verification of disposal processes with a frequency that fits agency needs.
d. Using media sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—to prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal.

5. Enforcement

Violations of this policy or failure to implement provisions of this policy may result in disciplinary action up to and including termination, civil litigation, and/or criminal prosecution.

Example of Procedures to protect intellectual property rights.

1. Purpose

This procedure defines intellectual property and outlines the responsibilities of the XXX’s employees and key processes in managing the creation, procurement and use of intellectual property rights (IPR).

2. Scope

This procedure outlines what department employees must do to avoid infringing the copyright and IP of others, and meet obligations under the Copyright Act 1957. Intellectual Property (IP) covers a range of intangible property that results from creative and intellectual effort including literary and artistic works, computer programs, databases, film and sound recording, trademarks, and designs. The most common type of IP that departmental employees will create, acquire and/or use in their work is copyright.

Copyright exists in content developed or acquired by the XXX, whether for public use or for limited use such as training, as well as in works created or owned by others (i.e. third-party materials) used by the XXX. Copyright is automatic, and creators or owners do not need to register their copyright or display a copyright symbol for their work to be protected. XXX (as the employer) owns the copyright in material created by its employees in the course of their duties unless otherwise agreed between the employer and employee. It does not matter that the employee creates the material (either wholly or in part) outside normal work hours and without using XXX facilities or equipment. Generally, the deciding factor is whether the materials created relate to the employee’s official duties. Creators who are employees of XXX also have moral rights, which are additional to copyright and include the right to attribution, the right against false attribution, and the right to have the integrity of their work respected.

3. Responsibilities

3.1 All employees

  • Avoid infringing the IP rights or moral rights of others.
  • Use, to the maximum extent possible, third-party materials that have a Creative Commons or a similar open licence to:
    • minimise the costs of seeking permission and managing third-party licences
    • reduce costs of statutory licences for copying within the organization
  • Ensure that copying or adaptation of third-party materials is either permitted or permission has been obtained.
  • Ensure all third-party materials in departmental publications are attributed and that any licence conditions are adhered to.
  • Maintain appropriate records of copyright materials created, used or procured in accordance with the XXX’s Handling of Information and other asset policy.
  • Comply with the requirements of the statutory and voluntary licences, when copying and communicating third-party materials for purposes of their work.
  • Participate in copyright sampling surveys as required to meet statutory licence agreements.

3.2 Copyright team, Information and Governance Management

Provide guides, tools and advice to XXX employees in relation to creation and use of IP, including:

  • location and use of Creative Commons, other openly licensed or public domain materials
  • finding alternatives, workaround or in-house solutions to using third-party materials
  • requesting and managing permissions to use third-party materials (i.e. licences)
  • adopting best practice copyright record keeping and management
  • Respond to external parties who request permission to copy department works.
  • Liaise with the unit who is custodian of the work, to confirm the XXX’s copyright in the materials.
  • Ensure records relating to the creation, procurement and use of copyright material are appropriately stored, monitored and maintained.
  • Ensure significant IP (e.g. trademarks, published content such as online courses, teaching materials, posters, videos, ebooks, apps) with public, strategic or innovative value is recorded in the XXX’s Intellectual property register

4.0 Procedure

  1. Company shall respect intellectual property (IP) and conduct its business in compliance with the IP-related laws as applicable in the jurisdiction of Republic of India and its agreements with other companies.
  2. Company shall actively protect its own IP.
  3. Company shall maintain an effective system of IP asset management, including maintaining an inventory and records of IP-related assets and agreements.
  4. Company shall not knowingly infringe a third party’s intellectual property in its products, services, or components, or disclose or use a third party’s trade secrets without the express or implied consent of the owner or as permitted by law.
  5. Company shall not knowingly purchase or use counterfeit or other infringing goods and services in running its business, including counterfeit trademark goods or infringing copyright material (such as software, publications, video, audio, or other content).
  6. Company shall document and maintain written records of all substantial transactions and uses that involve the exercise of IP rights. (This includes, for example, licenses or assignments of rights; manufacture, reproduction or distribution of patented, trademarked or copyrighted items; and disclosure and use of trade secrets.)
  7. Company shall require, through binding policies or agreements with employees and contractors that its personnel comply with the applicable IP laws and the Company’s IP policies and IP-related provisions in agreements with other companies.
  8. Company shall develop and implement a management system to help ensure that all personnel follow its IP policies. This management system shall encompass all IP-related policies, procedures and adequate and accurate records necessary to implement, measure, and improve Company’s IP protection and compliance program.

5. Using third-party material

All employees seeking to use third-party material must follow these steps:

Step 1: Assess if the material is protected by copyright

  • If yes – go to step 2
  • If no – go to step 3

Step 2: Assess if the use is permitted or if permission is required
Ensure that copying or adaptation of third-party materials is either permitted or permission has been obtained.

If use is permitted
Some creators permit the use of their work without further permission, as long as the user adheres to their conditions.

Forward all requests received from third parties, to use the XXX’s owned copyright materials not licensed with a CC licence, to the Information Management team.

If permission is required
If it is not clear that the employee can use the material, then they must request permission (a licence) from the copyright owner in writing.

The copyright owner may give permission under certain conditions, such as payment (licence fee), a time limit (term), and/or a specific attribution. Contact the Copyright team for help with permission requests.

Step 3: Attribute and adhere to any conditions
Ensure all third-party materials in departmental publications are attributed and adhere to any licence conditions.

All third-party materials must be attributed (i.e. acknowledged) in XXX publications (whether print, video, audio or online), even if attribution is not a requirement of the licence or the material is in the public domain. An attribution is essential because it tells everyone that copyright in the attributed material is not owned by the XXX.

Adhering to any conditions is essential for use of third-party material to be legal. In addition to attribution, other conditions may include, but are not limited to:

  • non-commercial use only
  • no derivatives (i.e. no changes or editing)
  • share alike (i.e. share under same licence as original)
  • remuneration (a licence fee)
  • who can access the material (e.g. whether it may be made publicly available)
  • a time limit which states when the licence expires (a licence term)
  • the number of copies (e.g. print run) or downloads a person can make.
  • Apply an appropriate copyright licence

6. Maintain records for copyright and other IP

Step 1: Record copyright elements used in significant publications
When developing significant assets (e.g. projects, reports, websites, training and professional development materials), the author must record the incorporated copyright elements (e.g. material sourced under open licences, content for which specific permission has been obtained, department-created diagrams and illustrations). The Copyright register template can be used to record copyright elements in an asset.

Step 2: Save and maintain records relating to use, creation and procurement of copyright and other IP
The CISO and department head must ensure all records relating to copyright and IP are saved in the relevant records management system, and that materials acquired under limited terms (e.g. a time-limited licence) are monitored and their use discontinued when the terms expire. Saved records should include any copyright licences, permission emails, contractor agreements, assignments of copyright, MOUs with other organisations, and the copyright register.

Step 3: Record significant copyright or other IP in the department’s IP register
The CISO and department head must ensure significant IP with public, strategic or innovative value created by their business unit is recorded in the XXX’s Intellectual property register.

7. Security And Confidentiality Management

  • Company shall maintain physical security designed to effectively protect trade secrets(where applicable) and other confidential information, and IP-related records, masters, tools, inventory and related materials.
  • Company shall maintain computer and network security effective for protecting trade secrets, other confidential and proprietary information, and IP related records, and for discouraging violations of Company’s IP policies on the Company’s computers and networks.
  • Company and its personnel shall only make trade secrets and other proprietary information available to third parties on a “need to know” basis, and subject to company procedures and written agreements containing adequate confidentiality and other protections.
  • Company shall execute written confidentiality or Non-disclosure agreements with third parties prior to disclosure of any confidential information of the Company to any third party(ies).
  • Any IP generated, created or developed by any of the employees/representatives and agents of the Company and/or consultants engaged by the Company, during the term of their employment or engagement as the case may be, for and/or on behalf of the Company, shall be “work made for hire” and shall be assigned by such persons to the Company. Further, the Company shall have the sole and exclusive ownership of such IP generated, developed or created unless otherwise agreed by the Company by way of a written contract or as may be applicable under the relevant IP law.

8. Training And Capacity Building

  • Company shall provide ongoing appropriate level training on IP protection and management to all relevant personnel.
  • Company shall provide specialized training to those personnel responsible for the development and implementation of the IP protection, management, and compliance program
  • Company shall provide appropriate level training on IP protection and management for relevant supply chain members.

9. Monitoring And Measurement

  • Company shall establish and operate a system to monitor its performance in meeting the Company’s relevant IP policies.
  • Company shall incorporate the information gained from the IP compliance team through the monitoring system into the overall evaluation of its departments.

10. Corrective Actions And Improvements

  • Company shall maintain a system to track and deal with problems in IP protection, management and compliance found through the monitoring process. The tracking system will identify the corrective action to be taken, the timeline, and the responsible party.
  • Company shall develop and implement an annual or other regular improvement plan for IP protection, management, and compliance.
  • In case of violation/infringement of any IPR such as trademark infringement by any employee/representative or any third party infringing upon the IPR of the Company, the Compliance Team of the Company would first investigate the matter in association with its Advocates and make recommendations to the Director/CFO for resolution of such violation/infringement including need for any legal course of action.

11. IP Licensing and Transfer

  • The Company may license its IP to any of its Subsidiaries, Affiliates or a third party (ies) through various modes of licensing strategy such as: Exclusive licensing, Sole licensing, Non-Exclusive Licensing, Sub-licensing and licensing in general. The Company shall document such IP licensing through a license Agreement where each such license agreement shall define the terms and conditions for the proper use of IP of the Company.
  • The Company may transfer its IP to any of its Subsidiaries, Affiliates or a third party (ies) through a signed IP transfer agreement on the conditions as may be deemed to be fit and proper to the Company.

12. Jurisdiction

  • This Policy shall be governed by the laws of the Republic of India, and the courts at Pune, Maharashtra shall have jurisdiction over the same.

Example of Information transfer procedure.

Overview

There are many occasions when information is transferred between departments, to third-party service providers, to other public bodies, commercial organisations and individuals. This is done using a wide variety of media and methods, in electronic and paper format. In every transfer there is a risk that the information may be lost, misappropriated or accidentally released. XXX has a duty of care in handling information. For legal reasons such as confidentiality or data protection, and to maintain the trust of our service users and partners it is essential that the transfer is performed in a way that adequately protects the information. It is the role of the Sender to assess the risks and ensure that adequate controls are in place. This policy outlines the responsibilities attached and the minimum security requirements for transfer.

Scope

This procedure states the minimum security requirements for the transfer of information into, across and out of the organisation, in any format. For the purpose of this document, Information refers to both textual information (e.g. word-processed documents, reports and spreadsheets) and raw unformatted data (e.g. backup tapes), in any format and on any medium. This policy applies to all employees of the XXX and any Third-party that processes the organisation’s information.

Procedure

4.1. The sender’s responsibility
With each information transfer there is a risk that the information may be lost, misappropriated or accidentally released. It is the responsibility of the sender to assess all risks and ensure that adequate controls are in compliance with this policy. This section contains some of the things that must be considered before transferring information.

4.2. Is the transfer legal and necessary?
It is dangerous to assume that because someone asks for information that they are necessarily authorized or legally entitled to have it. If you are in doubt then you should check with your manager. Once you are sure that the transfer is legal and necessary then you must decide what kind of information you are dealing with. This will determine what security is appropriate. To transfer personal or confidential information without these checks may leave XXX open to Legal and Reputational damage and the sender may be subject to disciplinary action.

4.3. Is it Personal information?

Personal information is about a living, identifiable individual. If it contains details of racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, commission of offences, court appearances and sentences it is further classified as sensitive personal information. Anything we do with personal information must comply with the Data Protection Act. Before you make any transfer you must:

  • Ensure transfers to Media organisations are approved by the Communications Department.
  • Obtain and document the approval of the Information Owner for transfer
  • Ensure that the transfer is legal (in particular under the Data Protection Act. See Appendix below)
  • Ensure that the transfer is necessary (is there a less intrusive way)
  • Remove or blackout anything that is not essential for the recipient’s purpose
  • Have a documented agreement in place to ensure the recipient understands their responsibilities under the law, particularly what to do with the transfer file after they have extracted the information to their system

4.4. Is it confidential information?
Confidential information is that for which the XXX has a duty of confidentiality. This may include information that affects the business interests of a third party, or for which the sender does not hold copyright e.g. bank details, salary details, contracts, agreements. Unauthorised release of confidential information can leave the XXX open to legal sanction or litigation. It can also erode the trust of the Public and its Partners in the XXX itself. Before you transfer you must:

  • Obtain and document the approval of the information owner for transfer
  • Ensure that you are not breaching a Duty of Confidentiality
  • Ensure that the transfer is necessary (is there a less intrusive way)
  • Remove anything that is not essential for the recipient’s purpose
  • Have a documented agreement in place to ensure the recipient understands their responsibilities under the law, particularly what to do with the transfer file after they have extracted the information to their system

4.5. Does Public information need any special controls?
Public information is any information that is freely released or exchanged and presents minimal risk to the organization in terms of content, quality or timeliness e.g. promotional brochures. In general there are no special security requirements for transfer of Public information because their release represents no special risk. Public information will be transferred in the most cost-effective method available. Before you transfer you must seek the permission of the Department that produced or owns this information before making any transfer, even if the transfer appears harmless.

4.6 Transfer Principles
The following principles apply to all Information transfer in, out and within the XXX scope:

  1. Formal arrangement and agreements that surround the sharing must be set up prior to data transfer
  2. Agreements should, where it is not covered by other arrangements, define ‘type’, ‘fair processing’, ‘usage – what for and how’, ‘accuracy’, ‘handling duration’, and the ‘remit for transfer’
  3. Information transfer must be in accordance with any ethical, legal, or governance requirements held upon the data, and justifiable in this context. CISO/ Dept Heads will make all reasonable attempts to ascertain and log these requirements prior to transfer
  4. Transfer of personal Information must be undertaken in line with data protection legislation.
  5. Transfer volume and frequency must be in accordance with the minimum required.
  6. Transfer arrangements must minimise any risk associated with the loss or improper use of the information being transferred
  7. It is the norm to perform handling under an Information Sharing Agreement or Open-Use Licence
  8. Manual or automated steps must be in place to check that transfers are in accordance with these principles

5.0 Requirements for Transferring Personal or Confidential Information
Having decided what kind of information you have, and prepared it for transfer, the sender must consider the various methods of transfer available and whether they are appropriate. For all transfers of Personal or Confidential information it is essential that the identity and authorisation of the recipient has been appropriately authenticated by the sender.
5.1. Electronic Mail
Information must be enclosed in an attachment and encrypted using a product approved by the XXX set at an appropriate strength. Minimum standard for encryption is AES (256 bit). WINZIP 11.1 and above offer this. Note that an encrypted attachment can be attacked offline by anyone who obtains a copy, so the effective protection is the strength of the password that unlocks it, not the AES key length: choose passwords at the upper end of what the standard allows.

  • Any password must be to Organisation standard: 7 characters, mix of alpha and numeric. Further details of the password policy can be found in the Secure Authentication procedure.
  • Any password to open the attached file must be transferred to the recipient using a different method than e-mail, e.g. a telephone call to an agreed telephone number, or a closed letter.
  • E-mail message must contain clear instructions on the recipient’s responsibilities and instructions on what to do if they are not the correct recipient.
  • An accompanying message and the filename must not reveal the contents of the encrypted file.
  • Check with the recipient that their e-mail system will not filter out or quarantine the transferred file.
  • The sender must check at an appropriate time that the transfer has been successful, and report any issues to their line manager.

5.2. Electronic Data Transfer (FTP, Secure FTP, BACS, DCSF’s COLLECT)
Standard FTP without encryption is inherently insecure and must not be used for transmitting personal or confidential information, as credentials and file contents travel in clear text. SFTP file transfers are acceptable, but such transfers must be set up and administered by the Information Services department. External secure transmission systems such as BACS or DCSF’s COLLECT system are designed to be secure provided that they are implemented, configured and used correctly. However, it is the responsibility of the sender to ensure that the use of such a system is appropriate for the use they propose. If in doubt, advice should be sought from the system owner.

5.3. Electronic memory, (CD, DVD, Floppy, USB drive, Memory Card)
Information must be enclosed in a file and encrypted using a product approved by the XXX set at an appropriate strength. Minimum standard for encryption is AES (256 bit). WINZIP 11.1 and above offer this.

  • Any password must be to Organisation standard. 7 characters, mix of alpha and numeric. Further details of the password policy can be found in Chapter 7 of the Information Security policy.
  • Any password to open the attached file must be transferred to the recipient using a different method than e-mail, e.g. a telephone call to an agreed telephone number, closed letter.
  • An accompanying message should contain clear instructions on the recipient’s responsibilities, and instructions on what to do if they are not the correct recipient.
  • An accompanying message and the filename must not reveal the contents of the encrypted file.
  • The sender must check at an appropriate time that the transfer has been successful, and report any issues to their line manager.

5.4. FAX Transmission
FAX is inherently insecure and is not recommended for transfer of sensitive information. However it is acknowledged that certain circumstances demand it.

  • Sender must check that the Fax number is correct and that the receiver is awaiting transmission.
  • For high sensitivity information the number must be double-checked by a colleague before transmission, and telephone contact should be maintained throughout transmission.
  • Both sender and receiver must have an agreed process to avoid their copy being left on the Fax machine, and a clear requirement to securely destroy the message when no longer required.
  • The message should contain clear instructions on the recipient’s responsibilities and instructions on what to do if they are not the correct recipient.
  • The sender must check at an appropriate time that the transfer has been successful, and report any issues to their line manager.

5.5. Delivery by Post or by Hand
It is essential that the file, whether electronic or paper is kept secure in transit, tracked during transit, and delivered to the correct individual.

  • An appropriate delivery mechanism must be used.
  • Package must be securely and appropriately packed, clearly labelled and have a seal, which must be broken to open the package.
  • Package must have a return address and contact details.
  • The label must not indicate the nature or value of the contents.
  • Package must be received and signed for by addressee.
  • The sender must check at an appropriate time that the transfer has been successful, and report any issues to their line manager.

5.6. Telephone/Mobile Phone
As phone calls may be monitored, overheard or intercepted either deliberately or accidentally, care must be taken as follows.

  • Transferred information must be kept to a minimum.
  • Personal or Confidential information must not be transferred over the telephone unless the identity and authorisation of the receiver has been appropriately confirmed.

5.7 Internet Based Collaborative Sites
Must not be used for Personal or Confidential information.

5.8. Text messaging (SMS), instant Messaging (IM)
Must not be used for Personal or Confidential information.

Example of Procedure for use of cloud service

1 Purpose

To establish the processes that IT must follow when considering the engagement of Cloud Computing services and service providers.

2 Scope

This procedure applies to all XXX’s Information or Information Systems which are stored with or hosted by any party other than the XXX, i.e. outside one of the XXX’s own Data Centres.

3 Classification

This procedure provides the process to be followed when considering and before making a decision to contract Cloud Computing services such as:

  • Applications-as-a-Service (AaaS) / Software-as-a-Service (SaaS)
  • Platform-as-a-Service (PaaS)
  • Infrastructure-as-a-Service (IaaS)

Classification Description:

  1. Level One Data – “Confidential”
  2. Level Two Data – “Restricted”
  3. Level Three Data – “Internal Use”
  4. Level Four Data – “General”

4 Procedures

Consistent with the principles provided in the Enterprise Architecture Policy, it is the XXX’s preferred position to adopt and use Cloud Computing services first, with all new services deployed in the cloud where possible.

4.1 Risk assessment
The CISO must conduct a risk assessment when considering the use of Cloud Computing services. The extent of the ‘risk assessment’ must be commensurate with the Information Security Classification (Ref: Risk assessment Procedure)

As a first step, the CISO must consider whether the selection of a Cloud Computing service is appropriate given the Information Security Classification (Ref: Risk assessment Procedure) associated with the Information System under consideration. With reference to the Cloud Service Use Inherent Risk Schedule determine whether the XXX should be considering a Cloud Computing service and the level of rigor that should be applied in this and subsequent processes before selecting a Cloud Computing provider.

The CISO should also consider the cost to manage the associated risks and its impact on the value proposition. The following risk categories should be used when identifying risks:

  • quality – does the cloud solution meet stakeholder needs
  • financial – does the cloud solution provide value for money
  • organisational – does the cloud solution work within the XXX’s culture
  • integration – can the cloud solution meet objectives without business or technical integration difficulties
  • compliance – does the cloud solution comply with XXX’s legal, regulatory and policy obligations
  • business continuity – can the cloud solution recover from outages or disaster situation
  • external – is the Cloud Service Provider’s performance adequate.

The Cloud Computing service provider and all subcontractors in the service provision supply chain must be subject to the risk assessment and conditions on the service agreement/contract. Each of the factors below should be addressed when preparing a risk assessment for proposed Cloud Computing deployments.

4.1.1 Evaluation process

The CISO should use the Information security policy for supplier relationships as the basis for evaluating the implementation of a potential Cloud Computing solution. When deciding to use a Cloud Computing service or to store Information or data in a facility which is not owned by the XXX, it is the responsibility of the CISO to consult with other appropriate Information System Custodians, process owners, stakeholders, and subject matter experts during the evaluation process.

4.1.2 Intellectual property and copyright
CISO should refer to the Intellectual Property Policy and Procedure to ensure that Information or data is not stored in any facility where the XXX’s intellectual property, copyright, trademarks or patents may be compromised. Information or data must not be stored in such a way that allows unauthorised parties to claim ownership of the Information or data.

4.1.3 Location of provider and relevant infrastructure
Due to the nature of web-based services, providers or their equipment will often be based interstate or overseas. If any data is to be hosted or stored outside the organization, the CISO must check where this will be, who will have access, who will be managing it and how. Depending on the response, additional terms and conditions may need to be included in the legal contracts to mitigate any potential risks. Providers must notify the XXX if any of these conditions change during the agreement. Data must not be stored outside the country, as it may be subject to different laws which could affect XXX compliance requirements, such as privacy. Encryption of data in transit (upload and download) and at rest (storage) should be required to improve data security.

4.1.4 Privacy and Data Security
XXX is subject to the Indian IT Act 2000, which specifies conditions regarding the use and handling of Personal Information as defined in that Act. If any Personal Information is to be collected by, or disclosed or transferred to, the service provider, the CISO must make sure it meets these requirements. The Information System Custodian can assess these requirements by undertaking a Privacy Threshold Assessment (PTA) and, if required, a Privacy Impact Assessment (PIA). Performing a PTA enables the CISO to quickly assess whether Personal Information is involved. If Personal Information is involved, a PIA should be completed, with effort commensurate with the risk. To fulfil its privacy obligations the XXX must take reasonable steps to protect Personal Information from misuse, loss, unauthorized access, modification or disclosure. XXX will retain ownership of its Information irrespective of where it is stored. Information and Communication Technology (ICT) Services should be consulted where any security issues are unclear. Relevant data security issues for the CISO to consider include:

  • data control
  • data encryption
  • blending of data with other customer data
  • business process if a security breach does occur or if data is damaged or destroyed
  • data backup frequency/conventions/standards/accessibility
  • availability of an audit trail to demonstrate that data is reliable.

Relevant data access issues for the CISO to consider include:

  • quick and easy access
  • format useability
  • process to follow if data cannot be accessed or access is delayed
  • ease with which the data can be amended or deleted if required.

Information or data that has been classified as Restricted or Confidential must be stored in a way that minimises the likelihood that it can be accessed by any unauthorised party.

4.1.5 Records retention and availability
All XXX records must be stored, retained and accessed in accordance with relevant legislation and XXX’s Information classification and Handling policy.

4.1.6 Data classification

1. Storing or transmitting Level 1 data is prohibited on all cloud services unless:

  • A contract with vendor contains appropriate Information Security Supplemental Language
  • Utilization of the service is approved by the appropriate data owner
  • Approval is granted by the CISO and approved by the CEO
  • The cloud service must be configured to utilize the multi-factor service Duo or other approved multi factor solution.

2. Storing or transmitting Level 2 and Level 3 data is prohibited on all cloud services unless:

  • A contract with vendor contains appropriate Information Security Supplemental Language
  • Utilization of the service is approved by the appropriate data owner
  • Approval is granted by the CISO and approved by the CEO
  • The cloud service must be configured to utilize the multi-factor service Duo or other approved multi factor solution.

3. Cloud application administrators are responsible for maintaining accurate and timely user account status

  • Terminated users must have their account to the cloud service disabled no later than the day of termination.
  • Accounts should be provisioned with the Principle of Least Privilege

4. Cloud application administrators are responsible for reviewing all accounts and their associated level of application access on a quarterly basis

  • Active accounts should be compared to employee records.
  • Any terminated users should have their accounts removed or disabled.

5. Cloud application administrators are required to provide an annual report of compliance with this policy.

  • Once a year any administrator of a cloud-based SaaS application will be required to provide a listing showing all the accounts and their associated rights or privilege level associated to that account to the CISO.
  • Application Owners of applications that manage Level one data must work with the cloud application vendor to get the updated SOC 2 audit and cyber liability insurance certificate of insurance (COI) on an annual basis and post those documents with the CISO

Failure to maintain these reporting requirements will lead to the violating application being blocked from running on the network.
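The quarterly account review and the annual privilege listing in items 3 to 5 above, as an added example that is not part of the original policy: a Python reconciliation of a SaaS account export against employee records. The record layouts and the account and employee data are constructed sample values and assumptions, not data from any real export.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CloudAccount:
    """One row of a SaaS application's account export (assumed layout)."""
    user_id: str
    enabled: bool
    privilege: str  # e.g. "admin" or "user"


@dataclass(frozen=True)
class EmployeeRecord:
    """One row of the HR/employee record export (assumed layout)."""
    user_id: str
    status: str  # "active" or "terminated"
    termination_date: Optional[date] = None


# Constructed sample data standing in for the real exports.
SAMPLE_ACCOUNTS = [
    CloudAccount("alice", True, "admin"),
    CloudAccount("bob", True, "user"),          # terminated 2024-03-01, still enabled
    CloudAccount("carol", False, "user"),       # terminated and correctly disabled
    CloudAccount("svc-legacy", True, "admin"),  # no employee record at all
]
SAMPLE_EMPLOYEES = [
    EmployeeRecord("alice", "active"),
    EmployeeRecord("bob", "terminated", date(2024, 3, 1)),
    EmployeeRecord("carol", "terminated", date(2024, 2, 1)),
]
REVIEW_DATE = date(2024, 3, 31)


def reconcile_accounts(accounts: List[CloudAccount],
                       employees: List[EmployeeRecord],
                       review_date: date) -> List[Dict[str, object]]:
    """Compare cloud accounts to employee records (item 4).

    Returns one finding per account that needs action: a terminated user whose
    account is still enabled (with the days elapsed since termination, since the
    policy requires disabling no later than the termination day), or an account
    with no matching employee record at all.
    """
    hr = {e.user_id: e for e in employees}
    findings: List[Dict[str, object]] = []
    for acct in accounts:
        record = hr.get(acct.user_id)
        if record is None:
            findings.append({"user_id": acct.user_id,
                             "finding": "no matching employee record",
                             "days_overdue": None})
        elif record.status == "terminated" and acct.enabled:
            overdue = None
            if record.termination_date is not None:
                overdue = (review_date - record.termination_date).days
            findings.append({"user_id": acct.user_id,
                             "finding": "terminated user still enabled",
                             "days_overdue": overdue})
    return findings


def privilege_listing(accounts: List[CloudAccount]) -> List[str]:
    """Produce the annual listing of accounts and privilege levels (item 5),
    one CSV-style line per account, privileged accounts listed first."""
    ordered = sorted(accounts, key=lambda a: (a.privilege != "admin", a.user_id))
    return [f"{a.user_id},{a.privilege},{'enabled' if a.enabled else 'disabled'}"
            for a in ordered]


if __name__ == "__main__":
    for finding in reconcile_accounts(SAMPLE_ACCOUNTS, SAMPLE_EMPLOYEES, REVIEW_DATE):
        print(finding)
    print("\n".join(privilege_listing(SAMPLE_ACCOUNTS)))
```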

4.1.7 Business continuity
CISO must ensure the continuity of service for every system with a Cloud Computing provider. This requires CISO to:

  • determine if the Cloud Computing provider’s business continuity and disaster recovery plan is acceptable
  • determine the impact of outages
  • ensure the availability of data in the event of any and all types of outage (e.g. through off site backup data that is accessible to the organisation)
  • prepare a business continuity plan for both short and long term
  • include scheduled outages in service level agreements
  • arrange a guarantee of availability
  • consider the use of multiple Cloud Computing providers depending on the business criticality of the system deployed to the cloud
  • determine whether Information is able to be retrieved or disposed of in compliance with the Indian IT Act 2000 during or at the conclusion of a contract with the Cloud Computing provider.

4.1.8 Legal issues
Prior to approaching the market, CISO should determine the contractual terms required, even when it is anticipated that a standardised ‘click wrap’ agreement will be the only option. A prior understanding of the XXX’s terms will provide a basis to ensure the final contract will meet business requirements, security requirements and adequately address the risks associated with the cloud solution.

At a minimum the SLA will include:

  • clear definition of services
  • agreed upon service levels including service availability time, service outages, routine maintenance timeframes, upgrades and changes to the cloud computing services
  • clearly defined physical and logical security conditions
  • performance measurement
  • problem management
  • customer duties
  • disaster recovery
  • termination of agreement
  • protection of sensitive Information and intellectual property
  • agreement of the disposal of Information when required
  • definition of vendor versus customer responsibilities, especially pertaining to backups, incident response, and data recovery.

An exit strategy for disengaging from the vendor and/or service should be planned before committing Information or data to a Cloud Computing or outsourced service. The exit strategy should outline how the relevant records will be preserved and maintained, and how the service can be discontinued or transitioned to another provider. Contracts and/or agreements are to cover the Cloud Computing provider and all subcontractors involved in providing the Cloud Computing service. XXX should consider including the need for vulnerability assessment/penetration testing in any contracts/agreements with Cloud Computing service providers. This is mandatory when Restricted Information is involved.

Example of Digital Signature Acceptance Policy

1.     Purpose

The purpose of this policy is to provide guidance on when digital signatures are considered an accepted means of validating the identity of a signer in XXX electronic documents and correspondence, and thus a substitute for traditional “wet” signatures, within the organization. Because communication has become primarily electronic, the goal is to reduce confusion about when a digital signature is trusted.

2.     Scope

This policy applies to all XXX employees, affiliates, contractors, and other agents conducting XXX business with a XXX-provided digital key pair. This policy applies only to intra-organization digitally signed documents and correspondence and not to electronic materials sent to or received from non-XXX affiliated persons or organizations.

3.     Policy

A digital signature is an acceptable substitute for a wet signature on any intra-organization document or correspondence, with the exception of those noted on the site of the Chief Financial Officer (CFO) on the organization’s intranet:  <CFO’s Office URL>

The CFO’s office will maintain an organization-wide list of the types of documents and correspondence that are not covered by this policy.

Digital signatures must apply to individuals only.  Digital signatures for roles, positions, or titles (e.g. the CFO) are not considered valid.

Responsibilities

Digital signature acceptance requires specific action on both the part of the employee signing the document or correspondence (hereafter the signer), and the employee receiving/reading the document or correspondence (hereafter the recipient).

1. Signer Responsibilities

  • Signers must obtain a signing key pair from the CEO/CFO.
  • This key pair will be generated using XXX’s Public Key Infrastructure (PKI), and the public key will be signed by XXX’s Certificate Authority (CA).
  • Signers must sign documents and correspondence using software approved by the XXX IT organization.
  • Signers must protect their private key and keep it secret.
  • If a signer believes that the signer’s private key was stolen or otherwise compromised, the signer must contact the XXX Identity Management Group immediately to have the signer’s digital key pair revoked.

2. Recipient Responsibilities

  • Recipients must read documents and correspondence using software approved by XXX IT department.
  • Recipients must verify that the signer’s public key was signed by the XXX’s Certificate Authority (CA), by viewing the details about the signed key using the software they are using to read the document or correspondence.
  • If the signer’s digital signature does not appear valid, the recipient must not trust the source of the document or correspondence.
  • If a recipient believes that a digital signature has been abused, the recipient must report the recipient’s concern to XXX Identity Management Group.

4.     Policy Compliance

4.1 Compliance Measurement

The IT team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

4.2  Exceptions

Any exception to the policy must be approved by the IT team in advance.

4.3  Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Example of Secure Authentication Procedure

Purpose

To define security requirements for user identification and authentication controls required to safeguard access to XXX’s information and information systems.

Scope

This procedure applies to all XXX users who access the organization’s systems, applications, services, and technology resources. All users are responsible for adhering to this policy. If needed or appropriate, information regarding roles, responsibilities, management commitment, and coordination among organizational entities is embedded within these procedures.

Responsibilities:

Chief Information Security Officer (CISO):

The CISO is responsible for, but not limited to the following activities:

  • Revisions, implementation, workforce education, interpretation, and enforcement of this procedure.
  • Ensuring system passwords are changed whenever there is a security incident that indicates a password compromise.

System/Application Administrators:

System/application administrators are responsible for, but not limited to the following activities:

  • Configuring systems or implementing technical controls that comply with the requirements of this procedure.
  • Maintaining a list of commonly used and compromised (or expected to be compromised) passwords, and reviewing and updating the list at least every 180 days. Implementing a system that checks for and rejects the use of these passwords by users.
  • Configuring the password management system to allow for long passwords and passphrases, including spaces and all printable characters.
  • Configuring the password management system to assist workforce members in selecting strong passwords and authenticators.
  • Ensuring default passwords across all organizational systems are changed.

General Requirements:

Access to covered information will be traceable to an individual using a unique user identification (userID) code. The use of generic, shared, or group userIDs and passwords, or any other type of access that could lead to actions being performed without individual authentication or identification, is prohibited. These requirements apply to ANY user with access to XXX’s information systems, including non-organizational users such as customers, clients, and/or contractors. Certain types of user support transactions, like resetting passwords, whether by the Help Desk, a system administrator, or a self-provisioning tool, will require positive verification of the requestor’s identity. Positive verification can be accomplished through one of the following:

  • In person, face-to-face verification.
  • Responding correctly to “secret” questions that the requestor previously provided the answers to. The questions are used by the Help Desk or a self-provisioning tool to verify the requestor’s identity if face-to-face verification is not possible or feasible. At least two questions will be asked by the Help Desk or the self-provisioning tool before providing the requestor with a temporary password.
  • Cell phone verification: technology used to send a one-time temporary code to a predefined cell phone number. The code is used to gain access to a screen where the requester is prompted to create a new password.
  • Workforce members are required to send acknowledgement whenever a password is successfully received or reset to confirm the information was sent to the correct user and the account has not been compromised.

Authentication Requirements:

Authentication requirements defined by this procedure will be required in all information technology (e.g., workstations, laptops, mobile devices, servers, routers, etc.) configuration standards. If application specific identification and authentication controls are needed those will be defined in a separate standard. Information technology password configuration requirements are as follows:

  • Passwords will be eight (8) characters in length.
  • Passwords will be composed of at least three of the following: uppercase alpha character; lowercase alpha character; numeric character; and special character (i.e., !, @, #, $, %, &, *, ?).
  • Passwords will not be the same as a user’s ID/logon.
  • Passwords will not be included in automated log-on processes.

For all initial, first-time log-ons, or under any circumstance that requires a user to change their password (e.g., account recovery), users will be provided a secure (i.e., not guessable) temporary password to use to log in. Upon login, the user will be immediately prompted (i.e., forced) to change the temporary password to something only they know that meets the previously mentioned composition requirements. Temporary/default passwords will:

  • Be one time use only
  • Follow same composition rules as regular passwords
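The password composition rules, the user-ID rule, the compromised-password list check from the administrator responsibilities, and the temporary-password rules above, as an added example that is not part of the original procedure. It reads the eight-character requirement as a minimum length, treats the user-ID comparison as case-insensitive, and uses a constructed compromised list; all three are assumptions.

```python
import secrets
import string
from typing import Iterable, List

# Special characters exactly as enumerated in the Authentication Requirements.
SPECIAL_CHARS = set("!@#$%&*?")
MIN_LENGTH = 8        # the eight-character requirement, read here as a minimum (assumption)
REQUIRED_CLASSES = 3  # at least three of the four character classes

# Constructed stand-in for the "commonly used and compromised" list that
# administrators maintain and refresh at least every 180 days.
COMPROMISED_PASSWORDS = {"password", "Password1!", "Welcome123", "Qwerty!23"}


def character_classes(password: str) -> int:
    """Count how many of the four policy character classes appear in the password."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIAL_CHARS for c in password),
    ])


def check_password(password: str, user_id: str,
                   compromised: Iterable[str] = COMPROMISED_PASSWORDS) -> List[str]:
    """Return the policy rules the password violates; an empty list means acceptable."""
    violations: List[str] = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < REQUIRED_CLASSES:
        violations.append(f"fewer than {REQUIRED_CLASSES} character classes")
    # Case-insensitive comparison with the user ID/logon (assumption).
    if password.lower() == user_id.lower():
        violations.append("same as user ID")
    # Case-insensitive match against the maintained compromised/common list.
    if password.lower() in {p.lower() for p in compromised}:
        violations.append("on the compromised/common password list")
    return violations


def generate_temporary_password(length: int = 12) -> str:
    """Generate a temporary password with a CSPRNG (so it is not guessable)
    that itself satisfies the same composition rules as regular passwords."""
    alphabet = string.ascii_letters + string.digits + "".join(sorted(SPECIAL_CHARS))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # user_id="" so only composition and list rules apply to the temporary value
        if not check_password(candidate, user_id=""):
            return candidate


if __name__ == "__main__":
    for pw, uid in [("Tr0ub4d&r", "alice"), ("password", "bob"), ("alice", "alice")]:
        print(f"{pw!r} for {uid}: {check_password(pw, uid) or 'OK'}")
    print("temporary:", generate_temporary_password())
```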

Electronic Signatures:

Electronic signatures used in conjunction with passwords for the purposes of authentication and system access will be protected by ensuring the following:

  • The organization requires that electronic signatures are unique to one individual and cannot be reused by, or reassigned to, anyone else. Workforce members will be held accountable to all actions initiated under their electronic signatures.
  • Identity verification of the individual is required prior to establishing, assigning, or certifying an individual’s electronic signature or any element of such signature.
  • Electronic signatures based upon biometrics are designed to ensure that they cannot be used by any individual other than their genuine owners.
  • Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records.
  • Signed electronic records shall contain information associated with the signing in human readable format.
  • If relevant, ensure that all legal considerations related to the use of electronic signatures are addressed.
  • For any electronic signatures that are not based upon biometrics, these instances shall employ at least two distinct identification components that can be administered and evaluated for authorized authentication.

Documentation Retention:

Documentation of compliance assessments will be retained for a period of no less than 6 years from the date of the assessment.


Applicability:

All employees, volunteers, trainees, consultants, contractors, and other persons (i.e., workforce) whose conduct, in the performance of work for XXX, is under the direct control of XXX, whether or not they are compensated by XXX.

Compliance:

Workforce members are required to comply with all information security policies/procedures as a condition of employment/contract with XXX. Workforce members who fail to abide by requirements outlined in information security policies/procedures are subject to disciplinary action up to and including termination of employment/contract.

ISO 27001:2022 ISMS Internal Audit Checklist

The following checklist can be used for both internal audits as well as Gap Analysis tools.

ISO 27001:2022 Checklist
Clause 4: Context of the organization
4.1 Understanding the organization and its context
Has the organization determined the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its information security management system?
4.2 Understanding the needs and expectations of interested parties
Has the organization determined the interested parties that are relevant to the information security Management System?
Has the organization determined the relevant requirements of these interested parties?
Has the organization determined which of these requirements will be addressed through the information security management system?
4.3 Determining the scope of the information security management system
Has the organization established the boundaries and applicability of the information security management system to establish its scope?
When determining the scope of the information security management system, has the organization considered the external and internal issues referred to in clause 4.1 and the relevant ISMS requirements of interested parties referred to in clause 4.2?
While determining the scope, has the organization determined the interfaces and dependencies between activities performed by the organization and those that are performed by other organizations?
Is the organization’s scope made available as documented information?
4.4 Information security management system
Has the organization established, implemented, maintained and continually improved an information security management system, including the processes needed and their interactions, in accordance with the requirements of ISO 27001:2022?
Clause 5 Leadership
5.1 Leadership and commitment
Does the top management demonstrate leadership and commitment by taking accountability for the effectiveness of its ISMS?
Has the top management ensured that the information security policy and information security objectives are established?
Are the information security policy and information security objectives compatible with the strategic direction of the organization?
Has the organization integrated the requirements of ISMS into the organization processes?
Is the top management ensuring that the resources needed for the Information security management system are available?
Is the importance of the effectiveness of ISMS and conformance of ISMS requirements communicated?
Does the top management ensure that the ISMS is achieving its intended results?
Does the Top Management direct and support persons to contribute to the effectiveness of the ISMS?
Is Top Management promoting continual improvements?
Is Top Management supporting other relevant management roles to demonstrate their leadership as it applies to their area of responsibilities?
5.2 Policy
Has top management established an information security policy that is appropriate to the purpose of the organization?
Does the information security policy include information security objectives or provide the framework for setting information security objectives?
Does the information security policy include a commitment to satisfy applicable requirements related to information security?
Does the information security policy include a commitment to continual improvement of the information security management system?
Is the information security policy available as documented information, communicated within the organisation and available to interested parties?
5.3 Organizational roles, responsibilities and authorities
Has the Top management ensured that the responsibilities and authorities for relevant roles of Information security are assigned and communicated within the organization?
Has top management assigned the responsibility and authority for ensuring that the information security management system conforms to the requirements of ISO 27001:2022?
Has top management assigned the responsibility and authority for reporting on the performance of the information security management system to top management?
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
When planning for the information security management system, has the organization considered the issues referred to in 4.1 and the requirements referred to in 4.2, and determined the risks and opportunities that need to be addressed to ensure the information security management system can achieve its intended outcomes?
When planning for the information security management system, has the organization considered how to prevent or reduce undesired effects and achieve continual improvement?
Has the organisation planned actions to address these risks and opportunities, and evolved a mechanism to integrate and implement the actions into its information security management system processes and evaluate the effectiveness of these actions?
6.1.2 Information security risk assessment
Has the organisation defined and applied an information security risk assessment process that establishes and maintains information security risk criteria that includes the risk acceptance criteria and the criteria for performing information security risk assessments?
Has the organisation defined and applied an information security risk assessment process that ensures that repeated information security risk assessments produce consistent, valid and comparable results?
Does the organization identify the information security risks by applying the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability of information within the scope of the information security management system, and identify the risk owners?
Does the organization analyse the information security risks to assess the potential consequences that would result if the risks identified were to materialize, assess the realistic likelihood of the occurrence of the risks identified, and determine the levels of risk?
Does the organization evaluate the information security risks to compare the results of risk analysis with the risk criteria established and prioritize the analysed risks for risk treatment?
Does the organization retain documented information about the information security risk assessment process?
6.1.3 Information security risk treatment
Has the organization defined and applied an information security risk treatment process to select appropriate information security risk treatment Options, taking account of the risk assessment results?
Has the organization determined all controls that are necessary to implement the information security risk treatment options chosen? Has the organization taken into account the controls given in Annex A of ISO 27001:2022 so that no necessary controls have been omitted?
Has the organization produced a Statement of Applicability that contains the necessary controls, justification for their inclusion, whether the necessary controls are implemented or not, and the justification for excluding any of the ISO 27001:2022 Annex A controls?
Has the organization formulated an information security risk treatment plan and obtained risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks?
Is the information security risk treatment process retained as documented information?
6.2 Information security objectives and planning to achieve them
Has the organization established information security objectives at relevant functions and levels?
Are the information security objectives consistent with the Information security policy?
Are information security objectives measurable (if applicable) and monitored?
While establishing Information security objective does the organization take into account applicable information security requirements, and results from risk assessment and risk treatment?
Are information security objectives communicated and updated as required?
Does the organization retain and make available documented information on the information security objectives?
For achieving information security objectives, does the organization determine what will be done, what resources are required, who will be responsible, when it will be completed and how the results are to be evaluated?
6.3 Planning of change
Has the organization considered how actions to achieve its information security objectives can be integrated into its business processes?
7 Support
7.1 Resources
Has the organization determined and provided the resources needed for the establishment, implementation, maintenance and continual improvement of the Information Security Management System?
7.2 Competence
Does the organization determine the necessary competence of persons doing work under its control that affects its information security performance?
Does the organization ensure that these persons are competent on basis of appropriate education, training or experience?
Does the organization take applicable actions to acquire the necessary competence and evaluate the effectiveness of action taken?
Does the organization retain the appropriate documented information as evidence of competence?
7.3 Awareness
How does the organization ensure that persons doing work under its control are aware of the information security policy?
How does the organization ensure that persons doing work under its control are aware of their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance?
How does the organization ensure that persons doing work under its control are aware of the implications of not conforming with the information security management system requirements?
7.4 Communication
How does the organization determine the internal and external communications relevant to the information security management system, including on what to communicate, when to communicate, with whom to communicate and how to communicate?
7.5 Documented Information
7.5.1 General
Does the organization’s ISMS include the documents required by ISO 27001:2022 and the documents determined by the organization as necessary for the effectiveness of the ISMS?
7.5.2 Creating and updating
While creating and updating documented information, does the organization ensure it is appropriate in terms of identification and description (e.g. a title, date, author, or reference number)?
While creating and updating documented information, does the organization ensure that it is in the proper format (e.g. language, software version, graphics) and in the correct media (e.g. paper, electronic)?
While creating and updating documented information, does the organization ensure that there is appropriate review and approval for suitability and adequacy?
7.5.3 Control of documented information
How does the organization control its documented information to ensure that it is available and suitable for use, when and where it is needed?
How is the documented information adequately protected(e.g. from loss of confidentiality, improper use, or loss of integrity)?
How is the distribution, access, retrieval and use of documented information adequately controlled?
How is the documented information properly stored and adequately preserved, and is it legible?
How is there control of changes (e.g. version control)?
Are adequate controls in place for retention and disposition?
How is documented information of external origin that is necessary for the planning and operation of the ISMS appropriately identified and controlled?
8 Operations
8.1 Operation planning and control
Does the organization plan, implement and control the processes needed to meet the requirements of the information security management system and to implement the actions determined in Clause 6, by establishing criteria for the processes?
Has the organization implemented control of the processes in accordance with the criteria?
How does the organization control planned changes and review the consequences of unintended changes, including taking action to mitigate any adverse effects, as necessary?
How does the organization ensure that externally provided processes, products or services that are relevant to the information security management system are controlled?
How does the organization make available documented information to the extent necessary to have confidence that processes have been carried out as planned?
8.2 Information security risk assessment
How is the organization performing information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established?
How does the organization retain documented information of the results of the information security risk assessments?
8.3 Information security risk treatment
How does the organization implement the information security risk treatment plan?
How does the organization retain documented information of the results of the information security risk treatment?
9. Performance evaluation
9.1 Monitoring, measurement, analysis, and evaluation
9.1.1 General
How does the organization determine what needs to be monitored and measured, including information security processes and controls?
How does the organization determine the methods for monitoring, measurement, analysis and evaluation as needed to ensure valid results?
Do the methods selected produce comparable and reproducible results so that they can be considered valid?
How does the organization determine when the monitoring and measurement shall be performed and who shall monitor and measure?
How does the organization determine when the results from monitoring and measurement shall be analysed and evaluated and who shall analyse and evaluate?
How does the organization evaluate the information security performance and the effectiveness of the information security management system?
How does the organization make available the appropriate documented information as evidence of  monitoring, measurement, analysis and evaluation results?
9.2 Internal Audit
9.2.1 General
Does the organization conduct internal audits at planned intervals to provide information on whether the ISMS conforms to the organization’s own requirements for its ISMS and to the requirements of ISO 27001:2022, and whether the ISMS is effectively implemented and maintained?
9.2.2 Internal audit program
Did the organization plan, establish, implement, and maintain an audit program?
Did the audit program include the frequency, methods, responsibilities, planning requirements, and reporting of its internal audit?
Does the audit program take into consideration the importance of the process concerned, and the results of previous audits?
Did the organization define the audit criteria and scope of each audit?
Does the organization select auditors and conduct audits in a way that ensures the objectivity and impartiality of the audit process?
Does the organization ensure that the results of the audits are reported to relevant management?
Is documented information made available as evidence of the implementation of the audit program and the audit results?
9.3 Management review
9.3.1 General
Does the Top Management review the organization’s ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness?
9.3.2 Management review inputs
Does the review take into consideration the status of actions from previous management reviews?
Are the changes in external and internal issues relevant to ISMS considered?
Are the changes in the needs and expectations of interested parties relevant to ISMS considered?
Does the review take into consideration feedback on information security performance, including trends in nonconformities and corrective actions, monitoring and measurement results, audit results and fulfilment of information security objectives?
Does the review take into consideration feedback from interested parties?
Does the review take into consideration results of risk assessment and status of risk treatment plan?
Does the review take into consideration the opportunities for continual improvement?
9.3.3 Management review results
Do the outputs of the management review include decisions related to continual improvement opportunities and any needs for changes to the information security management system?
Does the organization make available documented information as evidence of the result of the management review?
10 Improvement
10.1 Continual improvement
Does the organization continually improve the suitability, adequacy, and effectiveness of the ISMS?
10.2 Nonconformity and corrective action
When any nonconformity occurs, how does the organization react to it by taking action to control and correct it and deal with the consequences?
When any nonconformity occurs, does the organization evaluate the need for action to eliminate the causes of the nonconformity so that it does not recur or occur elsewhere?
How does the organization review the nonconformity?
How does the organization determine the causes of the nonconformity?
How does the organization determine whether similar nonconformities exist or could potentially occur?
How does the organization implement any action needed?
How does the organization review the effectiveness of the corrective action taken?
Has the organization made changes to the ISMS if necessary?
Are the corrective actions appropriate to the significance of the effects of the nonconformities encountered?
Does the organization retain documented information on the nature of the nonconformities, any subsequent actions taken and the result of any corrective action?

Annex A Information security controls

A 5 Organizational controls

Clause | Control | Requirement | Is the control applicable? If yes, how is it applied and is it effective?
5.1 | Policies for information security | Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. |
5.2 | Information security roles and responsibilities | Information security roles and responsibilities shall be defined and allocated according to the organization needs. |
5.3 | Segregation of duties | Conflicting duties and conflicting areas of responsibility shall be segregated. |
5.4 | Management responsibilities | Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization. |
5.5 | Contact with authorities | The organization shall establish and maintain contact with relevant authorities. |
5.6 | Contact with special interest groups | The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations. |
5.7 | Threat intelligence | Information relating to information security threats shall be collected and analysed to produce threat intelligence. |
5.8 | Information security in project management | Information security shall be integrated into project management. |
5.9 | Inventory of information and other associated assets | An inventory of information and other associated assets, including owners, shall be developed and maintained. |
5.10 | Acceptable use of information and other associated assets | Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented. |
5.11 | Return of assets | Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement. |
5.12 | Classification of information | Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements. |
5.13 | Labelling of information | An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. |
5.14 | Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. |
5.15 | Access control | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements. |
5.16 | Identity management | The full life cycle of identities shall be managed. |
5.17 | Authentication information | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information. |
5.18 | Access rights | Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control. |
5.19 | Information security in supplier relationships | Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services. |
5.20 | Addressing information security within supplier agreements | Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship. |
5.21 | Managing information security in the information and communication technology (ICT) supply chain | Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain. |
5.22 | Monitoring, review and change management of supplier services | The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. |
5.23 | Information security for use of cloud services | Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements. |
5.24 | Information security incident management planning and preparation | The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. |
5.25 | Assessment and decision on information security events | The organization shall assess information security events and decide if they are to be categorized as information security incidents. |
5.26 | Response to information security incidents | Information security incidents shall be responded to in accordance with the documented procedures. |
5.27 | Learning from information security incidents | Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls. |
5.28 | Collection of evidence | The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. |
5.29 | Information security during disruption | The organization shall plan how to maintain information security at an appropriate level during disruption. |
5.30 | ICT readiness for business continuity | ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. |
5.31 | Legal, statutory, regulatory and contractual requirements | Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date. |
5.32 | Intellectual property rights | The organization shall implement appropriate procedures to protect intellectual property rights. |
5.33 | Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. |
5.34 | Privacy and protection of personal identifiable information (PII) | The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements. |
5.35 | Independent review of information security | The organization’s approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur. |
5.36 | Compliance with policies, rules and standards for information security | Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed. |
5.37 | Documented operating procedures | Operating procedures for information processing facilities shall be documented and made available to personnel who need them. |

A 6 People controls

Clause | Control | Requirement | Is the control applicable? If yes, how is it applied and is it effective?
6.1 | Screening | Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis, taking into consideration applicable laws, regulations and ethics, and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. |
6.2 | Terms and conditions of employment | The employment contractual agreements shall state the personnel’s and the organization’s responsibilities for information security. |
6.3 | Information security awareness, education and training | Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function. |
6.4 | Disciplinary process | A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation. |
6.5 | Responsibilities after termination or change of employment | Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties. |
6.6 | Confidentiality or non-disclosure agreements | Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties. |
6.7 | Remote working | Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises. |
6.8 | Information security event reporting | The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner. |

A 7 Physical controls

Clause | Control | Requirement | Is the control applicable? If yes, how is it applied and is it effective?
7.1 | Physical security perimeters | Security perimeters shall be defined and used to protect areas that contain information and other associated assets. |
7.2 | Physical entry | Secure areas shall be protected by appropriate entry controls and access points. |
7.3 | Securing offices, rooms and facilities | Physical security for offices, rooms and facilities shall be designed and implemented. |
7.4 | Physical security monitoring | Premises shall be continuously monitored for unauthorized physical access. |
7.5 | Protecting against physical and environmental threats | Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure, shall be designed and implemented. |
7.6 | Working in secure areas | Security measures for working in secure areas shall be designed and implemented. |
7.7 | Clear desk and clear screen | Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced. |
7.8 | Equipment siting and protection | Equipment shall be sited securely and protected. |
7.9 | Security of assets off-premises | Off-site assets shall be protected. |
7.10 | Storage media | Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements. |
7.11 | Supporting utilities | Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities. |
7.12 | Cabling security | Cables carrying power, data or supporting information services shall be protected from interception, interference or damage. |
7.13 | Equipment maintenance | Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information. |
7.14 | Secure disposal or re-use of equipment | Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. |

A 8 Technological controls

Clause | Control | Requirement | Is the control applicable? If yes, how is it applied and is it effective?
8.1 | User end point devices | Information stored on, processed by or accessible via user end point devices shall be protected. |
8.2 | Privileged access rights | The allocation and use of privileged access rights shall be restricted and managed. |
8.3 | Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. |
8.4 | Access to source code | Read and write access to source code, development tools and software libraries shall be appropriately managed. |
8.5 | Secure authentication | Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. |
8.6 | Capacity management | The use of resources shall be monitored and adjusted in line with current and expected capacity requirements. |
8.7 | Protection against malware | Protection against malware shall be implemented and supported by appropriate user awareness. |
8.8 | Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. |
8.9 | Configuration management | Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed. |
8.10 | Information deletion | Information stored in information systems, devices or in any other storage media shall be deleted when no longer required. |
8.11 | Data masking | Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration. |
8.12 | Data leakage prevention | Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information. |
8.13 | Information backup | Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. |
8.14 | Redundancy of information processing facilities | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. |
8.15 | Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. |
8.16 | Monitoring activities | Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. |
8.17 | Clock synchronization | The clocks of information processing systems used by the organization shall be synchronized to approved time sources. |
8.18 | Use of privileged utility programs | The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled. |
8.19 | Installation of software on operational systems | Procedures and measures shall be implemented to securely manage software installation on operational systems. |
8.20 | Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. |
8.21 | Security of network services | Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored. |
8.22 | Segregation of networks | Groups of information services, users and information systems shall be segregated in the organization’s networks. |
8.23 | Web filtering | Access to external websites shall be managed to reduce exposure to malicious content. |
8.24 | Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. |
8.25 | Secure development life cycle | Rules for the secure development of software and systems shall be established and applied. |
8.26 | Application security requirements | Information security requirements shall be identified, specified and approved when developing or acquiring applications. |
8.27 | Secure system architecture and engineering principles | Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities. |
8.28 | Secure coding | Secure coding principles shall be applied to software development. |
8.29 | Security testing in development and acceptance | Security testing processes shall be defined and implemented in the development life cycle. |
8.30 | Outsourced development | The organization shall direct, monitor and review the activities related to outsourced system development. |
8.31 | Separation of development, test and production environments | Development, testing and production environments shall be separated and secured. |
8.32 | Change management | Changes to information processing facilities and information systems shall be subject to change management procedures. |
8.33 | Test information | Test information shall be appropriately selected, protected and managed. |
8.34 | Protection of information systems during audit testing | Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management. |

Example of Bluetooth security policy

Purpose

The purpose of this policy is to provide a minimum baseline standard for connecting Bluetooth enabled devices to the XXX network or to XXX-owned devices. The intent of the minimum standard is to ensure sufficient protection of Personally Identifiable Information (PII) and confidential XXX data.

Scope

This policy applies to any Bluetooth enabled device that is connected to the XXX network or to XXX-owned devices.

Policy

Insecure Bluetooth connections can introduce a number of potentially serious security issues. Hence, there is a need for a minimum standard for connecting Bluetooth enabled devices.

3.1 Version

No Bluetooth device that does not meet at least the Bluetooth v2.1 specification shall be deployed on XXX equipment without written authorization from the IT Team. Any Bluetooth equipment purchased prior to this policy must comply with all parts of this policy except the Bluetooth version requirement.

3.2 Pins and Pairing
When pairing your Bluetooth unit to your Bluetooth enabled equipment (e.g. phone, laptop), ensure that you are not in a public area where your PIN can be compromised. If your Bluetooth enabled equipment asks you to enter your PIN after you have initially paired it, you must refuse the pairing request and report it to IT, through your Help Desk, immediately: an unexpected re-pairing prompt for a device that is already paired can mean the stored link key has been lost or that another device is impersonating the peer in order to establish a new key.

3.3 Device Security Settings

  • All Bluetooth devices shall require authentication and encryption for every connection. On legacy (pre-v2.1) devices this means ‘security mode 3’ (link-level enforced security), which authenticates and encrypts the link before any channel is set up; devices at v2.1 or later pair with Secure Simple Pairing and operate in security mode 4, which shall be configured so that every service requires authentication and encryption.
  • Where legacy PIN pairing is used, use a minimum PIN length of 8 digits; a longer PIN provides more security. With Secure Simple Pairing, use the numeric comparison or passkey entry association model rather than ‘Just Works’, which gives no protection against man-in-the-middle attacks during pairing.
  • Switch the Bluetooth device to hidden mode (non-discoverable) once pairing is complete.
  • Only activate Bluetooth when it is needed.
  • Ensure device firmware is up-to-date.

3.4 Security Audits

The IT Team may perform random audits to ensure compliance with this policy. In the process of performing such audits, IT Team members shall not eavesdrop on any phone conversation.
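
To support the audits described in 3.4, the following added example (not part of the original policy) checks a Linux host against the version requirement in 3.1 and the hidden-mode setting in 3.3 by parsing the text output of BlueZ’s `bluetoothctl show` and `hciconfig -a`. The sample outputs are constructed for illustration, and the field names and layout are assumed to match current BlueZ releases; on a real host, replace them with the output of those two commands. Security mode, PIN length and firmware level are not exposed by these commands and still need manual verification.

```python
import re

# Policy 3.1: nothing below Bluetooth v2.1 without written authorization.
MIN_VERSION = (2, 1)

# Constructed sample output, modelled on BlueZ `bluetoothctl show`
# (assumption: field names and layout as printed by current BlueZ releases).
SAMPLE_SHOW_NONCOMPLIANT = """\
Controller AA:BB:CC:DD:EE:FF (public)
\tName: workstation-01
\tAlias: workstation-01
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
\tPairable: yes
"""

SAMPLE_SHOW_COMPLIANT = """\
Controller AA:BB:CC:DD:EE:FF (public)
\tName: workstation-01
\tAlias: workstation-01
\tPowered: yes
\tDiscoverable: no
\tDiscoverableTimeout: 0x000000b4
\tPairable: no
"""

# Constructed sample output, modelled on `hciconfig -a`, which reports the
# controller's HCI/LMP version (the figure policy 3.1 is concerned with).
SAMPLE_HCICONFIG = """\
hci0:\tType: Primary  Bus: USB
\tBD Address: AA:BB:CC:DD:EE:FF  ACL MTU: 1021:4  SCO MTU: 96:6
\tUP RUNNING
\tHCI Version: 5.1 (0xa)  Revision: 0x100
\tLMP Version: 5.1 (0xa)  Subversion: 0x100
"""


def parse_show(text):
    """Turn the indented 'Key: value' lines of `bluetoothctl show` into a dict."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Controller") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def parse_hci_version(text):
    """Return (major, minor) from the 'HCI Version: X.Y' line, or None."""
    match = re.search(r"HCI Version:\s*(\d+)\.(\d+)", text)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def audit(show_output, hciconfig_output):
    """Return a list of policy findings; an empty list means compliant."""
    findings = []
    fields = parse_show(show_output)

    # 3.3: hidden (non-discoverable) mode.
    if fields.get("Discoverable") == "yes":
        findings.append("3.3: controller is discoverable; hidden mode required")
    # A timeout of 0 means 'discoverable indefinitely' once it is switched on.
    timeout = fields.get("DiscoverableTimeout")
    if timeout is not None and int(timeout, 16) == 0:
        findings.append("3.3: DiscoverableTimeout is 0, discoverability never expires")

    # 3.1: minimum Bluetooth version.
    version = parse_hci_version(hciconfig_output)
    if version is None:
        findings.append("3.1: Bluetooth version could not be determined")
    elif version < MIN_VERSION:
        findings.append(
            "3.1: controller reports Bluetooth %d.%d, below the v2.1 minimum" % version
        )
    return findings


if __name__ == "__main__":
    for label, sample in (("non-compliant", SAMPLE_SHOW_NONCOMPLIANT),
                          ("compliant", SAMPLE_SHOW_COMPLIANT)):
        result = audit(sample, SAMPLE_HCICONFIG)
        print(label, "->", result or "no findings")
```

The findings are tagged with the policy clause they relate to so that they can be copied straight into the audit record; a controller that is switched off entirely produces no `bluetoothctl show` fields and therefore no 3.3 findings, which is consistent with the requirement to keep Bluetooth off when not in use.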

3.5 Unauthorized Use

The following is a list of unauthorized uses of XXX-owned Bluetooth devices:

  • Eavesdropping, device ID spoofing, DoS attacks, or any form of attacking other Bluetooth enabled devices.
  • Using XXX-owned Bluetooth equipment on non-XXX-owned Bluetooth enabled devices.
  • Unauthorized modification of Bluetooth devices for any purpose.

3.6 User Responsibilities

  • It is the Bluetooth user’s responsibility to comply with this policy.
  • Bluetooth mode must be turned off when not in use.
  • PII and/or XXX Confidential or Sensitive data must not be transmitted over or stored on Bluetooth enabled devices.
  • Bluetooth users must only access XXX information systems using approved Bluetooth device hardware, software, solutions, and connections.
  • Bluetooth device hardware, software, solutions, and connections that do not meet the standards of this policy shall not be authorized for deployment.
  • Bluetooth users must act appropriately to protect information, network access, passwords, cryptographic keys, and Bluetooth equipment.
  • Bluetooth users are required to report any misuse, loss, or theft of Bluetooth devices or systems immediately to IT.

4. Policy Compliance

4.1 Compliance Measurement
The IT Team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
4.2 Exceptions
Any exception to the policy must be approved by the IT Team in advance.
4.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Example of ISO 27001:2022 ISMS Internal audit procedure

1 Purpose

This procedure is intended to ensure that:

  • the organization continually operates in accordance with the specified policies, procedures and external requirements in meeting company goals and objectives in relation to information security.
  • improvements to the Information Security Management System (ISMS) are identified, implemented and suitable to achieve objectives.

2 Scope

This procedure:

  • includes planning, execution, reporting and follow–up of ISMS internal audits; and
  • applies to all departments/business units within scope of the organization’s ISMS.

3 Roles and responsibilities

3.1 Information Security Management Representative (ISMR)

  • Appoints the Lead Auditor and the Audit Team (note: the Lead Auditor and ISMR may be the same person).
  • Together with the Lead Auditor, reviews the corrective and preventive actions and the follow-up.
  • Maintains confidentiality of the audit evidence, analysis and findings/results.

3.2 Lead Auditor

  • Prepares an Audit Plan/Notification as a basis for planning the audit and for disseminating information about the audit.
  • Leads the ISMS internal audit activities.
  • Co-ordinates the audit schedule with concerned department/section heads.
  • Plans the audit, prepares the working documents and briefs the audit team.
  • Consolidates all audit findings and observations and prepares internal audit report.
  • Reports critical non-conformities to the auditee immediately.
  • Reports the audit results to the auditee clearly and without delay.
  • Conducts the opening and closing meeting.

3.3 Audit Team Member

  • Supports the Lead Auditor’s activities (may be the same person).
  • Performs the audit using the consolidated audit checklist.
  • Reports any non-conformities and recommends suggestions for improvement.
  • Retains the confidentiality of audit findings.
  • Acts in an ethical manner at all times.

3.4 Auditee

  • Receives, considers and discusses the audit report.
  • Determines, resources, drives and completes corrective actions as necessary.
  • Is and remains accountable for protecting information assets.

4 Procedure

4.1 General

4.1.1 An ISMS audit programme shall be created that contains all scheduled and potential audits for the whole calendar year. This shall include the schedule of internal audits, audits of suppliers, audits to be performed by clients and third-party audits, as appropriate.
4.1.2 Internal audits shall be scheduled twice a year or as the need arises.
4.1.3 Only competent personnel who are truly independent of the subject area shall perform audits.
4.1.4 Members of the Internal Audit Team shall be appointed and supervised by the Lead Auditor.
4.1.5 Auditees are notified at least three working days in advance of the audit, and ideally up to a month before, giving them ample time to prepare.

4.2 Planning and Preparing the Audit

4.2.1 An annual ISMS internal audit programme shall be prepared by the Lead Auditor and approved by top management. It should be revised to reflect any changes in the priorities or schedule during the year.
4.2.2 Based on the audit programme, the Lead Auditor shall prepare the respective audit plans.
4.2.3 The Audit Plan/Notification shall be prepared by the Lead Auditor, reviewed and approved by the ISMR. It shall be communicated to the auditor/s and the auditees. It shall be designed to be flexible in order to permit changes based on the information gathered during the audit. The plan shall include:

  • Audit objective and scope.
  • Department/Section and responsible individuals in charge.
  • Audit team members. The number of auditors depends on the audit area size.
  • Management system/s to be audited (possibly more than one at once i.e. combined audits).
  • Date, place and timescale for the audit fieldwork, planned distribution date of the audit report and some indication of the anticipated date of the clearance meeting.

4.3 Pre-audit meeting

4.3.1 One or more pre-audit meetings between the ISMR, Lead Auditor and auditors shall take place not later than one day prior to the audit proper. Objectives are as follows:

  • To ensure the availability of all the resources needed and other logistics that may be required by the auditors.
  • To verify the scope of the audit against the Audit Plan.

4.4 Opening meeting

4.4.1 An opening meeting, where deemed appropriate by the ISMR and Lead Auditor, shall be held on the day of the audit but before the audit proper. The following may be discussed during the opening meeting:

  • The purpose and scope of the audit.
  • Confirmation of the audit plan.
  • Clarification of other matters that must be settled before the audit takes place.

4.5 Audit Execution

4.5.1 The auditor/s will perform the ISMS internal audit using several checklists:

  • ISMS Internal Audit Checklist/Observation Form: contains specific items that are particular to the organizational unit to be audited. The assigned auditors are responsible for generating the questions and checks on this form.
  • Mandatory Requirements Checklist: describes checks relating to the mandatory requirements from the main body of the applicable version of ISO/IEC 27001.
  • Discretionary Requirements Checklist: describes checks pertaining to the information security controls outlined in Annex A of ISO/IEC 27001. The organization chooses which – if any – of the Annex A controls are applicable i.e. are necessary to mitigate its unacceptable information risks.

4.5.2 Audit findings are collected through interviews, examination of documents and observation of activities and conditions in the areas of concern and noted on the checklists, referencing the supporting audit evidence (e.g. interview notes and ISMS documents reviewed).
4.5.3 Evidence suggesting other non-conformities should be noted if they seem significant, even though not covered by the checklist, along with other objective evidence and/or observations reflecting positively or negatively on the information security management system.

4.6 Audit Reporting

4.6.1 The auditor/s shall allow time for analysing, drafting and discussing the audit findings e.g.:

  • Review and analysis of evidence leading to reportable findings.
  • Consolidation of findings including grouping of related issues and tabulation.
  • Classification/prioritization of findings according to their significance and/or urgency (see section 4.6.4).
  • Drafting of audit report including recommendations.

4.6.2 The audit team shall review all of their findings whether they are to be reported as non-conformities or as observations. Essentially:

  • Everything significant enough to be ‘reportable’ should indeed be reported; and
  • Everything reported should be supported by sufficient objective evidence to withstand reasonable scrutiny.

4.6.3 The Lead Auditor typically consolidates everything into the audit report, or at least checks and challenges the content of a report drafted by the team.
4.6.4 Classification of findings shall be:

  • Major non-conformity – a significant deficiency in the ISMS, typically a point of absolute non-conformity with one of the mandatory requirements in the main body of ISO/IEC 27001 (e.g. a missing required document or one that substantially fails to address the specified content) or a serious error in the identification, assessment or treatment of information risks (such as missing or ineffective ‘necessary’ controls). These are show-stoppers, preventing certification unless/until resolved.
  • Minor non-conformity – a minor deficiency or technical non-conformity with a limited or indirect effect on information risk and security.
  • Improvement potential – a suggested ISMS improvement which may or may not be adopted by the organization, perhaps with modifications, drawing on the auditor’s independent perspective and experience.
  • Positive findings – something that goes beyond what is required by the standard, included for the sake of presenting a fair and balanced opinion that acknowledges good practice.

4.6.5 Both major and minor non-conformities require appropriate corrective actions to be documented using the corrective action policy/procedure within the ISMS (or, if absent, an equivalent process).
4.6.6 Improvement potentials concerning information security weaknesses require appropriate preventive actions to be documented, ideally entering the organization’s continual improvement process.
4.6.7 The Lead Auditor shall prepare a standard internal audit Report containing the following information:

  • Audit Reference Number
  • Date of Audit
  • Department/Section Audited/Process Name
  • Name of Auditee and auditors
  • Statement of findings (all non-conformities found)
  • Reference to the information security management system and standard
  • Corrective and Preventive Actions with completion date
  • Follow-up actions for non-conformities
  • Verification of follow-up actions

4.6.8 Auditors shall follow a code of conduct in the manner of reporting as stated in this document:

  • The report should be concise but factual and presented in a constructive manner.
  • The findings should be within the scope of the audit and show their relationship to the standard used.
  • The report should not show bias by the individual auditor.

4.6.9 The Lead Auditor shall issue a formal Audit Report to the ISMR (if the ISMR is not the Lead Auditor).
4.6.10 The internal audit report shall be maintained and controlled by the ISMR.

4.7 Clearance Meeting

4.7.1 The Lead Auditor shall preside over the clearance meeting attended by the audit team and auditees.
4.7.2 The auditor/s shall report the findings and observations, summarising the good points before discussing non-conformities supported by the audit evidence and (if applicable) recommendations and improvement opportunities to be considered.
4.7.3 All parties shall safeguard the confidentiality of the ISMS internal audit report.

5 Audit Follow-up and Closure

5.1.1 Whereas the auditors are responsible for identifying non-conformities, auditees are responsible for resolving non-conformities.
5.1.2 Approved corrective actions shall be based on time scales agreed with the auditors.
5.1.3 The Lead Auditor shall follow up to check the implementation of corrective action as stated on the Non-conformity/Corrective and Preventive Action report or NCPAR. Normally, follow-ups will use an abbreviated form of this audit procedure to verify the completion and effectiveness of the agreed corrective or preventive actions according to the agreed timescales.
5.1.4 The lead auditor shall issue a new NCPAR if corrective actions are not fully implemented by the committed date, and/or are not effective.
5.1.5 “Re-issue” shall be noted in the remarks column of the NCPAR log if any of the situations noted here become apparent.
5.1.6 An audit will not be considered complete and closed until all corrective actions or measures have been successfully implemented to the satisfaction of the Lead Auditor.

6 Auditors’ Qualifications

6.1 Personal attributes

6.1.1 Auditors shall possess the personal attributes, skills and competencies necessary to uphold the principles of auditing. An auditor should be:

  • Ethical: fair, truthful, sincere, honest and discreet;
  • Open-minded: willing to consider alternative ideas or points of view;
  • Diplomatic: tactful in dealing with people, particularly those who are senior or over-committed;
  • Observant and perceptive: actively aware of physical surroundings, activities, body-language, instinctively aware of and able to understand complex situations;
  • Versatile: able to adjust readily to different situations;
  • Tenacious: persistent, focused on achieving objectives;
  • Decisive: reaches timely conclusions based on logical reasoning and analysis; and
  • Self-reliant and self-motivated: acts and functions independently while interacting effectively with others.

6.2 General knowledge and skills of an ISMS auditor

6.2.1 Auditors should have knowledge and skills in the areas set out in 6.2.2 to 6.2.5.
6.2.2 Audit principles, procedures and techniques: to enable the auditor to apply those appropriate to different audits and ensure that audits are conducted consistently and systematically. An auditor should be able to:

  • Apply audit principles, procedures and techniques;
  • Plan and organize the work effectively;
  • Conduct the audit within the agreed time schedule;
  • Prioritize and focus on matters of significance;
  • Collect information through effective interviewing, listening, observing and reviewing documents, records and data;
  • Understand the appropriateness and consequences of using sampling techniques for auditing;
  • Verify the accuracy of collected information;
  • Confirm the sufficiency and appropriateness of audit evidence to support audit findings and conclusions;
  • Assess those factors that can affect the reliability of the audit findings and conclusions;
  • Use work documents to record audit activities;
  • Prepare audit reports of suitable quality and professionalism;
  • Maintain the confidentiality and security of information; and
  • Communicate effectively, either through personal linguistic skills or through an interpreter.

6.2.3 Management system and reference documents: to enable the auditor to comprehend the scope of the audit and apply audit criteria. Knowledge and skills in this area should cover:

  • Interaction between the parts of the management system;
  • ISMS standards, applicable procedures or other documents used as audit criteria;
  • Recognizing differences between and priority of the reference documents;
  • Application of the reference documents to different audit situations; and
  • Information systems and technology for the authorization, security, distribution and control of documents, data and records.

6.2.4 Organization/business context: to enable the auditor to comprehend the organization’s operational context. Knowledge and skills in this area should cover aspects such as:

  • Organization size, structure, functions and relationships;
  • General business processes and related terminology; and
  • Cultural and social customs of the auditee.

6.2.5 Applicable laws, regulations and other obligations: to enable the auditor to work within, and be aware of, various obligations towards information security, privacy, governance and other requirements that apply to the organization being audited. Knowledge and skills in this area should cover relevant:

  • Local, regional and national codes, laws and regulations;
  • Contracts and agreements;
  • International treaties and conventions; and
  • Other compliance requirements such as applicable standards.

6.3 Lead Auditors’ Qualifications

6.3.1 Audit team leaders should have additional knowledge and skills in audit leadership to facilitate the efficient and effective conduct of the audit. An audit team leader should be able to:

  • Plan the audit and make effective use of resources during the audit;
  • Represent the audit team in communications with the audit client and auditee;
  • Organize, direct and motivate audit team members;
  • Mentor and provide guidance to audit team members;
  • Lead the audit team to reach the audit conclusions;
  • Prevent or resolve conflicts; and
  • Prepare and complete the audit report.

6.4 Specific Knowledge and Skills of ISMS Auditors

6.4.1 Information security management system auditors should have knowledge and skills in information security-related methods and techniques, to enable the auditor to examine information security management systems and to generate appropriate audit findings and conclusions. Knowledge and skills in this area should cover:

  • Information security terminology and concepts;
  • Information security management principles and their application; and
  • Information security management tools and their application.

6.4.2 Processes and products, including services: to enable the auditor to comprehend the technological context in which the audit is being conducted. Knowledge and skills in this area should cover:

  • Industry-specific terminology; and
  • Technical characteristics of processes and products, including services, and industry-specific processes and practices.

7 Records

7.1.1 As well as miscellaneous audit evidence (such as copies of documents, audit notes, records of interviews, system printouts etc.), ISMS internal audits generate the following formal records:

  • Audit programme
  • Audit plan/Notification
  • Audit checklist/Observation sheet
  • Mandatory requirements checklist
  • Discretionary requirements checklist
  • Internal audit report
  • Nonconformity and corrective reports (if required)
  • ISMS improvement suggestions (if appropriate)

7.1.2 All information shall be appropriately secured given its often confidential nature.
7.1.3 All information shall be properly filed and indexed, providing a starting point or background context for the next ISMS audit.