Communication with the appropriate authorities must be kept open at all times. Processes should be put in place to define when and with whom officials should communicate, and how identified information security violations will be reported by the organisation as soon as possible. Organisations that have been attacked over the internet may need to call on authorities to take counter-measures. Maintaining these connections may also be required to support information security incident management or business continuity and contingency planning. Contacts with regulatory authorities are also beneficial in predicting and planning for any changes in the rules or regulations that the organisation must comply with. Consider contact with your data protection regulator (which is likely mandated in law), utility companies for power and water, health and safety bodies if relevant, fire departments for business continuity and incident management, and perhaps your telecoms provider for routing if lines go down. You are going to have to ensure that:
you identify and document what authorities apply to you
in what circumstances you would contact them
how information security incidents should be reported if relevant
understand what expectations these authorities have, if any
include relevant contact steps in your incident management processes
include relevant contact steps in your business continuity and disaster recovery processes
A.5.5 Contact with authorities
Control
The organization should establish and maintain contact with relevant authorities.
Purpose
To ensure appropriate flow of information takes place with respect to information security between the organization and relevant legal, regulatory and supervisory authorities.
Guidance
The organization should specify when and by whom authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information security incidents should be reported in a timely manner. Contacts with authorities should also be used to facilitate the understanding about the current and upcoming expectations of these authorities (e.g. applicable information security regulations).
Other information
Organizations under attack can request authorities to take action against the attack source. Maintaining such contacts can be a requirement to support information security incident management or the contingency planning and business continuity processes. Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in relevant laws or regulations that affect the organization. Contacts with other authorities include utilities, emergency services, electricity suppliers and health and safety [e.g. fire departments (in connection with business continuity), telecommunication providers (in connection with line routing and availability) and water suppliers (in connection with cooling facilities for equipment)].
The organization needs to maintain useful contact information for appropriate authorities. The purpose is to ensure that an appropriate flow of information takes place with respect to information security between the organization and relevant legal, regulatory and supervisory authorities. An appropriate forum for dialogue and cooperation between the Company and relevant legal, regulatory and supervisory authorities must be in place. Obviously, with more significant organizations the need for this is greater, as an interruption of service affects a larger part of the population. This is particularly relevant to utilities, telecoms, banking organizations and emergency services (and for smaller companies these might be on your contact list). The control covers the requirement, purpose and implementation instructions on how to identify and report information security events in a timely way, as well as who to contact, and how, in the event of an incident. Where attacks stem from the internet, various authorities and providers may need to be called to action in order to divert, suppress or mitigate the threat. You can’t fix everything, but you can be ready should the need arise. This will help with business continuity and security incident management. The objective is to identify which stakeholders (e.g. law enforcement, regulatory bodies, supervisory authorities) would need to be contacted in the event of a security event. It is important that you have identified these stakeholders before an incident occurs. A protocol for engagement with law enforcement can be part of the security incident response plan or of a broader crisis management procedure for the organization. The plan should be clear about which situations require working with law enforcement, such as when laws are broken. It should also clearly state who contacts authorities and under what circumstances (e.g. whether law enforcement should be contacted by the information security officer or the safety officer).
Contact with Authorities means that the organisation should establish and implement informal communication with authorities concerning information security issues, including:
Ongoing communication with relevant authorities to ensure that the organisation is aware of current threats and vulnerabilities.
Informing relevant authorities of vulnerabilities discovered in the organisation’s products, services or systems.
Receiving information from relevant authorities about threats and vulnerabilities.
The main objective of this control is to establish the organisation’s relationship with law enforcement agencies as it relates to managing information security risks. To meet the requirements, the organisation should specify when, and by whom, authorities (such as law enforcement, regulatory bodies and supervisory authorities) should be notified if an information security incident is discovered, as well as how identified information security incidents are to be reported in a timely manner. The exchange of information with authorities should also be used to gain a better knowledge of the existing and forthcoming expectations of these agencies (e.g. applicable information security regulations). This requirement is designed to ensure that the organisation has a coherent strategy for its relationship with law enforcement agencies and that it has identified the most appropriate point of contact in these agencies. Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in relevant laws or regulations that affect the organisation.
Appropriate contacts with relevant authorities must be maintained, and the legal responsibilities for contacting authorities such as the Police, the Information Commissioner’s Office or other regulatory bodies should always be met; this is particularly relevant to utilities, telecoms, banking organisations and the emergency services. Where attacks stem from the internet, various authorities and providers may need to be called to action in order to divert, suppress or mitigate the threat. All authorities can be listed and retained in an appropriately shared and access-controlled repository. The ISMS coordinator can keep the records up to date and record which authority was contacted, when, by which relationship owner, under what circumstances, and the nature of the information provided. The records should clearly identify who is responsible for contacting authorities (e.g. law enforcement, regulatory bodies, supervisory authorities), which authorities should be contacted (e.g. in which region or country), and in what cases this needs to happen, together with the manner and timing in which breaches shall be communicated to external authorities so as to ensure appropriate reporting.
The purpose of segregation of duties in ISO 27001 is to ensure that a single point of compromise does not have significant impacts on the business. Conflicts can occur when two or more employees have similar or different responsibilities towards a particular task. When this happens, the employees may end up doing the same thing twice, or doing different things that cancel out each other’s efforts. This wastes corporate resources and reduces productivity, which affects both the company’s bottom line and morale. To make sure that your organisation does not suffer from this problem, it is important to understand what conflicting areas of responsibility are, why they arise and how you can prevent them from occurring in your organisation. For the most part, this means separating duties so that different people handle different roles in the organisation.
Conflicting duties and areas of responsibility must be segregated in order to reduce the opportunities for unauthorized or unintentional modification or misuse of any of the organisation’s assets. The risk is that if a single post is responsible for highly privileged actions and is not monitored or controlled, then compromise of that role could have disastrous impacts on the organisation. For example, malicious system or network admins managing the network could greatly disrupt operations or leak highly sensitive data if not controlled and monitored. The organisation needs to ask itself whether segregation of duties has been considered and implemented where appropriate. To be compliant with this requirement, the organisation must be able to demonstrate that highly privileged role functions and conflicting duties/areas of responsibility are sufficiently segregated. For example, this may be achieved by providing additional layers of authorization for privileged tasks such as issuing or revoking user accounts, or system management functions. A two-man rule might be appropriate in certain circumstances; in others it may be appropriate to require an extra layer of authorization before a task can be carried out, supported by enhanced monitoring of user operations. This provides a defense-in-depth approach and means that any unauthorized activity can be tracked, monitored and alerted upon.
A.5.3 Segregation of Duties
Control
Conflicting duties and conflicting areas of responsibility should be segregated.
Purpose
To reduce the risk of fraud, error and bypassing of information security controls.
ISO 27002 Implementation Guidance
Segregation of duties and areas of responsibility aims to separate conflicting duties between different individuals in order to prevent one individual from executing potential conflicting duties on their own. The organization should determine which duties and areas of responsibility need to be segregated. The following are examples of activities that can require segregation:
initiating, approving and executing a change;
requesting, approving and implementing access rights;
designing, implementing and reviewing code;
developing software and administering production systems;
using and administering applications;
using applications and administering databases;
designing, auditing and assuring information security controls.
The possibility of collusion should be considered in designing the segregation controls. Small organizations can find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls should be considered, such as monitoring of activities, audit trails and management supervision. Care should be taken when using role-based access control systems to ensure that persons are not granted conflicting roles. When there is a large number of roles, the organization should consider using automated tools to identify conflicts and facilitate their removal. Roles should be carefully defined and provisioned to minimize access problems if a role is removed or reassigned.
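The guidance above recommends automated detection of conflicting role grants. As an added example (not from the page or from ISO 27002), the Python below encodes the listed conflict sets and reports roles that bundle conflicting duties, users whose combined roles grant conflicting duties, and the conflicts a proposed role grant would introduce; the role, duty and user names are constructed sample data.

```python
"""Segregation-of-duties (SoD) conflict checker for role-based access control.

Added example, not part of ISO 27002 or the original page. The conflict sets
mirror the activities listed in the A.5.3 guidance; the roles, duties and
user assignments are constructed sample data, not a real organisation's.
"""
from itertools import combinations

# Each set lists duties that the guidance says one person should not hold together.
CONFLICT_SETS = [
    {"change.initiate", "change.approve", "change.execute"},
    {"access.request", "access.approve", "access.implement"},
    {"code.design", "code.implement", "code.review"},
    {"software.develop", "production.administer"},
    {"app.use", "app.administer"},
    {"app.use", "db.administer"},
    {"control.design", "control.audit", "control.assure"},
]

# Constructed role definitions: role name -> duties the role grants.
ROLES = {
    "developer": {"code.implement", "software.develop"},
    "code_reviewer": {"code.review"},
    "change_requester": {"change.initiate"},
    "change_approver": {"change.approve"},
    "release_engineer": {"change.execute", "production.administer"},
    "access_admin": {"access.implement"},
    "line_manager": {"access.request", "access.approve"},  # bundles two conflicting duties
    "finance_user": {"app.use"},
    "dba": {"db.administer"},
    "security_auditor": {"control.audit"},
}

# Constructed user-to-role assignments.
ASSIGNMENTS = {
    "alice": {"developer", "code_reviewer"},         # implements and reviews code
    "bob": {"developer", "release_engineer"},        # develops and administers production
    "carol": {"change_requester", "change_approver"},
    "dave": {"finance_user", "dba"},                 # uses the application and administers its DB
    "erin": {"access_admin"},
    "frank": {"line_manager"},                       # conflict lives inside a single role
    "grace": {"security_auditor"},
}


def duties_for(role_names, roles=ROLES):
    """Union of duties granted by a set of roles; an unknown role raises KeyError."""
    duties = set()
    for name in role_names:
        duties |= roles[name]
    return duties


def conflicting_pairs(duties, conflict_sets=CONFLICT_SETS):
    """Sorted (duty_a, duty_b) pairs from the given duties that lie in one conflict set."""
    pairs = set()
    for cset in conflict_sets:
        held = sorted(duties & cset)
        pairs.update(combinations(held, 2))
    return sorted(pairs)


def role_conflicts(roles=ROLES, conflict_sets=CONFLICT_SETS):
    """Roles that bundle conflicting duties on their own; these should be split."""
    return {name: conflicting_pairs(duties, conflict_sets)
            for name, duties in roles.items()
            if conflicting_pairs(duties, conflict_sets)}


def user_conflicts(assignments=ASSIGNMENTS, roles=ROLES, conflict_sets=CONFLICT_SETS):
    """Users whose combined roles grant conflicting duties, with the offending pairs."""
    report = {}
    for user, role_names in assignments.items():
        pairs = conflicting_pairs(duties_for(role_names, roles), conflict_sets)
        if pairs:
            report[user] = pairs
    return report


def would_conflict(user, new_role, assignments=ASSIGNMENTS, roles=ROLES,
                   conflict_sets=CONFLICT_SETS):
    """Provisioning-time check: new conflicts a role grant would introduce (empty = safe)."""
    current = duties_for(assignments.get(user, set()), roles)
    before = set(conflicting_pairs(current, conflict_sets))
    after = set(conflicting_pairs(current | roles[new_role], conflict_sets))
    return sorted(after - before)


if __name__ == "__main__":
    for role, pairs in role_conflicts().items():
        print(f"role {role!r} bundles conflicting duties: {pairs}")
    for user, pairs in user_conflicts().items():
        print(f"user {user!r} holds conflicting duties: {pairs}")
    print("granting dba to erin adds:", would_conflict("erin", "dba"))
    print("granting access_admin to frank adds:", would_conflict("frank", "access_admin"))
```

Where a reported conflict cannot be removed (a small team, for instance), the output is the list of users and duty pairs that the compensating controls named in the guidance (monitoring, audit trails, management supervision) need to cover.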
Segregation of duties reduces the risk of intentional manipulation or error and increases the element of checking. Functions that should be separated include those of authorization, execution, custody, and recording and, in the case of a computer-based accounting system, systems development, and daily operations. Segregation of duties is the concept of having more than one person required to complete a task. Today’s automated solutions and information and communication technologies allow a few people to handle a great deal of information and processes (e.g., stock exchange operators and air traffic controllers). While this is good to improve productivity, a potential side effect is that these few people may end up gathering excessive knowledge and/or privilege over the operating environment and, in case they are absent or have malicious intent, this can prove to be an unacceptable risk, which must be handled. This is a best practice, especially in cases where sensitive data is being handled. This is seemingly obvious, but often difficult to do in practice. Essentially try to eliminate processes or situations where someone can access, change or use information assets without detection. For example network access and logging should be conducted by someone different from those authorized to use the data. If in doubt – no-one holds the keys to something from which they could gain.
Segregation of duties is a control put in place by many organizations to mitigate the risk of an insider threat or accidental employee mistakes. Sometimes this isn’t practical or possible, but the institution should be aware of the risks of a single person having too much access. Ideally, critical processes or activities should be split up between multiple people. For example, the initiation of a process, its execution, and authorization should be separated when possible. When this is not possible, monitoring and auditing critical processes are very important. Segregation of duties refers to practices where the knowledge and/or privileges needed to complete a process are broken up and divided among multiple users so that no single one is capable of performing or controlling it by himself.
The main reason to apply segregation of duties is to prevent the perpetration and concealment of fraud and error in the normal course of the activities, since having more than one person to perform a task minimizes the opportunity of wrongdoing and increases the chances to detect it, as well as to detect unintentional errors. Wrongdoing requires three factors to be possible: means, motive, and opportunity. Extremely lean processes increase the risk of wrongdoing by concentrating means and opportunity (access to and privileges over the process). By implementing segregation of duties, an organization minimizes the risk by splitting knowledge and privileges. However, the benefits of segregation of duties to security must be balanced with the increased cost/effort required. By using the ISO 27001 requirements for risk assessment, an organization can identify the most vulnerable and the most mission-critical elements of the business to which segregation of duties will represent real added value to the business and other interested parties.
The principles that can be applicable to segregation of duties are:
Sequential separation, when an activity is broken into steps performed by different persons (e.g., solicitation, authorization and implementation of access rights)
Individual separation, when at least two persons must approve an activity before it is done (e.g., contractor payment)
Spatial separation, when different activities are performed in different locations (e.g., locations to receive and store raw material)
Factorial separation, when several factors contribute to activity completion (e.g., two-factor access authentication).
These principles can be used in isolation or together, depending upon the security an organization requires to protect its processes.
Segregation can be implemented by:
1. Identification of functions that are indispensable to the organization’s activities, and potentially subject to abuse, considering either business drivers or regulatory compliance (e.g., SOX)
2. Division of the function into separate steps, either considering the knowledge necessary for the function to work or the privileges that enable that function to be abused
3. Definition of one or more segregation principles to be applied to the functions. Examples of functions and segregation principles to be applied are:
authorization function (e.g., two people need to authorize a payment)
documentation function (e.g., one person creates a document and another approves it)
custody of assets (e.g., backup media creation and storage in different sites)
reconciliation or audit (e.g., one person takes inventory and another validates it)
Sometimes the segregation of duties is impractical because the organization is too small to designate functions to different persons. In other cases, breaking down tasks can reduce business efficiency and increase costs, complexity, and staffing requirements. In these situations, compensating controls should be in place to ensure that even without segregation of duties the identified risks are properly handled. Examples of compensating controls are:
Monitoring activities: these allow activities to be supervised while in progress, as a way to ensure they are being properly performed.
Audit trails: these enable the organization to recreate the actual events from the starting point to its current status (e.g., who initiated the event, the time of day and date, etc.).
All information security responsibilities need to be defined and approved by management. The responsibilities can be general (e.g. protecting information) or specific (e.g. the responsibility for granting particular permissions). Consideration should be given to the ownership of information assets or groups of assets when identifying responsibilities. Information security responsibilities should be assigned to relevant staff members, e.g. the CEO, business owners, the general manager, HR managers and internal auditors. The auditor will be looking to gain confidence that the organization has made clear who is responsible for what, in a manner adequate to the size and nature of the organization. For smaller organisations it is generally unrealistic to have full-time positions for these roles and responsibilities; instead, a person with relevant authority within the organisation can be chosen to hold the responsibility and implement the process.
A.5.2 Information security roles and responsibilities
Control
Information security roles and responsibilities should be defined and allocated according to the organization needs.
Purpose
To establish a defined, approved and understood structure for the implementation, operation and management of information security within the organization.
ISO 27002 Implementation Guidance
Allocation of information security roles and responsibilities should be done in accordance with the information security policy and topic-specific policies. The organization should define and manage responsibilities for:
protection of information and other associated assets;
carrying out specific information security processes;
information security risk management activities and in particular acceptance of residual risks (e.g. to risk owners);
all personnel using an organization’s information and other associated assets.
These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities. Individuals with allocated information security responsibilities can assign security tasks to others. However, they remain accountable and should determine that any delegated tasks have been correctly performed. Each security area for which individuals are responsible should be defined, documented and communicated. Authorization levels should be defined and documented. Individuals who take on a specific information security role should be competent in the knowledge and skills required by the role and should be supported to keep up to date with developments related to the role and required in order to fulfill the responsibilities of the role.
Other information
Many organizations appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of risks and mitigating controls. However, responsibility for resourcing and implementing the controls often remains with individual managers. One common practice is to appoint an owner for each asset who then becomes responsible for its day-to-day protection. Depending on the size and resourcing of an organization, information security can be covered by dedicated roles or duties carried out in addition to existing roles.
All information security responsibilities need to be defined and allocated. Information security responsibilities can be general (e.g. protecting information) and/or specific (e.g. the responsibility for granting a particular permission). Information security is the responsibility of everyone at the organization. It is important to establish roles and responsibilities for staff, managers, and contractors/vendors so that everyone knows what is expected of them when handling information. Consideration should be given to the ownership of information assets or groups of assets when identifying responsibilities. Some examples of business roles which are likely to have some information security relevance include departmental heads, business process owners, the facilities manager, the HR manager and the internal auditor. Leadership is also very important, and many institutions have at least one person who is primarily responsible for organizing the information security program. Typically this is a Chief Information Security Officer (CISO), Information Security Officer (ISO) or Director of Information Security, although the title may vary depending on the organization. As such, clarifying specific information security responsibilities within existing job roles is important: e.g. the Operations Director or CEO might also be the equivalent of the CISO, with overarching responsibility for the whole ISMS, and the CTO might own all the technology-related information assets. No matter what title is selected, there should be someone at the organization who can provide a high level of decision-making support to leadership when considering information security issues and solutions. It is also important to establish data ownership and data handling roles (e.g., data owners, stewards, custodians, and users). Many institutions formally identify and document these roles within their information security policies and data management frameworks.
The auditor will be looking to gain assurance that the organisation has made clear who is responsible for what in an adequate and proportionate manner according to the size and nature of the organisation.
Here are some of the vital IT security roles and the responsibilities associated with them. Don’t be surprised that sometimes, different roles share some responsibilities.
1) Information Security Board of Review
The Information Security Board of Review (ISBR) may be an appointed administrative authority whose role is to provide oversight and direction regarding information systems security and privacy assurance campus-wide. In collaboration with the Chief Information Officer (CIO), the ISBR’s specific oversight responsibilities include the following:
Oversee the development, implementation, and maintenance of a strategic information systems security plan.
Oversee the development, implementation, and enforcement of information systems security policy and related recommended guidelines, operating procedures, and technical standards.
Oversee the process of handling requested policy exceptions
Advise the management on related risk issues and recommend appropriate actions in support of the risk management programs.
2) CISO
A CISO (Chief Information Security Officer) is the one whose task is to oversee corporate security strategy. The typical CISO’s responsibilities include:
Planning long-term security strategy
Planning and implementing data loss prevention measures
Managing access
Ensuring that the company implements proper safeguards to meet compliance requirements
Investigating any incidents and preventing them in the future
Assessing security risk
Arranging security awareness training
3) Security and Information Compliance Officers
The Security and Information Compliance Officers may oversee the development and implementation of the ISP. Specific responsibilities can include:
To ensure related compliance requirements are addressed, e.g., privacy, security, and administrative regulations associated with federal and state laws.
To ensure appropriate risk mitigation and control processes for security incidents as required.
To document and disseminate information security policies, procedures, and guidelines
To coordinate the development and implementation of an information security training and awareness program
To coordinate a response to actual or suspected breaches in the confidentiality, integrity or availability of information assets.
4) Data Owner
A Data Owner is an individual or group of people who have been officially designated as accountable for specific data that is transmitted, used, and stored on a system or systems within a department, location or administrative unit. The role of the Data Owner is to provide direct authority and control over the management and use of specific information. These individuals might be department heads, managers, supervisors, or designated staff. Responsibilities of a Data Owner include the following:
Ensure compliance with Organizational polices and all regulatory requirements. Data Owners need to understand whether or not any Organizational policies govern their information assets. Data Owners are responsible for having an understanding of legal and contractual obligations surrounding information assets within their functional areas.
Assign an appropriate classification to information assets. All information assets are to be classified based upon its level of sensitivity, value and criticality to the Organization.
Determine appropriate criteria for obtaining access to sensitive information assets. A Data Owner is accountable for who has access to information assets within their functional areas. This does not imply that a Data Owner is responsible for day-to- day provisioning of access. Provisioning access is the responsibility of a Data Custodian.
A Data Owner may decide to review and authorize each access request individually or may define a set of rules that determine who is eligible for access based on business function, support role, etc. Access must be granted based on the principles of least privilege as well as separation of duties. For example, a simple rule may be that all staff members are permitted access to their own health benefits information. A Data Custodian should document these rules in a manner that allows little or no room for interpretation.
Approve standards and procedures related to management of information assets. While it is the responsibility of the Data Custodian to develop and implement operational procedures, it is the Data Owner’s responsibility to review and approve these standards and procedures. A Data Owner should consider the classification of the data and associated risk tolerance when reviewing and approving these standards and procedures. For example, high risk and/or highly sensitive data may warrant more comprehensive documentation and, similarly, a more formal review and approval process.
Understand how information assets are stored, processed, and transmitted. Understanding and documenting how information assets are being stored, processed and transmitted is the first step toward safeguarding that data. Without this knowledge, it is difficult to implement or validate safeguards in an effective manner. One method of performing this assessment is to create a data flow diagram for a subset of data that illustrates the system(s) storing the data, how the data is being processed and how the data traverses the network. Data flow diagrams can also illustrate security controls as they are implemented. Regardless of approach, documentation should exist and be made available to the appropriate Data Owner.
The Data Custodian, who carries out the day-to-day handling of the data on the Data Owner’s behalf, has the following responsibilities:
Implement appropriate physical and technical safeguards to protect the confidentiality, integrity and availability of information assets. Data Custodians should work with Data Owners to gain a better understanding of these requirements. Data Custodians should also document what security controls have been implemented and where gaps exist in current controls. This documentation should be made available to the appropriate Data Owner.
Document and disseminate administrative and operational procedures to ensure consistent storage, processing and transmission of information assets. Documenting administrative and operational procedures goes hand in hand with understanding how data is stored, processed and transmitted. Data Custodians should document as many repeatable processes as possible. This will help ensure that information assets are handled in a consistent manner and will also help ensure that safeguards are being effectively leveraged.
Provision and de-provision access as authorized by the Data Owner. Data Custodians are responsible for provisioning and de-provisioning access based on criteria established by the appropriate Data Owner.
Understand and report security risks and how they impact the confidentiality, integrity and availability of information assets. Data Custodians need to have a thorough understanding of security risks impacting their information assets. For example, storing or transmitting sensitive data in an unencrypted form is a security risk. Protecting access to data using a weak password and/or not patching vulnerabilities in a system or application are both examples of security risks.
Security risks need to be documented and reviewed with the appropriate Data Owner so that he or she can determine whether greater resources need to be devoted to mitigating these risks. The Information Technology department can assist Data Custodians with gaining a better understanding of their security risks.
5) Data Users
All users have a critical role in the effort to protect and maintain information systems and data. For the purpose of information security, a Data User is any employee, contractor or third-party provider who is authorized to access Information Systems and/or information assets. Responsibilities of data users include the following:
Adhere to policies, guidelines and procedures pertaining to the protection of information assets.
Users are also required to follow all specific policies, guidelines, and procedures established by the units with which they are associated and that have granted them access privileges.
Report actual or suspected security and/or policy violations or breaches to IT. During the course of day-to-day operations, users may come across a situation where they feel the security of information assets might be at risk. For example, a user comes across sensitive information on a website that he or she feels shouldn’t be accessible. If this happens, it is the user’s responsibility to report the situation.
6) Application Security Engineer
The job of an app security engineer has two major aspects. Firstly, you will need to help developers to create more secure apps. Secondly, you’ll need to control third-party apps used by your company and ensure their safety. Some of the typical responsibilities and tasks include:
Configuring technical security controls
Conducting an app risk assessment
Whitelisting/blacklisting apps
Performing penetration testing
For app security engineers, it’s vital to control SaaS apps and the risks related to them. Risky and insecure apps should be blacklisted. To automate the job and remain time-efficient, they will probably need specialized software that helps with app security assessment and whitelisting/blacklisting.
7) Data Protection Officer (DPO)
Having a DPO may be one of the compliance requirements. A DPO must be appointed in organizations working with large-scale systematic monitoring or processing of sensitive data. Officers oversee corporate data protection measures and their effectiveness. A specialist appointed to the DPO role checks whether corporate security is of a sufficient level to meet compliance requirements, and recommends security upgrades if needed. That’s why an in-depth understanding of data security and compliance is an essential skill. The DPO orchestrates, manages, and supervises all the activities that are aimed at protecting users’ data and communicates the status to both internal and external parties. This includes:
Creating an effective step-by-step privacy program
Supervising the entire implementation process of the program at all stages
Assuring that all the data processes are being conducted
Reporting to the management, stakeholders, and all the parties involved on how the implementation process goes
Reporting to the management on the potential threats to data security and general integrity, and what can be done to eliminate them
Educating employees on the matters of data privacy and data protection
Training staff who are directly involved in data collection, processing or storage
Keeping track of and recording all the operations that involve users’ personal data and the reasons for these operations to take place
Auditing the data processes to assess their performance and address possible problems proactively
Reporting on the progress of the implementation and maintenance of the data privacy program in the company to the authorities, stakeholders, and public/customers
Being a connective link between the organization and data subjects (users/customers). Communicating with data subjects on how their data are being handled and what rights they have, and addressing all their requests concerning their data
Communicating with supervisors and being a connecting link between the organization and authorities
8) Network Security Engineer
As the name suggests, a network security engineer’s job is to protect corporate networks from data breaches, human error, or cyberattacks. Engineers are responsible for:
Configuring network security settings
Performing penetration testing
Developing and implementing sufficient measures to detect cyber threats
Implementing network security policies
Installing and maintaining security software like firewalls or backups
Also, a deep understanding of cloud security may be required.
9) Security Administrator
An IT security admin is a role that includes a wide range of skills and responsibilities to manage the protection of the company’s data. Some of the most common admin responsibilities include:
Managing access
Ensuring that data migration is secure
Configuring security software
Monitoring data behavior for abnormal activities
Implementing security policies
Testing the company’s systems to locate potential risks and vulnerabilities
Reporting security statuses and incidents (if any)
Using software tools to automate some of the tasks
An admin’s role is more significant than it may seem at first glance. An admin has to keep the whole organization’s security landscape in mind and ensure that even the tiniest processes are executed correctly. After all, even one careless click may be enough to initiate a cyberattack.
10) Security Analyst
What is the role of an information security analyst? This role is related to protecting corporate information against cyber attacks and insider threats. Generally, an analyst has to determine potential risks and vulnerabilities inside the system, so a deep understanding of data security threats and ways to prevent them is a must. As a security analyst, your responsibilities will include:
Analyzing and configuring corporate systems to improve their security
Analyzing data loss prevention measures
Looking for system vulnerabilities and ways to fix them
Monitoring data behavior for abnormal activities
Verifying security, availability, and confidentiality of corporate data
Also, the security analyst’s role requires an understanding of white hat hacking to design more advanced protection against cyber attacks. Analysts often work together with security architects.
11) Security Architect
A security architect is one of the senior-level IT security positions. An architect is focused on creating a secure-by-design environment. Unsurprisingly, this position requires a solid understanding of network, app, and hardware security, as well as experience with various systems. Generally, an architect’s responsibilities include:
Assessing the system’s security controls and processes to find potential security gaps
Planning changes and upgrades for corporate IT infrastructure
Maintaining system integrity
Implementing insider threat control measures
Choosing new security software if needed
Implementing disaster recovery measures
Analyzing previous incidents and creating an incident response plan
Analyzing the costs and benefits of security solutions
Of course, the exact scope of your tasks as an architect will vary depending on each organization’s unique infrastructure and needs. Often, an architect needs to assess corporate systems against security compliance standards to decide what changes are needed to become compliant.
12) Security Specialist
An IT security specialist is a person responsible for keeping corporate data safe. Security specialists maintain and upgrade systems and procedures to prevent data loss or leakage. IT specialists have many sub-specializations. Depending on a specific environment, an information security specialist will have a stronger focus on cloud, network, app, database or device security. In some cases, especially in small businesses, an IT security specialist is an all-rounder with responsibilities combining many cyber security roles at the same time. That’s why a security specialist must have strong IT skills and a deep understanding of both software and hardware—and, of course, an ability to locate potential vulnerabilities and fix them.
The objective of this procedure is to identify the types of information and their classification and labeling at XXX, so that all personnel follow a common framework and understanding of information security. The purpose of this procedure is to establish a framework for classifying data based on its level of sensitivity, value and criticality to XXX, as required by the information security policy. Classification of data will aid in determining baseline security controls for the protection of data.
2.0 Scope:
This procedure applies to all the business processes, its information and information system.
3.0 Responsibility:
IT dept.
Users
Process Owners/HOD
4.0 Procedure:
The following procedures cover how to label, store, dispose of, communicate, physically transfer or copy different types of information, depending on its classification and media (e.g. paper, electronic transmission (email) or electronic storage/transfer).
The distribution of data should be kept to a minimum. However, when data must be distributed, it must be validated and appropriately marked:
To the authorized recipient (a formal record shall be maintained and reviewed at appropriate intervals by the authorized recipients of data); and
Commensurate to its classification. The classification of data is split into three categories as defined in the Information Classification and Handling Policy.
All information assets must be classified into one of three categories. The information asset must be appropriately labelled to ensure that its classification is readily identifiable.
Where information is grouped together, the highest classification shall be applied to all information in the group.
The agreed classification categories are:
Category | Information Category | Description
1 | Confidential | Information is restricted to management-approved internal access and protected from external access. Unauthorized access could influence XXX’s operational effectiveness, cause an important financial loss, provide a significant gain to a competitor, or cause a major drop in customer confidence or breach a customer confidentiality clause. Information integrity is vital.
2A | Controlled (Internal – Department) | Information collected and used by the respective department of XXX to conduct its process and fulfill customer / client requirements. Access to this information is very restricted within the department. The highest possible levels of integrity, confidentiality and restricted availability are vital.
2B | Controlled (Internal – XXX) | Information that can be shared with other departments within XXX without any implications for XXX; this information is not to be shared outside XXX without authorization. Integrity within XXX is important.
3 | Public | Information is not confidential and can be made public without any implications for XXX. Loss of availability due to system downtime is an acceptable risk. Integrity is important but not vital.
LABELING
Document authors will need to ensure that classification status markings are applied manually to all documents using the appropriate classifications of ‘PUBLIC’,‘INTERNAL’ or ‘CONFIDENTIAL’.
All data must be marked with the appropriate classification clearly as a minimum in the document header prior to printing. If the material is already printed or has not been word-processed, the marking ‘PUBLIC’, ‘INTERNAL’ or ‘CONFIDENTIAL’ as appropriate, must be written, at the top of every page as a minimum. Multiple page documents must be stapled together.
Any information that is not specifically marked as being ‘INTERNAL’ or ‘CONTROLLED’ will be deemed to be ‘PUBLIC’. Therefore, the person responsible for processing or handling a document, particularly if consideration is being given as to whether a document should be disclosed, MUST consider the content of the document in determining how that document should be processed and not rely on its classification under this policy. The labeling of a document as Internal, Confidential or Public does not override XXX’s duties under the Data Protection Act or Information Act.
Removable media such as CDs or DVDs, USB data sticks etc. used to store XXX information must always be classified as ‘CONFIDENTIAL’ and do not require individual labeling or marking.
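The labeling rules above (the highest marking wins within a group, an unmarked document defaults to PUBLIC but must still be judged by its content, and removable media is always CONFIDENTIAL) expressed as a small Python check that could be run over document headers before they are filed or sent. This is an added example, not tooling from the original procedure; the function names and the sample headers are assumptions constructed for illustration.

```python
"""Classification marking check for the PUBLIC / INTERNAL / CONFIDENTIAL scheme.

Added example, not part of the original procedure; function names are
hypothetical and the sample headers are constructed for illustration.
"""
import re
from enum import IntEnum
from typing import Iterable, List, Tuple


class Classification(IntEnum):
    """Ordered so that max() yields the most restrictive marking."""
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3


# The procedure requires the literal upper-case marking, so the match is
# case-sensitive: a title-case "Confidential" does not count as a marking
# and the document is flagged for review instead.
MARKING_RE = re.compile(r"\b(PUBLIC|INTERNAL|CONFIDENTIAL)\b")


def classify_header(header: str) -> Tuple[Classification, bool]:
    """Return (classification, was_marked) for one document header.

    Unmarked documents default to PUBLIC; when several markings appear the
    highest wins, consistent with the grouping rule.
    """
    found = [Classification[m] for m in MARKING_RE.findall(header)]
    if not found:
        return Classification.PUBLIC, False
    return max(found), True


def classify_item(header: str, removable_media: bool = False) -> Tuple[Classification, bool]:
    """Removable media is always CONFIDENTIAL and needs no individual marking."""
    if removable_media:
        return Classification.CONFIDENTIAL, True
    return classify_header(header)


def group_classification(headers: Iterable[str]) -> Classification:
    """Grouped information takes the highest classification of any member."""
    return max((classify_header(h)[0] for h in headers), default=Classification.PUBLIC)


def review_queue(headers: Iterable[str]) -> List[str]:
    """Headers that fell back to the PUBLIC default; the handler must judge them by content."""
    return [h for h in headers if not classify_header(h)[1]]


# Constructed sample headers (not from the page).
SAMPLE_HEADERS = [
    "CONFIDENTIAL – Board pack Q3",
    "INTERNAL – Department rota",
    "Confidential: draft contract",  # mis-cased marking, treated as unmarked
    "Canteen menu",
]

if __name__ == "__main__":
    print("group classification:", group_classification(SAMPLE_HEADERS).name)
    print("needs content review:", review_queue(SAMPLE_HEADERS))
```

The review queue is the practical output: because the policy defaults unmarked material to PUBLIC, the check's job is not to trust that default but to hand every unmarked item to a person who decides on content.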
STORAGE
Information should be stored in accordance with contractual or legislative requirements and in a manner commensurate to its classification, as follows:
PUBLIC data: Does not require any access restrictions or specific safe storage.
INTERNAL data: If information is removed from the xxx for use by an employee at home, it must not be left unsecured in employees’ vehicles or left in public places. Information and data must be stored, wherever possible, in a lockable area at the employee’s home that cannot be accessed by any unauthorized person, including family members.
CONFIDENTIAL data: This is sensitive information to which access must be restricted; it must be securely locked away at the end of each working day or when no longer needed. This applies regardless of the format in which this information is held, e.g. paper, disk, files, tapes, faxes, post.
When stored in an electronic format, data must be protected by the use of both technical and physical access controls. The following must be in place for:
CONFIDENTIAL Data stored on servers:
Servers must be located within secure rooms at XXX premises and access must be restricted to authorized personnel only.
Logical access controls must be used with authorized user IDs and strong passwords.
Data stored in defined areas of the network must only be available to those authorized users with a need-to-know.
Encryption must be employed wherever possible
CONFIDENTIAL Data processed on laptops:
Laptop hard drives must have full disk encryption applied
Only authorised users with XXX network domain credentials are authorised to use laptops.
Authorised users viewing restricted data on a computer screen must observe the XXX guidance with particular attention to preventing the possibility of ‘Shoulder Surfing’ or casual viewing by unauthorised people
Data must be moved from the laptop to a secure area on the XXX network as soon as possible
CONFIDENTIAL Data held in hard copy:
Within XXX buildings must be locked away in secure storage
Within Employees homes must be stored, wherever possible, in a lockable area that cannot be accessed by any unauthorised person, including family members
At premises other than XXX locations if used for reference by third parties must remain within the XXX employee’s line of sight/possession and only made available to those with a need-to-know before retrieval
In transit must not be left unsecured in employee’s vehicles or left in public places.
Data held on portable (removable) media, such as (but not limited to) CD, DVD, USB and tape (including backup media), must have protection and encryption measures in place to protect against loss, theft, unauthorised access and unauthorised disclosure; or
When stored in another form, must be stored only in a locked drawer or room, or an area where access control measures exist to provide adequate protection and prevent unauthorised access by members of the public, visitors, or other persons without a need-to-know.
When verbally discussing Confidential information in public places or on public transport (including mobile phone conversations) care should also be taken in order that the conversation is not overheard. These rules also apply to verbal messages that might be left on answering machines or voicemail and also to information which is sent or received by email, fax, text or multimedia messages sent by mobile phone or other messaging services.
DISPOSAL OF INFORMATION
Information which is no longer required must be disposed of safely and securely and in accordance with its protective marking. There are many reasons why care must be taken when sensitive information is to be disposed of, including the following:
It may cause damage to the Council’s reputation if the information fell into the wrong hands;
It would be a breach of the Data Protection Act .
It could result in costly litigation and financial loss to the XXX
It could cause irreparable damage to individuals and families.
The ways in which we can prevent the above scenarios from occurring include the following disposal methods:
To ensure that all information other than PUBLIC is securely shredded
Any media (tapes, USB memory sticks etc.) must be securely destroyed through the XXX’s disposal procedure
Records must be maintained of all media disposals and must be made readily available
COPYING
Employees should be aware that they should not copy by any means, information which is marked ‘INTERNAL’ or ‘CONFIDENTIAL’ unless they are authorized to do so, under the ‘need-to-know’ principle.
This procedure applies to all information and documents produced by the XXX which have been deemed to have a security classification applied to them. The information covered in this procedure includes, but is not limited to, information that is either stored or shared via any means. This includes electronic information, information on paper, and information shared orally or visually (e.g. telephone conversations or video conferencing).
All XXX information has a value to the organisation; however, not all of the information has an equal value or requires the same level of protection. Being able to identify the value of information assets is key to understanding the level of security that they require. Once the appropriate level of security is identified, the appropriate control can be implemented to prevent loss, damage or compromise of the asset, disruption of business activities, and the compromise or theft of information and information processing facilities. Incorrect classification of assets might result in inadequate or incorrect controls being implemented to protect them.
If you need assistance or have any doubt and need to ask questions contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish them. Your comment and suggestion are also welcome.
The following diagram shows the process flow for risk assessment as part of the overall ISMS framework.
1. Risk Assessment Definitions
For a given information asset, Risk is defined as the probability of a threat materializing as a result of a vulnerability being compromised, resulting in an undesired impact. In other words, the assessment of risk includes the following key elements:
An Asset (1)
Applicable Threat category (2)
Threat & Impact (3)
Threat & Vulnerability (4)
Threat & Probability (5)
Overall Risk (to an asset against a specific threat)
This is illustrated in Table 1.
For the process of Risk assessment the following table has been used:
Asset (I) | Examples: Personnel, paper, Business Applications (Source: Asset Master)
Threat (II) | (Breach of) Confidentiality (Intentional or Accidental); (Breach of) Integrity (Intentional or Accidental); (Breach of) Availability (Intentional or Accidental)
Impact (III) | 1 – 4
Vulnerability (IV) | 1 – 4
Probability (V) | 1 – Low, 2 – Medium, 3 – High, 4 – Very High
Risk (VI) | 1 – 64
Table 1: Risk Assessment Formula
Asset Groups | This includes all forms of assets including personnel, paper, software, hardware, internal service providers, external service providers.
Threat | Any disaster event due to loss of confidentiality, integrity and/or availability (CIA) (not exhaustive).
Impact | Measured on a 4-point scale (4 – Very High, 3 – High, 2 – Medium, 1 – Low), the impact value represents the scale of business impact to the organization in the event of a security compromise.
Vulnerability | Measured on a 4-point scale (4 – Very High, 3 – High, 2 – Medium, 1 – Low), the vulnerability value represents the state of control for a given asset. Management takes action on all vulnerabilities greater than or equal to 2.
Probability | Measured on a 4-point scale (4 – Very High, 3 – High, 2 – Medium, 1 – Low), the probability value represents the likelihood of a threat being realized in the near future (next year). For all probabilities greater than or equal to 3, management defines a continuity plan.
Risk Value | Measured on a 64-point scale (>12 – High, 8–12 – Medium, <8 – Low), the risk value represents the state of risk for a given asset.
Table 2: Risk Assessment Terminology explained
(Information) Asset Groups
An Asset is defined as any business asset which has information content. Examples of assets (not exhaustive) are listed below:
Each department head creates and maintains their asset masters.
1.2 Risk Assessment Formula
Risk Assessment for each asset is carried out using the following formula.
Risk = Threat X Business Impact or loss of “Value” X Vulnerability X Probability. Each component of the risk assessment also undergoes a qualitative valuation based on the judgment of the risk analyst.
Listed below is an explanation of each of these terms.
1.1.1 Threat X (Business) Impact (valuation)
Each asset undergoes three major classifications of threat analysis – Confidentiality, integrity and availability. The risk analyst defines the appropriateness of the asset and the commensurate threat applicable to the asset. Each threat so chosen also undergoes a business impact or “valuation” on a range of 1(one) to 4(four) based on the following guideline. The risk analyst takes into consideration the worst scenario for valuation purposes:
Information Valuation/Rating
Information | Confidentiality Rating
New Business & Project opportunities | 4
Company Risk Register | 4
Joint Operations Agreement – JOA | 3
Production Sharing Contracts – PSC | 3
Sales Purchase Agreement | 3
G & G data including Seismic data | 3
Skills & Competency matrix of people (competitive advantage) | 3
Oil & Gas Reserve data numbers (competitive advantage) | 3
Oil & Gas sales report | 2
Employee compensations & employee personal information (privacy of information) | 4
Reservoir Data (e.g. Eclipse) | 3
Table 3: Confidentiality Rating
Availability Rating
Availability Requirement | Availability Rating
< 4 Hours: IT infrastructure and communication services and supporting utilities (Air-conditioning, Power etc.), Active Directory servers, SharePoint, Firewall and VPN services, all data & voice supporting network devices, Cloud Services (Microsoft Office 365 suite, Email) | 4 = Very High, Essential Infrastructure Services. # XXX is more connectivity driven as they need to remain in contact with their area & regional offices to fulfill all their requirements.
< 8 hours: Oracle E-Business Suite | 3 = High. # Access to and availability of data stored on the server-mapped G: drive is paramount to XXX business operations, in addition to the specific business applications they connect to.
> 8 hours and within 1 day (24 hours): Shared drive, LiveQuest, Petrel, G & G, Petrel RE, REP 5, Pansystem, Rose, Questor, Geoframe | 2 = Medium, Delayed Start Service
All other information that does not fall in the above categories | 1 = Low
Table 4: Availability Rating
Integrity Rating
Information | Integrity Rating
Inaccuracy in content accessible to employees concerning health & safety | 4
Inaccuracy results in financial loss to the company or its employees, or affects legal/regulatory reporting obligations | 4
Inaccuracy in content accessible to the public | 3
Inaccuracy in content accessible to employees but not financial/health/safety in nature | 3
No available category | 2 & 1
Table 5: Integrity Rating
The asset ‘impact’ rating is performed based on enterprise context.
1.3 Threat X Vulnerability
Vulnerability is, by definition, an inherent weakness through which a threat can be exploited. Vulnerability is the base factor and covers the absence (or existence) of controls or countermeasures. Vulnerability is rated on the following 4-point scale:
Vulnerability Value | Purport | Guideline
4 | Very High Vulnerability | Rate 4 where there is more than one vulnerability and, in the opinion of the analyst, the vulnerability is easy to exploit.
3 | High Vulnerability | Rate 3 where there is more than one vulnerability.
2 | Medium Vulnerability | Rate 2 where there is at least one vulnerability.
1 | Low Vulnerability | Rate 1 where there is no identified vulnerability.
Typical assessments (not exhaustive) consider the presence of preventive, detective, maintenance and/or monitoring controls that prevent the threat from materializing. The risk owner and the risk analyst jointly agree on the valuation of the asset.
1.4 Threat X Probability
Probability is the likelihood of a threat materializing for the given asset. The asset owner and the risk analyst jointly agree on the valuation of the asset. Probability is rated on the following 4-point scale:
Probability Value | Purport | Guideline
4 | Very High Probability | Rate 4 when there have been more than 2 incidents in the last one year.
3 | High Probability | Rate 3 when there have been two incidents in the past one year.
2 | Medium Probability | Rate 2 when there has been one incident in the past one year.
1 | Low Probability | Rate 1 when there has been no incident in the past, nor is one likely in the future.
For a given asset the risk is therefore calculated by a measure of threat, business impact, vulnerability and probability.
1.5 Justification
Each element of the risk assessment, i.e. Impact, Vulnerability and Probability, is given a justification for its valuation, or a reference to the Very High, High, Medium and Low definitions.
2. Risk Assessment Process
The process of risk assessment for a given asset consists of three stages as explained below:
Asset Definition
The Asset owner (typically HOD) creates and maintains an Asset master. The Asset master contains provisions to capture all forms of information asset (paper, people, documents, hardware, business applications, and external service providers).
CIA Impact Valuation
Each asset owner conducts an Impact valuation on the loss of Confidentiality, Integrity and Availability (CIA) for a given asset. While doing so, they consult the CIA reference tables to assess whether the asset correlates to the CIA criteria.
Risk Valuation
Assets rated 4 for C, I and/or A, where the impact of a security violation is Very High, must also be assessed for the other components of risk, namely vulnerability and probability.
Risks that cannot be treated are considered to be ‘Residual Risks’ and are subject to approval by the risk owner.
2.2 Risk Assessment Worksheets
All assets which have an impact value of 4 are rated with their vulnerability and probability in a centralized record called – XXX-ISMS-RA record.
A risk revaluation is done for those assets where a decision has been identified as closed.
3. Risk Treatment Process
The risk treatment process works as follows. All weakness areas are reported in a centralized vulnerability dashboard. ISMS QA/MR discusses each area of weakness and reports it to the applicable departments for closure.
ISMS QA/MR discusses the vulnerability or the associated risk with the risk owner.
Decisions to close an identified vulnerability are taken by the Head of Department. When the decision on implementation cannot be made by the department, it is moved up the chain of command to senior management for a final decision.
Implementation of each decision is ensured through the allocation of responsibilities, which is coordinated with the Heads of Departments or the applicable enforcer.
Areas where senior management or the head of department does not take a decision, or where full implementation takes a certain period of time, are considered residual risk. The senior management decision is recorded in the Gap dashboard as closed, work in progress (WIP) or residual risk (RR).
An annual plan of future initiatives is made available demonstrating the senior management commitment to ensure effective implementation of existing security framework.
Reassessment of Risk values is done for those assets wherein decisions have been taken to reduce their Risk. This is an ongoing activity and ISMS QA/MR keeps track of all such Risk areas.
All risk values are rated on the 64-point scale. All attempts are made to reduce the value of risk to the extent possible. However, the following rules apply:
The risk acceptance criterion is a vulnerability value of 1. When an asset’s vulnerability value is more than 1, the asset has a vulnerability. A vulnerability value of 1 reflects no known vulnerability and therefore becomes the benchmark for risk acceptance.
All vulnerabilities equal to 2 and above are presented to the management for reduction. Management includes department heads, and top management – depending on the areas of the risk.
All values of risk equal to or greater than 12 are presented to the management.
Upon the introduction of controls, there could be risks whose values do not come down below 12 and therefore continue to remain on the higher side. Such values are part of the residual risk.
Risks are classified as High if the value of the risk is >=12, Medium if the value is >=8 and <12, and Low if <8. Except for personnel assets, the objective for all remaining assets is to bring the vulnerability value down to <=2. For personnel, a HIGH risk is acceptable, as it may be an operational requirement.
Residual risks are reflected against each asset group where risk assessment is performed.
4. Risk Communication
For those risks where the vulnerability is 1, the risk owners are informed. The risk owner is required to own and accept the residual risk.
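The formula in 1.2, the 4-point scales in 1.3 and 1.4, the treatment thresholds in section 3 and the acceptance rule in section 4, written as Python functions, followed by a consistency check run over rows transcribed from the risk assessment record on this page. This is an added example, not the procedure's own tooling; function names are assumptions. The banding uses the >=12 High rule from section 3, which is the one the record's entries follow (xxx-RA-04 scores 12 and is recorded High). Run over the transcribed rows, the check flags xxx-RA-13, whose recorded category (Medium) does not match its recorded value of 4; a check of this kind is what a reviewer would run over the XXX-ISMS-RA record before a management review.

```python
"""Risk scoring and worksheet consistency check for the 4x4x4 (1-64) scheme.

Added example, not part of the original procedure; function names are
hypothetical and the worksheet rows are transcribed from the page's record.
"""
from dataclasses import dataclass
from typing import Dict, List

SCALE = {1: "Low", 2: "Medium", 3: "High", 4: "Very High"}


def impact_rating(c: int, i: int, a: int) -> int:
    """Asset impact is the worst case across the C, I and A ratings (1.1.1)."""
    for v in (c, i, a):
        if v not in SCALE:
            raise ValueError(f"rating out of range: {v}")
    return max(c, i, a)


def needs_full_assessment(impact: int) -> bool:
    """Only impact-4 assets are mandatorily rated for V and P (Risk Valuation)."""
    return impact == 4


def vulnerability_rating(identified: int, easy_to_exploit: bool = False) -> int:
    """4-point vulnerability scale from section 1.3."""
    if identified <= 0:
        return 1
    if identified == 1:
        return 2
    return 4 if easy_to_exploit else 3


def probability_rating(incidents_last_year: int) -> int:
    """4-point probability scale from section 1.4."""
    if incidents_last_year <= 0:
        return 1
    if incidents_last_year == 1:
        return 2
    if incidents_last_year == 2:
        return 3
    return 4


def risk_value(impact: int, vulnerability: int, probability: int) -> int:
    """Risk = Impact x Vulnerability x Probability, giving 1..64 (section 1.2)."""
    return impact * vulnerability * probability


def risk_category(value: int) -> str:
    """Banding from section 3: >=12 High, 8..11 Medium, <8 Low."""
    if value >= 12:
        return "High"
    if value >= 8:
        return "Medium"
    return "Low"


def treatment_actions(vulnerability: int, probability: int, value: int,
                      personnel: bool = False) -> List[str]:
    """Follow-up actions the treatment rules (Table 2, sections 3 and 4) attach to a rated asset."""
    actions = []
    if vulnerability >= 2:
        actions.append("present vulnerability to management for reduction")
    if probability >= 3:
        actions.append("management defines a continuity plan")
    if value >= 12:
        actions.append("present risk to management")
        if personnel:
            actions.append("High risk acceptable for personnel assets")
    if vulnerability == 1:
        actions.append("meets acceptance criterion; risk owner accepts residual risk")
    return actions


@dataclass(frozen=True)
class WorksheetRow:
    ref: str
    impact: int
    vulnerability: int
    probability: int
    recorded_value: int
    recorded_category: str


# Transcribed from the XXX-ISMS-RA record rows shown on this page.
WORKSHEET = [
    WorksheetRow("xxx-RA-01", 4, 3, 2, 24, "High"),
    WorksheetRow("xxx-RA-04", 4, 3, 1, 12, "High"),
    WorksheetRow("xxx-RA-05", 4, 1, 1, 4, "Low"),
    WorksheetRow("xxx-RA-07", 3, 1, 1, 3, "Low"),
    WorksheetRow("xxx-RA-12", 4, 1, 2, 8, "Medium"),
    WorksheetRow("xxx-RA-13", 4, 1, 1, 4, "Medium"),
]


def check_row(row: WorksheetRow) -> List[str]:
    """Discrepancies between the recorded cells and what the formula gives."""
    issues = []
    expected = risk_value(row.impact, row.vulnerability, row.probability)
    if expected != row.recorded_value:
        issues.append(f"value {row.recorded_value} != {expected}")
    expected_cat = risk_category(row.recorded_value)
    if expected_cat != row.recorded_category:
        issues.append(f"category {row.recorded_category} != {expected_cat}")
    return issues


def validate_worksheet(rows: List[WorksheetRow]) -> Dict[str, List[str]]:
    """Map of ref -> discrepancies, only for rows that have any."""
    return {r.ref: check_row(r) for r in rows if check_row(r)}


if __name__ == "__main__":
    for ref, problems in validate_worksheet(WORKSHEET).items():
        print(ref, "; ".join(problems))
```

The category check deliberately derives the band from the recorded value rather than the recomputed one, so a row with a transcription error in its value and a row with a mis-assigned band are reported as two different problems.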
5. Supporting Worksheets/reports
XXX – Department-wise ISMS Compliance sheet
XXX-ISMS-Risk Assessment record (also includes revised RA values)
Latest Statement of Applicability – reflects references to existing controls
Management review records includes residual risk and future plan of action.
Information Asset/ infrastructure-Management (Risk Area)
Form / Nature of Asset
Applicable Threats (NEW)
RA Date
Impact Rating
Justification
Existing Controls (=Strengths)
Missing Controls (=Weaknesses)
Vulnerability
Justification
Probability
Justification
Revised Risk Value
Recommendation (Yes or No)
Revised Risk Category
Residual Risks
xxx-RA-01
All Departments
xxx Employees (All personnel)
Personnel – Internal
Leak of Sensitive / Critical Data
01.01.1900
4
Teams has category 4 information
1. Background Screening in place, 2. Most Employee undergo induction training, 3. All employees sign code of conduct,
1. People have the opportunity to send emails. Consider DLP solution to reduce the opportunity of information theft. (Check whether DLP is implemented in office 365?)
3
One major vulnerability identified, however the ‘ease’ factor has high impact
2
Human behaviour is unpredictable
24
Yes – DLP verification is WIP
High
One major vulnerability identified, however the ‘ease’ factor has high impact
xxx-RA-02
All Departments
xxx Employees (All personnel)
Personnel – Internal
Critical Business activities get impacted
01.01.1900
4
Several teams are crucial for availability
1.Leave control management in place, 2. Whenever there is an additional manpower requirement, it is addressed as part of HR planning
Unauthorized access leading to information theft (by outsider)
Access Controls in placed. Central AD protects primary authentication followed by application specific controls.
No known weakness
1
No weakness identified
1
No incidents in the past one year, unlikely opportunity in the next year
4
No
Low
No weakness identified
xxx-RA-04
All Departments
Common User Applications (Active Directory/IP Telephony Oracle HRMS/Sharepoint Portal/Asset Management System/Enterprise Document Management System/Share drive (G: Drive)/Cogness/RPSystem/Discover/Global Tax Management System (GTMS)/Sun System/Hyperion/Website)
Business Applications
Information leakage and misuse, Virus impact on data/servers
01.01.1900
4
Applications are critical to business operations. Most information is rated as 3
Most products deployed are standard tools from recognized vendors/OEM.
1. OFI in change management process, 2. OFI in better access control
3
2 Identified vulnerabilities
1
No suspected incidents of application performance or misuse in the last year
12
Yes
High
1. OFI in change management process, 2. OFI in better access control
xxx-RA-05
IT Support
Switch configurations
LAN Management
Network down / impact day to day business operations
01.01.1900
4
Internal connectivity outage
Redundant network, secure configuration
No known weakness
1
No known weakness
1
No suspected incidents of application performance or misuse in the last year
4
No
Low
No weakness identified
xxx-RA-06
IT Support
Router Configurations
WAN Management
impact day to day business operations
01.01.1900
4
External connectivity outage
Redundant network, secure configuration
No known weakness
1
No known weakness
1
No suspected incidents of application performance or misuse in the last year
4
No
Low
No weakness identified
xxx-RA-07
IT Support
Wireless Configurations
Wireless Management
Data Leakage due to unauthorized access
01.01.1900
3
Office connectivity of mobile users
Alternate network based controls exist, limited access
No known weakness
1
No known weakness
1
No suspected incidents of application performance or misuse in the last year
3
No
Low
No weakness identified
xxx-RA-08
IT Support
All Servers (Unix and Windows) (Windows XP SP3/Windows 2003/Windows 2008/Solaris/Linux)
Server Management
Data Loss
01.01.1900
4
High Availability, High confidentiality
Combination of policies exist that include patch management, and vulnerability in place, certified staff handling the changes
No known weakness
1
No known weakness
1
No suspected incidents of application performance or misuse in the last year
4
No
Low
No weakness identified
xxx-RA-09
IT Support
Database Management (SQL and Oracle)
Database Management
Impact day to day business operations
01.01.1900
4
High Availability, High confidentiality
Combination of policies exist that include patch management, and vulnerability in place, certified staff handling the changes
No known weakness
1
No known weakness
1
No suspected incidents of application performance or misuse in the last year
4
No
Low
No weakness identified
xxx-RA-10
IT Support
Security Applications (Access Point – Card System/Access Point – Biometrics/Checkpoint-VPN/Firewall (Checkpoint)/AV (McAfee)/IPS/IDS (Cisco MARS)/Spam Filter (Symantec)/backup Management (Tivoli))
Security Applications
Data Leakage / corruption due to unauthorized access
01.01.1900
4
Security Controls protecting the network
Combination of policies in place, including patch and vulnerability management, with certified staff handling the changes
No known weakness
1
No known weakness
1
No suspected incidents of application performance or misuse in the last year
4
No
Low
No weakness identified
xxx-RA-11
IT Support
Desktop Management (Dell)
Desktop Management
Daily business activities impacted / delayed
01.01.1900
4
End user infrastructure
Standard list of software installed, malware protection that combines gateway and end user malware protection
No known weakness
1
No known weakness
1
No suspected incidents of application performance or misuse in the last year
4
No
Low
No weakness identified
xxx-RA-12
IT Support
Laptop Management (Dell / Apple)
Laptop Management
Impact day to day business operations
01.01.1900
4
End user infrastructure
Standard list of software installed, malware protection that combines gateway and end user malware protection
No known weakness
1
No known weakness
2
Laptop theft is an opportunity
8
No
Medium
No weakness identified
xxx-RA-13
General Services
Physical Access Management (Building, Floors, Work area, Server Room/s, generator Areas)
Physical Access Management
People / business information or data impacted
01.01.1900
4
Availability infrastructure
Combination of controls in place, including manpower, CCTV and access controls
No known weakness
1
No known weakness
1
No suspected incidents of application performance or misuse in the last year
4
No
Medium
No weakness identified
xxx-RA-14
IT Support
Document Management System (Share drives/Folders/Enterprise Document Management System)
Document Management
Data Leakage / corruption / loss
01.01.1900
4
Storage areas for sensitive files/documents
Access controls in place. Central AD handles primary authentication, followed by application-specific controls.
No known weakness
1
No known weakness
1
No suspected incidents of application performance or misuse in the last year
4
No
Medium
No weakness identified
xxx-RA-15
Legal
External Service providers (OEMs providing technical problem and patch management support)
External Service providers – IT
Financial Loss
01.01.1900
4
High Availability; their services are critical to application uptime
SLA in place; most vendors are global and provide 24/7 support
No known weakness
1
No known weakness
1
No suspected incidents of application performance or misuse in the last year
4
No
Medium
No weakness identified
xxx-RA-16
Legal
External Service providers (IT Consultants)
External Service providers – Legal
Financial / reputation Loss
01.01.1900
4
Teams hold configurations which in turn contain category 4 information
1. Background Screening in place, 2. All vendors staff sign NDA
1. People have the opportunity to send emails; consider a DLP solution to reduce the opportunity for information theft (check whether DLP is implemented in Office 365). 2. Consider bringing vendor staff within the scope of the information security induction.
3
Two major vulnerabilities identified
2
Human behaviour is unpredictable
24
Yes – DLP verification is WIP + Training on induction
High
1. People have the opportunity to send emails; consider a DLP solution to reduce the opportunity for information theft (check whether DLP is implemented in Office 365). 2. Consider bringing vendor staff within the scope of the information security induction.
xxx-RA-17
IT Support
External Service providers – IT + Hasibat information technology
External Service providers – IT
Financial Loss
01.01.1900
4
Several teams are crucial for availability
1. SLA including manpower availability is in place. 2. Vendors providing patch or problem support are covered by SLA/NDA
Disaster Prevention refers to steps to protect your building and collections before a disaster occurs.
Establish security routines, including an annual building inspection and seasonal maintenance.
Inspect wiring regularly.
Inspect roofs and drains regularly.
Follow local and state fire codes. The presence of fire alarms, smoke detectors, fire extinguishers, and a sprinkler system are strongly recommended for personal safety and collection preservation. Map their locations.
Select a storage space least vulnerable to fire, flood, and harsh weather patterns.
Establish and practice fire evacuation and tornado response procedures. Map evacuation routes and designated tornado shelters.
Install water detectors and alarms. Map their locations.
Locate water pipes and water shut-off valves. Map their locations.
Install alarms to deter intrusion and deliberate or random violence.
Install emergency lighting.
Store records at least 6 inches off the ground.
Prohibit smoking in storage areas.
Limit small appliances in the collection storage area.
Limit unauthorized access to the storage area.
Limit the number of records a patron may view at one time.
Consider microfilming records that receive high use, and limit access to the originals that may be stored off-site.
Check your insurance coverage regularly.
Determine how you will have access to emergency funds: a supply of purchase orders to be used only during an emergency, or a disaster emergency fund.
Purchase emergency supplies to keep on hand, inventory them regularly, and map their locations.
Train staff in salvage techniques.
Label vital and historical records, and create an inventory or locator map that will allow you quick access to these records when needed. Regularly update your finding aids and keep copies off-site.
Buildings and collections are particularly vulnerable during periods of construction, so increase security during these times.
Improving collection storage areas, when possible, will help prevent disasters and security problems.
Keep duplicates of your disaster plan, policies, lists, and record inventories off-site.
Disaster Plan
A Disaster Plan guides your organization through the proper responses to various types of disasters. This section highlights some of the elements of a disaster plan.
Create a written disaster preparedness plan or policy, which includes disaster recovery, damage assessment, and post disaster evaluation procedures.
Identify and prioritize the most important records. This includes records needed to resume business, historical records, and collections. Determine which record media and collections are more vulnerable or valuable than others.
Analyze your building, site, and collection storage areas. Include building and site maps in your disaster plan.
Establish responses to all potential geographic and climatic hazards, and other risks which could jeopardize your employees, building, and collections: tornadoes; floods; fires, which will include water damage from fire-hoses; pest infestation; mold; vandalism; and accidents.
Contact local civil defense offices to understand their disaster response procedures.
Identify sources of assistance, and develop contacts with appropriate consultants, suppliers, and vendors beforehand. Check your local Yellow Pages for contacts in your area, and make a list including names and telephone numbers. Update the list annually.
Establish contact with a freezer service; verify contact annually.
Special conservation efforts may be necessary for water- or fire-damaged records; have the phone numbers and addresses of people or agencies to contact available.
Include a copy of your collection inventory and vital records locator map in your disaster plan.
Include a supply list and locations in your disaster plan.
Create a telephone tree of staff and volunteers to help in the event of a disaster.
Establish a chain of command among staff members. All staff should know who they report to, and who they notify in case of disaster.
Know what your insurance carrier will require as evidence of damage: photographs, written documentation.
Establish salvage procedures for all collections, records, paper, and record media.
The following section outlines the roles and responsibilities for a two-pronged approach to disaster response: damage assessment and damage recovery. When establishing assessment and recovery teams for your disaster plan, it is important to detail specific responsibilities, outline clear lines of authority, and remember that a person may have more than one role.
Facilities Manager: responsible for seeing that the building is safe, that damage to the building is evaluated, and that measures are formulated and implemented to remedy or correct problems. Upon notification of a problem, establishes that no threat exists to personnel safety, secures the affected area and/or building, and alerts the Assessment Director. Establishes priorities for facility repairs, and follows the progress of repairs once begun.
Assessment Manager: organizes and manages the process by which damage is evaluated. Responsible for notifying and instructing Assessment Team Leaders, and enlisting the assistance of in-house or outside experts/resource people as required. Evaluates findings and recommendations, and contacts the Recovery Director with recovery recommendations.
Assessment Team Leader: selects and assembles the team members, and directs their operations. Instructs the team on what to do and how to do it, including methods of inspection and sampling, assessing damaged material, and documenting the process. Monitors the damage investigation, reporting recommendations to the Assessment Director.
Assessment Team: consists of people most knowledgeable about the collection or material involved. Responsibilities include recording observations and decisions made by the team; photographing damage; investigating where damage exists, the type of damage, and the importance and significance of the affected material; estimating the extent of damage to the collection; and establishing initial priorities for recovery of damaged items.
Recovery Manager: organizes and manages the recovery process. Sets priorities based on information received from the Assessment Director, assigns recovery teams, reports on progress, actions taken, problems encountered, and future risks. In many cases, the Assessment Director and Recovery Director may be the same person.
Recovery Team Leader: appoints team members, instructs the team on what they will be doing and how they will do it. Monitors the recovery process, and updates the Recovery Director.
Recovery Team: may include all staff members. Responsible for separating collections and other material to be salvaged, moving material to be recovered from affected areas to work or other storage spaces, drying materials, and packing materials that will require shipment to another facility. Other responsibilities include maintaining records and photographs of the recovery effort, including inventories and dates when items are sent out of the building to off-site storage or other facilities; what items have been frozen, treated or dried; where items have been relocated; and items in need of additional attention. The Recovery Team may also label items that have lost inventory numbers, label or re-label boxes with locator information, and label boxes ready for shipment.
Disaster Recovery
Disaster Recovery refers to the response and actions your organization takes after a disaster occurs.
Always place human safety first.
In the event of an emergency, prevent staff and volunteers from entering the building until city officials (fire or police department), or a building inspector determines the building is safe to enter.
Allow only authorized staff and volunteers into the damaged area, use check-in/out sheets to monitor access.
Contact your insurance carrier.
Stabilize temperature and relative humidity.
In the instance of a disaster, a recovery plan may include the following steps:
locate and establish a recovery site.
establish a designated storage area for removed material.
retrieve vital records.
maintain building security.
set up systems necessary to continue operations, such as workspace for employees, telephones, financial services, clerical support, office supplies, equipment, food, drink, and restrooms.
plan for building repair, and the replacement of equipment and furnishings.
determine what has been lost and what records and collections are salvageable.
If you need assistance, have any doubt or need to ask any question, contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish your contributions. Your comments and suggestions are also welcome.
A business continuity plan (BCP) is a document that outlines how a business will continue operating during an unplanned disruption in service. It’s more comprehensive than a disaster recovery plan and contains contingencies for business processes, assets, human resources, and business partners – every aspect of the business that might be affected. Plans typically contain a checklist that includes supplies and equipment, data backups, and backup site locations. Plans can also identify plan administrators and include contact information for emergency responders, key personnel, and backup site providers. Plans may provide detailed strategies on how business operations can be maintained for both short-term and long-term outages.
A key component of a business continuity plan (BCP) is a disaster recovery plan that contains strategies for handling IT disruptions to networks, servers, personal computers and mobile devices. The plan should cover how to reestablish office productivity and enterprise software so that key business needs can be met. Manual workarounds should be outlined in the plan, so operations can continue until computer systems can be restored. There are three primary aspects to a business continuity plan for key applications and processes:
High availability: Provide for the capability and processes so that a business has access to applications regardless of local failures. These failures might be in the business processes, in the physical facilities or in the IT hardware or software.
Continuous operations: Safeguard the ability to keep things running during a disruption, as well as during planned outages such as scheduled backups or planned maintenance.
Disaster recovery: Establish a way to recover a data center at a different site if a disaster destroys the primary site or otherwise renders it inoperable.
Example of Business Continuity Plan
Section I: Introduction
A. How to Use This Plan
In the event of a disaster which interferes with <ORGANIZATION NAME>’s ability to conduct business from one of its offices, this plan is to be used by the responsible individuals to coordinate the business recovery of their respective areas and/or departments. The plan is designed to contain, or provide a reference to, all of the information that might be needed at the time of business recovery. This plan is not intended to cover the operations of <ORGANIZATION NAME>’s separately structured Emergency Response Team.
Index of Acronyms: (EOC) Emergency Operations Center; (EMT) Emergency Management Team; (ERT) Emergency Response Team; (BCP) Business Continuity Plan; (IT) Information Technology
Section I, Introduction, contains general statements about the organization of the plan. It also establishes responsibilities for the testing (exercising), training, and maintenance activities that are necessary to guarantee the ongoing viability of the plan.
Section II, Business Continuity Strategy, describes the strategy that the <Department Name> Department will control/implement to maintain business continuity in the event of a facility disruption. These decisions determine the content of the action plans, and if they change at any time, the plans should be changed accordingly.
Section III, Recovery Teams, lists the Recovery Team functions, those individuals who are assigned specific responsibilities, and procedures on how each of the team members is to be notified.
Section IV, Team Procedures, determines what activities and tasks are to be taken, in what order, and by whom in order to effect the recovery.
Section V, Appendices, contains all of the other information needed to carry out the plan. Other sections refer the reader to one or more Appendices to locate the information needed to carry out the Team Procedures steps.
B. Objectives
The objective of the Business Continuity Plan is to coordinate the recovery of critical business functions in managing and supporting the business recovery in the event of a facilities (office building) disruption or disaster. This can include short or long-term disasters or other disruptions, such as fires, floods, earthquakes, explosions, terrorism, tornadoes, extended power interruptions, hazardous chemical spills, and other natural or man-made disasters. A disaster is defined as any event that renders a business facility inoperable or unusable so that it interferes with the organization’s ability to deliver essential business services. The priorities in a disaster situation are to:
Ensure the safety of employees and visitors in the office buildings. (Responsibility of the ERT)
Mitigate threats or limit the damage that threats can cause. (Responsibility of the ERT)
Have advanced preparations to ensure that critical business functions can continue.
Have documented plans and procedures to ensure the quick, effective execution of recovery strategies for critical business functions.
The <Department Name> Business Continuity Plan includes procedures for all phases of recovery as defined in the Business Continuity Strategy section of this document.
C. Scope
The Business Continuity Plan is limited in scope to recovery and business continuance from a serious disruption in activities due to the non-availability of <ORGANIZATION NAME>’s facilities. The Business Continuity Plan includes procedures for all phases of recovery as defined in the Business Continuity Strategy of this document. This plan is separate from <ORGANIZATION NAME>’s Disaster Recovery Plan, which focuses on the recovery of technology facilities and platforms, such as critical applications, databases, servers, or other required technology infrastructure (see Assumption #1 below). Unless otherwise modified, this plan does not address temporary interruptions of duration less than the time frames determined to be critical to business operations. The scope of this plan is focused on localized disasters such as fires, floods, and other localized natural or man-made disasters. This plan is not intended to cover major regional or national disasters such as regional earthquakes, war, or nuclear holocaust. However, it can provide some guidance in the event of such a large-scale disaster.
D. Assumptions
The viability of this Business Continuity Plan is based on the following assumptions:
That a viable and tested IT Disaster Recovery Plan exists and will be put into operation to restore data center service at a backup site within five to seven days.
That the Organization’s facilities management department has identified available space for relocation of departments which can be occupied and used normally within two to five days of a facilities emergency.
That this plan has been properly maintained and updated as required.
That each department has their own Business Continuity Plan.
The functions and roles referenced in this plan do not have to previously exist within an organization; they can be assigned to one or more individuals as new responsibilities, or delegated to an external third party if funding for such services can be arranged and allocated.
E. Changes to the Plan/Maintenance Responsibilities
Maintenance of the <Department Name> Business Continuity Plan is the joint responsibility of the <Department Name> management, the Facilities Management Department, and the Business Continuity Coordinator.
Department Name management is responsible for:
Periodically reviewing the adequacy and appropriateness of its Business Continuity strategy.
Assessing the impact on the <Department Name> Business Continuity Plan of additions or changes to existing business functions, <Department Name> procedures, equipment, and facilities requirements.
Keeping recovery team personnel assignments current, taking into account promotions, transfers, and terminations.
Communicating all plan changes to the Business Continuity Coordinator so that the organization’s IT master Disaster Recovery Plan can be updated.
Facilities Management Department management is responsible for:
Maintaining and/or monitoring offsite office space sufficient for critical <Department Name> functions and to meet the <Department Name> facility recovery time frames.
Communicating changes in the “Organization IT Disaster Recovery Plan” plan that would affect groups/departments to those groups/departments in a timely manner so they can make any necessary changes in their plan.
Communicating all plan changes to the Business Continuity Coordinator so that the master plan can be updated.
The Business Continuity Coordinator is responsible for:
Keeping the organization’s IT Recovery Plan updated with changes made to <Department Name> facilities plans.
Coordinating changes among plans and communicating to <Department Name> management when other changes require them to update their plans.
F. Plan Testing Procedures and Responsibilities
<Department Name> management is responsible for ensuring the workability of their Business Continuity Plan. This should be periodically verified by active or passive testing.
G. Plan Training Procedures and Responsibilities
<Department Name> management is responsible for ensuring that the person who would carry out the Business Continuity Plan is sufficiently aware of the plan’s details. This may be accomplished in a number of ways, including practice exercises, participation in tests, and awareness programs conducted by the Business Continuity Coordinator.
H. Plan Distribution List
The <Department Name> Business Continuity Plan will be distributed to the following departments and/or individuals, and will be numbered in the following manner:
Plan ID No
Location
Person Responsible
Section II: Business Continuity Strategy
A. Introduction
This section of the <Department Name> Business Continuity Plan describes the strategy devised to maintain business continuity in the event of a facility disruption. This strategy would be invoked should the <ORGANIZATION NAME> <Department Name> primary facility somehow be damaged or inaccessible. It is assumed that each critical business function at your location also has its own group/department Business Continuity Plan, which is similar to this plan except the recovery procedures and appendices have been customized for each respective group/department based on size, and complexity.
B. Business Function Recovery Priorities
The strategy is to recover critical <Department Name> business functions at the alternate site location. This is possible only if an offsite strategy has been put into effect by Office Services and the Disaster Recovery/IT Teams to provide the recovery service. Information Systems will recover IT functions based on the critical departmental business functions and defined strategies. Business Functions by Location are listed in Appendix B (Recovery Priorities for Critical Business Functions). “Time Critical Business Functions,” i.e., those that are most critical for immediate recovery at the secondary location, are: Reference: Appendix B – Recovery Priorities for Critical Business Functions
C. Relocation Strategy and Alternate Business Site
In the event of a disaster or disruption to the office facilities, the strategy is to recover operations by relocating to an alternate business site. The short-term strategies (for disruptions lasting two weeks or less), which have been selected, include:
Primary Location: <Office Address>
Alternate Business Site: TBD
For all locations, if a long-term disruption occurs (i.e. major building destruction, etc.), the above strategies will be used in the short term (less than two weeks). The long-term strategy will be to acquire/lease and equip new office space in another building in the same metropolitan area.
D. Recovery Plan Phases
The activities necessary to recover from a <ORGANIZATION NAME> facilities disaster or disruption will be divided into four phases. These phases will follow each other sequentially in time.
1. Disaster Occurrence
This phase begins with the occurrence of the disaster event and continues until a decision is made to activate the recovery plans. The major activities that take place in this phase include emergency response measures, notification of management, damage assessment activities, and declaration of the disaster.
2. Plan Activation
In this phase, the Business Continuity Plans are put into effect. This phase continues until the alternate facility is occupied, critical business functions are reestablished, and computer system service is restored to <ORGANIZATION NAME>’s Departments. The major activities in this phase include notification and assembly of the recovery teams, implementation of interim procedures, relocation to the secondary facility/backup site, and re-establishment of data communications.
3. Alternate Site Operations
This phase begins after secondary facility operations are established and continues until the primary facility is restored. The primary recovery activities during this phase are backlog reduction and alternate facility processing procedures.
4. Transition to Primary Site
This phase consists of any and all activities necessary to make the transition back to a primary facility location.
E. Vital Records Backup
All vital records for <Department Name> that would be affected by a facility disruption are maintained and controlled by either <Department Name> or Disaster Recovery/IT. Some of these files are periodically backed up and stored at an offsite location as part of normal <Department Name> operations. When <Department Name> requires on-site file rooms, scanning, and organization offsite storage locations, best practice advises using one nearby Records Warehouse and another secure site for vital records and data backup. All vital documents are typically located in files within the office complex, and the most current backup copies are in a secure off-site storage facility.
F. Restoration of Hardcopy Files, Forms, and Supplies
In the event of a facility disruption, critical records located in the <Department Name> Department may be destroyed or inaccessible. In this case, the last backup of critical records in the secure warehouse would be transported to the secondary facility. The number of critical records which would have to be reconstructed will depend on when the last shipment of critical records to the offsite storage location occurred. <Department Name> management will arrange the frequency of rotation of critical records to the offsite storage site. The following categories of information can be exposed to loss:
Any files stored on-site in file cabinets and control file rooms.
Information stored on local PC hard drives.
Any work in progress.
Received and un-opened mail.
Documents in offices, work cubes and files.
Off-site records stored in the Records Warehouse (if this is not a secure, hardened facility).
G. On-line Access to <ORGANIZATION NAME> Computer Systems
In the event of a facility disruption, the IT Disaster Recovery Plan strategy should be to assist in re-establishing connectivity to the <ORGANIZATION NAME> departments and to establish remote communications to any alternate business site location. If the data center is affected by a disaster or disruption, the IT Disaster Recovery Plan should include recovering processing at a pre-determined alternate site. Services covered would include: phones, cellular phones, pagers, communications, and all other services required for restoring limited emergency service to the organization. In this case, data communications will be rerouted from the data processing hot or cold site to the respective alternate business site locations.
BCP Representatives – It will be necessary to contact your respective Information Technology department in order to complete this section. You should understand, and enter here, what the recovery time frame is for systems recovery (i.e. whether critical systems will be restored within hours or days) and what the strategy is for acquisition, installation, and connection of PCs/terminals. Acquisition and recovery of critical standalone personal computer capabilities should also be considered here. You should also understand the Information Technology strategy for recovery of the applications, whether AS/400-based or on desktop systems, on which <Department Name> relies.
H. Mail and Report Distribution
During the time that <ORGANIZATION NAME> department operations are run from the secondary facilities, output reports and forms will have to be delivered to that location. The data center may or may not have the same print capability if the disruption affected the data center as well, so it may be necessary to prioritize printing of output. The EOC Administration Team in conjunction with designated delivery/courier services will distribute mail to all <ORGANIZATION NAME> alternate business sites. Due to the possibility of multiple alternate business sites and the additional travel time required for mail service activities, the number of mail pickups and deliveries could possibly be decreased from the normal daily routine to once daily. Mail pickup and delivery schedules, including overnight mail, will be established and communicated to each alternate business site. Overnight mail/package delivery carriers should be contacted directly by a business function for items requiring pickup after the last scheduled pickup by the EOC Administration Team. All overnight mail service vendors will be notified by the EOC Administration Team of appropriate alternate office addresses to redirect deliverables to <ORGANIZATION NAME> personnel or provide for pick up at the post office by a Team member.
Section III: Recovery Teams
A. Purpose and Objective
This section of the plan identifies who will participate in the recovery process for the <Department Name> Business Continuity Plan. The participants are organized into one or more teams. Each team has a designated team leader and an alternate for that person. Other team members are assigned either to specific responsibilities or as team members to carry out tasks as needed.
The information in this section is organized into several subsections.
B. Recovery Team Descriptions
This section lists the team definitions for the <Department Name> Team and gives a short explanation of the function of each team or function.
<Department Name> Recovery Team:
Responsible for oversight of the <Department Name> recovery functions.
C. Recovery Team Assignments
This section identifies the team roles and the specific responsibilities that have been assigned to the team.
Team Leader – Overall coordination of the <Department Name> Recovery Team.
Backup Team Leader – Duties to be assigned based on Recovery Team areas of responsibility.
Team Member – Duties to be assigned based on Recovery Team areas of responsibility.
D. Personnel Notification
This section specifies how the team members are to be notified if the plan is to be put into effect, by identifying who calls whom, and in what order. Notification can also be made by using tools such as reverse 911 or other notification systems.
References: Appendix A – Employee Telephone Lists
E. Team Contacts
This section identifies other people or organizations outside of the <Department Name> Team who might need to be contacted during the recovery process. Their names and telephone numbers are provided.
Reference: Appendix A – Employee Telephone Lists
F. Team Responsibilities
Departmental Recovery Teams
Name | Department/Position | Floor | Comments
Business Continuity Coordinator – <Insert Name>
In the event of a disaster, the Business Continuity Coordinator is responsible for ensuring that the following activities are successfully completed:
Works with the <ORGANIZATION NAME> Emergency Management Team to officially declare a disaster, and start the Disaster Recovery/Business Continuation process to recover <ORGANIZATION NAME>’s business functions at an alternate site.
Alert <ORGANIZATION NAME>’s Senior Management that a disaster has been declared.
Assist in the development of an official public statement concerning the disaster. <ORGANIZATION NAME>'s EOC Communications Team Leader is the only individual authorized to make public statements about organization affairs.
Monitor the progress of all Business Continuity and Disaster Recovery teams daily.
Present Business Continuity Plan recovery status reports to Senior Management on a daily basis.
Interface with appropriate work management personnel throughout the recovery process.
Communicate directions received from <ORGANIZATION NAME>’s Senior Management to the EOC and Departmental Business Continuity Team Leaders.
Provide on-going support and guidance to the Business Continuity teams and personnel.
Review staff availability and recommend alternate assignments, if necessary.
Work with <ORGANIZATION NAME>’s Senior Management to authorize the use of the alternate recovery site selected for re-deploying critical <ORGANIZATION NAME> resources.
Review and report critical processing schedules and backlog work progress, daily.
Ensure that a record of all Business Continuity and Disaster Recovery activity and expenses incurred by <ORGANIZATION NAME> is being maintained.
EOC Communications Team –
This team is responsible for providing information regarding the disaster and recovery efforts to:
<ORGANIZATION NAME> and organization offices Senior Management
Customers
Vendors/Contracts
Media
Regulatory Agencies
Other Stakeholders
Coordinating, submitting, and tracking any and all claims for insurance.
EOC Human Resources Team –
This team is responsible for:
Providing information regarding the disaster and recovery efforts to employees and families.
Assisting in arranging cash advances if out of area travel is required.
Notifying employee’s emergency contact of employee injury or fatality.
Ensuring the processing of all life, health, and accident insurance claims as required.
Ensuring the recovery/restoration personnel have assistance with clerical tasks, errands, and other administrative activities.
Arranging for the availability of necessary office support services and equipment.
Providing a channel for authorization of expenditures for all recovery personnel.
Arranging travel for employees.
Tracking all costs related to the recovery and restoration effort.
Identifying and documenting when repairs can begin and obtaining cost estimates.
Determining where forms and supplies should be delivered, based on damage to the normal storage areas for the materials.
Contacting vendors to schedule specific start dates for the repairs.
Taking appropriate actions to safeguard equipment from further damage or deterioration.
Coordinating the removal, shipment, and safe storage of all furniture, documentation, supplies, and other materials as necessary.
Supervising all salvage and cleanup activities.
Coordinating required departmental relocations to the recovery sites.
Coordinating relocation to the permanent site after repairs are made.
Assuring that arrangements are made for meals and temporary housing facilities, when required, for all recovery personnel.
Assuring order placement for consumable materials (forms, supplies, etc.) for processing based upon input from the other teams.
Notifying the United States Postal Service of delivery disruption.
Establishing internal mail delivery procedures and process.
Assuring that mail, and reports are redirected to the proper location as required.
Emergency Response Team –
This team is responsible for:
The safety of all employees.
Inspecting the physical structure and identifying areas that may have sustained damage.
Expanding on and/or revising the findings of the Preliminary Damage Assessment.
Providing management with damage assessment reports and recommendations.
Information Technology Recovery Team (See also Disaster Recovery Plan) –
This team is responsible for:
Activating the IT Technology Recovery Plan (See also Disaster Recovery Plan).
Managing the IT disaster response and recovery procedures.
Mobilizing and managing IT resources.
Coordinating all communications related activities, as required, with telephone & data communications, PC, LAN support personnel, and other IT related vendors.
Assisting, as required, in the acquisition and installation of equipment at the recovery site.
Ensuring that cellular telephones, and other special order equipment and supplies are delivered to teams as requested.
Participating in testing equipment and facilities.
Participating in the transfer of operations from the alternate site as required.
Coordinating telephone setup at the EOC and recovery site.
Coordinating and performing restoration or replacement of all desktop PCs, LANs, telephones, and telecommunications access at the damaged site.
Coordinating Disaster Recovery/IT efforts between different departments in the same or remote locations.
Training Disaster Recovery/IT Team Members.
Keeping Senior Management and the EOC Business Continuity Coordinator apprised of recovery status.
Section IV: Recovery Procedures
A. Purpose and Objective
This section of the plan describes the specific activities and tasks that are to be carried out in the recovery process for <Department Name>. Given the Business Continuity Strategy outlined in Section II, this section transforms those strategies into a very specific set of action activities and tasks according to the recovery phase.
The Recovery Procedures are organized in the following order: recovery phase, activity within the phase, and task within the activity.
The recovery phases are described in Section II.D of the Plan. In the Recovery Procedures document, the phases are listed in the order in which they will occur. The description for each recovery phase begins on a new page.
Each activity is assigned to one of the recovery teams. Each activity has a designated team member who has the primary assignment to complete the activity. Most activities also have an alternate team member assigned. The activities are listed in the sequence in which they will generally, but not always, be performed.
The finest level of detail in the Recovery Procedures is the task. All plan activities are completed by performing one or more tasks. The tasks are numbered sequentially within each activity, and this is generally the order in which they would be performed.
B. Recovery Activities and Tasks
PHASE I: Disaster Occurrence
ACTIVITY: Emergency Response and Emergency Operations Center Designation
ACTIVITY IS PERFORMED AT LOCATION: Main Office or Emergency Operations Center
ACTIVITY IS THE RESPONSIBILITY OF THIS TEAM: All Employees
TASKS:
After a disaster occurs, quickly assess the situation to determine whether to immediately evacuate the building or not, depending upon the nature of the disaster, the extent of damage, and the potential for additional danger.
Note: If the main office is a total loss, not accessible, or not suitable for occupancy, the remaining activities can be performed from the Emergency Operations Center (EOC), after ensuring that all remaining tasks in each activity have been addressed. This applies to all activities where the Main Office is the location impacted by the disaster. The location(s) of the EOC are designated in Appendix D – Emergency Operations Center (EOC) Locations. The EOC may be temporarily set up at any one of several optional locations, depending on the situation and the accessibility of each one. Once the Alternate Site is ready for occupancy, the EOC can be moved to that location.
Quickly assess whether any personnel in your surrounding area are injured and need medical attention. If you are able to assist them without causing further injury to them or without putting yourself in further danger, then provide what assistance you can and also call for help. If further danger is imminent, then immediately evacuate the building.
If appropriate, evacuate the building in accordance with your building’s emergency evacuation procedures. Use the nearest stairwells. Do not use elevators.
Outside of the building, meet at (XXXXXXXX XXXXXXXXXX). Do not wander around or leave the area until instructed to do so.
Check in with your department manager for roll call. This is important to ensure that all employees are accounted for.
ACTIVITY: Notification of Management
ACTIVITY IS PERFORMED AT LOCATION: At Any Available Phone
ACTIVITY IS THE RESPONSIBILITY OF: <Department Name> Management Team
PRIMARY: <INSERT NAME>
ALTERNATE: <INSERT NAME>
TASKS:
Team leader informs the members of the <Department Name> management team and notifies the <Department Name> senior management if they have not been informed.
<Department Name> personnel are notified of the disaster by following procedures as included in Section III. D. – Recovery Personnel Notification.
Depending upon the time of the disaster, personnel are instructed what to do (i.e. stay at home and wait to be notified again, etc.)
ACTIVITY: Preliminary Damage Assessment
ACTIVITY IS PERFORMED AT LOCATION: Main Office Location
ACTIVITY IS THE RESPONSIBILITY OF: <Department Name> Management Team
TASKS:
Contact the Organization Emergency Response Team Leader to determine responsibilities and tasks to be performed by the <Department Name> Management Team or employees.
If the Organization Emergency Response Team requests assistance in performing the Preliminary Damage Assessment, caution all personnel to avoid safety risks as follows:
Enter only those areas the authorities give permission to enter.
Ensure that all electrical power supplies are cut to any area or equipment that could pose a threat to personal safety.
Ensure that under no circumstances is power to be restored to computer equipment until the comprehensive damage assessment has been conducted, reviewed, and authority to restore power has been expressly given by the Emergency Management Team.
Inform all team members that no alteration of facilities or equipment can take place until the Risk Management representatives (this is a function provided through the Department of Central Services as a statewide service) have made a thorough assessment of the damage and given their written agreement that repairs may begin.
Instruct the Organization Emergency Response Team Leader to deliver the preliminary damage assessment status report immediately upon completion.
Facilitate retrieval of items (contents of file cabinets — petty cash box, security codes, network backup tapes, control books, etc.) needed to conduct the preliminary damage assessment.
Ensure that administrative support is available, as required.
Arrange a meeting with the Emergency Management Team and Management Teams from other GROUPS/DEPARTMENTS in your facility (location) to review the disaster declaration recommendation that results from the preliminary damage assessment and to determine the course of action to be taken. With this group, determine the strategy to recommend to Senior Management (the Emergency Management Team Leader will be responsible for communicating this to Senior Management).
ACTIVITY: Declaration of a Disaster
ACTIVITY IS PERFORMED AT LOCATION:Main Office Location or Alternate Site/Emergency Operations Center
ACTIVITY IS THE RESPONSIBILITY OF: <Department Name> Management Team
TASKS:
Actual declaration of a disaster is to be made by the Emergency Management Team, after consulting with senior management. The <Department Name> Management Team should wait for notification from the Emergency Management Team that a disaster has been declared and that groups/departments are to start executing their Business Continuity Plans and relocate to their Alternate Business Site Location.
The person contacted verifies that the caller is someone who is authorized to do the notification.
The person contacted notifies the <Department Name> Senior Management, if they have not yet been contacted.
In the event the Emergency Management Team cannot be assembled or reached, the Team Leaders from each <Department Name> Management Team at the location should assemble, gather appropriate information, consult with senior management, and make the decision whether to declare the disaster.
Because of the significance, disruption, and cost of declaring a disaster, appropriate facts should be gathered and considered before making the decision to declare a disaster. Individual groups/department personnel or the respective <Department Name> Management Teams should not unilaterally make a decision to declare a disaster. This is responsibility of the Emergency Management Team.
PHASE II: Plan Activation
ACTIVITY: Notification and Assembly of Recovery Teams and Employees
ACTIVITY IS PERFORMED AT LOCATION:Alternate Site/Emergency Operations Center
ACTIVITY IS THE RESPONSIBILITY OF: <Department Name> Management Team
TASKS:
The team leader calls each member of the management team, instructs them when to assemble at the <Department Name> Emergency Operations Center (to be decided at the time), and tells them to bring their copies of the Plan. The location(s) of the EOC are designated in Appendix D – Emergency Operations Center (EOC) Locations. The EOC may be temporarily set up at any one of several optional locations, depending on the situation and the accessibility of each one. Once the Alternate Site is ready for occupancy, the EOC can move to that location, if preferred.
Review the recovery strategy and action plan with the assembled team.
If necessary, adjust the management team assignments based on which members are available.
The Management Team contacts critical employees and tells them to assemble at the alternate site. If the alternate site is a long distance from the primary site (i.e. out-of-state), then individuals should make their own travel arrangements to the alternate site. Non-critical employees should be instructed to stay at home, doing what work is possible from home, until notified otherwise.
In the event of a disaster that affects telecommunications service regionally, the Management Team should instruct critical employees to proceed to the alternate site even if they have not been contacted directly. Delays in waiting for direct communications can have a negative impact on <ORGANIZATION NAME>’s ability to recover vital services.
ACTIVITY:Relocation to Alternate Site
ACTIVITY IS PERFORMED AT LOCATION: Alternate Site
ACTIVITY IS THE RESPONSIBILITY OF: All Critical Personnel
TASKS:
When instructed by the <Department Name> Management Team, make arrangements to commute or travel to the alternate site. See the fifth task under Notification and Assembly of Recovery Teams and Employees for the exception to this step (proceed without direct contact when regional telecommunications are down).
The <Department Name> Management Team needs to consult with the Emergency Management Team and the Organization Emergency Response Team to determine if access can be gained to the primary (damaged) site to retrieve vital records and other materials. The Organization Emergency Response Team will only allow access to the primary site if the authorities grant access. This will be dependent upon the nature of the disaster and the extent of damage.
If allowed access to the primary site to retrieve vital records and other materials, perform some pre-planning to determine what is most important to retrieve. This may be necessary since the time you may be allowed access to the primary site may be minimal.
Depending on the amount of vital records and other materials you are able to retrieve from the primary site, make arrangements to transport this material to the alternate site. If the material is not too great, this could be accomplished by giving to employees to carry along with them. If the material is a large amount, then make arrangements for transport services and/or overnight courier services.
Management and critical employees travel to alternate site.
ACTIVITY:Implementation of Interim Procedures
ACTIVITY IS PERFORMED AT LOCATION: Alternate Site
ACTIVITY IS THE RESPONSIBILITY OF: <Department Name> Management Team
TASKS:
After arrival at the alternate site, map out locations that can be used for workspace. This should include unused offices and cubicles, conference rooms, training rooms, lunch/break areas, and open space in hallways or in other areas.
Obtain additional tables and chairs, either from the office or from outside rental agencies to provide additional workspace. Place in any available open areas, but be cautious of not blocking exits for fire evacuation purposes.
Determine flexible working schedules for staff to ensure that client and business needs are met, but also to enable effective use of space. This may require that some employees work staggered shifts, or evening or night shifts.
Gather vital records and other materials that were retrieved from the primary site and determine appropriate storage locations, keeping in mind effectiveness of workgroups.
Determine which vital records, forms, and supplies are missing. Obtain from off-site storage location or from other sources, as needed, per Appendices E & F.
Develop prioritized work activities, especially if all staff members are not available.
ACTIVITY:Establishment of Telephone Communications
ACTIVITY IS PERFORMED AT LOCATION: Alternate Site
ACTIVITY IS THE RESPONSIBILITY OF: IT Liaison
TASKS:
Contact the Organization Disaster Recovery/IT Team to determine what activities they are taking to reroute telephone communications to the alternate site. Do not directly contact the telephone company – this will be handled by the Organization Disaster Recovery/IT Team.
If your alternate site is at another <ORGANIZATION NAME> office, prepare a list of phone extensions which your staff will be temporarily using and provide this list to the alternate site switchboard attendant.
If your primary office phones will not be switched to the alternate site, let the Organization Disaster Recovery/IT Team know that the phones need to be transferred to the phone numbers you will be using at the alternate site.
Coordinate with the Organization Communications Team regarding contacting customers to notify them of the disaster situation, how <ORGANIZATION NAME> is responding, and how you can be reached. Do not contact customers until the Organization Communications Team has given you directions.
ACTIVITY: Restoring Data Processing and Data Communications with Primary or Secondary Backup Data Center
ACTIVITY IS PERFORMED AT LOCATION: Alternate Site
ACTIVITY IS THE RESPONSIBILITY OF THIS TEAM: IT Liaison
TASKS:
Contact the Organization Disaster Recovery/IT Team to determine when the data center is to be recovered, if affected by the disaster. Also, discuss when data communications will be established between the primary or secondary backup data center and your alternate site.
If your alternate site is another <ORGANIZATION NAME> office, determine if that site has access to the computer systems that <Department Name> uses. If so, work with local office management to determine how workstations can be shared between personnel from their groups/departments and <Department Name>. This may involve using flexible hours or multiple shifts for your personnel.
Discuss with the Organization Disaster Recovery/IT Team when and how replacement PC’s and/or terminals will be provided to you at the alternate site and when they will be connected.
Discuss with the Organization Disaster Recovery/IT Team when the files from your normal PC/LAN servers and applications will be restored and how you can access those files. Also, work with other <ORGANIZATION NAME> management at your alternate site to discuss using their LAN servers.
Discuss with the Organization Disaster Recovery/IT Team your normal application report distributions, such as when you can expect to receive standard computer reports and how they will be distributed to your alternate site.
Communicate the IT recovery status to all <Department Name> personnel who regularly use the systems.
PHASE III: Alternate Site Operations
ACTIVITY:Alternate Site Processing Procedures
ACTIVITY IS PERFORMED AT LOCATION: Alternate Site
ACTIVITY IS THE RESPONSIBILITY OF: Alternate Site Operations Team
TASKS:
Communicate with customers regarding the disaster and re-solicit phone contacts (in conjunction with the Organization Communications Team)
Acquire needed vital documents
Assess missing documents and files and reconstruct them, if necessary
Set up operation
ACTIVITY: Manage work backlog reduction.
ACTIVITY IS PERFORMED AT LOCATION: Alternate Site
ACTIVITY IS THE RESPONSIBILITY OF:Alternate Site Operations Team
TASKS:
Determine priorities for work backlogs to ensure the most important backlogged tasks are resolved first.
Set an overtime schedule, if required, based on staff and system availability.
Set backlog priorities, establish backlog status reports if necessary, and communicate these to the <Department Name> supervisor.
Report the backlog status to <Department Name> management on a regular basis.
If backlogs appear to be very large or will take a significant time to recover, determine if temporaries could be used for certain tasks to help eliminate the backlogs. If justified, arrange for temporaries to come in.
PHASE IV: Transition to Primary Operations
ACTIVITY:Changing Telephone and Data Communications Back to Primary Site
ACTIVITY IS PERFORMED AT LOCATION: Alternate Site
ACTIVITY IS THE RESPONSIBILITY OF: IT Liaison
TASKS:
Coordinate with the Organization Disaster Recovery/IT Team to determine when <Department Name> will be relocating back to the primary site. Verify that they have a schedule to ensure that telephone and data communications are rerouted accordingly.
Discuss when and how PC’s, terminals, and printers, if brought into the alternate site, will be de-installed, moved back to the primary site and re-installed.
ACTIVITY:Terminating Alternate Site Procedures
ACTIVITY IS PERFORMED AT LOCATION: Alternate Site and Primary Site
ACTIVITY IS THE RESPONSIBILITY OF: <Department Name> Team
TASKS:
Determine which alternate site operating procedures will be suspended or discontinued and when.
Communicate the changes in procedures to all affected staff.
Determine if additional procedures are needed upon return to the primary site, such as to continue resolving work backlogs.
ACTIVITY: Relocation Back to Primary Site
ACTIVITY IS PERFORMED AT LOCATION: Alternate Site and Primary Site
ACTIVITY IS THE RESPONSIBILITY OF: <Department Name> Management Team
TASKS:
In conjunction with the Emergency Management Team and the Organization Emergency Response Team, determine when <Department Name> will be scheduled to relocate back to the primary site.
Communicate this schedule to all <Department Name> personnel.
Inventory vital records, equipment, supplies, and other materials, which need to be transported from the alternate site to the primary site.
Pack, box, and identify all materials to be transported back to the primary site.
In conjunction with the Organization Administration Team, make arrangements for a moving company or courier service to transport the boxes back to the primary site.
Section V: Appendices
Appendix A – Employee Telephone Lists
Employee | Title/Function | Office Phone # | Home Phone # | Cellular/Pager # | Email | Time Called | Arrival Time | Comment
* (Team Leader) | | | | | | | |
** (Alternate Team Leader) | | | | | | | |
** (Alternate Team Leader) | | | | | | | |
Fire, Police, Emergency | | | | | | | |
* Indicates Team Leader. ** Indicates Alternate Team Leader.
Appendix B – Recovery Priorities for Critical Business Functions
Department | Priorities | Maximum Allowable Downtime (1-2 Days / 3-5 Days / 1-2 Weeks / > 2 Weeks)
<Department Name> – Contracts | Critical | X (mark the column that applies)
Appendix C – Alternate Site Recovery Resource Requirements
General Requirements
# | Description | Current Number | BCP Number | Comments
1. Number of people
2. Square footage needed
3. Power Outlets 110V
4. Power Outlets 220V
5. Telephones
6. Telephone lines
7. Desks
8. Chairs
9. Tables
10. Typewriters
11. Photocopiers
12. Calculators
13. Microfiche Viewers
14. File Cabinets (specify type)
15. Other – Please attach list
Technical Requirements
# | Description | Current Number | BCP Number | Comments
1. Telephone Lines (regular)
2. Telephone Lines (800 or special)
3. Single Line Telephone Sets
4. Other Type Telephone Sets (two line)
5. Stand-alone FAX Machines
6. PCs
7. LAN/WAN Connections
8. Printers – LAN
9. Printers – Direct attach to PC
10. PC Connectivity outside <ORGANIZATION NAME> (Internet)
11. Other Computers
12. Fax – Stand alone
13. Other – Please attach list
Appendix D – Emergency Operations Center (EOC) Locations
Disaster Affecting Which Area/Building | EOC Location
<ORGANIZATION NAME> Home Community City
Recovery Locations and Travel Directions
Alternate Sites
Critical Function | Alternate Site
Desktop and Personnel |
EOC Emergency Management Team |
NOTE – Provide directions to all alternate sites. Include address and phone number of site. Include Maps and Floor Plans.
Appendix E – Vital Records
Description | Primary Location of Records | Alternate (Backup) Location of Records | Other Sources to Obtain Records
Settlement Agreements | Department File Cabinets | Vault | Scanned images on network drive / other parties
Litigation Files | Department File Room | Scanned images of pleadings on network drive | Outside counsel / courts
Appendix F – Forms and Supplies
Form/Supply Name/Description | Primary Locations Where Stored | Alternate Sources to Obtain Form/Supply | Vendor's Name/Phone
No special form or supplies other than standard office supplies.
Appendix G – Vendor Lists
Vendor Name | Goods/Service Provided | Contact Name | Address | Phone #
Master Service Agreements and other contractors – lists available on network Master Service Agreement and Insurance databases
Appendix H – Desktop Computer Configurations
Description of Desktop: Dell, etc
Used By: All <Department Name> Employees
Business Activity Supported:
Connected to Which LAN’s:
Used for Host Access (Which Applications): network printing
Special Features, Boards, Memory Size, Etc.: over 20 Gigs HD, over 128MB Memory _____
Over 850 MHz Processor(s)
Ethernet Net Cards, Fax/Modems
Proprietary Software required (indicate release number, version and/or level, as applicable:
The IT Department maintains records on all desktop systems.
Appendix I – Computer System Reports
Report Name | Report Description | System Produced From | Alternate Sources of Report or Information
No special computer reports required.
Appendix J – Critical Software Resources
Software Application | Publisher or Vendor | Platform | Recovery Criticality
Appendix K – Alternate Site Transportation Information
Employees will be notified (by team members), if a disaster is declared, as to the location and when to report. Since recovery site is local, transportation to the work location is up to the employee unless directed otherwise. Directions will be supplied at the time of notification, if necessary.
Appendix L – Alternate Site Accommodations Information
Should alternate site accommodations be required team members will be notified. Employees will be contacted (by team members), if a disaster is declared, as to the location and where to go. Since accommodations are local, transportation to the work location is up to the employee unless directed otherwise. Directions will be supplied at the time of notification, if necessary.
Appendix M – Severity Impact Assessments
<Department Name>
Severity of Impact: 1 = Least ——> 5 = Greatest
# | Impact Area | 1 | 2 | 3 | 4 | 5 | Comments
1 | Cash Flow Interruption
2 | Inoperative Billing Systems
3 | Inoperative Financial Controls
4 | Loss of Customers
5 | Financial Reporting (Banks, IRS, etc.)
6 | Increases in Liability
7 | Loss of Public Image
8 | <Department Name> and Regulatory Violations
9 | Contractual Violations
10 | Vendor Liabilities & Relations
11 | Customer Liability & Relations
12 | Effect on Employee Morale
13 | Staff Resignations
Appendix N – <ORGANIZATION NAME> Business Impact Assessment
Department or Function: <ORGANIZATION NAME>
Number of Employees in HOME COMMUNITY :
Primary Business Function:
What’s at Stake: $ Millions Plus
STRENGTHS (example): Able to work from home if access to e-mail and the system is available through dial-up access. Will need records and files as well.
WEAKNESSES (example): Unable to work remotely if access to records and files is restricted.
LOSS IMPACT (example): Our department would not be able to perform >95% of its work without access to our computers or work areas. It would take time and effort to recreate the contracts and other information (to the extent they can be recreated) before we could work on them.
Maximum Allowable Downtime: > 24 – 48 Hours
Appendix O – Recovery Tasks List
Recovery Activation Date: ________
Task No. | Task Description | Estimated Time | Actual Time | Assigned To | Assigned Time | Completed Time | Comments
10 | Receive communication on emergency situation
20 | Identify recovery site
30 | Retrieve Business Continuity Plans
40 | Notify department members identified in Appendix A
50 | Retrieve department vital records
60 | Oversee delivery and placement of office equipment
70 | Oversee delivery and placement of office supplies
If you need assistance or have any doubt and need to ask any questions contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.
To meet the enterprise business objectives and ensure continuity of its operations, XXX shall adopt and follow well-defined and time-tested plans and procedures, to ensure that all technical vulnerabilities that exist in the IT systems are identified and managed. IT systems contain inherent weaknesses that are termed vulnerabilities. Threats exploit vulnerabilities to cause harm to IT systems. Hence, it is imperative to regularly identify and plug those vulnerabilities and prevent the occurrence of security incidents.
2 Purpose
The purpose of the Technical Vulnerability Management Policy is to establish rules and principles for identifying and managing vulnerabilities in IT systems.
3 Scope
3.1 IT Assets
This policy applies to all hardware, software, and network assets.
3.2 Documentation
The documentation shall consist of Technical Vulnerability Management Policy and related procedures & guidelines. The Technical Vulnerability Management Policy document and all other referenced documents shall be controlled. Version control shall be to preserve the latest release and the previous version of any document. However, the previous version of the documents shall be retained only for a period of two years for legal and knowledge preservation purposes.
3.3 Records
Records being generated as part of the Technical Vulnerability Management Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.
3.4 Distribution and Maintenance
The Technical Vulnerability Management Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the document shall be with the CISO and website administrator.
4 Privacy
The Technical Vulnerability Management Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.
5 Responsibility
The CISO / designated personnel and system administrator are responsible for the proper implementation of the Technical Vulnerability Management Policy.
6 Policy
It is the stated goal of XXX to provide secure IT systems and services in order to protect organizational information assets, as well as the privacy of employees, contractors, and third-party employees. The timely and consistent application of vendor-supplied security patches or mitigation of a reported vulnerability is a critical component in protecting the network, systems, and data from damage or loss due to threats such as worms, viruses, data loss, or other types of external or internal attacks. XXX shall conduct routine scans of its website, servers (including those hosted at ABC), and devices connected to its networks to identify operating system and application vulnerabilities on those devices. XXX requires its system administrators to routinely review the results of vulnerability scans and evaluate, test, and mitigate operating system and application vulnerabilities appropriately. Should an administrator identify a reported vulnerability as a potential false positive, the CISO should be notified immediately.
7 Enforcement
Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.
If you need assistance, have any doubt, or need to ask any questions, contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish your contributions. Your comments and suggestions are also welcome.
To meet the enterprise business objectives and ensure continuity of its operations, XXX shall adopt and follow well-defined and time-tested plans and procedures, to ensure integrity, availability, and authenticity of its website and all information contained within. An organization’s website is its interface with the external world. Information contained within the website is deemed as authentic statements from the management of the organization. It is imperative to publish only authenticated content on the website and maintain its integrity and availability.
2 Purpose
The purpose of the Website Security Policy is to establish rules for preserving the integrity, availability, and authenticity of XXX’s website.
3 Scope
3.1 Employees
This applies to all permanent employees, contractual employees, trainees, privileged customers and all other visitors.
3.2 Documentation
The Website Security Policy documentation shall consist of the Website Security Policy and related procedures & guidelines.
3.3 Document Control
The Website Security Policy document and all other referenced documents shall be controlled. Version control shall preserve the latest release and the previous version of any document. However, the previous version of a document shall be retained only for a period of two years for legal and knowledge preservation purposes.
3.4 Records
Records generated as part of the Website Security Policy shall be retained for a period of two years. Records may be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.
3.5 Distribution and Maintenance
The Website Security Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the Website Security Policy document shall be with the CISO and website administrator.
4 Privacy
The Website Security Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.
5 Responsibility
The CISO / designated personnel and website administrator are responsible for the proper implementation of the Website Security Policy.
6 Policy
The following policies are defined for maintaining the security of the website:
The website shall be developed and maintained as per the relevant guidelines of the Govt. of Kuwait.
User registration for secured access to the website shall be required when i) a web application or internal link requires user identification before processing, or ii) accessed data has been classified as “sensitive” and requires further authorization.
To facilitate site management, information shall be collected for statistical purposes. XXX shall employ software programs to compile summary usage statistics, which may be used for assessing what information is relevant to users. The data so accumulated may be used to help determine technical design specifications, identify system performance, or pinpoint problem areas.
Except for authorized security investigations and data collection, no attempts shall be made to identify individual users or their usage habits. Accumulated data logs will be scheduled for regular deletion in accordance with schedules set by the web administrators.
Unauthorized attempts to upload information or change website information are strictly prohibited and may be punishable under relevant cyber laws.
Access to sensitive or proprietary business information on the websites shall be limited to employees, customers, clients, and vendors who have been determined to have an appropriate business reason for having access to such data. All registered website users, who are granted security access, will be identified by a user name (referred to as the User ID). All actions performed with a User ID will be the responsibility of the ID’s registered owner.
Individuals who are granted password access to restricted information on the website are prohibited from sharing or divulging those passwords to any third parties. Users shall notify XXX immediately in the event a User ID or password is lost or stolen, or if the user believes that a non-authorized individual has discovered the User ID or password.
XXX’s records shall be final and conclusive in all questions concerning whether or not a specific User ID or password was used in connection with a particular action.
Any data or document uploaded to social networking sites shall be duly authorized by the competent authority and shall be uploaded only by designated persons authorized to do so.
7 Enforcement
Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.