User Registration and De-registration Procedures

The following procedures describe the preparation required to ensure that new employees gain access to network and e-mail facilities as quickly and safely as possible on commencement of employment. They also detail the process for removing an individual from the system, e.g. when an individual leaves employment with XXX.

User Registration

  • The new user’s line manager should contact the IT Department helpdesk at least 2 days before the user commences employment.
  • The required information is the user’s full name, where they are based, their start date, and whether they will need access to any specific systems. When the registration has been processed, the helpdesk will contact the individual who requested the registration to inform them of the user’s username and initial password.
  • The user will be prompted to change this password on commencement of employment as they access the system for the first time.
  • If the user will be working with a new PC, laptop or other device, each manager should ensure that the device is set up/processed by the IT Department. The IT Department should be given at least one week’s notice that a PC or other device requires setting up.
  • On commencement of employment, the new user should contact the IT helpdesk to be guided through how to set up their e-mail ‘profile’. For users with limited IT experience, another authorized individual can help with this.

De-registration

  • Network and e-mail access privileges should be removed when an individual leaves employment with KDCC (or in some cases before) to ensure system security is maintained.
  • Within 24 hours of an individual leaving employment, the individual’s line manager should contact the helpdesk to inform them of the following:
    • The individual’s full name;
    • Whether any new e-mails should be forwarded to another account and, if so, the name of the holder of this account;
    • Whether old e-mails should be transferred to another account or just deleted;
    • Whether old files in the individual’s personal folder on the server should be transferred to another account or just deleted.

Once this process is complete the account will be deleted.


If you need assistance or have any doubt and need to ask any questions contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.

Example of Information security policy for supplier relationships

1 Policy Statement

All contracts with external suppliers for providing services to XXX shall be monitored and reviewed to ensure that information security requirements are being satisfied. Contracts shall include appropriate provisions to ensure the continued security of information and systems in the event that a contract is terminated or transferred to another party. The Outsourcing and Supplier Policy sets out the conditions that are required to maintain the security of the information and systems when third parties other than the organization’s own staff are involved in their operation. This may occur in at least three distinct circumstances:

  1. When third parties (for example, contractors) are involved in the design, development, or operation of information systems for the organization. There may be many reasons for this to happen, ranging from developing and installing bespoke software, through third party maintenance or operation of systems, to full outsourcing of an IT facility;
  2. When access to the organization’s information systems is granted from remote locations where computer and network facilities may not be under the control of the organization;
  3. When users who are not members of the organization are given access to information or information systems.

Each of these circumstances involves a risk to the organization’s information, which should be assessed before the third party is granted access. Such access must be subject to appropriate conditions and controls to ensure that risks can be managed.

2 Purpose

The Outsourcing and Supplier Policy sets out the conditions that are required to maintain the security of the organization’s information and systems when third parties are involved in their operation.

3 Policy axioms

  • The commercial benefits of outsourcing non-core business functions must be balanced against the commercial and information security risks.
  • The risks associated with outsourcing must be managed through the imposition of suitable controls, comprising a combination of legal, physical, logical, procedural, and managerial controls.

4 Scope

4.1 Employees

This policy applies to all Suppliers, Contractors, and Third Parties who provide IT-related services.

4.2 IT Assets

This policy is applicable for all network systems, services and information systems.

4.3 Documentation

The documentation shall consist of the Outsourcing and Supplier Policy and related procedures & guidelines. The Outsourcing and Supplier Policy document and all other referenced documents shall be controlled. Version control shall preserve the latest release and the previous version of any document. However, the previous version of the documents shall be retained only for a period of two years for legal and knowledge preservation purposes.

4.4 Records

Records being generated as part of the Outsourcing and Supplier Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.

4.5 Distribution and Maintenance

The Outsourcing and Supplier Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the document shall be with the CISO and system administrators.

5 Privacy

The Outsourcing and Supplier Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.

6 Responsibility

The Outsourcing and Supplier Policy shall be implemented by the CISO / designated personnel.

7 Policy

7.1 Choosing an outsourcer

Criteria for selecting an outsourcer shall be defined and documented, taking into account the:

  • company’s reputation and history;
  • quality of services provided to other customers;
  • number and competence of staff and managers;
  • financial stability of the company and commercial record;
  • retention rates of the company’s employees;
  • quality assurance and security management standards currently followed by the company (e.g. certified compliance with ISO 9000 and ISO/IEC 27001).

Further information security criteria may be defined as the result of the risk assessment.

7.2 Assessing outsourcing risks

Management shall nominate a suitable owner for each business function/process outsourced. The owner, with help from the local Information Risk Management Team, shall assess the risks before the function/process is outsourced, using XXX’s standard risk assessment processes. In relation to outsourcing, specifically, the risk assessment shall take due account of the:

  • nature of logical and physical access to information assets and facilities required by the outsourcer to fulfill the contract;
  • sensitivity, volume, and value of any information assets involved;
  • commercial risks such as the possibility of the outsourcer’s business failing completely, or of them failing to meet agreed service levels or providing services to XXX’s competitors where this might create conflicts of interest; and
  • security and commercial controls known to be currently employed by XXX and/or by the outsourcer.

The result of the risk assessment shall be presented to management for approval prior to signing the outsourcing contract. Management shall decide if XXX will benefit overall by outsourcing the function to the outsourcer, taking into account both the commercial and information security aspects. If the risks involved are high and the commercial benefits are marginal (e.g. if the controls necessary to manage the risks are too costly), the function shall not be outsourced.

7.3 Contracts and confidentiality agreements

A formal contract between XXX and the outsourcer shall exist to protect both parties. The contract shall clearly define the types of information exchanged and the purpose for doing so. If the information being exchanged is sensitive, a binding confidentiality agreement shall be in place between XXX and the outsourcer, whether as part of the outsource contract itself or as a separate non-disclosure agreement (which may be required before the main contract is negotiated). Information shall be classified and controlled in accordance with XXX policy. Any information received by XXX from an outsourcer who is bound by the contract or confidentiality agreement shall be protected by appropriate classification and labeling. Upon termination of the contract, the confidentiality arrangements shall be revisited to determine whether confidentiality has to be extended beyond the tenure of the contract. All contracts shall be submitted to Legal for review of content, language, and presentation.

The contract shall clearly define each party’s responsibilities toward the other by defining the parties to the contract, effective date, functions or services being provided (e.g. defined service levels), liabilities, limitations on use of sub-contractors, and other commercial/legal matters normal to any contract. Depending on the results of the risk assessment, various additional controls should be embedded or referenced within the contract, such as:

  • Legal, regulatory, and other third party obligations such as data protection/privacy laws, money laundering, etc.;
  • Information security obligations and controls such as:
    • Information security policies, procedures, standards, and guidelines, normally within the context of an Information Security Management System such as that defined in ISO/IEC 27001;
    • Background checks on employees or third parties working on the contract;
    • Access controls to restrict unauthorized disclosure, modification, or destruction of information, including physical and logical access controls, procedures for granting, reviewing, updating, and revoking access to systems, data, and facilities, etc.;
    • Information security incident management procedures including mandatory incident reporting;
    • Return or destruction of all information assets by the outsourcer after the completion of the outsourced activity or whenever the asset is no longer required to support the outsourced activity;
    • Copyright, patents, and similar protection for any intellectual property shared with the outsourcer or developed in the course of the contract;
    • Specification, design, development, testing, implementation, configuration, management, maintenance, support, and use of security controls within or associated with IT systems, plus source code escrow;
    • Anti-malware, anti-spam and similar controls;
    • IT change and configuration management, including vulnerability management, patching, and verification of system security controls prior to their connection to production networks;
  • The right of XXX to monitor all access to and use of facilities, networks, systems, etc., and to audit the outsourcer’s compliance with the contract, or to employ a mutually agreed independent third party auditor for this purpose;
  • Business continuity arrangements including crisis and incident management, resilience, backups, and IT Disaster Recovery.

Although outsourcers that are certified compliant with ISO/IEC 27001 can be presumed to have an effective Information Security Management System in place, it may still be necessary for XXX to verify security controls that are essential to address KDCC’s specific security requirements, typically by auditing them.

7.4 Hiring and training of employees

Outsource employees, contractors, and consultants working on behalf of XXX shall be subject to background checks equivalent to those performed on XXX employees. Such screening shall take into consideration the level of trust and responsibility associated with the position and (where permitted by local laws) shall include:

  • Proof of the person’s identity (e.g. passport);
  • Proof of their academic qualifications (e.g. certificates);
  • Proof of their work experience (e.g. résumé/CV and references);
  • Criminal record check;
  • Credit check.

Companies providing contractors/consultants directly to XXX, or to outsourcers used by XXX, shall perform at least the same standard of background checks as those indicated above. Suitable information security awareness, training, and education shall be provided to all employees and third parties working on the contract, clarifying their responsibilities relating to XXX information security policies, standards, procedures, and guidelines (e.g. privacy policy, acceptable use policy, the procedure for reporting information security incidents, etc.) and all relevant obligations defined in the contract.

7.5 Access controls

In order to prevent unauthorized access to XXX’s information assets by the outsourcer or sub-contractors, suitable security controls are required as outlined in this section. The details depend on the nature of the information assets and the associated risks, implying the need to assess the risks and design a suitable controls architecture. Technical access controls shall include:

  • User identification and authentication;
  • Authorization of access, generally through the assignment of users to defined user roles having appropriate logical access rights and controls;
  • Data encryption in accordance with XXX’s encryption policies and standards defining algorithms, key lengths, key management, escrow, etc.;
  • Accounting/audit logging of access checks, plus alarms/alerts for attempted access violations where applicable.

Procedural components of access controls shall be documented within procedures, guidelines, and related documents and incorporated into awareness, training, and educational activities. This includes:

  • Choice of strong passwords;
  • Determining and configuring appropriate logical access rights;
  • Reviewing and, if necessary, revising access controls to maintain compliance with requirements.

Physical access controls shall include:

  • Layered controls covering the perimeter and internal barriers;
  • Strongly-constructed facilities;
  • Suitable locks with key management procedures;
  • Access logging through the use of automated key cards, visitor registers, etc.;
  • Intruder alarms/alerts and response procedures.

If parts of XXX’s IT infrastructure are to be hosted at a third-party data center, the data center operator shall ensure that XXX’s assets are both physically and logically isolated from other systems. XXX shall ensure that all information assets handed over to the outsourcer during the course of the contract (plus any copies made thereafter, including backups and archives) are duly retrieved or destroyed at the appropriate point on or before termination of the contract. In the case of highly classified information assets, this normally requires the use of a schedule or register and a process whereby the outsourcer formally accepts accountability for the assets at the point of hand-over.

7.6 Security audits

If XXX has outsourced a business function to an outsourcer based at a different location, it shall audit the outsourcer’s physical premises periodically for compliance with XXX’s security policies, ensuring that it meets the requirements defined in the contract. The audit shall also take into consideration the service levels agreed in the contract, determining whether they have been met consistently and reviewing the controls necessary to correct any discrepancies. The frequency of audit shall be determined by management on advice from functions such as Internal Audit, Information Security Management, and Legal.

8 Enforcement

Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.


Example of Policy on Use of Network Resources and Services

1 Policy Statement

To meet the enterprise business objectives and ensure continuity of its operations, XXX shall adopt and follow well-defined and time-tested plans and procedures, to ensure the protection of its network services. To support its business functions, XXX encourages the use of, and provides access to, information technologies and network resources. This enables employees to access global information resources, as well as the ability to communicate with other users worldwide. In keeping with its role and values, XXX supports the use of electronic communication for the conduct of official business and for individual professional needs.

2 Purpose

The purpose of this policy is to protect the integrity and availability of networked services. This represents the company-wide guidelines and responsibilities required to maintain acceptable and proper use of all network resources and services. The intent of this policy is to educate users about their responsibilities regarding computing resources and services while identifying certain unacceptable uses of network resources and services.

3 Scope

3.1 IT Assets

This policy applies to all organizational network systems, end devices that access those networks, and information systems.

3.2 Documentation

The documentation shall consist of the Network Services Security Policy and related procedures & guidelines. The Network Services Security Policy document and all other referenced documents shall be controlled. Version control shall preserve the latest release and the previous version of any document. However, the previous version of the documents shall be retained only for a period of two years for legal and knowledge preservation purposes.

3.3 Records

Records being generated as part of the Network Services Security Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.

3.4 Distribution and Maintenance

The Network Services Security Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the document shall be with the CISO and system administrators.

4 Privacy

The Network Services Security Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.

5 Responsibility

The Network Services Security Policy shall be implemented by the CISO / designated personnel and the network administrator. Users of network resources and services also have the following responsibilities:

  1. Courtesy and respect for the rights of others.
    The XXX campus community has the responsibility to foster a positive and secure campus community by respecting and valuing the right to privacy and the diversity of the population and of opinion in the community. In addition, all are responsible for complying with Company policy and all laws and contracts regarding the use of information.
  2. Use of resources.
    Users are responsible for knowing what information resources are available including those shared by the campus community. Users should refrain from all acts that waste or prevent others from using these resources. Users have a responsibility to ensure the security and integrity of the computer and network resources and services they use or access. Responsibilities include performing regular data backups, controlling physical access to information and computer equipment, using virus protection software, and keeping the virus definition file (DAT file) up to date. Responsibilities may also include updating Windows Critical Updates as requested by Computer and Information Services.
  3. Information integrity.
    Users are responsible for the accuracy, completeness, trustworthiness, timeliness, and relevance of the data they enter into and extract from information systems. Users should not unconditionally depend on information or communications to be correct when they appear contrary to expectations. It is important to verify the integrity of the data entered into information systems because the information contained on information systems may be used for reporting at a future date.

6 Policy

The organizational network shall be designed and configured to deliver high performance and reliability to meet the needs of the business whilst providing a high degree of access control and a range of privilege restrictions. Suitably qualified staff shall be designated to manage the organization’s network, and preserve its integrity in collaboration with the nominated individual system owners. The networks and networked services, which are allowed to be accessed, shall be clearly specified. There shall be an authorization process for determining who shall be allowed to access which networks and networked services. Unauthorized access to network connections and network services shall be minimized.

7 Rules

  1. Users shall not place confidential information on the computer’s local hard drive without protecting the information appropriately. Employee, client and vendor/supplier details shall be kept confidential. Users who store confidential or sensitive information on their computers are required to take all precautionary steps to safeguard that information.
  2. Users are responsible for adhering to the Internal Network Equipment Policy when connecting any devices to the XXX network. Devices include, but are not limited to, computers, laptops, servers, routers, switches, hubs and wireless devices.
  3. No one shall use any Company network resources or services without proper authorization. No one shall assist in, encourage or conceal any unauthorized use or attempt at unauthorized use of any of the Company’s network resources and services.
    • Use of network resources and services without permission is theft of services and is illegal under state and company law.
    • Authorized use of XXX-owned or operated computing and network resources is use consistent with the academic and service missions of the Company.
  4. No one shall knowingly endanger the security of any network resource, nor willfully interfere with others’ authorized network usage.
  5. No one shall use XXX’s network resources or services to attempt unauthorized use, nor to interfere with others’ legitimate use, of any network facility anywhere.
    • The ability to use a remote computer does not constitute permission.
    • Users are not permitted to run software that searches for means of obtaining unauthorized access (i.e. port scans, password crackers, etc.), even if the user does not plan to make unauthorized access after finding an access point.
    • Users are not permitted to run software that burdens the network with unnecessary traffic or intentionally degrades the performance of the network (e.g. unnecessary repetitive pings and traceroutes).
  6. No one shall connect any computer or network equipment to any of the Company’s network resources or services until the equipment has been registered with the IT Infrastructure Department. Users are responsible for adhering to the Internal Network Equipment Policy when connecting any devices to the XXX network. One improperly configured computer or network device on a network can cause company-wide disruption. Devices include, but are not limited to, computers, laptops, servers, routers, switches, hubs and wireless devices.
  7. No one without specific authorization shall use any Company network resource or service for non-Company business. By law, the Company can only provide computer resources and services for its own work, not for private use. Therefore, using Company resources or services to establish, run or support a personal and/or non-Company related business venture (e.g. via e-mail, web site, listserv, etc.) is prohibited. Users in need of computing/printing resources for private or personal purposes will need to contact local computer vendors for procurement options.
  8. No one shall create, install or knowingly distribute a computer virus or other surreptitiously destructive program on any network resource, regardless of whether any demonstrable harm results.
  9. File sharing software is not permitted.

8 Enforcement

Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.


Example of Physical and Environmental Security Policy

1 Policy Statement

To meet the enterprise business objectives and ensure continuity of its operations, XXX shall adopt and follow well-defined and time-tested plans and procedures, to ensure the physical security of all information assets and human assets. Physical security is an essential part of a security plan. It forms the basis for all other security efforts, including personnel and information security. A balanced security program must include a solid physical security foundation. A solid physical security foundation protects and preserves information, physical assets, and human assets.

2 Purpose

The purpose of the Physical Security Policy is to:

  • establish the rules for granting, controlling, monitoring, and removing physical access to office premises;
  • identify sensitive areas within the organization; and
  • define and restrict access to those areas.

3 Scope

3.1 Employees

This applies to all employees, contractual employees, trainees, privileged customers and all other visitors.

3.2 Documentation

The Physical Security Policy documentation shall consist of Physical Security Policy and related procedures & guidelines.

3.3 Document Control

The Physical Security Policy document and all other referenced documents shall be controlled. Version control shall preserve the latest release and the previous version of any document. However, the previous version of the documents shall be retained only for a period of two years for legal and knowledge preservation purposes.

3.4 Records

Records being generated as part of the Physical Security Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.

3.5 Distribution and Maintenance

The Physical Security Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the Physical Security Policy document will be with the CISO and system administrators.

4 Privacy

The Physical Security Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.

5 Responsibility

The CISO / designated personnel shall be responsible for the proper implementation of the Physical Security Policy.

6 Policy

Following are the policies defined for maintaining Physical Security:

  1. Physical access to the server rooms/areas shall be fully controlled and servers shall be kept in server racks under lock and key.
  2. Access to the servers shall be restricted only to designated Systems and Operations Personnel. Besides them, if any other person wants to work on the servers from the development area then he/she shall be able to connect to the servers only through Remote Desktop Connection with a Restricted User Account.
  3. Critical backup media shall be kept in a fireproof off-site location in a vault.
  4. Security perimeters shall be developed to protect areas that contain information systems to prevent unauthorized physical access, damage, and interference.
  5. A list of personnel with authorized access to the facilities where information systems reside shall be maintained with appropriate authorization credentials. The access list and authorization credentials shall be reviewed and approved by authorized personnel periodically.
  6. All physical access points (including designated entry/exit points) to the facilities where information systems reside shall be controlled and access shall be granted to individuals after verification of access authorization.
  7. Physical access to the information systems shall be monitored to detect and respond to physical security incidents.
  8. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural and man-made disasters shall be designed and applied.
  9. Physical protection and guidelines for working in the areas where information systems reside shall be designed and applied.
  10. Information systems and their components shall be positioned within the facility to minimize risks from physical and environmental hazards and opportunities for unauthorized access.
  11. Information systems shall be protected from power failure and other disruptions caused by a failure in supporting utilities.
  12. Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage.
  13. The real-time physical intrusion alarm and surveillance equipment shall be monitored.
  14. Physical access control to information systems shall be independent of the physical access control to the facility. This control can be applicable to server rooms or information systems with a higher impact level than that of the majority of the facility.
  15. Automated mechanisms to recognize potential intrusion shall be employed to initiate appropriate response actions.
  16. Visitors shall be authenticated before being authorized to access any facility where information systems reside, other than areas designated as “publicly accessible”.
  17. The access records of the visitors shall be maintained.
  18. Visitors shall be escorted by the designated personnel and their activities, if required, shall be monitored.
  19. Systems Personnel shall examine laptops of visitors for the latest anti-virus definition, latest patches and updates, and any sort of vulnerability that could be harmful to the network.
  20. Any user who needs to connect to the external network for official work shall be able to do so after an official sanction from the Management and Security Team. This team shall evaluate security risks before issuing any sanction.
  21. A record of all physical accesses by both visitors and authorized individuals shall be maintained.
  22. All policies stated above shall be monitored for any changes from time to time.

6.1 Physical Security Perimeter

1. The choice and application of physical access controls shall be made according to the classification of the protected system, such as:

  1. Perimeter fences or walls, bounds and checkpoints.
  2. Key locks to be opened with ordinary keys (i.e., non-electronic).
  3. Electronic access control systems:
    • Option 1 – Cipher lock (also known as a programmable lock; uses a keypad to control access).
    • Option 2 – Card based access control:
      • Memory card (e.g., magnetic stripe card; note that these carry static data and can be duplicated with inexpensive equipment).
      • Smart card (includes a microchip).
    • Option 3 – Biometric systems (e.g., fingerprint, hand geometry and face recognition).
    • Any combination of options 1, 2 or 3 (i.e., a multi-factor authentication method).

2. Sites that host sensitive information and critical systems shall have additional physical security zones to provide additional protection to those assets.

3. Access rights to secure areas shall be regularly reviewed and updated.

4. Main Datacentre area within XXX’s environment:

  • Shall require a much greater level of control than other restricted XXX spaces.
  • Only individuals who have been granted authorization by the ICT Manager may enter this area.
  • Access privileges shall only be granted to individuals who have a legitimate business need.
  • Shall be entered only to conduct authorized business.
  • Employees having access shall familiarize themselves thoroughly with this policy.

5. All doors to the Datacentre shall remain locked at all times, and may be temporarily opened only for the minimum period necessary to:

  • Allow officially approved and logged entrance and exit of authorized individuals.
  • Permit the transfer of supplies / equipment under the direct supervision of a person with controlling access to the area.
  • Be propped open, only when necessary to increase airflow into the Datacentre after an air-conditioning failure.

6.2 Physical Entry Controls

  1. The Information Security Department, in cooperation with the ICT Manager and the Information Security Officer, shall be responsible for defining the necessary policies and procedures regarding physical access to buildings and areas where XXX’s systems are sited (e.g., the Datacentre), according to the classification of the protected systems.
  2. The entry and exit of visitors shall be controlled. Before a visitor enters a building, the security guards at the reception desk or gate shall verify the visitor’s identity using a generally accepted credential (e.g., an identity card or passport). Entry shall be allowed only after notifying the employee being visited and verifying the purpose of the visit.
  3. Supporting services contractors’ personnel shall be granted restricted access to secure areas or Datacentre facilities only when required, and their access shall be monitored.
  4. For employee identification, the following shall apply:
  • All XXX’s employees shall wear visible identification (e.g., an ID badge).
  • Persons who are not XXX’s employees shall wear a “Visitor” badge.
  • ID badges shall only contain names, photographs and badge numbers.
  • Access cards shall not carry any description of the access privilege levels granted to that card.
  5. The ICT Manager, in cooperation with the Information Security Department, shall be responsible for managing and monitoring the CCTV cameras and access door systems within the Datacentre.
  6. All entries to the Datacentre shall be recorded and the records maintained for at least 6 months. All access logs shall record the following details:
    • The date and time of the access attempt.
    • Whether the attempt was successful or not.
    • Where access was granted (which door, for example).
    • Who attempted the access.
    • Who modified the access privileges at the supervisor level.
  7. Personnel who do not require continuing access to the Datacentre shall be escorted by an authorized employee at all times and shall be required to sign a visitor control log.
  8. A facility-wide access card control system shall be deployed with the following features:
    • Employee identification and/or access card with picture.
    • Logging of activity associated with each computerized card.
    • Assignment of access rights based upon job requirements.
    • Ability to disable lost or stolen cards.
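The log fields listed above define a record that can be reviewed mechanically rather than by reading the register by hand. The following Python is an added example, not part of XXX’s policy or of any access-control product: it parses constructed badge-reader lines in an assumed layout (timestamp, result, door, subject, and the supervisor who changed privileges, with “-” for none) and applies three checks a reviewer would run over the retained records: entries granted outside business hours, repeated denials for the same card at the same door, and any privilege change made at the supervisor level. The door name, business-hours window and thresholds are assumptions for the example, and a line missing any of the five mandatory fields is rejected, since an incomplete record cannot satisfy the logging requirement.

```python
"""Review physical access logs against the record requirements in 6.2 (added example)."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the assumed layout:
# <ISO timestamp> <GRANTED|DENIED> <door> <subject> <privilege-changed-by or ->
SAMPLE_LOG = """\
2024-03-04T08:55:12 GRANTED DC-MAIN-01 alice.smith -
2024-03-04T08:55:40 GRANTED DC-MAIN-01 bob.jones -
2024-03-04T23:41:03 DENIED DC-MAIN-01 contractor-17 -
2024-03-04T23:41:20 DENIED DC-MAIN-01 contractor-17 -
2024-03-04T23:41:51 DENIED DC-MAIN-01 contractor-17 -
2024-03-05T02:10:07 GRANTED DC-MAIN-01 bob.jones -
2024-03-05T09:02:00 GRANTED DC-MAIN-01 carol.ng supervisor.dan
"""

FIELD_COUNT = 5
NO_CHANGE = "-"


@dataclass(frozen=True)
class AccessRecord:
    when: datetime
    granted: bool
    door: str
    subject: str
    privilege_changed_by: Optional[str]


def parse_access_log(text: str) -> List[AccessRecord]:
    """Parse log lines into records; any line without all five mandatory fields is an error."""
    records: List[AccessRecord] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != FIELD_COUNT:
            raise ValueError(f"line {lineno}: expected {FIELD_COUNT} fields, got {len(parts)}")
        stamp, result, door, subject, changed_by = parts
        if result not in ("GRANTED", "DENIED"):
            raise ValueError(f"line {lineno}: unknown result {result!r}")
        records.append(AccessRecord(
            when=datetime.fromisoformat(stamp),
            granted=(result == "GRANTED"),
            door=door,
            subject=subject,
            privilege_changed_by=None if changed_by == NO_CHANGE else changed_by,
        ))
    return records


def review_access_log(
    records: List[AccessRecord],
    business_hours: Tuple[time, time] = (time(7, 0), time(19, 0)),  # assumed window
    denial_threshold: int = 3,                                        # assumed
    denial_window: timedelta = timedelta(minutes=10),                 # assumed
) -> Dict[str, List[AccessRecord]]:
    """Return the records a reviewer should look at, grouped by finding type."""
    findings: Dict[str, List[AccessRecord]] = {
        "after_hours": [],        # successful entry outside business hours
        "repeated_denials": [],   # same card refused repeatedly at one door
        "privilege_changes": [],  # supervisor-level modification of access rights
    }
    recent_denials: Dict[Tuple[str, str], List[datetime]] = {}
    flagged: Set[Tuple[str, str]] = set()
    for rec in sorted(records, key=lambda r: r.when):
        if rec.privilege_changed_by:
            findings["privilege_changes"].append(rec)
        if rec.granted:
            if not (business_hours[0] <= rec.when.time() < business_hours[1]):
                findings["after_hours"].append(rec)
            continue
        # Sliding window of denials per (subject, door); flag once when the threshold is hit.
        key = (rec.subject, rec.door)
        window = [t for t in recent_denials.get(key, []) if rec.when - t <= denial_window]
        window.append(rec.when)
        recent_denials[key] = window
        if len(window) >= denial_threshold and key not in flagged:
            flagged.add(key)
            findings["repeated_denials"].append(rec)
    return findings


if __name__ == "__main__":
    for kind, recs in review_access_log(parse_access_log(SAMPLE_LOG)).items():
        for rec in recs:
            print(f"{kind:18} {rec.when.isoformat()} {rec.door} {rec.subject}")
```

Run against the sample, the review flags the 02:10 entry, the three refusals of the contractor card within ten minutes, and the single privilege change; the same functions can be pointed at an export from the real access-control system once the line layout is adjusted.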

6.3 Securing Offices, Rooms and Facilities

  1. Facilities security shall be provided at all XXX’s departments, units and offices. This shall include, but not be limited to:
  • Site perimeter protection (e.g., smart-card controlled entry points).
  • Facility management.
  • Parking lot security.

2. The facilities where sensitive information and critical systems are stored or processed shall be constructed and arranged in a way that they are adequately protected from physical and environmental threats.

3. Intrusion detection alarms shall be in place to cover external doors and accessible windows and other access points to XXX’s buildings.

4. Hazardous or combustible materials shall be stored securely at a safe distance from a secure area.

6.4 Protecting against External and Environmental Threats

  1. The Information Security and Safety Departments shall treat personnel safety as a high priority and take the necessary steps to ensure a safe workplace.
  2. Proper procedures regarding the safe evacuation of areas or building in case of fire, flood, earthquake or other disasters shall be developed and documented in order to protect XXX’s employees and systems.
  3. Environmental controls shall be designed and applied to minimize the damage resulting from fire, flood, earthquake, explosion, civil unrest and other forms of natural or human-caused disasters.
  4. XXX’s facilities shall contain emergency equipment (e.g., emergency lighting and fire extinguishers) to establish an adequate level of safety for those working within the facility. This equipment shall be inspected annually to ensure it remains operational.
  5. Areas where the Datacentre is located shall have appropriate external and environmental controls in place (e.g., for temperature, humidity, dust particle content, atmospheric pressure, electromagnetic radiation and static electricity) according to the manufacturers’ recommendations.
  6. The ICT Manager shall be responsible for the physical monitoring of the Datacentre. In particular, the following assets shall be centrally monitored:
    • Physical access control.
    • Ventilation and Air-Conditioning.
    • Emergency power supply (i.e. power generator) and UPS.
    • Fire detection and suppression systems.
    • Water detection system.
    • CCTV.
    • Racks.

6.5 Working in Secure Areas

  1. The Information Security Department, in cooperation with the ICT Manager and the Information Security Officer, shall define which areas (e.g., the Datacentre) are to be treated as secure areas in order to minimize unauthorized access to, damage to and interference with assets.
  2. Areas that host sensitive information, critical information systems and infrastructure shall be continuously monitored via security guards, Closed Circuit TV (CCTV), intrusion detection systems or a combination of them.
  3. All storage media (e.g., hard disk drives, CD-ROMs or DVDs), printouts, manuals and generally information in printed form containing sensitive information shall be physically secured in locked drawers and cabinets when not in use.
  4. Controls for individuals working in secure areas shall include, but not be limited to:
    • Unstaffed secure areas are physically locked and periodically monitored.
    • No photographic, video, audio, smart phones or other recording equipment is allowed unless specifically authorized.
    • Third party support services personnel are granted access to secure areas only when required, authorized and supervised.

6.6 Delivery and Loading Areas

  1. Delivery and loading areas shall be controlled and, if possible, isolated from ICT facilities to prevent unauthorized access to, or damage of, sensitive areas. Security requirements for delivery and loading areas shall include, but not be limited to:
    • Access to a loading area from outside XXX’s premises shall be restricted to identified and authorized personnel.
    • The loading area shall be designed so that supplies can be unloaded without delivery staff gaining access to other areas of XXX’s premises.
  2. All incoming packages to XXX’s premises shall be received and inspected by reception staff, and shall be recorded in a register.

6.7 Equipment Siting and Protection

  1. Based on information and/or systems classification, equipment shall be protected to reduce risks from environmental threats and hazards and to reduce the risk of unauthorized access to information.
  2. The following controls shall be considered to secure all critical systems:
    • Equipment is located in a physically secure location to minimize unauthorized access.
    • Environmental conditions are monitored for conditions that could adversely affect the operation of computer systems.
    • System owners consider the potential impact of a disaster in nearby premises (e.g., a fire in a neighbouring building, water leaking from the roof or into floors below ground level, or an explosion in the street).
  3. ICT facilities shall be located according to the following criteria, but not be limited to them:
    • Not at locations accessible by the public.
    • Not at locations prone to natural disasters or to damage caused by individuals, such as vandalism, fires and accidents (e.g., water supply system failures or water entering from external windows).
  4. All ICT equipment (e.g., servers and network devices) shall be physically located within the protected confines of the Datacentre.
  5. Unauthorized system access by bypassing the normal boot process (e.g., booting from removable media or over the network to defeat password authentication) shall be prevented, for example by restricting boot devices and password-protecting firmware settings; note that these settings do not protect data once a drive is removed from the device, so disk encryption is needed for that case.
  6. Security measures shall be implemented to minimize the risk of information leakage from equipment processing sensitive information.

6.8 Supporting Utilities

  1. The ICT Manager, in cooperation with the Operation and Maintenance Department, shall provide power protection to ensure the availability of XXX’s systems.
  2. To achieve continuity of power supplies, the following shall be considered, but not be limited to:
    • Multiple feeds to avoid a single point of failure in the power supply.
    • An Uninterruptible Power Supply (UPS) to support orderly shutdown or continuous running, recommended for equipment supporting critical systems and business operations.
    • A backup generator, where continuity of processing and business operations is required.
  3. All critical systems shall be configured to switch over to an alternate power source immediately upon loss of power.
  4. Equipment shall be protected from power failures and other electrical anomalies. A suitable electrical supply shall be provided in accordance with the equipment manufacturer’s specifications.
  5. Supporting infrastructure (e.g., air conditioning systems and security alarm systems), where applicable, shall have a dependable and consistent electrical power supply that is free from surges and interference that could affect operation of the equipment (e.g., power-conditioning strips can reduce the threat of power surges).
  6. UPS units shall be regularly tested, as per the vendor’s instructions, to ensure reliable functionality.

6.9 Cabling Security

  1. Power, voice and telecommunication cables shall be protected against physical damage and destruction.
  2. Cabling protection shall include, but not be limited to:
    • Telecommunication cabling is protected against wiretapping.
    • Telecommunication cabling is not passed through areas where third parties have access.
    • Data network cabling is adequately isolated and protected from unauthorized interception or damage via routing them through protected areas.
    • Power supply cabling is adequately isolated.
    • Installation of armoured conduit and locked rooms or boxes at inspection and termination points.
    • Use of alternative routings or transmission media.
    • Use of fiber optic cabling.
    • Periodic sweeps for unauthorized devices attached to the cables.
  3. Where possible, cabling shall be run underground, avoid public areas, and use protective conduit shielding.

6.10 Equipment Maintenance

  1. The ICT Manager, in cooperation with the Operations and Maintenance Department, shall properly maintain technical equipment (e.g., hardware servers, network devices, racks, patch panels, communication devices, cables, etc.) to ensure their continued availability and integrity. Equipment maintenance controls shall include, but not be limited to:
    • Maintaining equipment in accordance with the manufacturer’s recommended service intervals and specifications.
    • Permitting only authorized maintenance personnel to carry out repairs and service.
    • Recording and updating all suspected or actual equipment faults and all preventive and corrective maintenance.
  2. Any preventive and corrective maintenance conducted on ICT equipment by the manufacturer’s personnel shall be supervised, and formal approval shall be obtained beforehand.
  3. The following shall be considered for ICT equipment:
    • All ICT equipment shall, where possible, be covered by a valid maintenance contract that includes regular and emergency checks, support and spare parts, to ensure availability and continuity of business.
    • Maintenance activities shall be supervised by the responsible personnel.
    • Vendors shall provide XXX with maintenance reports on a monthly basis to confirm the health status of the equipment.
    • A Datacentre maintenance schedule and log shall be maintained by the ICT Manager to ensure timely maintenance and tracking of any related issues.

6.11 Removal of Assets

  1. ICT equipment, assets or software shall not be taken off XXX’s premises without proper authorization. Where necessary and appropriate, the following shall apply:
    • Personnel shall obtain proper authorization before taking equipment off XXX’s premises.
    • Equipment is logged out.
    • Time limits are set.
    • When returned, equipment is logged back in.

6.12 Security of Equipment and Assets Off-Premises

  1. The ICT Manager shall implement appropriate controls when sending ICT equipment off XXX’s premises for maintenance. Appropriate controls shall include, but not be limited to:
    • Proper packaging and sealing of containers.
    • Storage in safe and secure places.
    • Clear and complete shipping and tracking instructions.
  2. Assets shall not be moved off XXX’s premises for use, maintenance or repair purposes unless authorization has been obtained from the relevant owner of the information asset. All movement of such assets shall be recorded.
  3. All portable ICT equipment (e.g., laptops and mobile phones):
    • Shall be secured in a locked cabinet, credenza or office, or with a vinyl-covered steel cable lock.
    • Shall be physically secured via an appropriate security device during any period that the unit is left unattended in XXX’s offices.
  4. Portable ICT equipment connected to the network shall store sensitive information on file server drives as far as possible. Information stored on floppy disks, CD-ROMs, external drives or tapes shall be physically secured in a manner appropriate to its sensitivity level.

6.13 Secure Disposal or Re-use of Equipment

  1. The ICT Manager shall develop appropriate procedures for the following:
    a. Disposal of confidential documents.
    b. Destruction of computer equipment that may contain sensitive information.
    c. Sanitization (i.e., object reuse) of equipment that might be sold or transferred to another organization.
    d. Destruction of various types of media.
  2. Storage media (e.g., CD-ROMs, tapes and flash memories) that contain sensitive information that no longer needs to be kept shall be sanitized or physically destroyed as follows:
    a. Rewriteable media is erased using a secure procedure (e.g., overwriting, possibly three or more times for magnetic media) that prevents the data from later being scavenged. Overwriting through the normal interface is not reliable for flash-based media (SSDs, USB sticks), because wear levelling leaves copies in blocks the host cannot address; such media shall be sanitized with the drive’s built-in secure-erase or cryptographic-erase function, or physically destroyed.
    b. Non-rewriteable media (e.g., CD-ROMs) is physically destroyed.
    c. Paper documents are destroyed using paper shredders.
  3. The ICT Manager shall maintain disposal records which include the information owner’s disposal request and the corresponding department director’s approval.
  4. ICT equipment and storage media shall be checked prior to disposal or re-use to ensure that sensitive information and licensed software have been removed or securely overwritten.
  5. Destruction of sensitive information captured on storage media shall only be performed after approval has been obtained for the method of destruction.
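The check before disposal or re-use asks for evidence that an overwrite actually completed, not just that a wipe tool was started. The following Python is an added example, not part of XXX’s policy or of any sanitization product: it scans a disk image that should have been finished with a fixed-pattern pass, reports every block that is not uniformly filled, and names any recognizable file signature found in the residue. The image is constructed inside the block; the block size and the signature list are assumptions. It verifies only what the host interface returns, so it can confirm an overwrite on magnetic media but cannot prove that wear-levelled flash media holds no data in reserved blocks; for those the drive’s own sanitize command or physical destruction is needed.

```python
"""Verify that a storage image was overwritten before disposal or re-use (added example)."""
import math
from collections import Counter
from typing import Dict, List, Optional

BLOCK_SIZE = 4096  # assumed sector grouping for the scan

# Assumed signatures that indicate leftover files rather than a fill pattern.
KNOWN_SIGNATURES = {
    b"%PDF-": "PDF",
    b"PK\x03\x04": "ZIP/Office",
    b"\x7fELF": "ELF executable",
    b"-----BEGIN": "PEM key or certificate",
}


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a uniform fill, close to 8.0 for random or encrypted data."""
    counts = Counter(block)
    total = len(block)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def find_signature(block: bytes) -> Optional[str]:
    for magic, name in KNOWN_SIGNATURES.items():
        if magic in block:
            return name
    return None


def inspect_block(offset: int, block: bytes) -> Optional[Dict[str, object]]:
    """A block that is one repeated byte is consistent with a completed fixed-pattern pass.
    Anything else is residue (or a random final pass, which this check cannot verify)."""
    if len(set(block)) == 1:
        return None
    return {
        "offset": offset,
        "entropy": round(shannon_entropy(block), 2),
        "signature": find_signature(block),
    }


def verify_overwrite(image: bytes, block_size: int = BLOCK_SIZE) -> Dict[str, object]:
    """Scan an in-memory image and report every block the wipe did not cover."""
    findings: List[Dict[str, object]] = []
    for offset in range(0, len(image), block_size):
        finding = inspect_block(offset, image[offset:offset + block_size])
        if finding:
            findings.append(finding)
    return {
        "clean": not findings,
        "blocks_checked": math.ceil(len(image) / block_size),
        "findings": findings,
    }


def verify_device(path: str, block_size: int = BLOCK_SIZE) -> Dict[str, object]:
    """Same check streamed read-only from a block device or image file, so large media fit in memory."""
    findings: List[Dict[str, object]] = []
    offset = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(block_size), b""):
            finding = inspect_block(offset, block)
            if finding:
                findings.append(finding)
            offset += len(block)
    return {
        "clean": not findings,
        "blocks_checked": math.ceil(offset / block_size),
        "findings": findings,
    }


def build_sample_image() -> bytes:
    """Constructed test image: 256 KiB of zero fill with one block the wipe missed."""
    image = bytearray(64 * BLOCK_SIZE)
    leftover = b"%PDF-1.4\n" + b"Payroll export Q1 - CONFIDENTIAL\n" * 40
    image[17 * BLOCK_SIZE:17 * BLOCK_SIZE + len(leftover)] = leftover
    return bytes(image)


if __name__ == "__main__":
    report = verify_overwrite(build_sample_image())
    print("clean:", report["clean"], "blocks:", report["blocks_checked"])
    for finding in report["findings"]:
        print(finding)
```

On the constructed image the scan reports one block at offset 69632 carrying a PDF signature, which is exactly the evidence a disposal record should never contain; a clean image yields no findings. Because a random final pass makes every block look like residue, finish the wipe with a fixed pattern when this kind of verification is part of the procedure.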

6.14 Unattended User Equipment

  1. The ICT Manager shall enable a password-protected screen saver on all servers and workstations to prevent unauthorized access. The screen saver timer shall be set to 10 minutes of inactivity or less.
  2. Each user shall terminate active sessions when their activities are finished.
  3. Each user shall lock their equipment before leaving their desk.

6.15 Clear Desk and Clear Screen Policy

  1. At a minimum, the following guidelines shall be followed and implemented by all users to promote clear desk and clear screen policy:
    • Paper and information media shall be stored in suitable locked cabinets and/or other forms of security furniture when not in use, especially outside normal working hours.
    • Sensitive or critical business documentation shall be locked away (ideally in a fire-resistant safe or cabinet) when not required, especially when the office is vacated.
    • Workstations and printers shall not be left logged on when unattended, and shall be protected by password-protected screen savers.
    • Photocopiers and faxes shall be locked (e.g., protected from unauthorized use through a PIN code function) outside normal working hours.
    • Confidential information, when printed, shall be cleared from printers immediately.
  2. Department Managers shall communicate the clear desk and clear screen policy to the employees in their own areas, and shall periodically monitor their activities to ensure users’ compliance.
  3. The Information Security Officer, in cooperation with the Personnel Affairs Department, shall ensure that proper awareness training addressing the clear desk and clear screen policy is delivered to all XXX’s employees.

7. Enforcement

Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.

If you need assistance or have any doubt and need to ask any questions contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.

Example of Information security incident management policy and procedures

1 Policy Statement

Incident Management policy shall enable the response to a major incident or disaster by implementing a plan to restore the critical business functions of XXX. The number of computer security incidents and the resulting cost of business disruption and service restoration rise with the increase in dependence on IT-enabled processes. Implementation of sound security policies, blocking of unnecessary access to networks and computers, improvement in user security awareness, and early detection and mitigation of security incidents are some of the actions that can be taken to reduce such risks and decrease the cost of security incidents.

2 Purpose

The purpose of the incident management policy is to provide organization-wide guidance to employees on the proper response to, and efficient and timely reporting of, computer security-related incidents, such as computer viruses, unauthorized user activity, and suspected compromise of data. It also addresses non-IT incidents such as power failure. Further, this policy provides guidance regarding the need for developing and maintaining an incident management process within XXX.

3 Scope

3.1 Employees

This policy applies to all Employees, Contractors and Third Party Employees who use, process and manage information from individual systems or servers.

3.2 Documentation

The documentation shall consist of Incident Management Policy, and related procedures.

3.3 Document Control

The Incident Management Policy document and all other referenced documents shall be controlled. Version control shall be used to preserve the latest release and the previous version of any document. However, the previous version of the documents shall be retained only for a period of two years for legal and knowledge preservation purposes.

3.4 Records

Records being generated as part of the Incident Management Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.

3.5 Distribution and Maintenance

The Incident Management Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the document shall be with the CISO and system administrators.

4 Privacy

The Incident Management Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.

5 Responsibility

The Incident Management Policy shall be implemented by the CISO / designated personnel. The primary responsibilities associated with incident management are to identify and respond to suspected or known security incidents, contain or limit the exposure to loss, and mitigate (to the extent practical) the harmful effects of security incidents. XXX’s Divisions will manage incidents at the facility level and will alert XXX’s CISO to potential company-wide threats. Where facilities are leased or ITS support is provided by an affiliate(s), an XXX Division/Office security representative shall be assigned to facilitate the handling of security incidents. The nature of the incident may require the assignment of staff from other divisions/offices. In all cases, division/office management shall be informed of the incident and of the steps recommended or taken to mitigate it.

6 Policy

The organizational management shall ensure that:

  1. Incidents are detected as soon as possible and properly reported.
  2. Incidents are handled by appropriate authorized personnel with ‘skilled’ backup as required.
  3. Incidents are properly recorded and documented.
  4. All evidence is gathered, recorded and maintained in the Security Incident Reporting form that will withstand internal and external scrutiny.
  5. The full extent and implications relating to an incident are understood.
  6. Incidents are dealt with in a timely manner and service(s) restored as soon as possible.
  7. Steps are taken to prevent similar incidents from recurring.
  8. Any weaknesses in procedures or policies are identified and addressed.
  9. The risk to XXX’s reputation through negative exposure is minimized.
  10. All incidents are analyzed and reported to the designated officer(s).
  11. Lessons learned from incidents are recorded.

The policy shall apply throughout the organization, including information resources, data stored and processed on those systems, data communication and transmission media, and personnel who use information resources.

7. Implementation

XXX shall develop, maintain and implement an incident management and response plan that addresses information technology security incidents. The following paragraphs specify the incident management plan requirements. These requirements shall comply with relevant State policies and standards.

  1. Incident Management Training: The CISO shall provide incident management training to the Divisions/Offices on how to identify and report security incidents.
  2. Identifying and Prioritizing Types of Incidents: The CISO shall develop and maintain guidelines for identifying and prioritizing security incidents. The Divisions/Offices, or their affiliated staff designated by agreement or assignment, shall evaluate the potential for the occurrence of certain types of incidents. All security incidents shall be classified by severity level and type. The five event severity levels defined in the ITS Incident Response Standard shall be used for classification purposes. In addition, each incident shall be identified by type: e-mail, hacking, virus/worm, inappropriate use, social engineering or other.
  3. Incident Monitoring: The CISO shall develop and maintain guidelines on how to monitor for security incidents. The Divisions/Offices or their affiliated staff designated by agreement or assignment, as part of their risk management program, shall continuously monitor for security incidents (both physical and ITS – related incidents) according to the guidelines listed above.
  4. Incident Detection: The CISO shall develop and maintain enterprise-wide procedures for collecting, analyzing and reporting data. The integrity of all data relating to criminal acts must be preserved as possible evidence and will be collected using generally accepted forensic procedures. The forensic procedures to be followed will be developed and disseminated by the CISO.
  5. Incident Reporting: The CISO shall define the basic procedure to be followed for reporting incidents. The procedure shall be expanded upon by the Divisions/Offices as necessary to include the internal communications and escalation procedures that will be used. Security incidents classified as level 3, 4 or 5 shall be reported to the CISO and the division/office information security official within 24 hours of the time the incident was discovered. The CISO is responsible for reporting the incidents to ITS and the Assistant Secretary for OPP and Compliance within 24 hours of receiving the report. The Assistant Secretary for OPP and Compliance will be responsible for informing the appropriate departmental staff about the issue. The division should not report directly to ITS, as this could result in duplicate incidents being reported. A manual form may be completed and forwarded to the division/office information security official for processing. An incident reporting template is available from the CISO and the IT Manager. Security incidents classified as level 2 or greater shall be reported, at a minimum, to the division/office security official. Division/office specific procedures may require all levels of security incidents to be reported to the CISO. If there is a question regarding the classification level, the division/office security official should consult with the CISO.
  6. Security Incident Response Team (SIRT): The CISO shall establish and use a SIRT. The CISO will work with the Divisions/Offices to develop a cross-functional incident response team that will handle a variety of incidents. The roles and responsibilities of the team members will be clearly defined. The SIRT shall be adequately staffed and trained to handle the incident(s). Since incidents may be far-reaching, requiring expertise or authority that does not reside within a division/office, the SIRT may include outsourced vendors, internal and external entities, as well as other key facility/agency personnel.
  7. Organization Protocols: Security incidents may occur across network boundaries. The CISO shall define the protocols for handling these incidents and the contacts between Divisions/Offices, state agencies and outsourced entities.
  8. Impact Assessment: The CISO shall evaluate the impact of security incidents. Assessments may be required at various stages of the incident life cycle to assist management in deploying the proper risk management strategy.
  9. Incident Handling and Escalation Procedures: The CISO shall develop and maintain the primary procedures for handling the containment, eradication and recovery aspects of incidents and the guidelines for development of an escalation procedure. The Divisions/Offices shall develop escalation procedures that are tailored to their individual circumstances.
  10. Documentation: All security incidents shall be thoroughly documented by the Divisions/Offices with as much detail as possible to describe the incident, time discovered and impacted area for subsequent investigation. The incident report shall indicate who was notified and what actions were taken. The CISO may be called on to assist in the documentation process.
  11. Record Retention: Divisions/Offices shall maintain the incident logs and corresponding documentation for a minimum of one year following the discovery of an incident or until an investigation is completed. Incident logs should be stored in a secure location.
  12. Post-Incident Analysis: The post-mortem analysis provides feedback to improve the existing process and its related procedures. Following actions taken to resolve each security incident, an analysis shall be performed by the CISO and the impacted division or office, with assistance of their affiliated staff designated by agreement or assignment, to evaluate the procedures taken and what further steps could have been taken to minimize the impact of the incident.
  13. Emergency Planning: If an incident occurs that impacts the safety of citizens, personnel or facilities, or results in a situation where agency services are interrupted for an extended period of time, the incident may be declared an emergency. XXX’s CISO shall work with the Disaster Response Team to provide guidelines regarding the criteria for identifying an emergency and the notification procedures. The Divisions/Offices shall develop the appropriate procedures for identifying and declaring emergencies using the established Business Continuity and Disaster Recovery Policy.
  14. Media Relations: Serious security incidents that are likely to result in media attention shall be reported immediately to the Department of Public Affairs Office.

Incident Reporting Form for breaches of security or confidentiality (Form No: ________)

  1. Details of security or confidentiality incident
  2. Place of discovery
  3. Who discovered
  4. Date of discovery
  5. Action taken by discoverer
  6. Reported to
  7. Date of report
  8. Seriousness/classification of incident
  9. Date reported to Head of Information Security
  10. Action taken by Head of Information Security
  11. Follow-up check undertaken by
  12. Date of follow-up

8 Enforcement

Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.

Example of Change Management Policy and Procedure.

Change management has become more complex and now covers several related terms: change management processes, policies and procedures. At its core, change management is the method and process of making changes to an organization’s IT systems, and the process is designed to reduce errors when those changes are made. Disruptions affect organizations negatively, which is why writing a change management policy matters. A written change management policy is a necessary part of a thorough Information Security Policy for security-minded organisations. By implementing a clear change management process you can ensure that your organization minimizes disruption and reduces risk. It is about creating policies and procedures that work for your organization and not against it.

1 Policy Statement

The Change Management Policy shall help to communicate the Management’s intent that changes to Information and Communication Technology (ICT) supported business processes will be managed and implemented in a way that minimizes risk and impact to XXX and its operations. All changes to IT systems shall be required to follow an established Change Management Process. This requires that changes to IT systems be subject to a formal change management process that provides a managed and orderly method by which such changes are requested, approved, tested, communicated prior to implementation (where possible), and logged.

2 Definition

Change Management: ‘Any change which may affect financial reporting, operations or compliance. This includes the Control Environment (i.e. all systems and business processes, including IT, which may impact the above).’ The key activities required are:
• Monitoring;
• Informing and communicating;
• Control activities (reviews and reports);
• Risk assessments;
• Control environment (i.e. passwords, user access).

3 Purpose

The purpose of this policy is to establish management direction and high-level objectives for change management and control. This policy will ensure the implementation of change management and control strategies to mitigate associated risks such as:
i. Information being corrupted and/or destroyed;
ii. Computer performance being disrupted and/or degraded;
iii. Productivity losses being incurred; and
iv. Exposure to reputation risk.

4 Scope

4.1 Employees

This policy applies to all parties operating within the organization’s network environment or utilizing Information Resources. No employee is exempt from this policy.

4.2 IT Assets

This policy covers the data networks, local servers, and personal computers (stand-alone or network-enabled), located at offices and depots, where these systems are under the jurisdiction and/or ownership of the organization, and any personal computers, laptops, mobile devices, and servers authorized to access the organization’s data networks.

4.3 Documentation

The Policy documentation shall consist of Change Management Policy and related procedures and guidelines.

4.4 Document Control

The Change Management Policy document and all other referenced documents shall be controlled. Version control shall be used to preserve the latest release and the previous version of any document. However, the previous version of the documents shall be retained only for a period of two years for legal and knowledge preservation purposes.

4.5 Records

Records being generated as part of the Change Management Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.

4.6 Distribution and Maintenance

The Change Management Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the document shall be with the CISO and system administrators.

5 Privacy

The Change Management Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.

6 Responsibility

The CISO / designated personnel is responsible for the proper implementation of the Policy. The Department Manager ensures that changes follow the Change Management Process. The Director of Central Services reviews the Change Management Schedule monthly to ensure all changes follow the Change Management Process. The Management Executive Committee reviews the Change Management Schedule quarterly to ensure changes follow the Change Management Process.

7 Policy

Changes to information resources shall be managed and executed according to a formal change control process. The control process will ensure that changes proposed are reviewed, authorized, tested, implemented, and released in a controlled manner; and that the status of each proposed change is monitored. In order to fulfil this policy, the following statements shall be adhered to:

  1. A current baseline configuration of the information system and its components shall be developed, documented and maintained.
  2. A current inventory of the components of the information system along with the owner shall be developed, documented and maintained.
  3. The baseline configuration of the information system shall be updated as an integral part of the information system component installation.
  4. Changes to the information system shall be authorized, documented and controlled by the use of formal change control procedure.
  5. Changes in the configuration of the information system shall be monitored through configuration verification and audit processes.
  6. The information system shall be configured to provide only essential capabilities and shall prohibit and/or restrict the use of specific functions, ports, protocols, and/or services. A list of prohibited and/or restricted functions, ports, protocols, etc. shall be defined and documented.
  7. The inventory of the information system components shall be updated as an integral part of the component installation.
  8. Automated mechanisms/tools shall be employed to maintain an up-to-date, complete, reliable, accurate, and readily available configuration of the information system.
  9. Automated mechanisms/tools shall be employed to initiate changes/change requests, to notify the appropriate approval authority, and to record the approval and implementation details.
  10. The information system shall be reviewed at a defined frequency to identify and eliminate unnecessary functions, ports, protocols, and/or services.

8 Change Procedure

For compliance purposes, all communications need to be in writing (i.e. by email), meetings need to have minutes taken, etc. This documentation will be retained by the Change Management Controller and filed with the Change Documentation relating to the change. For this reason, verbal requests and authorizations are not acceptable.

8.1 Risk

If not properly controlled, changes could be made which negatively impact the business and prevent people from fulfilling their roles. Changes could be made by individuals who are not fully aware of the impact on other areas of the business. If change is not controlled, the Business could be exposed to fraudulent activities.

8.2 Roles

It is the Change Management Controller’s role to facilitate communications between the Department Manager requesting the change and any other affected Department Managers; these will be referred to as the Stakeholders. The Change Management Controller will coordinate all of the documentation, acquisition of requirements, formulation of plans, and scheduling of projects and tasks. It is the role of the requesting Department Manager and other Stakeholders to review, comment on and authorize documents relating to the change, instruct staff, and participate in meetings to ensure that the change goes as smoothly as possible and that compliance is retained.

8.3 Submit The Change Request Form

  • Complete a Change Request Form. This form and information about how to complete it can be obtained from the IT Manager.
  • Enter as much detail as possible in the Request Details section. If this change will affect other departments please enter the names of the Department Managers in the Other Departments Affected section.
  • Once the form has been completed use the office or branch scanner to scan the authorized form and email it to the IT Help desk. They will log the form and pass it to the Change Management Controller so that the change can be scheduled.

8.4 Review The Specification

The Change Request Form will be reviewed by the Change Management Controller, who will gather additional information, add Department Managers deemed to be affected, and arrange meetings. The Change Management Controller then creates a Specification detailing exactly what is being changed, which is sent to all Stakeholders. The Specification should incorporate all the requirements.
  • The Change Stakeholders carefully review the Specification to ensure that all the requirements and their particular interests are covered.
  • The Change Stakeholders will need to approve the Specification by email.

Note regarding the Change Rating:
The Change Management Controller will discuss what the appropriate Change Rating should be with all the Stakeholders. In essence, the Change Rating indicates the level of compliance required by the change and the priority that the change is being given.

8.5 The Risk Assessment

The Change Management Controller will conduct a risk assessment based on the agreed specification. They will check all the systems and processes affected by the proposed change and list any risk areas. The Risk Assessment is used to create a change Recommendation to ensure that any risk to the business has been identified and mitigated. The Recommendation will include items such as specific training and testing requirements. A copy of the Risk Assessment, including the recommendation, will be sent to the Stakeholders.

  • Check the Risk Assessment and Recommendation carefully to make sure that nothing has been missed.
  • Notify the Change Management Controller, by email, of any missing risks or if there are problems with the Recommendation.
  • Authorize the Risk Assessment and Recommendation by email.

8.6 The Implementation Plan

The Implementation Plan details all the stages that are required in order to successfully manage the change and includes a Test Plan and Roll Back Strategy. In more complicated changes this may also include a project schedule and timeline.

  • Review the Implementation Plan.
  • Make the Change Management Controller aware of any amendments or changes.
  • Make note of the timeline and any training or testing and how this will affect department staff.
  • Make note of any dependent tasks (i.e. if one department is unable to make a change until another has completed theirs).
  • Authorize the Implementation plan by email.

8.7 Pre-Change

Once the Implementation Plan has been approved it is vital that the staff in each department are made aware of what needs to happen, when and by whom. The Department Manager:

  • Notifies affected Staff of the change, assigns actions, and makes them aware of the Roll Back Strategy.
  • Ensures that Staff who have been allocated Test Actions have copies of the Test Plan and are aware that all test documentation is to be retained.
  • Liaises with other Stakeholders and the Change Management Controller to ensure that all aspects of the change are progressing as planned.

8.8 Change

To minimize unnecessary disruption, ensure that the plan is followed as closely as possible and that any issues are highlighted to the Change Management Controller as soon as possible. The Change Management Controller will coordinate communications between all the Stakeholders. Ensure all staff follow the Implementation Plan.

8.9 Post Implementation Review

Once a change has been implemented it is important that the situation is reviewed to identify any problems that could be prevented in the future or improvements that could be made. The Stakeholders will carry out a Post Implementation Review one month after the change has been promoted to Live (unless problems or issues present themselves more immediately). Two months after the change has been implemented the Stakeholders will conduct a further review. The Management Executive Committee will review Change Documentation and follow-up material quarterly. The minutes and action points of these reviews are held on file with the Change Documentation. The Internal and External Auditors will examine the Change Management Documentation on a half-yearly and year-end basis, and their comments and recommendations will be acted upon.

9 Enforcement

Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.

Example of Disaster Recovery Policy

1 Policy Statement

To meet the enterprise business objectives, respond to a major incident or disaster, and restore the organization’s critical business functions, XXX shall adopt and follow well-defined and time-tested plans and procedures. Disaster recovery policy is required to respond to a major incident or disaster by implementing a plan to restore XXX’s critical business functions.

2 Purpose

The purpose of this policy is to ensure that IT resource investments made by XXX are protected against service interruptions, including large-scale disasters, by the development, implementation, and testing of disaster recovery/business continuity plans (DR/BCP).

3 Scope

3.1 IT Assets

This policy applies to all facilities of XXX that operate, manage, or use IT services or equipment to support critical business functions.

3.2 Documentation

The documentation shall consist of Disaster Recovery Policy, and related procedures and guidelines.

3.3 Document Control

The Disaster Recovery Policy document and all other referenced documents shall be controlled. Version control shall be used to preserve the latest release and the previous version of any document. However, the previous version of the documents shall be retained only for a period of two years for legal and knowledge preservation purposes.

3.4 Records

Records being generated as part of the Disaster Recovery Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.

3.5 Distribution and Maintenance

The Disaster Recovery Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the document shall be with the CISO and system administrators.

4 Privacy

The Disaster Recovery Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.

5 Responsibility

The Disaster Recovery Policy shall be implemented by the CISO / designated personnel.

6 Policy

a. Plans for disaster recovery/business resumption/business continuity shall be developed by organizational management.
b. Disaster recovery/business resumption plans shall be updated at least annually and following any significant changes to the computing or telecommunications environment of XXX.
c. Employees of XXX shall be trained to execute the disaster recovery plan.
d. Annual certification, updating and testing of the disaster recovery/business resumption plan shall be done.
e. A competent auditor shall audit disaster recovery/business resumption plans.

7 Enforcement

Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.

Example of Business Continuity Management Policy

1 Policy Statement

To meet the enterprise business objectives and ensure continuity of its operations, XXX shall adopt and follow well-defined and time-tested plans and procedures, build redundancy in teams and infrastructure, and manage a quick and efficient transition to the backup arrangement for business systems and services. The Business Continuity Management (BCM) Policy reiterates the commitment of XXX towards delivering the fastest transition and the highest quality of services through backup arrangements, ensuring that the customers, business activities, and services do not suffer in any way. The Business Continuity Management Procedure, Backup Policy, and Backup Procedure shall be referred to. The plan shall be available to the CISO and BCM team members of XXX.

2 Purpose

The main objective of Business Continuity Management is to minimize/eliminate the loss to an organization’s business in terms of revenue loss, loss of reputation, loss of productivity, and customer satisfaction. The Business Continuity Policy intends to:
a. establish a systematic approach for business continuity;
b. create awareness amongst the concerned employees, about the business continuity aspects of ISMS and its importance; and
c. test and review the business continuity plan for the organization.

3 Scope

3.1 IT Assets

BCM covers all IT assets and applications for a business transaction that are owned or utilized by XXX.

3.2 Documentation

The BCM documentation shall consist of Plans and Resumption procedures for each service.

3.3 Document Control

The BCM document and all other referenced documents shall be controlled. The version control shall be used to preserve the latest release and the previous version of any document. However, the previous version of the documents shall be retained only for a period of two years for legal and knowledge preservation purposes.

3.4 Records

Records being generated as part of the BCM shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.

3.5 Distribution and Maintenance

The BCM document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the document shall be with the CISO and BCM team.

4 Privacy

The BCM document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.

5 Responsibility

Role of BCM Leader shall be performed by CISO and include the following:
a. Coordinate the development and maintenance of the Organizational BCM policy manual and get approval from MISF (Management Information Security Forum).
b. Identify and declare disaster-scenarios according to the gravity of the disaster.
c. Enforce BCM among teams as per disaster scenarios.
d. Review and audit BCM Policy at planned intervals.
e. Test and update Business Continuity Plan at planned intervals.
f. Facilitate functional training of the members for BCM execution.
g. Co-ordinate with outsourcing partners wherever applicable.

Following are the primary roles of BCM Team Members:
a. Execute BCM activities as per respective procedures.
b. Co-ordinate with outsourcing partners wherever applicable.

6 Policy

a. For catastrophic and major disasters, the BCM Leader shall invoke the BCM process in consultation with the BCM Team Members.
b. It is the responsibility of the BCM Leader to ensure that adequate spare resources are available for recovering from a disaster at the infrastructure level.
c. It is mandatory for all BCM Team Leaders to maintain the BCM document in an easily accessible and secure location.
d. The BCM Policy shall be updated whenever major additions, upgrades, deletions take place to the underlying hardware, network environment, office infrastructure or key personnel.
e. The BCM Policy and Plan testing process for vital services shall be carried out at least once a year.

7 Enforcement

Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.

Example of Backup Policy

1 Policy Statement

To meet the enterprise business objectives and ensure continuity of its operations, XXX shall adopt and follow well-defined and time-tested plans and procedures, to ensure timely and reliable backup of its IT assets. The Backup Policy reiterates the commitment of XXX towards delivering the fastest transition and highest quality of services through the backup arrangement ensuring that its customers, business activities, and services do not suffer in any way. The policy shall be available to the CISO and BCP (Business Continuity Plan) team members of XXX.

2 Purpose

The purpose of this policy is to provide means to:
i. restore the integrity of the computer systems in the event of a hardware/software failure or physical disaster; and
ii. provide a measure of protection against human error or the inadvertent deletion of important files.

3 Scope

3.1 Employees

This policy applies to all Employees, Contractors, and Third Party Employees, who have access to IT assets of XXX and may be bound by contractual agreements.

3.2 IT Assets

This policy applies to the entire IT infrastructure of XXX.

3.3 Documentation

The Policy documentation shall consist of Backup Policy and related procedures and guidelines.

3.4 Document Control

The Backup Policy document and all other referenced documents shall be controlled. Version control shall be used to preserve the latest release and the previous version of any document. However, the previous version of the documents shall be retained only for a period of two years for legal and knowledge preservation purposes.

3.5 Records

Records being generated as part of the Backup Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.

3.6 Distribution and Maintenance

The Backup Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the document shall be with the CISO and system administrators.

4 Privacy

The Backup Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.

5 Responsibility

The CISO / designated personnel is responsible for proper implementation of the Policy.

6 Policy

  1. All user-level and system-level information maintained by XXX shall be backed up periodically. The backup media shall be stored with sufficient protection and proper environmental conditions.
  2. The frequency and extent of backups must be in accordance with the importance of the information and the acceptable risk as determined by the data owner.
  3. The Information Resources backup and recovery process for each system must be documented and periodically reviewed.
  4. Any vendor(s) providing offsite backup storage must be cleared to handle the highest level of information stored.
  5. Physical access controls implemented at offsite backup storage locations must meet or exceed the physical access controls of the source systems. Additionally, backup media must be protected in accordance with the highest sensitivity level of information stored.
  6. A process must be implemented to verify the success of the KDCC electronic information backup.
  7. Backup copies of operating systems and other critical information system software shall not be stored in the same location as the operational software.
  8. The system backup information shall be provided with protection from unauthorized modification and environmental conditions.
  9. Backups must be periodically tested to ensure that they are recoverable. To confirm media reliability and information integrity, the backup information shall be tested at a specified frequency.
  10. Signature cards held by the offsite backup storage vendor(s) for access to backup media must be reviewed annually or when an authorized individual leaves XXX.
  11. Backup information shall be selectively used to restore information system functions as a part of the business continuity process.
  12. Procedures between KDCC and the offsite backup storage vendor(s) must be reviewed at least annually.
  13. Backup tapes must have at a minimum the following identifying criteria that can be readily identified by labels and/or a bar-coding system:
    a. System name
    b. Creation Date
    c. Sensitivity Classification [Based on applicable electronic record retention regulations.]
    d. Contact Information

7 Enforcement

Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.

Example of Virus/malware Prevention Policy

1 Policy Statement

To meet the enterprise business objectives and ensure continuity of its operations, XXX shall adopt and follow well-defined and time-tested plans and procedures, to ensure the protection of IT assets from malware and virus attacks. IT assets must be employed in ways that achieve the business objectives of XXX. IT assets shall be protected in a way that ensures that they are resistant to virus and malware attacks and that all preventive and protective measures shall be used to resist such malware attacks. The policy and respective procedures, guidelines, and forms such as facilities allocation forms shall be available to the CEO, GMs, AGMs, managers, and CISO of XXX.

2 Purpose

The purpose of this policy is to promote the use of anti-virus and other anti-malware software and educate the employees regarding the policies that are widely followed to use anti-malware effectively. Besides, this policy provides direction to ensure that legal regulations are followed.

3 Scope

3.1 Employees

This policy applies to all Employees, Contractors, and Third Party Employees, who have access to IT assets of XXX and may be bound by contractual agreements.

3.2 IT Assets

This policy applies to all workstations and servers that are owned or leased by XXX.

3.3 Documentation

The Policy documentation shall consist of Anti-malware Policy and related guidelines.

3.4 Document Control

The Anti-Malware Policy document and all other referenced documents shall be controlled. Version control shall be used to preserve the latest release and the previous version of any document. However, the previous version of the documents shall be retained only for a period of two years for legal and knowledge preservation purposes.

3.5 Records

Records being generated as part of the Anti-Malware Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.

3.6 Distribution and Maintenance

The Anti-Malware Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the document shall be with the CISO and system administrators.

4 Privacy

The Anti-Malware Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.

5 Responsibility

The CISO / designated personnel is responsible for the proper implementation of the Policy. The Virus/malware Prevention Policy applies equally to all individuals that use any XXX Information Resources.

6 Policy

XXX shall adopt certain practices to prevent malware/Virus problems:
i. All workstations, whether connected to the XXX network or standalone, must use XXX-approved anti-virus and anti-malware software and configuration.
ii. The anti-virus and anti-malware software must not be disabled or bypassed.
iii. The settings for the anti-virus and anti-malware software must not be altered in a manner that will reduce the effectiveness of the software.
iv. The automatic update frequency of the anti-virus and anti-malware software must not be altered to reduce the frequency of updates.
v. Each file server attached to the XXX network must utilize XXX-approved anti-virus and anti-malware software and be set up to detect and clean malware that may infect file shares.
vi. Every virus/malware that is not automatically cleaned by the anti-virus and anti-malware software constitutes a security incident and must be reported to the Help Desk.
vii. The organization shall adopt suitable controls to prevent and detect the introduction of malicious code and unauthorized mobile code.
viii. The information system shall automatically update its malicious code protection mechanisms, e.g. through automatic updates of anti-virus and anti-malware software.
ix. Each E-mail gateway must utilize XXX-approved e-mail anti-virus software and must adhere to the ISMS rules for the setup and use of this software.

7 Enforcement

Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.
