Cyber_Security_Policy
Responsibility for Company Data
Continually emphasize the critical nature of data security and the responsibility to protect company data.
Employees have legal and regulatory obligations to respect and protect the privacy of information and its
integrity and confidentiality.
Document Management and Notification Procedures
Follow the data incident reporting procedure in the event a computer becomes infected by a virus or is
operating outside its norm (e.g., unexplained errors, running slowly, changes in desktop configurations,
etc.). In such cases, you should immediately report the incident so your IT team can be engaged to
mitigate and investigate the threat.
Unauthorized Software
You are not allowed to install unlicensed software on any company computer. Unlicensed software
downloads could make your computer susceptible to malicious software downloads that can attack and
corrupt your company data.
Internet Use
Avoid emailed or online links that are suspicious or from unknown sources. Such links can release
malicious software, infect computers and steal company data. You should establish safe browsing rules
and limits on Internet usage in the workplace (Unwanted Web Pages).
Social Media Policy
You are not authorized to use your company email address to register for, post to or receive social media.
Outsourcing and Third Party Access
All parties accessing the organization’s information systems, whether suppliers, customers or otherwise, must
agree to follow the organization’s information handling, retention and security policies. A copy of the
information security policies and the third party’s role in ensuring compliance will be provided to any such
third party, prior to their being granted access.
Physical Access to information
Areas and offices where Confidential or Restricted information is processed shall be given an appropriate
level of physical security and access control. Staff with authorization to enter such areas are to be
provided with information on the potential security risks in the area and the measures used to control
them. Duties and areas of responsibility shall be segregated to reduce the risk and consequential impact
of information security incidents that might result in financial or other material damage to the organization.
System Control
Equipment supporting systems shall be planned to ensure that adequate processing power, storage and
network capacity are available for current and projected needs, all with appropriate levels of resilience
and fault tolerance. Equipment shall be correctly maintained. Equipment supporting systems shall be
given adequate protection from unauthorized access, environmental hazards and failures of electrical
power or other utilities.
Access controls for all information and information systems are to be set at appropriate levels in
accordance with the value and classification of the information assets being protected. Access to
operating system commands and application system functions is to be restricted to those persons who
are authorized to perform systems administration or management functions. Where appropriate, use of
such commands should be logged and monitored.
Information Inventory
An Information Inventory is maintained of all the organization’s major information assets and the
ownership of each asset will be clearly stated. Within the Information Inventory, each information asset is
classified according to sensitivity using the organization’s agreed information classification scheme.
Classified information and outputs from systems handling classified data must be appropriately labeled
according to the output medium.
Archiving
The archiving of information and documents must take place with due consideration for legal, regulatory
and business issues, with liaison between technical and business staff, and in keeping with the
organization’s Retention Policy. Storage media used for the archiving of information must be appropriate
to its expected longevity. The format in which the data is stored must also be carefully considered,
especially where proprietary formats are involved or long-term access may be required.
Storage and deletion or destruction of information
All users of systems must manage the creation, storage, amendment, copying and deletion or destruction
of data files, records and information in a manner which safeguards and protects the confidentiality,
integrity and availability of such files and with due regard to the defined procedures.
Off-site Storage/Removal
Removal off site of the organization’s Confidential or Restricted information assets, either printed or held
on computer storage media, should be properly authorized by management. Prior to authorization, a risk
assessment based on the criticality of the information asset shall be carried out.
Confidential or Restricted material, handling
Confidential or Restricted information must be stored in a central storage file and not on portable media
unless encrypted. Copies of such material must be protected and handled according to the distribution
and authorization levels specified for that information. All employees must be made aware of the risk of
breaching confidentiality associated with the transfer, storage, and copying of information.
Confidential or Restricted material, disposal
All information of a Confidential or Restricted nature is to be shredded or similarly destroyed when no
longer required. The relevant information owner must authorize or initiate this destruction. Records must
be disposed of in accordance with Disposal of Information.
Compliance
The Terms and Conditions of Employment and the organization’s Code of Conduct set out all employees’
responsibilities with respect to their use of computer systems and all sets of data, computer-based or
otherwise.
The organization’s Code of Conduct sets out responsibilities with respect to the use of computer-based
information systems and data.
All members of the organization will comply with the Information Security Policy and any applicable laws.
Where appropriate their compliance will be monitored. Failure to comply will be dealt with under the
appropriate disciplinary procedure.
Before any new systems are introduced, a risk assessment process will be carried out which will include
an assessment of the legal obligations that may arise from the use of the system. These legal obligations
will be documented and a named system controller, with responsibility for updating that information, will
be identified.
The organization’s Code of Conduct forbids the use of information systems to send or publish derogatory
remarks about people or organizations.
The organization will only process personal data in accordance with the requirements of the data
protection legislation. Personal or confidential information will only be disclosed or shared where an
employee has been authorized to do so.
Where it is necessary to collect evidence from the information systems, it shall be collected and
presented to conform to the relevant rules of evidence. Expert guidance will normally be sought.
All of the organization’s systems will be operated and administered in accordance with the documented
procedures. Regular compliance checks will be carried out to verify this compliance.