Information Security Policy

Version: 1.00Issue Date: 9/8/2014

1.0 Overview

This policy establishes general roles and responsibility for information security. It establishes authority for the Information Security Committee to create and enforce information security policies.

2.0 Purpose

This policy defines organization wide appropriate access to, integrity of organizational information, and appropriate access to organizational information technology assets. It defines the roles and responsibilities of:

  1. Employees and authorized users
  2. The departmental information security officer
  3. Information Security Committee
  4. Security Officer
  5. Chief Information Security Officer (CISO)
  6. Communications Officer

3.0 Scope

This policy is organization wide and all parts of the organization are subject to it. This policy defines basic organizational security standards and provides information about roles and responsibilities of those involved. Departments may establish departmental policies but may not override enterprise policies. This policy is effective as of the issue date and does not expire unless superceded by another policy.

4.0 Policy Description

Security of organizational resources including networks, computer systems, software, and data must be protected from unauthorized use and disclosure. The following must be provided:

  • Data confidentiality
  • Data integrity
  • Data and system availability
  • Appropriate use of data and systems
  • Authentication
  • Ability to audit
  • Recoverability of lost data or systems
  • Business continuity

Organizational policies and procedures shall be used to guide organization wide information security. Organizational department management are required to be sure their departments adhere to the organizational policies and procedures. Department managers may develop departmental policies and procedures so long as they do not conflict with organizational wide policies and procedures. Individual departments should have an information security officer responsible for overseeing and managing security inside the department. This person will also represent the department in enterprise wide meetings and efforts regarding information security.

5.0 Security Officer

Each department shall have a security officer responsible for ensuring security. The Information Security Officer will:

  1. Manage departmental security.
  2. Create departmental security policy.
  3. Be sure security policy is being enforced by coordinating audits.
  4. Coordinate the emergency response team for the department.
  5. Represent the department on the Enterprise wide organizational security committee.

6.0 Employees

All authorized users, staff members, or employees whether volunteeers or contractors with access to organizational resources are responsible for understanding and abiding by security policies and other organizational policies. All users are required to protect organizational data and resources from unauthorized disclosure and modification to the best of their ability.

7.0 Chief Information Security Officer (CISO)

Chief Information Security Officer duties:

  • Lead the Information Security Committee
  • Coordinate and oversee development of enterprise wide computer information security policies.
  • Coordinate efforts regarding information security between departments.
  • Direct information security education and training.
  • Provide leadership related to information security including technical issues, policies, and regulations.
  • Lead the Organizational Security Committee.
  • Encourage the awareness and use of the security strategy.
  • Determine the data classification scheme for the organization and be responsible for it. (Eg public, internal use only, confidential)

8.0 Information Security Committee

The information Security Committee will consider the business needs and security concerns as they perform the following responsibilities:

  • Develop, update, approve, and ensure communication of information security policies.
  • Develop, update, and communicate related procedures.
  • Develop, update, and communicate related standards.
  • Review and approve or deny deviations from standards or policies.
  • The Information Security Committee must create and maintain a technical security plan. The plan must define roles and responsibilities of managers and employees including job descriptions. All employees must be qualified to fulfill their job roles.
  • The Information Security Committee must include consideration of ownership responsibilities in the security plan and policies. Owner roles and responsibilities must be defined.
  • Develop a process for communication of the technical security plan.
  • Develop an approval process for certification of new information technology equipment and facilities to be sure security protection meets requirements.
  • Technology developments and new threats must be evaluated at least once per year and modifications must be made to the technical security plan to use new technology and meet threats. Reports from auditors shall be used to determine additional security needs including awareness programs, changes to the security framework, or actions due to non-compliance.

9.0 Communications Officer

The Communications Officer will communicate new or revised policies, procedures, and standards on behalf of the Information Security Committee.

10.0 Technical Security Plan

  • The Information Security Committee must create and maintain the technical security plan.
  • The technical security plan must be approved by the Chief Information Security Officer.
  • The technical security plan must be reviewed by appropriate staff in appropriate divisions prior to implementation. Comments and modifications must be discussed, agreed upon, and any changes made before the plan is implemented. External advice about the plan should be obtained prior to plan implementation.
  • The technical security plan must be based on a formal risk analysis which covers the organization and business processes. An example would be the risk of using email to support business processes considering what attachments should be allowed. Threats, vulnerabilities, risks, costs, and probabilities should be considered.
  • The technical security plan must be in line with the strategic business plan considering the organizational business objectives. The technical security plan must be reviewed at least annually to be sure it is aligned with the strategic business plan.
  • Controls specified by the security plan and policies must be cost effective. Priorities must be set based on risk, costs, and alternatives.
  • The technical security plan and framework must state its purpose and objectives.
  • The technical security plan must call out measurable metrics that can be used to determine whether security goals are being obtained. Metrics should be compared with industry trends and scores. Metrics and scores should be evaluated by independent reviewers.
  • The technical security plan must be documented and communicated so the security strategy is implemented. Documentation and communication of the plan will improve system protection through the organization.

11.0 Security Awareness and Guidelines

  • Information security officers and advisers must be able to advise information technology and business management about information security issues.
  • Security awareness must be part of the employee orientation plan.
  • Security awareness must be included in performance appraisals and a training program must be available for staff members.
  • The goals and scope of the security awareness program must be clearly defined.
  • Upper management must support the security awareness program.
  • Security awareness trainers must be well qualified in the areas they teach and be excellent communicators.
  • The security awareness program must be modified annually to consider technological changes and changes in security needs.
  • The training program must include training for applications required by users. Employees and contractors should be trained based on work assignments and need.
  • Surveys should be regularly conducted to determine the effectiveness of the training program. Feedback should be used by the trainers to improve training methods.

12.0 Security Requirements

  • Security policies, procedures, and standards must be documented and published so all affected members of the organization are aware of them.
  • All Security policies, procedures, and standards must comply with and support laws, regulations, and contracts that apply.
  • Minimum security requirements for all operating systems approved for use in the organization must be defined. Testing must be done to be sure the requirements are met and effective. Any deviations from requirements must be approved and have compensating controls.
  • Only approved operating systems may be used in the organization.
  • All systems must have adequate authentication mechanisms for all users which must include a unique user identifier and a user authentication mechanism (Eg password, token, biometrics) for access.
  • Access to system and equipment diagnostic ports must be controlled using adequate security mechanisms to prevent unauthorized use or access.
  • The Information Security Committee must review information about new types of security threats. The security officer must review information about new security vulnerabilities and exploits.
  • Third parties should evaluate security architecture and policies annually to independently determine effectiveness. Practices actually used must be evaluated to be sure they are in line with the policies.

13.0 Auditing

Auditors shall support this policy by auditing various departments for compliance as coordinated with the Information Security Committee and the Chief Information Security Officer. Auditors shall provide reports to management including the Information Security Committee and the Chief Information Security Officer detailing compliance and shortfalls through the organization.

14.0 Enforcement

All activity that does not comply with this Information Security Policy and other policies and procedures is investigated. Organizational members that do not adhere to this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

15.0 Other Requirements

  • Procedures must be created to keep authentication mechanisms effective in providing access control.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________