Information Security Management Policy

Uploaded by aurorabelly (Networking and Communications), Nov 21, 2013



© Copyright 2010 The State of Western Australia. Page 1 of 12.


Purpose

This policy defines the objectives, accountabilities and application of information security management in the Department of . . . .

Replaces

<Previous Policy Document>

Commences

<date>

File:

<file reference or policy number>

Scope

This policy covers the management of security for Department information including technology infrastructure, information systems, business information systems, and the systems and services that store, process and communicate Department information.

Principle

The <Director General/Chief Executive Officer/Commissioner> is accountable for use of Department resources and to ensure the requirements for information security are satisfied in accordance with the principles of risk management, including:

- protecting the availability, confidentiality and integrity of information;
- control of access to and proper use of information and information systems;
- authentication of users; and
- non-repudiation of electronic transactions.

Responsibility

The Department’s Corporate Executive Committee is responsible to
oversee this policy.

Staff members, including contractors and consultants, are responsible to
ensure they comply with this policy.

Custodian: Director, Information Services                 Date:

Approver:  Executive Director, Corporate Services         Date:

Endorser:  Director General                               Date:


1. Policy

The Department of . . . is responsible for the security of its information and information systems.

2. Objectives

To ensure that Department requirements for information security are satisfied in accordance with the principles of risk management:

a. the control of access to and proper use of information and information systems
b. the availability, confidentiality and integrity of information
c. the authentication of users
d. the non-repudiation of electronic transactions

3. Definition

Interpretation: ‘Department information’ means

e. any official information, government record or personal information (see the Criminal Code, the State Records Act 2000 (WA), Freedom of Information Act 1992)
f. which is created or obtained by the Department, stored by the Department or on Department facilities

Interpretation: ‘Department resources’ includes

g. official information, equipment and facilities (see the Public Sector Management Act (1994), section 9(b))

4. Application

a. The Department will adopt relevant standards for information security management and risk management, including WA Government guidelines
b. The compliance with these guidelines is to be managed by the Information Security Group
c. Compliance means:
   - regular reviews of security exposures
   - investigation of security infringements, as required
   - an ongoing action plan to achieve continuous improvement in security, within the operational budget allocation
d. The Department’s framework for information security management is summarised in the appendices.

<Departments should include, policy lists, and delegations>

5. Accountabilities and Responsibilities

5.1. The Director General

a. Is accountable for Department compliance with this information security management policy


b. Shall establish a management group to approve information security policies, standards and procedures, and to supervise the management of the information security management process.

5.2. Director, Information Services

Director, Information Services is responsible for:

a. Information
b. Information infrastructure
c. Information policies

5.3. Information Security Group

The Information Security Group is responsible for:

a. formulating and managing the Department’s information security policy
b. Coordinating the implementation of security across the Department.

5.4. Information Security Manager

The Information Security Manager, <Section>, is responsible for:

a. establishing and maintaining a management system for the information security process within the Department
b. maintaining the Department’s information and security policies, such as the Computer and Telecommunications Facility Policy.

5.5. Staff

Department staff are responsible to:

c. understand and comply with the Department’s information security policies, standards and procedures, such as:
   - the Computer and Telecommunications Facilities Policy
   - the Intellectual Property Policy
   - the Backup and Recovery Policy
   - the Virus and Vulnerability Patching Policy
d. never subvert or attempt to subvert any security measures related to the protection of Department information systems and assets
e. report immediately any actual or suspected security incidents, weaknesses or failures to the Service Desk, Line Manager or Information Security Manager

5.6. System Owners

a. Are responsible for ensuring the compliance of their systems with this Information Security Management Policy.

5.7. Divisional Heads, Executive Directors, Directors

a. Are responsible for managing the risks to their business processes and assets
b. Must manage the information and information systems that belong to their business processes and assets


c. Must ensure that the security requirements that are justified for their processes and assets are satisfied
d. Are responsible for managing the risks to their information and information systems
e. Are responsible for authorising, controlling access to and administering their information and systems
f. Must identify and justify security requirements for their information and information systems
g. Are responsible for the development, management and maintenance of jurisdiction specific information security management system including policy, standards and procedures
h. Are responsible for their staff and contractors being properly educated about relevant Department information security policy, standards and procedures and being properly trained and authorised to use the information and information systems necessary to perform their work.

6. Policy Promulgation

Commencement date

Communication process

7. Policy Review

The Department reviews and updates this policy as needed.

8. Contact

Questions related to this policy document may be directed to the Director, Information Services on (08) 9999-9999.


9. Appendix: Minimum Standards (per ISO AS/NZS ISO/IEC 17799:2006)

Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.

Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions.

9.1. How to establish security requirements

It is essential that an organization identifies its security requirements. There are three main sources of security requirements.

1. One source is derived from assessing risks to the organization, taking into account the organization’s overall business strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated.

2. Another source is the legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy, and their socio-cultural environment.

3. A further source is the particular set of principles, objectives and business requirements for information processing that an organization has developed to support its operations.

9.2. Assessing Security Risks

Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures.

9.3. Selecting Controls

Once security requirements and risks have been identified and decisions for the treatment of risks have been made, appropriate controls should be selected and implemented to ensure risks are reduced to an acceptable level [for the Department].

9.4. Minimum Controls [Protections or Objectives]

Controls considered to be essential to an organization from a legislative point of view include, depending on applicable legislation [, must address]:

a) data protection and privacy of personal information (see 15.1.4);

b) protection of organizational records (see 15.1.3);

c) intellectual property rights (see 15.1.2).

9.5. [Recommended] Common Controls

Controls considered to be common practice for information security include:

a) information security policy document (see 5.1.1);

b) allocation of information security responsibilities (see 6.1.3);


c) information security awareness, education, and training (see 8.2.2);

d) correct processing in applications (see 12.2);

e) technical vulnerability management (see 12.6);

f) business continuity management (see 14);

g) management of information security incidents and improvements (see 13.2).


10. Appendix: Information Security Categories

(delete as needed)

The International standards define the following information security categories (Category: Summary):

Risk assessment:
Security policy: management direction
Organization of information security: governance of information security
Asset management: inventory and classification of information assets
Human resources security: security aspects for employees joining, moving and leaving an organization
Physical and environmental security: protection of the computer facilities
Communications and operations management: management of technical security controls in systems and networks
Access control: restriction of access rights to networks, systems, applications, functions and data
Information systems acquisition, development and maintenance: building security into applications
Information security incident management: anticipating and responding appropriately to information security breaches
Business continuity management: protecting, maintaining and recovering business-critical processes and systems
Compliance: ensuring conformance with information security policies, standards, laws and regulations

AS/NZS ISO/IEC 17799:2006 is identical with and has been reproduced from ISO/IEC 17799:2005.

ISO/IEC 27002:2005 comprises ISO/IEC 17799:2005 and ISO/IEC 17799:2005/Cor.1:2007. Its technical content is identical to that of ISO/IEC 17799:2005. ISO/IEC 17799:2005/Cor.1:2007 changes the reference number of the standard from 17799 to 27002.



11. Appendix: Information Security Controls

(delete as needed)

AS/NZS ISO/IEC 17799:2006 defines 39 information security controls in twelve categories.

The table below is arranged by Category, then Section, giving each section's Purpose and Sub-sections.

4 Risk Assessment

  4.1 Assessing Security risks
    Purpose: Risk assessments should identify, quantify, and prioritize risks against criteria relevant to the organization.

  4.2 Treating Security risks
    Purpose: Controls to manage or reduce the risk or its impact

5 Security Policy

  5.1 Information Security Policy
    Purpose: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

6 Organization Of Information Security

  6.1 Internal Organization
    Purpose: To manage information security within the organization.
    Sub-sections:
      6.1.1 Management Commitment To Information Security
      6.1.2 Information Security Co-Ordination
      6.1.3 Allocation Of Information Security Responsibilities
      6.1.4 Authorization Process For Information Processing Facilities
      6.1.5 Confidentiality Agreements
      6.1.6 Contact With Authorities
      6.1.7 Contact With Special Interest Groups
      6.1.8 Independent Review Of Information Security

  6.2 External Parties
    Purpose: To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.
    Sub-sections:
      6.2.1 Identification Of Risks Related To External Parties
      6.2.2 Addressing Security When Dealing With Customers
      6.2.3 Addressing Security In Third Party Agreements

7 Asset Management

  7.1 Responsibility For Assets
    Purpose: To achieve and maintain appropriate protection of organizational assets.
    Sub-sections:
      7.1.1 Inventory Of Assets
      7.1.2 Ownership Of Assets
      7.1.3 Acceptable Use Of Assets

  7.2 Information Classification
    Purpose: To ensure that information receives an appropriate level of protection.
    Sub-sections:
      7.2.1 Classification Guidelines
      7.2.2 Information Labelling And Handling


8 Human Resources Security

  8.1 Prior To Employment
    Purpose: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

  8.2 During Employment
    Purpose: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error
    Sub-sections:
      8.2.1 Management Responsibilities
      8.2.2 Information Security Awareness, Education, And Training
      8.2.3 Disciplinary Process

  8.3 Termination Or Change Of Employment
    Purpose: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.
    Sub-sections:
      8.3.1 Termination Responsibilities
      8.3.2 Return Of Assets
      8.3.3 Removal Of Access Rights

9 Physical And Environmental Security

  9.1 Secure Areas
    Purpose: To prevent unauthorized physical access, damage, and interference to the organization’s premises and information.
    Sub-sections:
      9.1.1 Physical Security Perimeter
      9.1.2 Physical Entry Controls
      9.1.3 Securing Offices, Rooms, And Facilities
      9.1.4 Protecting Against External And Environmental Threats
      9.1.5 Working In Secure Areas
      9.1.6 Public Access, Delivery, And Loading Areas

  9.2 Equipment Security
    Purpose: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s activities.
    Sub-sections:
      9.2.1 Equipment Siting And Protection
      9.2.2 Supporting Utilities
      9.2.3 Cabling Security
      9.2.4 Equipment Maintenance
      9.2.5 Security Of Equipment Off-Premises
      9.2.6 Secure Disposal Or Re-Use Of Equipment
      9.2.7 Removal Of Property


10 Communications And Operations Management

  10.1 Operational Procedures And Responsibilities
    Purpose: To ensure the correct and secure operation of information processing facilities.
    Sub-sections:
      10.1.1 Documented Operating Procedures
      10.1.2 Change Management
      10.1.3 Segregation Of Duties
      10.1.4 Separation Of Development, Test, And Operational Facilities

  10.2 Third Party Service Delivery Management
    Purpose: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.
    Sub-sections:
      10.2.1 Service Delivery
      10.2.2 Monitoring And Review Of Third Party Services
      10.2.3 Managing Changes To Third Party Services

  10.3 System Planning And Acceptance
    Purpose: To minimize the risk of systems failures.
    Sub-sections:
      10.3.1 Capacity Management
      10.3.2 System Acceptance

  10.4 Protection Against Malicious And Mobile Code
    Purpose: To protect the integrity of software and information.
    Sub-sections:
      10.4.1 Controls Against Malicious Code
      10.4.2 Controls Against Mobile Code

  10.5 Back-Up
    Purpose: To maintain the integrity and availability of information and information processing facilities.
    Sub-sections:
      10.5.1 Information Back-Up

  10.6 Network Security Management
    Purpose: To ensure the protection of information in networks and the protection of the supporting infrastructure
    Sub-sections:
      10.6.1 Network Controls
      10.6.2 Security Of Network Services

  10.7 Media Handling
    Purpose: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities.
    Sub-sections:
      10.7.1 Management Of Removable Media
      10.7.2 Disposal Of Media
      10.7.3 Information Handling Procedures
      10.7.4 Security Of System Documentation

  10.8 Exchange Of Information
    Purpose: To maintain the security of information and software exchanged within an organization and with any external entity.

  10.9 Electronic Commerce Services
    Purpose: To ensure the security of electronic commerce services, and their secure use.
    Sub-sections:
      10.9.1 Electronic Commerce
      10.9.2 On-Line Transactions
      10.9.3 Publicly Available Information



  10.10 Monitoring
    Purpose: To detect unauthorized information processing activities.
    Sub-sections:
      10.10.1 Audit Logging
      10.10.2 Monitoring System Use
      10.10.3 Protection Of Log Information
      10.10.4 Administrator And Operator Logs
      10.10.5 Fault Logging
      10.10.6 Clock Synchronization

11 Access Control

  11.1 Business Requirement For Access Control
    Purpose: To control access to information.
    Sub-sections:
      11.1.1 Access Control Policy

  11.2 User Access Management
    Purpose: To ensure authorized user access and to prevent unauthorized access to information systems.
    Sub-sections:
      11.2.1 User Registration
      11.2.2 Privilege Management
      11.2.3 User Password Management
      11.2.4 Review Of User Access Rights

  11.3 User Responsibilities
    Purpose: To prevent unauthorized user access, and compromise or theft of information and information processing facilities.
    Sub-sections:
      11.3.1 Password Use
      11.3.2 Unattended User Equipment
      11.3.3 Clear Desk And Clear Screen Policy

  11.4 Network Access Control
    Purpose: To prevent unauthorized access to networked services.
    Sub-sections:
      11.4.1 Policy On Use Of Network Services
      11.4.2 User Authentication For External Connections
      11.4.3 Equipment Identification In Networks
      11.4.4 Remote Diagnostic And Configuration Port Protection
      11.4.5 Segregation In Networks
      11.4.6 Network Connection Control
      11.4.7 Network Routing Control

  11.5 Operating System Access Control
    Purpose: To prevent unauthorized access to operating systems.
    Sub-sections:
      11.5.1 Secure Log-On Procedures
      11.5.2 User Identification And Authentication
      11.5.3 Password Management System
      11.5.4 Use Of System Utilities
      11.5.5 Session Time-Out
      11.5.6 Limitation Of Connection Time

  11.6 Application And Information Access Control
    Purpose: To prevent unauthorized access to information held in application systems.
    Sub-sections:
      11.6.1 Information Access Restriction
      11.6.2 Sensitive System Isolation

  11.7 Mobile Computing And Teleworking
    Purpose: To ensure information security when using mobile computing and teleworking facilities.
    Sub-sections:
      11.7.1 Mobile Computing And Communications
      11.7.2 Teleworking


12 Information Systems Acquisition, Development and Maintenance

  12.1 Security Requirements Of Information Systems
    Purpose: To ensure that security is an integral part of information systems.
    Sub-sections:
      12.1.1 Security Requirements Analysis And Specification

  12.2 Correct Processing In Applications
    Purpose: To prevent errors, loss, unauthorized modification or misuse of information in applications.
    Sub-sections:
      12.2.1 Input Data Validation
      12.2.2 Control Of Internal Processing
      12.2.3 Message Integrity
      12.2.4 Output Data Validation

  12.3 Cryptographic Controls
    Purpose: To protect the confidentiality, authenticity or integrity of information by cryptographic means.
    Sub-sections:
      12.3.1 Policy On The Use Of Cryptographic Controls
      12.3.2 Key Management

  12.4 Security Of System Files
    Purpose: To ensure the security of system files.

  12.5 Security In Development And Support Processes
    Purpose: To maintain the security of application system software and information.
    Sub-sections:
      12.5.1 Change Control Procedures
      12.5.2 Technical Review Of Applications After Operating System Changes
      12.5.3 Restrictions On Changes To Software Packages
      12.5.4 Information Leakage
      12.5.5 Outsourced Software Development

  12.6 Technical Vulnerability Management
    Purpose: To reduce risks resulting from exploitation of published technical vulnerabilities.
    Sub-sections:
      12.6.1 Control Of Technical Vulnerabilities

13 Information Security Incident Management

  13.1 Reporting Information Security Events And Weaknesses
    Purpose: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
    Sub-sections:
      13.1.1 Reporting Information Security Events
      13.1.2 Reporting Security Weaknesses

  13.2 Management Of Information Security Incidents And Improvements
    Purpose: To ensure a consistent and effective approach is applied to the management of information security incidents.
    Sub-sections:
      13.2.1 Responsibilities And Procedures
      13.2.2 Learning From Information Security Incidents
      13.2.3 Collection Of Evidence


14 Business Continuity Management

  14.1 Information Security Aspects Of Business Continuity Management
    Purpose: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
    Sub-sections:
      14.1.1 Including Information Security In The Business Continuity Management Process
      14.1.2 Business Continuity And Risk Assessment
      14.1.3 Developing And Implementing Continuity Plans Including Information Security
      14.1.4 Business Continuity Planning Framework
      14.1.5 Testing, Maintaining And Re-Assessing Business Continuity Plans

15 Compliance

  15.1 Compliance With Legal Requirements
    Purpose: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.
    Sub-sections:
      15.1.1 Identification Of Applicable Legislation
      15.1.2 Intellectual Property Rights (IPR)
      15.1.3 Protection Of Organizational Records
      15.1.4 Data Protection And Privacy Of Personal Information
      15.1.5 Prevention Of Misuse Of Information Processing Facilities
      15.1.6 Regulation Of Cryptographic Controls

  15.2 Compliance With Security Policies And Standards, And Technical Compliance
    Purpose: To ensure compliance of systems with organizational security policies and standards.
    Sub-sections:
      15.2.1 Compliance With Security Policies And Standards
      15.2.2 Technical Compliance Checking

  15.3 Information Systems Audit Considerations
    Purpose: To maximize the effectiveness of and to minimize interference to/from the information systems audit process.
    Sub-sections:
      15.3.1 Information Systems Audit Controls

12. Potential Policies

(delete as needed)

The ISO/AS/NZS Information Security Controls can be used as a framework or structure for information security policies.