This Slideshare presentation is a partial preview of the full business document. To view and download the full document, please go here:
http://flevy.com/browse/business-document/it-security-and-governance-template-312
This Word document provides a template for an IT Security & Governance Policy and is easily customisable. Areas covered are: Security, Data Back-Up, Virus Protection, Internet & Email Usage, Remote & 3rd Party Network Access, User-Account Management, Procurement, Asset Management and IS Service Continuity Planning.
Dartview Consulting - IT Security & Governance Policy Template
Contents
1. Summary and Purpose ..... 4
2. Scope ..... 4
3. Policy Responsibilities ..... 4
4. Associated Documents or Links ..... 4
5. Guiding Standards & Frameworks ..... 4
6. Security ..... 5
6.1. Approach ..... 5
6.2. Responsibilities ..... 5
6.3. Incident Reporting ..... 5
6.4. Physical Security & Restricted Areas ..... 5
6.5. Passwords ..... 5
6.6. Penetration Testing ..... 6
7. Back-Up & Data Management ..... 7
7.1. Available Storage Areas ..... 7
7.2. Email Data & Personal Folders ..... 7
7.3. Portable Media ..... 7
7.4. Type and Content of Data ..... 7
7.5. Archiving of Data ..... 8
7.6. Disc Quotas ..... 8
7.7. Back-Up Methods ..... 8
7.8. Data Retention ..... 8
8. Virus Protection ..... 9
8.1. Unauthorised Software ..... 9
8.2. Employee Awareness and Responsibility ..... 9
8.3. Virus Prevention, Detection and Removal ..... 9
9. Internet & Email ..... 10
9.1. Improper Use ..... 11
9.2. Good Practice ..... 11
10. Third-Party Access ..... 12
11. Employee Remote Access ..... 12
12. Account Administration ..... 13
13. Shared Folders ..... 13
14. Email Distribution Lists ..... 14
15. Procurement ..... 15
16. IS Service Continuity ..... 17
6. Security
This section should state the overall management approach towards Information Security,
moving on to detail any specific areas.
"Increasingly, the business and its information systems, processes and networks are faced
with security threats from a range of sources including fraud, sabotage, fire and flood.
Computer viruses, hacking and denial of service attacks are becoming more common and
sophisticated as the connection of public and private networks to facilitate the sharing of
information resources becomes the norm.
Information is vital to the business and it must be safeguarded in order to help maintain
competitiveness, ensure compliance with relevant legislation and maintain commercial
image."
6.1. Approach
"Senior Management is committed to the goals and principles of Information Security,
and will endeavour to ensure that the information assets of the business remain
adequately secured against all relevant risks. This will be achieved through:
• An appropriate risk assessment process and the production, maintenance and
enforcement of policies relating to specific areas of IT risk
• The provision of best practice guidance on the management of risks
• Raising the profile of information security and increasing employee awareness
through appropriate education and training
• Regular review of policy to ensure relevance
• Regular audits to ensure policy compliance"
6.2. Responsibilities
"Overall responsibility for information security lies with the Board of Directors, whilst the
Head of Information Services has specific responsibility for managing Information
Security on a day-to-day basis.
All employees are responsible for managing the security of any information they hold and
preventing unauthorised access, modification, destruction or disclosure."
6.3. Incident Reporting
"All employees are responsible for reporting any security breaches, intrusions or incidents
to the IS Service Desk. All security incidents will be investigated."
6.4. Physical Security & Restricted Areas
"Only members of the Information Services team will be given access to the Server Room
and IT Stores. Access will be controlled by a swipe card system."
6.5. Passwords
"Employees must log onto the network with their own User-ID and password, and these
must not be shared across multiple users.
7. Back-Up & Data Management
This section should state the overall management approach towards data back-up and
management, moving on to detail any specific areas.
"Data stored on the <insert organisation name> network is Intellectual Property. It is
extremely important that this data is secured, protected, and recoverable in a timeframe
acceptable to the business.
Data is distributed throughout the organisation on numerous servers. It is also stored in a
number of formats (flat file, database, etc.). In order to protect this data, back-up copies will
be taken to allow retrieval of lost or corrupt data, and in extreme circumstances, to allow data
to be restored in support of Disaster Recovery or IS Service Continuity purposes.
The purpose of this section is to define the back-up policy that will be used to achieve these
goals."
7.1. Available Storage Areas
This sub-section should state what storage areas are available to the business. This
may simply be a Windows filing system with "drive letters" set aside for personal and
shared storage, or may refer to the use of a formal Document Management System. If a
Windows filing system is being used, it is important to state any areas that will not be
backed up on a regular basis. Employees need to be told specifically where, and where
not, to store their data. It is common to refer to a "Good Practice Guide" that goes
into more detail.
7.2. Email Data & Personal Folders
This sub-section should state the organisation's approach towards email data and the
use of personal folders. It should state whether Personal Folders are allowed or not, and if
so, where they should be stored. It should refer to any mailbox limits that will be enforced
(single message size, mailbox size, etc.) and the protocol for mailbox archiving.
Employees should be advised how to save attachments and where they should be
stored. Employees using laptops, who come into the office environment only infrequently,
need to be considered here. It is common to refer to a "Good Practice Guide" that goes
into more detail.
7.3. Portable Media
This sub-section should state the organisation's approach towards portable data. It
should cover the use of USB sticks, USB hard drives, CDs and DVDs. What this section
says is very much dependent on the type of organisation, the sector in which it operates,
and the legislation that applies. For organisations where data security and confidentiality
is paramount, there will be a need to detail what encryption methods and protocols are to
be used, and what processes are to be followed for authorised removal of data from the
corporate environment.
7.4. Type and Content of Data
This sub-section should state what type of data the organisation will allow to be retained
on the corporate network, and who is responsible for ensuring compliance and reporting
a breach. It should state the process for reporting the discovery of non-business data
(family pictures, etc.) and inappropriate content (pornographic, racist, etc.) and should
also outline any disciplinary actions that may follow discovery of such material.
8. Virus Protection
This section should describe the controls that the organisation will use to ensure the
protection, integrity and availability of its software and information assets. All software and
information processing facilities are vulnerable to the introduction of malicious software such
as computer viruses, trojans and worms. The organisation must ensure that all employees
are aware of the dangers of using unauthorised software, and are appropriately trained in the
safe use of Email and Internet access facilities.
8.1. Unauthorised Software
This sub-section should state the organisation's stance with regard to unauthorised
software: why it places the organisation at risk, what measures will be put in place to
prevent its installation, and what processes will be followed in the event of its discovery.
8.2. Employee Awareness and Responsibility
This sub-section should provide all employees with a degree of awareness, highlighting
the risks associated with obtaining files from external sources (including via disk, file
transfer, internet download, email or other medium), and the measures that can be taken
to mitigate them. Employee obligations, in terms of reporting suspicious
activity/behaviour of systems and applications, should also be covered. An internal
programme of regular education is a good idea.
8.3. Virus Prevention, Detection and Removal
This sub-section should detail the measures that the organisation will take in order to
prevent, detect, and remove viruses. It should include:
• Details of the software to be used for both Employee Hardware (PCs & Laptops)
and for Infrastructure items such as Servers
• How the software will be configured to operate (e.g. auto-scan on boot, scan on
insertion of portable media, etc.)
• Details of how software updates will be distributed and who will be responsible for
making sure this happens
• Details of the processes to be adopted once a virus has been detected
• Details of the processes to be adopted for virus removal
• Details of any reports covering virus prevention, detection and removal that may
be required at Board Level
internet and email activities by law enforcement and regulatory bodies. As such, email and
internet access will be monitored. The organisation restricts access to certain categories of
site and has installed a variety of firewalls and other security systems. Employees must not
attempt to disable or circumvent these systems. If an attempt is made to access a prohibited
site, the employee's browser will be redirected to the organisation's own web page. Where
an employee requires access to a restricted site for business purposes, a "Restricted
Internet site access request" form must be completed and submitted to the IT Service Desk."
"It is not permitted to apply automated email forwarding from any organisation email account
to any external email account."
9.1. Improper Use
This sub-section should detail the uses of the Internet and Email service deemed by the
organisation as being "Improper".
Engaging in any of the following activities is likely to result in disciplinary action and may
result in civil liability or criminal prosecution.
• Viewing, downloading, sending or publishing material that may be considered
offensive, illegal, obscene, profane, malicious, abusive or disparaging on the basis of
age, sex, race, religion, disability or sexual orientation.
• Sending or publishing material that has the potential to embarrass, harass, or
intimidate.
• Sending or publishing material that damages the reputation of any person or
organisation (or its goods or services).
• Sending or publishing information that you know to be false or misleading.
• Making unauthorised contractual commitments.
• Failing to comply with project transmittal or security instructions.
• Divulging confidential information including any personal information about other
individuals without appropriate authorisation.
• Downloading or distributing copyright material without permission to do so.
• Installing or distributing unauthorised or unlicensed software or data.
• Using an account other than your own without the delegated authority of its owner.
• Falsifying user information.
• Subscribing to information broadcast services that are unrelated to business
activities.
• Forwarding chain letters or other forms of junk mail.
• Computer and network hacking.
• Deliberately propagating any virus or similar malicious code.
• Soliciting for personal gain or profit.
• Gambling.
• Conducting illegal activities.
9.2. Good Practice
This sub-section should detail the uses of the Internet and Email service deemed by the
organisation as constituting "Good Practice".
The following good practice ensures efficient and productive use of the Internet and email
systems. Failure to adhere to this good practice may result in access to these services
being withdrawn or restricted.
• Do not send trivial email messages. Use appropriate language at all times.
• Ensure that emails are addressed correctly and consider to whom messages should
be copied or forwarded, keeping the number of addressees to a minimum.
12. Account Administration
This section should state the control procedures that will be used with regard to User
Account Administration. It should include:
• Details of the process that must be used by the business when requesting New
Account Creation, and the information that must be provided as a minimum.
• Details of (or reference to) the SLA in place with the Service Desk (what is the stated
turnaround time from receipt of request to an account being available for use).
• Details of the process that must be used by the business when requesting Account
Closure, and the information that must be provided as a minimum.
• Details of (or reference to) the SLA in place with the Service Desk (what is the stated
turnaround time from receipt of request to an account being closed).
• Details of the process that must be used by the business when requesting Account
Modification, and the information that must be provided as a minimum.
• Details of (or reference to) the SLA in place with the Service Desk (what is the stated
turnaround time from receipt of request to an account being modified).
• Details of the process that will be followed by the Service Desk with regard to the
data associated with Closed Accounts, and the authorisations required in making
such data available to another person (e.g. a successor, the leaver's line manager,
etc.).
• Details of the process that must be used by the business in order to ensure prompt
return of any assets (e.g. laptop, mobile phone) that have been allocated to any
employee now leaving the organisation.
13. Shared Folders
This section should state the control procedures that will be used with regard to the use of
Shared Folders (in a traditional Windows filing system). It should include:
• Details of the Drive Letter Mapping and Naming Convention that will be used.
• Details of the types of access that will be available (Full and Read-Only are usual).
• Details of the process that must be used by the business when requesting New
Shared Folder Creation, and the information that must be provided as a minimum.
• Details of (or reference to) the SLA in place with the Service Desk (what is the stated
turnaround time from receipt of request to a new shared folder being available for
use).
• Details of the process that must be used by the business when requesting Change of
Access Rights for an existing Shared Folder, and the information that must be
provided as a minimum.
• Details of (or reference to) the SLA in place with the Service Desk (what is the stated
turnaround time from receipt of request to the change in access rights being
implemented).
15. Procurement
This section should outline the organisation's approach towards the procurement of IT Goods
and Services. It should include:
• Details of who is responsible for the actual placement of purchase orders.
• Details of the process that must be used by the business when making requisitions,
and the authorisations that are required.
• Details of the process that must be used by the business when receiving goods
and/or services.
• Details of any stock control and inventory procedures that will be used.
• Details of the Asset Management & Tagging process that will be used for Hardware
and Software (this should include details of how assets will be recorded in the
CMDB of the Service Management System).
• Details of the process to be used with regard to Disposal of Assets (consider the
WEEE directive).
"In order to ensure compliance with the organisation's technical infrastructure, and to
maximise business assets, all procurement of hardware, software, and services will be
performed by Information Services."
"All requests for 'day to day' IS expenditure must be made via the Service Desk Customer
Portal. Where a need for expenditure has arisen from a discussion between the business
and Information Services, a retrospective request will be logged by IS."
"All requests for IS expenditure are subject to authorisation, at their discretion, by the Head of
Information Services and the Chief Financial Officer."
"All Purchase Orders will be raised by Information Services using the vendor's online
procurement process wherever available."
"All hardware and software will be delivered to the organisation's UK Head Office for the
attention of the Information Services department. Information Services will be responsible for
confirming receipt of delivery."
"All hardware items and software licences will be recorded as individual Configuration Items
(CIs) within the Configuration Management Database (CMDB) of the Service Management
System adopted by Information Services (<name of ITSM application>)."
"In order to achieve Service Level Agreement commitments, Information Services will
maintain a stock of hardware and software. Requests for expenditure will be met from stock
wherever possible."
"Assets will not be deployed to individual users unless a request has been made via the
Service Desk Customer Portal. Prior to deployment, all hardware will be 'asset-tagged' and
the CMDB updated to record that the asset has been deployed. Where assets are returned
into stock, regardless of the circumstances, the following information must be provided to the
Head of Information Services:"
• Organisation Asset Reference
• Manufacturer Tag Reference
• Manufacturer Serial Number
• Previous User
• Software currently installed
16. IS Service Continuity
This section should outline the organisation's stance with regard to IS Service Continuity,
and as such should either be a detailed and comprehensive section or, more practically, refer
to a separate "IS Service Continuity Plan". Areas for consideration should be:
• Identify & Assess the risks posed to the Infrastructure used to deliver services to the
organisation
• Identify & Assess the risks posed to the Network used to deliver services to the
organisation
• Identify & Assess the risks posed to the Resources used to deliver services to the
organisation
• Detail the planned responses to each risk, agree remedial action, assign ownership,
and develop test scenarios
• Reference to any wider Risk Management Policy and Risk Management Strategy that
the organisation may maintain
Suggested approach:
Clearly define a Scope
The term "IS Service Continuity" should be clearly understood as being only "a component" of
the wider Business Continuity or Disaster Recovery topics. These wider topics are NOT
discussed or addressed in this document as they do not fall within the remit of Information
Services.
For example, if a transport issue or a viral outbreak means that an organisation's Head
Office becomes inaccessible, this does not necessarily constitute a need for IS Service
Continuity action to be taken; it may just be a Business Continuity issue, provided the services
themselves can still be accessed. If, however, the Service Desk staff are based in the same
building and cannot man the telephones, this is certainly an issue that must be dealt with.
Provide some Background to set the scene
The current IT Infrastructure could be described here (avoiding too much technical detail)
and shown in graphical format. Make reference to any existing contractual agreements (e.g.
Co-Location arrangements, External Data Centre services, or any other part of the provision
of services to the organisation that has been outsourced).
Physical Geography of the Organisation
The physical distribution of the organisation's operational activities could be described here:
where the offices are located, how they are connected to the organisation's IT Infrastructure
and Network, how many people are based at each location, which locations use which
services, etc. Again, a graphical representation is always helpful.
Identify & Assess the Risks
A number of techniques and tools can be used to Identify & Assess risks. Some examples
are:
• Stakeholder Analysis
• RACI Diagram
• PESTLE Analysis
• SWOT Analysis
• Horizon Scanning