IT Security & Governance
Policy Template

Dartview Consulting – IT Security & Governance Policy Template

Contents
1. Summary and Purpose (page 4)
2. Scope (page 4)
3. Policy Responsibilities (page 4)
4. Associated Documents or Links (page 4)
5. Guiding Standards & Frameworks (page 4)
6. Security (page 5)
   6.1. Approach (page 5)
   6.2. Responsibilities (page 5)
   6.3. Incident Reporting (page 5)
   6.4. Physical Security & Restricted Areas (page 5)
   6.5. Passwords (page 5)
   6.6. Penetration Testing (page 6)
7. Back-Up & Data Management (page 7)
   7.1. Available Storage Areas (page 7)
   7.2. Email Data & Personal Folders (page 7)
   7.3. Portable Media (page 7)
   7.4. Type and Content of Data (page 7)
   7.5. Archiving of Data (page 8)
   7.6. Disc Quotas (page 8)
   7.7. Back-Up Methods (page 8)
   7.8. Data Retention (page 8)
8. Virus Protection (page 9)
   8.1. Unauthorised Software (page 9)
   8.2. Employee Awareness and Responsibility (page 9)
   8.3. Virus Prevention, Detection and Removal (page 9)
9. Internet & Email (page 10)
   9.1. Improper Use (page 11)
   9.2. Good Practice (page 11)
10. Third-Party Access (page 12)
11. Employee Remote Access (page 12)
12. Account Administration (page 13)
13. Shared Folders (page 13)
14. Email Distribution Lists (page 14)
15. Procurement (page 15)
16. IS Service Continuity (page 17)


6. Security
This section should state the overall management approach towards Information Security,
moving on to detail any specific areas.
“Increasingly, the business and its information systems, processes and networks are faced
with security threats from a range of sources including fraud, sabotage, fire and flood.
Computer viruses, hacking and denial of service attacks are becoming more common and
sophisticated as the connection of public and private networks to facilitate the sharing of
information resources becomes the norm.
Information is vital to the business and it must be safeguarded in order to help maintain
competitiveness, ensure compliance with relevant legislation and maintain commercial
image.”

6.1. Approach
“Senior Management is committed to the goals and principles of Information Security,
and will endeavour to ensure that the information assets of the business remain
adequately secured against all relevant risks. This will be achieved through:
 An appropriate risk assessment process and the production, maintenance and
enforcement of policies relating to specific areas of IT risk
 The provision of best practice guidance on the management of risks
 Raising the profile of information security and increasing employee awareness
through appropriate education and training
 Regular review of policy to ensure relevance
 Regular audits to ensure policy compliance”

6.2. Responsibilities
“Overall responsibility for information security lies with the Board of Directors, whilst the
Head of Information Services has specific responsibility for managing Information
Security on a day-to-day basis.
All employees are responsible for managing the security of any information they hold and
preventing unauthorised access, modification, destruction or disclosure.”
6.3. Incident Reporting
“All employees are responsible for reporting any security breaches, intrusions or incidents
to the IS Service Desk. All security incidents will be investigated.”
6.4. Physical Security & Restricted Areas
“Only members of the Information Services team will be given access to the Server Room
and IT Stores. Access will be controlled by a swipe card system.”
6.5. Passwords
“Employees must log onto the network with their own User-ID and password, and these
must not be shared across multiple users.


7. Back-Up & Data Management
This section should state the overall management approach towards data back-up and
management, moving on to detail any specific areas.
“Data stored on the <insert organisation name> network is Intellectual Property. It is
extremely important that this data is secured, protected, and recoverable in a timeframe
acceptable to the business.
Data is distributed throughout the organisation on numerous servers. It is also stored in a
number of formats (flat file, database, etc.). In order to protect this data, back-up copies will
be taken to allow retrieval of lost or corrupt data, and in extreme circumstances, to allow data
to be restored in support of Disaster Recovery or IS Service Continuity purposes.
The purpose of this section is to define the back-up policy that will be used to achieve these
goals.”
7.1. Available Storage Areas
This sub-section should state what storage areas are available to the business. This
may simply be a Windows Filing System with 'drive letters' set aside for personal and
shared storage, or may refer to the use of a formal Document Management System. If a
Windows Filing System is being used, it is important to state any areas that will not be
backed up on a regular basis. Employees need to be told specifically where, and where
not, to store their data. It is common to refer to a 'Good Practice Guide' that goes
into more detail.
7.2. Email Data & Personal Folders
This sub-section should state the organisation's approach towards email data and the
use of personal folders. It should state whether Personal Folders are to be allowed, and if
so, where they should be stored. It should refer to any mailbox limits that will be enforced
(single message size, mailbox size, etc.) and the protocol for mailbox archiving.
Employees should be advised how to save attachments and where they should be
stored. Employees using laptops, who come into the office environment only infrequently,
need to be considered here. It is common to refer to a 'Good Practice Guide' that goes
into more detail.
7.3. Portable Media
This sub-section should state the organisation's approach towards portable data. It
should cover the use of USB sticks, USB hard drives, CDs and DVDs. What this section
says is very much dependent on the type of organisation, the sector in which it operates,
and the legislation that applies. For organisations where data security and confidentiality
are paramount, there will be a need to detail what encryption methods and protocols are to
be used, and what processes are to be followed for authorised removal of data from the
corporate environment.
7.4. Type and Content of Data
This sub-section should state what type of data the organisation will allow to be retained
on the corporate network, and who is responsible for ensuring compliance and reporting
breaches. It should state the process for reporting the discovery of non-business data
(family pictures, etc.) and inappropriate content (pornography, racist material, etc.) and should
also outline any disciplinary actions that may follow discovery of such material.


8. Virus Protection
This section should describe the controls that the organisation will use to ensure the
protection, integrity and availability of its software and information assets. All software and
information processing facilities are vulnerable to the introduction of malicious software such
as computer viruses, trojans and worms. The organisation must ensure that all employees
are aware of the dangers of using unauthorised software, and are appropriately trained in the
safe use of Email and Internet access facilities.
8.1. Unauthorised Software
This sub-section should state the organisation's stance with regard to unauthorised
software: why it places the organisation at risk, what measures will be put in place to
prevent its installation, and what processes will be followed in the event of its discovery.
8.2. Employee Awareness and Responsibility
This sub-section should provide all employees with a degree of awareness, highlighting
the risks associated with obtaining files from external sources (including via disk, file
transfer, internet download, email or other medium), and the measures that can be taken
to mitigate against these. Employee obligations, in terms of reporting suspicious
activity/behaviour of systems and applications should also be covered. An internal
programme of regular education is a good idea.
8.3. Virus Prevention, Detection and Removal
This sub-section should detail the measures that the organisation will take in order to
prevent, detect, and remove viruses. It should include:
 Details of the software to be used for both Employee Hardware (PCs & Laptops)
and for Infrastructure items such as Servers
 How the software will be configured to operate (e.g. auto-scan on boot, scan on
insertion of portable media, etc.)
 Details of how software updates will be distributed and who will be responsible for
making sure this happens.
 Details of the processes to be adopted once a virus has been detected
 Details of the processes to be adopted for virus removal
 Details of any reports covering virus prevention, detection and removal that may
be required at Board Level

internet and email activities by law enforcement and regulatory bodies. As such, email and
internet access will be monitored. The organisation restricts access to certain categories of
site and has installed a variety of firewalls and other security systems. Employees must not
attempt to disable or circumvent these systems. If an attempt is made to access a prohibited
site, the employee's browser will be redirected to the organisation's own web page. Where
an employee requires access to a restricted site, for business purposes, then a “Restricted
Internet site access request” form must be completed and submitted to the IT Service Desk.”
“It is not permitted to apply automated email forwarding from any organisation email account
to any external email account.”
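The forwarding prohibition above is only enforceable if someone checks for it. The following is an added example, not part of the Dartview template, showing how an export of mailbox forwarding settings and inbox-rule targets could be audited against it. The export format, the column names, and the sample rows are all constructed for illustration; the list of internal domains is an assumption that would be replaced with the organisation's own. Addresses on a sub-domain of an internal domain are treated as internal.

```python
"""Flag mailboxes that auto-forward to addresses outside the organisation.

Added example; not from the Dartview template. The export layout below
(one row per mailbox, a mailbox-level forwarding address and the targets
of any forwarding inbox rule, ';'-separated) is an assumption, not the
output format of any particular mail platform.
"""
import csv
import io

# Constructed sample export (not real data).
SAMPLE_EXPORT = """mailbox,forwarding_address,rule_forward_to
alice@example.com,,
bob@example.com,bob.home@gmail.example,
carol@example.com,,finance@example.com;c.smith@partner.example
dave@example.com,helpdesk@sub.example.com,
erin@example.com,,"Erin Personal <erin@outlook.example>"
"""

# Assumption: the organisation's own mail domains.
INTERNAL_DOMAINS = {"example.com"}


def _domain_of(address):
    """Return the lower-cased domain of an SMTP address, accepting the
    display-name form 'Name <user@host>'. Returns None if no '@' is present."""
    addr = address.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def is_internal(address, internal_domains=INTERNAL_DOMAINS):
    """True if the address belongs to an internal domain or a sub-domain of one."""
    dom = _domain_of(address)
    if dom is None:
        return False
    return any(dom == d or dom.endswith("." + d) for d in internal_domains)


def find_external_forwards(export_text, internal_domains=INTERNAL_DOMAINS):
    """Return (mailbox, target, source_column) for every forward whose target
    is not internal. Empty cells and internal targets are ignored."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        for column in ("forwarding_address", "rule_forward_to"):
            for target in (row.get(column) or "").split(";"):
                target = target.strip()
                if target and not is_internal(target, internal_domains):
                    findings.append((row["mailbox"], target, column))
    return findings


if __name__ == "__main__":
    for mailbox, target, source in find_external_forwards(SAMPLE_EXPORT):
        print(f"{mailbox}: forwards to {target} via {source}")
```

Run periodically against a fresh export, the findings list is the set of mailboxes that breach the rule; an empty list is the expected result. The sub-domain rule is deliberate: a forward to a mail-enabled internal system is not a data-leaving-the-organisation event, while anything else is reported regardless of how the address is written.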
9.1. Improper Use
This sub-section should detail the uses of the Internet and Email service deemed by the
organisation as being 'Improper'.
Engaging in any of the following activities is likely to result in disciplinary action and may
result in civil liability or criminal prosecution.
 Viewing, downloading, sending or publishing material that may be considered
offensive, illegal, obscene, profane, malicious, abusive or disparaging on the basis of
age, sex, race, religion, disability or sexual orientation.
 Sending or publishing material that has the potential to embarrass, harass, or
intimidate.
 Sending or publishing material that damages the reputation of any person or
organisation (or its goods or services).
 Sending or publishing information that you know to be false or misleading.
 Making unauthorised contractual commitments.
 Failing to comply with project transmittal or security instructions.
 Divulging confidential information including any personal information about other
individuals without appropriate authorisation.
 Downloading or distributing copyright material without permission to do so.
 Installing or distributing unauthorised or unlicensed software or data.
 Using an account other than your own without the delegated authority of its owner.
 Falsifying user information.
 Subscribing to information broadcast services that are unrelated to business
activities.
 Forwarding chain letters or other forms of junk mail.
 Computer and network hacking.
 Deliberately propagating any virus or similar malicious code.
 Soliciting for personal gain or profit.
 Gambling.
 Conducting illegal activities.

9.2. Good Practice
This sub-section should detail the uses of the Internet and Email service deemed by the
organisation as constituting 'Good Practice'.
The following good practice ensures efficient and productive use of the Internet and email
systems. Failure to adhere to this good practice may result in access to these services
being withdrawn or restricted.
 Do not send trivial email messages. Use appropriate language at all times.
 Ensure that emails are addressed correctly and consider to whom messages should
be copied or forwarded, keeping the number of addressees to a minimum.


12. Account Administration
This section should state the control procedures that will be used with regard to the User
Account Administration. It should include:
 Details of the process that must be used by the business when requesting New
Account Creation, and the information that must be provided as a minimum.
 Details of (or reference to) the SLA in place with the Service Desk (what is the stated
turnaround time from receipt of request to an account being available for use)
 Details of the process that must be used by the business when requesting Account
Closure, and the information that must be provided as a minimum.
 Details of (or reference to) the SLA in place with the Service Desk (what is the stated
turnaround time from receipt of request to an account being closed)
 Details of the process that must be used by the business when requesting Account
Modification, and the information that must be provided as a minimum.
 Details of (or reference to) the SLA in place with the Service Desk (what is the stated
turnaround time from receipt of request to an account being modified)
 Details of the process that will be followed by the Service Desk with regards to the
data associated with Closed Accounts, and the authorisations required in making
such data available to another person (e.g. a successor, the leaver's line manager,
etc.)
 Details of the process that must be used by the business, in order to ensure prompt
return of any assets (e.g. laptop, mobile phone) that have been allocated to any
employee now leaving the organisation.
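The Account Closure process and its Service Desk SLA are only worth writing down if compliance with them is measured. The following is an added example, not part of the Dartview template, that reconciles a constructed HR leavers list against a constructed directory export and reports accounts that are still enabled past the SLA, accounts that recorded a logon after the leaving date, and leavers for whom no account could be found. The one-working-day SLA, the record layouts and all names are assumptions made for the illustration.

```python
"""Reconcile HR leavers against a directory export.

Added example; not from the Dartview template. The SLA value, the two
record layouts and every user-id below are constructed assumptions.
"""
from datetime import date, timedelta

# Assumption: accounts must be disabled within one day of the leaving date.
SLA_DAYS = 1

# Constructed HR feed: user-id -> leaving date.
LEAVERS = {
    "jsmith": date(2024, 3, 1),
    "pjones": date(2024, 3, 4),
    "akhan": date(2024, 3, 5),
    "mlee": date(2024, 2, 20),
    "tnguyen": date(2024, 3, 1),
}

# Constructed directory export: user-id -> (account enabled?, last logon or None).
DIRECTORY = {
    "jsmith": (True, date(2024, 3, 6)),   # still enabled and used after leaving
    "pjones": (False, date(2024, 3, 4)),  # correctly disabled
    "akhan": (True, None),                # enabled but still inside the SLA window
    "mlee": (True, date(2024, 2, 19)),    # enabled well past the SLA, not used
    "rgreen": (True, date(2024, 3, 5)),   # not a leaver; ignored
}


def audit_leavers(leavers, directory, today, sla_days=SLA_DAYS):
    """Return a sorted list of (user_id, issue) tuples.

    Issues raised:
      'not_disabled'      - account still enabled after leaving date + SLA
      'used_after_leave'  - a logon is recorded after the leaving date
      'not_in_directory'  - HR lists a leaver with no matching account
    A leaver whose SLA window has not yet expired raises nothing.
    """
    issues = []
    for uid, left in sorted(leavers.items()):
        if uid not in directory:
            issues.append((uid, "not_in_directory"))
            continue
        enabled, last_logon = directory[uid]
        if enabled and today > left + timedelta(days=sla_days):
            issues.append((uid, "not_disabled"))
        if last_logon is not None and last_logon > left:
            issues.append((uid, "used_after_leave"))
    return issues


if __name__ == "__main__":
    for uid, issue in audit_leavers(LEAVERS, DIRECTORY, today=date(2024, 3, 6)):
        print(f"{uid}: {issue}")
```

The "used_after_leave" case is the one that matters most for security: an enabled account is a policy breach, but a logon after the leaving date is evidence that the breach was exercised and should be handed to Incident Reporting (section 6.3), not just to the Service Desk queue.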

13. Shared Folders
This section should state the control procedures that will be used with regard to the use of
Shared Folders (in a traditional Windows Filing System). It should include:
 Details of the Drive Letter Mapping and Naming Convention that will be used.
 Details of the types of access that will be available (Full and Read-Only are usual).
 Details of the process that must be used by the business when requesting New
Shared Folder Creation, and the information that must be provided as a minimum.
 Details of (or reference to) the SLA in place with the Service Desk (what is the stated
turnaround time from receipt of request to a new shared folder being available for
use).
 Details of the process that must be used by the business when requesting Change of
Access Rights for an existing Shared Folder, and the information that must be
provided as a minimum.
 Details of (or reference to) the SLA in place with the Service Desk (what is the stated
turnaround time from receipt of request to the change in access rights being
implemented)


15. Procurement
This section should outline the organisation's approach towards the procurement of IT Goods
and Services. It should include:
 Details of who is responsible for the actual placement of purchase orders.
 Details of the process that must be used by the business when making requisitions,
and the authorisations that are required
 Details of the process that must be used by the business when receiving goods and
or services
 Details of any stock control and inventory procedures that will be used.
 Details of the Asset Management & Tagging process that will be used for Hardware
and Software (this should include details of how assets will be recorded in the
CMDB of the Service Management System)
 Details of the process to be used with regard to Disposal of Assets (consider the
WEEE directive)
“In order to ensure compliance with the organisation's technical infrastructure, and to
maximise business assets, all procurement of hardware, software, and services, will be
performed by Information Services.”
“All requests for 'day to day' IS expenditure must be made via the Service Desk Customer
Portal. Where a need for expenditure has arisen from a discussion between the business
and Information Services, a retrospective request will be logged by IS.”
“All requests for IS expenditure are subject, at their discretion, to authorisation by the Head of
Information Services and the Chief Financial Officer.”
“All Purchase Orders will be raised by Information Services using the vendor's online
procurement process wherever available.”
“All hardware and software will be delivered to the organisation's UK Head Office for the
attention of the Information Services department. Information Services will be responsible for
confirming receipt of delivery.”
“All hardware items and software licences will be recorded as individual Configuration Items
(CIs) within the Configuration Management Database (CMDB) of the Service Management
System adopted by Information Services (<name of ITSM application>).”
“In order to achieve Service Level Agreement commitments, Information Services will
maintain a stock of hardware and software. Requests for expenditure will be met from stock
wherever possible.”
“Assets will not be deployed to individual users unless a request has been made via the
Service Desk Customer Portal. Prior to deployment, all hardware will be 'asset-tagged' and
the CMDB updated to record that the asset has been deployed. Where assets are returned
into stock, regardless of the circumstances, the following information must be provided to the
Head of Information Services:”
 Organisation Asset Reference
 Manufacturer Tag Reference
 Manufacturer Serial Number
 Previous User
 Software currently installed


16. IS Service Continuity
This section should outline the organisation's stance with regard to IS Service Continuity,
and as such should either be a detailed and comprehensive section, or more practically, refer
to a separate “IS Service Continuity Plan”. Areas for consideration should be:
 Identify & Assess the risks posed to the Infrastructure used to deliver services to the
organisation
 Identify & Assess the risks posed to the Network used to deliver services to the
organisation
 Identify & Assess the risks posed to the Resources used to deliver services to the
organisation
 Detail the planned responses to each risk, agree remedial action, assign ownership,
and develop test scenarios.
 Reference to any wider Risk Management Policy and Risk Management Strategy that
the organisation may maintain.
Suggested approach:
Clearly define a Scope
The term 'IS Service Continuity' should be clearly understood as being only 'a component' of
the wider Business Continuity or Disaster Recovery topics. These wider topics are NOT
discussed or addressed in this document as they do not fall within the remit of Information
Services.
For example, if a Transport Issue or a Viral Outbreak means that an organisation's Head
Office becomes inaccessible, this does not necessarily constitute a need for IS Service
Continuity action to be taken; it may just be a Business Continuity issue, provided the services
themselves can still be accessed. If, however, the Service Desk staff are based in the same
building and cannot man the telephones, this is certainly an issue that must be dealt with.
Provide some Background to set the scene
The current IT Infrastructure could be described here (avoiding too much technical detail)
and shown in graphical format. Make reference to any existing contractual agreements (e.g.
Co-Location arrangements, External Data Centre services, or any other part of the provision
of services to the organisation that has been outsourced).
Physical Geography of the Organisation
The physical distribution of the organisation's operational activities could be described here.
Where are the offices located, how are they connected to the organisation's IT Infrastructure
and Network, how many people are based at each location, which locations use which
services, etc. Again, a graphical representation is always helpful.
Identify & Assess the Risks
A number of techniques and tools can be used to Identify & Assess risks. Some examples
are:
 Stakeholder Analysis
 RACI Diagram
 PESTLE Analysis
 SWOT Analysis
 Horizon Scanning

 
Ch06 Policy
Ch06 PolicyCh06 Policy
Ch06 Policy
 
Whitman_Ch04.pptx
Whitman_Ch04.pptxWhitman_Ch04.pptx
Whitman_Ch04.pptx
 
Building and implementing a successful information security policy
Building and implementing a successful information security policyBuilding and implementing a successful information security policy
Building and implementing a successful information security policy
 
Essay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxEssay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docx
 
Security and Governance Strategies for the Consumerization of IT
Security and Governance Strategies for the Consumerization of ITSecurity and Governance Strategies for the Consumerization of IT
Security and Governance Strategies for the Consumerization of IT
 
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdfpdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
 
Ch.5 rq (1)
Ch.5 rq (1)Ch.5 rq (1)
Ch.5 rq (1)
 
Seven Essential Strategies for Effective Archiving
Seven Essential Strategies for Effective ArchivingSeven Essential Strategies for Effective Archiving
Seven Essential Strategies for Effective Archiving
 
Symantec Data Loss Prevention - Technical Proposal (General)
Symantec Data Loss Prevention - Technical Proposal (General)Symantec Data Loss Prevention - Technical Proposal (General)
Symantec Data Loss Prevention - Technical Proposal (General)
 
Security policy.pdf
Security policy.pdfSecurity policy.pdf
Security policy.pdf
 

More from Flevy.com Best Practices

100 Case Studies on Strategy & Transformation.pdf
100 Case Studies on Strategy & Transformation.pdf100 Case Studies on Strategy & Transformation.pdf
100 Case Studies on Strategy & Transformation.pdf
Flevy.com Best Practices
 
Project Management for MBA (in French)
Project Management for MBA (in French)Project Management for MBA (in French)
Project Management for MBA (in French)
Flevy.com Best Practices
 
Customer-centric Culture
Customer-centric CultureCustomer-centric Culture
Customer-centric Culture
Flevy.com Best Practices
 
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...
Flevy.com Best Practices
 
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
Flevy.com Best Practices
 
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?
Flevy.com Best Practices
 
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...
Flevy.com Best Practices
 
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...
Flevy.com Best Practices
 
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...
Flevy.com Best Practices
 
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors
Flevy.com Best Practices
 
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...
Flevy.com Best Practices
 
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...
Flevy.com Best Practices
 

More from Flevy.com Best Practices (20)

100 Case Studies on Strategy & Transformation.pdf
100 Case Studies on Strategy & Transformation.pdf100 Case Studies on Strategy & Transformation.pdf
100 Case Studies on Strategy & Transformation.pdf
 
Project Management for MBA (in French)
Project Management for MBA (in French)Project Management for MBA (in French)
Project Management for MBA (in French)
 
4 Stages of Disruption
4 Stages of Disruption4 Stages of Disruption
4 Stages of Disruption
 
Customer-centric Culture
Customer-centric CultureCustomer-centric Culture
Customer-centric Culture
 
[Whitepaper] Business Transformation Success Factors
[Whitepaper] Business Transformation Success Factors[Whitepaper] Business Transformation Success Factors
[Whitepaper] Business Transformation Success Factors
 
[Whitepaper] 5 Dimensions of Employee Engagement Scorecard
[Whitepaper] 5 Dimensions of Employee Engagement Scorecard[Whitepaper] 5 Dimensions of Employee Engagement Scorecard
[Whitepaper] 5 Dimensions of Employee Engagement Scorecard
 
[Whitepaper] Digital Transformation: Workforce Digitization
[Whitepaper] Digital Transformation: Workforce Digitization[Whitepaper] Digital Transformation: Workforce Digitization
[Whitepaper] Digital Transformation: Workforce Digitization
 
[Whitepaper] Strategic Human Resources: Evolution of Competition
[Whitepaper] Strategic Human Resources: Evolution of Competition[Whitepaper] Strategic Human Resources: Evolution of Competition
[Whitepaper] Strategic Human Resources: Evolution of Competition
 
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...
 
[Whitepaper] Strategy Classics: Value Disciplines Model
[Whitepaper] Strategy Classics: Value Disciplines Model[Whitepaper] Strategy Classics: Value Disciplines Model
[Whitepaper] Strategy Classics: Value Disciplines Model
 
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
 
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...
 
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?
 
[Whitepaper] Transportation Cost Reduction in Supply Chain Management
[Whitepaper] Transportation Cost Reduction in Supply Chain Management[Whitepaper] Transportation Cost Reduction in Supply Chain Management
[Whitepaper] Transportation Cost Reduction in Supply Chain Management
 
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...
 
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...
 
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...
 
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors
 
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...
 
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...
 

Recently uploaded

FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
dollysharma2066
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
amitlee9823
 
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
amitlee9823
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
amitlee9823
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
dollysharma2066
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
lizamodels9
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Dipal Arora
 

Recently uploaded (20)

BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
John Halpern sued for sexual assault.pdf
John Halpern sued for sexual assault.pdfJohn Halpern sued for sexual assault.pdf
John Halpern sued for sexual assault.pdf
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
 
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
 
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and pains
 
Falcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in indiaFalcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in india
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
 
Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptx
 
Cracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxCracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptx
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
 
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
 

IT Security & Governance Template

  • 1. IT Security & Governance Policy Template . Page 1
  • 2. Dartview Consulting – IT Security & Governance Policy Template Contents 1. Summary and Purpose ................................................................................................... 4 2. Scope ............................................................................................................................. 4 3. Policy Responsibilities .................................................................................................... 4 4. Associated Documents or Links ...................................................................................... 4 5. Guiding Standards & Frameworks .................................................................................. 4 6. Security .......................................................................................................................... 5 6.1. Approach ..................................................................................................................... 5 6.2. Responsibilities ........................................................................................................... 5 6.3. Incident Reporting ....................................................................................................... 5 6.4. Physical Security & Restricted Areas ........................................................................... 5 6.5. Passwords ................................................................................................................... 5 6.6. Penetration Testing ..................................................................................................... 6 7. Back-Up & Data Management ........................................................................................ 7 7.1. Available Storage Areas .............................................................................................. 7 7.2. Email Data & Personal Folders .................................................................................... 7 7.3. 
Portable Media ............................................................................................................ 7 7.4. Type and Content of Data............................................................................................ 7 7.5. Archiving of Data ......................................................................................................... 8 7.6. Disc Quotas ................................................................................................................. 8 7.7. Back-Up Methods ........................................................................................................ 8 7.8. Data Retention ............................................................................................................ 8 8. Virus Protection .............................................................................................................. 9 8.1. Unauthorised Software ................................................................................................ 9 8.2. Employee Awareness and Responsibility .................................................................... 9 8.3. Virus Prevention, Detection and Removal ................................................................... 9 9. Internet & Email .............................................................................................................. 10 9.1. Improper Use............................................................................................................... 11 9.2. Good Practice.............................................................................................................. 11 10. Third-Party Access ......................................................................................................... 12 11. Employee Remote Access .............................................................................................. 12 12. 
Account Administration ................................................................................................... 13 13. Shared Folders ............................................................................................................... 13 14. Email Distribution Lists.................................................................................................... 14 15. Procurement ................................................................................................................... 15 16. IS Service Continuity ...................................................................................................... 17 Page 3
  • 3. Dartview Consulting – IT Security & Governance Policy Template 6. Security This section should state the overall management approach towards Information Security, moving on to detail any specific areas. “Increasingly, the business and its information systems, processes and networks are faced with security threats from a range of sources including fraud, sabotage, fire and flood. Computer viruses, hacking and denial of service attacks are becoming more common and sophisticated as the connection of public and private networks to facilitate the sharing of information resources becomes the norm. Information is vital to the business and it must be safeguarded in order to help maintain competitiveness, ensure compliance with relevant legislation and maintain commercial image.” 6.1. Approach “Senior Management is committed to the goals and principles of Information Security, and will endeavour to ensure that the information assets of the business remain adequately secured against all relevant risks. This will be achieved through:      An appropriate risk assessment process and the production, maintenance and enforcement of policies relating to specific areas of IT risk The provision of best practice guidance on the management of risks Raising the profile of information security and increasing employee awareness through appropriate education and training Regular review of policy to ensure relevance Regular audits to ensure policy compliance” 6.2. Responsibilities “Overall responsibility for information security lies with the Board of Directors, whilst the Head of Information Services has specific responsibility for managing Information Security on a day-to-day basis. All employees are responsible for managing the security of any information they hold and preventing unauthorised access, modification, destruction or disclosure.” 6.3. 
Incident Reporting “All employees are responsible for reporting any security breaches, intrusions or incidents to the IS Service Desk. All security incidents will be investigated.” 6.4. Physical Security & Restricted Areas “Only members of the Information Services team will be given access to the Server Room and IT Stores. Access will be controlled by a swipe card system.” 6.5. Passwords “Employees must log onto the network with their own User-ID and password, and these must not be shared across multiple users. Page 5
  • 4. Dartview Consulting – IT Security & Governance Policy Template 7. Back-Up & Data Management This section should state the overall management approach towards data back-up and management, moving on to detail any specific areas. “Data stored on the <insert organisation name> network is Intellectual Property. It is extremely important that this data is secured, protected, and recoverable in a timeframe acceptable to the business. Data is distributed throughout the organisation on numerous servers. It is also stored in a number of formats (flat file, database, etc.). In order to protect this data, back-up copies will be taken to allow retrieval of lost or corrupt data, and in extreme circumstances, to allow data to be restored in support of Disaster Recovery or IS Service Continuity purposes. The purpose of this section is to define the back-up policy that will be used to achieve these goals.” 7.1. Available Storage Areas This sub-section should state what storages areas are available to the business. This may simply be a Windows Filing System with „drive letters‟ set aside for personal and shared storage, or may refer to the use of a formal Document Management System. If a Windows Filing System is being used, it is important to state any areas that will not be backed-up on a regular basis. Employees need to be advised specifically, where and where not to store their data. It is common to refer to a „Good Practice Guide‟ that goes into more detail. 7.2. Email Data & Personal Folders This sub-section should state the organisation‟s approach towards email data and the use of personal folders. It should state if Personal Folders are to be allow or not, and if so, where they should be stored. It should refer to any mailbox limits that will be enforced (single message size, mailbox size, etc.) and the protocol for mailbox archiving. Employees should be advised how to save attachments and where they should be stored. 
Employees using laptops, who come into the office environment only infrequently, need to be considered here. It is common to refer to a „Good Practice Guide‟ that goes into more detail. 7.3. Portable Media This sub-section should state the organisation‟s approach towards portable data. It should cover the use of USB sticks, USB hard-drives, CD‟s and DVD‟s. What this section says, is very much dependant on the type of organisation, the sector in which it operates, and the legalisation that applies. For organisations where data security and confidentiality is paramount, there will be a need to detail what encryption methods and protocols are to be used, and what processes are to be followed for authorised removal of data from the corporate environment. 7.4. Type and Content of Data This sub-section should state what type of data the organisation will allow to be retained on the corporate network, and who is responsible for ensuring compliance and reporting breach. It should state the process for reporting the discovery of non-business data (family pictures, etc.) and inappropriate content (pornography, racial, etc.) and should also outline any disciplinary actions that may follow discovery of such material. Page 7
  • 5. Dartview Consulting – IT Security & Governance Policy Template 8. Virus Protection This section should describe the controls that the organisation will use to ensure the protection, integrity and availability of its software and information assets. All software and information processing facilities are vulnerable to the introduction of malicious software such as computer viruses, trojans and worms. The organisation must ensure that all employees are aware of the dangers of using unauthorised software, and are appropriately trained in the safe use of Email and Internet access facilities. 8.1. Unauthorised Software This sub-section should state the organisation‟s stance with regard to unauthorised software. Why it places the organisation at risk, what measures will be put in place to prevent its installation, where processes will be followed in the event of its discovery. 8.2. Employee Awareness and Responsibility This sub-section should provide all employees with a degree of awareness, highlighting the risks associated with obtaining files from external sources (including via disk, file transfer, internet download, email or other medium), and the measures that can be taken to mitigate against these. Employee obligations, in terms of reporting suspicious activity/behaviour of systems and applications should also be covered. An internal programme of regular education is a good idea. 8.3. Virus Prevention, Detection and Removal This sub-section should details the measures that the organisation will take in order to prevent, detect, and remove virus. It should include:  Details of the software to be used for both Employee Hardware (PC‟s & Laptops) and for Infrastructure items such as Servers  How the software will be configured to operate (e.g. auto-scan on boot, scan on insertion of portable media, etc.)  Details of how software updates will be distributed and who will be responsible for making sure this happens. 
• Details of the processes to be adopted once a virus has been detected
• Details of the processes to be adopted for virus removal
• Details of any reports covering virus prevention, detection and removal that may be required at Board level
internet and email activities by law enforcement and regulatory bodies. As such, email and internet access will be monitored. The organisation restricts access to certain categories of site and has installed a variety of firewalls and other security systems. Employees must not attempt to disable or circumvent these systems. If an attempt is made to access a prohibited site, the employee's browser will be redirected to the organisation's own web page. Where an employee requires access to a restricted site for business purposes, a “Restricted Internet site access request” form must be completed and submitted to the IT Service Desk.”

“It is not permitted to apply automated email forwarding from any organisation email account to any external email account.”

9.1. Improper Use

This sub-section should detail the uses of the Internet and Email service deemed by the organisation as being 'Improper'. Engaging in any of the following activities is likely to result in disciplinary action and may result in civil liability or criminal prosecution.

• Viewing, downloading, sending or publishing material that may be considered offensive, illegal, obscene, profane, malicious, abusive or disparaging on the basis of age, sex, race, religion, disability or sexual orientation.
• Sending or publishing material that has the potential to embarrass, harass, or intimidate.
• Sending or publishing material that damages the reputation of any person or organisation (or its goods or services).
• Sending or publishing information that you know to be false or misleading.
• Making unauthorised contractual commitments.
• Failing to comply with project transmittal or security instructions.
• Divulging confidential information, including any personal information about other individuals, without appropriate authorisation.
• Downloading or distributing copyright material without permission to do so.
• Installing or distributing unauthorised or unlicensed software or data.
• Using an account other than your own without the delegated authority of its owner.
• Falsifying user information.
• Subscribing to information broadcast services that are unrelated to business activities.
• Forwarding chain letters or other forms of junk mail.
• Computer and network hacking.
• Deliberately propagating any virus or similar malicious code.
• Soliciting for personal gain or profit.
• Gambling.
• Conducting illegal activities.

9.2. Good Practice

This sub-section should detail the uses of the Internet and Email service deemed by the organisation as constituting 'Good Practice'. The following good practice ensures efficient and productive use of the Internet and email systems. Failure to adhere to this good practice may result in access to these services being withdrawn or restricted.

• Do not send trivial email messages.
• Use appropriate language at all times.
• Ensure that emails are addressed correctly and consider to whom messages should be copied or forwarded, keeping the number of addressees to a minimum.
12. Account Administration

This section should state the control procedures that will be used with regard to User Account Administration. It should include:

• Details of the process that must be used by the business when requesting New Account Creation, and the information that must be provided as a minimum.
• Details of (or reference to) the SLA in place with the Service Desk (what is the stated turnaround time from receipt of request to an account being available for use).
• Details of the process that must be used by the business when requesting Account Closure, and the information that must be provided as a minimum.
• Details of (or reference to) the SLA in place with the Service Desk (what is the stated turnaround time from receipt of request to an account being closed).
• Details of the process that must be used by the business when requesting Account Modification, and the information that must be provided as a minimum.
• Details of (or reference to) the SLA in place with the Service Desk (what is the stated turnaround time from receipt of request to an account being modified).
• Details of the process that will be followed by the Service Desk with regard to the data associated with Closed Accounts, and the authorisations required before making such data available to another person (e.g. a successor, the leaver's line manager, etc.).
• Details of the process that must be used by the business in order to ensure prompt return of any assets (e.g. laptop, mobile phone) that have been allocated to any employee now leaving the organisation.

13. Shared Folders

This section should state the control procedures that will be used with regard to the use of Shared Folders (in a traditional Windows file system). It should include:

• Details of the Drive Letter Mapping and Naming Convention that will be used.
• Details of the types of access that will be available (Full and Read-Only are usual).
• Details of the process that must be used by the business when requesting New Shared Folder Creation, and the information that must be provided as a minimum.
• Details of (or reference to) the SLA in place with the Service Desk (what is the stated turnaround time from receipt of request to a new shared folder being available for use).
• Details of the process that must be used by the business when requesting Change of Access Rights for an existing Shared Folder, and the information that must be provided as a minimum.
• Details of (or reference to) the SLA in place with the Service Desk (what is the stated turnaround time from receipt of request to the change in access rights being implemented).
15. Procurement

This section should outline the organisation's approach towards the procurement of IT Goods and Services. It should include:

• Details of who is responsible for the actual placement of purchase orders.
• Details of the process that must be used by the business when making requisitions, and the authorisations that are required.
• Details of the process that must be used by the business when receiving goods and/or services.
• Details of any stock control and inventory procedures that will be used.
• Details of the Asset Management & Tagging process that will be used for Hardware and Software (this should include details of how assets will be recorded in the CMDB of the Service Management System).
• Details of the process to be used with regard to Disposal of Assets (consider the WEEE directive).

“In order to ensure compliance with the organisation's technical infrastructure, and to maximise business assets, all procurement of hardware, software, and services will be performed by Information Services.”

“All requests for 'day to day' IS expenditure must be made via the Service Desk Customer Portal. Where a need for expenditure has arisen from a discussion between the business and Information Services, a retrospective request will be logged by IS.”

“All requests for IS expenditure are, on discretion, subject to authorisation by the Head of Information Services and the Chief Financial Officer.”

“All Purchase Orders will be raised by Information Services using the vendor's online procurement process wherever available.”

“All hardware and software will be delivered to the organisation's UK Head Office for the attention of the Information Services department.
Information Services will be responsible for confirming receipt of delivery.”

“All hardware items and software licences will be recorded as individual Configuration Items (CIs) within the Configuration Management Database (CMDB) of the Service Management System adopted by Information Services (<name of ITSM application>).”

“In order to achieve Service Level Agreement commitments, Information Services will maintain a stock of hardware and software. Requests for expenditure will be met from stock wherever possible.”

“Assets will not be deployed to individual users unless a request has been made via the Service Desk Customer Portal. Prior to deployment, all hardware will be 'asset-tagged' and the CMDB updated to record that the asset has been deployed. Where assets are returned into stock, regardless of the circumstances, the following information must be provided to the Head of Information Services:”

• Organisation Asset Reference
• Manufacturer Tag Reference
• Manufacturer Serial Number
• Previous User
• Software currently installed
16. IS Service Continuity

This section should outline the organisation's stance with regard to IS Service Continuity, and as such should either be a detailed and comprehensive section or, more practically, refer to a separate “IS Service Continuity Plan”. Areas for consideration should be:

• Identify and assess the risks posed to the Infrastructure used to deliver services to the organisation.
• Identify and assess the risks posed to the Network used to deliver services to the organisation.
• Identify and assess the risks posed to the Resources used to deliver services to the organisation.
• Detail the planned responses to each risk, agree remedial action, assign ownership, and develop test scenarios.
• Reference any wider Risk Management Policy and Risk Management Strategy that the organisation may maintain.

Suggested approach:

Clearly define a Scope

The term 'IS Service Continuity' should be clearly understood as being only a component of the wider Business Continuity or Disaster Recovery topics. These wider topics are NOT discussed or addressed in this document as they do not fall within the remit of Information Services. For example, if a transport issue or a viral outbreak means that an organisation's Head Office becomes inaccessible, this does not necessarily constitute a need for IS Service Continuity action to be taken; it may just be a Business Continuity issue, provided the services themselves can still be accessed. If, however, the Service Desk staff are based in the same building and cannot man the telephones, this is certainly an issue that must be dealt with.

Provide some Background to set the scene

The current IT Infrastructure could be described here (avoiding too much technical detail) and shown in graphical format. Make reference to any existing contractual agreements (e.g.
Co-Location arrangements, External Data Centre services, or any other part of the provision of services to the organisation that has been outsourced).

Physical Geography of the Organisation

The physical distribution of the organisation's operational activities could be described here: where the offices are located, how they are connected to the organisation's IT Infrastructure and Network, how many people are based at each location, which locations use which services, etc. Again, a graphical representation is always helpful.

Identify & Assess the Risks

A number of techniques and tools can be used to identify and assess risks. Some examples are:

• Stakeholder Analysis
• RACI Diagram
• PESTLE Analysis
• SWOT Analysis
• Horizon Scanning