Section 01 Networks

Policy 030101 Configuring Networks
POLICY STATEMENT
“The network must be designed and configured to deliver high performance and reliability to meet the needs of the business whilst providing a high degree of access control and a range of privilege restrictions.”

Policy 030102 Managing the Network
POLICY STATEMENT
“Suitably qualified staff are to manage the organization’s network, and preserve its integrity in collaboration with the nominated individual system owners.”

Policy 030103 Accessing your Network Remotely
POLICY STATEMENT
“Remote access to the organization’s network and resources will only be permitted providing that authorized users are authenticated, data are encrypted across the network, and privileges are restricted.”

Policy 030104 Defending your Network Information from Malicious Attack
POLICY STATEMENT
“System hardware, operating and application software, the networks and communication systems must all be adequately configured and safeguarded against both physical attack and unauthorized network intrusion.”

Section 02 System Operation and Administration

Policy 030201 Appointing System Administrators
POLICY STATEMENT
“The organization’s systems are to be managed by suitably qualified systems administrators who are responsible for overseeing the day-to-day running and security of the systems.”

Policy 030202 Administrating Systems
POLICY STATEMENT
“System Administrators must be fully trained and have adequate experience in the wide range of systems and platforms used by the organization. In addition, they must be knowledgeable and conversant with the range of Information Security risks which need to be managed.”

Policy 030203 Controlling Data Distribution
POLICY STATEMENT
“For authorized personnel, the appropriate data and information must be made available as and when required; for all other persons, access to such data and information is prohibited with appropriate technical control required to supplement the enforcement of this policy.”

Policy 030204 Permitting Third Party Access
POLICY STATEMENT
“Third party access to corporate information is only permitted where the information in question has been ‘ring fenced’ and the risk of possible unauthorized access is considered to be negligible.”

Policy 030205 Managing Electronic Keys
POLICY STATEMENT
“The management of electronic keys to control both the encryption and decryption of sensitive messages must be performed under dual control, with duties being rotated between staff.”

Policy 030206 Managing System Operations and System Administration
POLICY STATEMENT
“The organization’s systems must be operated and administered using documented procedures in a manner which is both efficient and effective in protecting the organization’s information security.”

Policy 030207 Managing System Documentation
POLICY STATEMENT
“System documentation is a requirement for all the organization’s information systems. Such documentation must be kept up-to-date and be available.”

Policy 030208 Monitoring Error Logs
POLICY STATEMENT
“Error logs must be properly reviewed and managed by qualified staff.”

Policy 030209 Scheduling Systems Operations
POLICY STATEMENT
“Systems Operations schedules are to be formally planned, authorized and documented.”

Policy 030210 Scheduling Changes to Routine Systems Operations
POLICY STATEMENT
“Changes to routine systems operations are to be fully tested and approved before being implemented.”

Policy 030211 Monitoring Operational Audit Logs
POLICY STATEMENT
“Operational audit logs are to be reviewed regularly by trained staff and discrepancies reported to the owner of the information system.”

Policy 030212 Synchronizing System Clocks
POLICY STATEMENT
“System clocks must be synchronized regularly between the organization’s various processing platforms.”

Policy 030213 Responding to System Faults
POLICY STATEMENT
“Only qualified and authorized staff or approved third party technicians may repair information system hardware faults.”

Policy 030214 Managing or Using Transaction / Processing Reports
POLICY STATEMENT
“Transaction and processing reports should be regularly reviewed by properly trained and qualified staff.”

Policy 030215 Commissioning Facilities Management (FM)
POLICY STATEMENT
“Any Facilities Management company must be able to demonstrate compliance with this organization’s Information Security Policies and also provide a Service Level Agreement which documents the performance expected and the remedies available in case of non-compliance.”

Section 03 E-mail and the Worldwide Web

Policy 030301 Downloading Files and Information from the Internet
POLICY STATEMENT
“Great care must be taken when downloading information and files from the Internet to safeguard against both malicious code and also inappropriate material.”

Policy 030302 Using and Receiving Digital Signatures
POLICY STATEMENT
“The transmission of sensitive and confidential data is to be authenticated by the use of digital signatures whenever possible.”

Policy 030303 Sending Electronic Mail (E-mail)
POLICY STATEMENT
“E-mail should only be used for university purposes, using terms which are consistent with other forms of business communication. The attachment of data files to an e-mail is only permitted after confirming the classification of the information being sent and then having scanned and verified the file for the possibility of a virus or other malicious code.”

Policy 030304 Receiving Electronic Mail (E-Mail)
POLICY STATEMENT
“Incoming e-mail must be treated with the utmost care due to its inherent Information Security risks. The opening of e-mail with file attachments is not permitted unless such attachments have already been scanned for possible viruses or other malicious code.”

Policy 030305 Retaining or Deleting Electronic Mail
POLICY STATEMENT
“Data retention periods for e-mail must be established to meet legal and business requirements and must be adhered to by all staff.”

Policy 030306 Setting up Intranet Access
POLICY STATEMENT
“Persons responsible for setting up Intranet access must ensure that any access restrictions pertaining to the data in source systems are also applied to access from the organization’s Intranet.”

Policy 030307 Setting up Extranet Access
POLICY STATEMENT
“Persons responsible for setting up Extranet access must ensure that any access restrictions pertaining to the data in source systems are also applied to access from the organization’s Extranet.”

Policy 030308 Setting up Internet Access
POLICY STATEMENT
“Persons responsible for setting up Internet access are to ensure that the organization’s network is safeguarded from malicious external intrusion by deploying, as a minimum, a configured firewall. Human Resources management must ensure that all personnel with Internet access (including e-mail) are aware of, and will comply with, an acceptable code of conduct in their usage of the Internet in addition to compliance with the organization’s Information Security Policies.”

Policy 030309 Developing a Web Site
POLICY STATEMENT
“Due to the significant risk of malicious intrusion from unauthorized external persons, Web sites may only be developed and maintained by properly qualified and authorized personnel.”

Policy 030310 Receiving Misdirected Information by E-mail
POLICY STATEMENT
“Unsolicited e-mail is to be treated with caution and not responded to.”

Policy 030311 Forwarding E-mail
POLICY STATEMENT
“Ensure that information you are forwarding by e-mail (especially attachments) is correctly addressed and only being sent to appropriate persons.”

Policy 030312 Using the Internet for Work Purposes
POLICY STATEMENT
“Management is responsible for controlling user access to the Internet, as well as for ensuring that users are aware of the threats, and trained in the safeguards, to reduce the risk of Information Security incidents.”

Policy 030313 Giving Information when Ordering Goods on the Internet
POLICY STATEMENT
“Staff authorized to make payment by credit card for goods ordered on the Internet are responsible for its safe and appropriate use.”

Policy 030314 ‘Out of the Box’ Web Browser Issues
POLICY STATEMENT
“Web browsers are to be used in a secure manner by making use of the built-in security features of the software concerned. Management must ensure that staff are made aware of the appropriate settings for the software concerned.”

Policy 030315 Using Internet ‘Search Engines’
POLICY STATEMENT
“Information obtained from Internet sources should be verified before being used for university purposes.”

Policy 030316 Maintaining your Web Site
POLICY STATEMENT
“The Web site is an important marketing and information resource for the organization, and its safety from unauthorized intrusion is a top priority. Only qualified, authorized persons may amend the Web site, with all changes being documented and reviewed.”

Policy 030317 Filtering Inappropriate Material from the Internet
POLICY STATEMENT
“The organization will use software filters and other techniques whenever possible to restrict access to inappropriate information on the Internet by staff. Reports of attempted access will be scrutinized by management on a regular basis.”

Policy 030318 Certainty of File Origin
POLICY STATEMENT
“Computer files received from unknown senders are to be deleted without being opened.”

Section 04 Telephones & Fax

Policy 030401 Using Video Conferencing Facilities
POLICY STATEMENT
“Video conference calls are only permitted if staff are aware of the Information Security issues involved.”

Section 05 Data Management

Policy 030501 Managing Databases
POLICY STATEMENT
“The integrity and stability of the organization’s databases must be maintained at all times.”

Section 06 Backup, Recovery and Archiving

Policy 030601 Restarting or Recovering your System
POLICY STATEMENT
“Information system owners must ensure that adequate backup and system recovery procedures are in place.”

Policy 030602 Managing Backup and Recovery Procedures
POLICY STATEMENT
“Backup of the organization’s data files and the ability to recover such data is a top priority. Management is responsible for ensuring that the frequency of such backup operations and the procedures for recovery meet the needs of the business.”

Policy 030603 Recovery and Restoring of Data Files
POLICY STATEMENT
“Management must ensure that safeguards are in place to protect the integrity of data files during the recovery and restoration of data files, especially where such files may replace more recent files.”

Section 07 Securing Data

Policy 030701 Using Encryption Techniques
POLICY STATEMENT
“Where appropriate, sensitive or confidential information or data should always be transmitted in encrypted form. Prior to transmission, consideration must always be given to the procedures to be used between the sending and recipient parties and any possible legal issues from using encryption techniques.”

Policy 030702 Sharing Information
POLICY STATEMENT
“Persons responsible for Human Resources Management are to ensure that all employees are fully aware of their legal and corporate duties and responsibilities concerning the inappropriate sharing and releasing of information, both internally within the organization and to external parties.”

Policy 030703 Sending Information to Third Parties
POLICY STATEMENT
“Prior to sending information to third parties, not only must the intended recipient be authorized to receive such information, but the procedures and Information Security measures adopted by the third party must be seen to continue to assure the confidentiality and integrity of the information.”

Policy 030704 Maintaining Customer Information Confidentiality
POLICY STATEMENT
“Information relating to the clients and third party contacts of the organization is confidential, and must be protected and safeguarded from unauthorized access and disclosure.”

Policy 030705 Sending Out Reports
POLICY STATEMENT
“Prior to sending reports to third parties, not only must the intended recipient(s) be authorized to receive such information, but the procedures and Information Security measures adopted by each third party must be seen to continue to assure the confidentiality and integrity of the information.”

Policy 030706 Dealing with Sensitive Financial Information
POLICY STATEMENT
“Sensitive financial information is to be classified as Highly Confidential and must be afforded security measures (technology and procedural) which, in combination, safeguard such information from unauthorized access and disclosure.”

Policy 030707 Deleting Data Created / Owned by Others
POLICY STATEMENT
“Data is to be protected against unauthorized or accidental changes, and may only be deleted with the proper authority.”

Policy 030708 Protecting Documents with Passwords
POLICY STATEMENT
“Sensitive / confidential electronic data and information should be secured, whenever possible, with access control applied to the directory on the (computer) system concerned. The sole use of passwords to secure individual documents is less effective, and hence discouraged, as passwords may be either forgotten or become revealed (over time) to unauthorized persons.”