Sample Asset Protection Policy:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
No edit summary
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
==Document History==
==Sample Asset Protection Standard==
<br>
The Asset Protection Standard defines Company objectives for establishing specific standards on the protection of the confidentiality, integrity, and availability of Company information assets. Company information assets are defined in the [[Sample Asset Identification and Classification Standard:|'''Sample Asset Identification and Classification Standard''']].
{| id="table1" width="100%" border="1"
 
| bgcolor="#C0C0C0" | '''Version'''
==Objectives==
| bgcolor="#C0C0C0" | '''Date'''
| bgcolor="#C0C0C0" | '''Revised By'''
| bgcolor="#C0C0C0" | '''Description'''
|-
| 1.0
| 1 January 2009 <Current date>
| Michael D. Peters '''<Owners's name>'''
| This version replaces any prior version.
|}
<br>
==Document Certification==
<br>
{| id="table1" width="100%" border="1"
| bgcolor="#C0C0C0" | '''Description'''
| bgcolor="#C0C0C0" | '''Date Parameters'''
|-
| '''Designated document recertification cycle in days:'''
| 30 - 90 - 180 - '''365''' '''<Select cycle>'''
|-
| '''Next document recertification date:'''
| 1 January 2010 '''<Date>'''
|}
<br>
=='''Sample Asset Protection Policy'''==
<br>
As stated in the Company [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']], the Company will follow a risk management approach to develop and implement Information Security policies, standards, guidelines, and procedures. The Information Security Program will protect information assets by establishing policies to identify, classify, and define protection and management objectives, and define acceptable use of Company information assets.<br>
<br>
This Asset Protection Policy defines Company objectives for establishing specific standards on the protection of the confidentiality, integrity, and availability of Company information assets. Company information assets are defined in the [[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']].<br>
<br>
=='''I. Scope'''==
<br>
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises, at hosted or outsourced sites, or who have been granted access to Company information or systems, are covered by this policy and must comply with associated standards and guidelines.<br>
<br>
=='''II. Objectives'''==
<br>
Authorization for access to information assets will be based on the classification of the information and defined to provide only the level of access required to meet an approved business need or perform prescribed job responsibilities. Proper identification and authentication are required. Specific instructions and requirements for controlling access to information assets are provided in the [[Sample Access Control Standard:|'''Sample Access Control Standard''']].<br>
Authorization for access to information assets will be based on the classification of the information and defined to provide only the level of access required to meet an approved business need or perform prescribed job responsibilities. Proper identification and authentication are required. Specific instructions and requirements for controlling access to information assets are provided in the [[Sample Access Control Standard:|'''Sample Access Control Standard''']].<br>
<br>
<br>
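Review bot: this hunk drops the Document History table (the 1.0 version row), the Document Certification table (the 30/90/180/365-day recertification cycle and the 1 January 2010 next-recertification date) and the whole "I. Scope" section without carrying them over, so the renamed "Sample Asset Protection Standard" no longer states who it applies to or when it must be recertified; if the aim is to convert the policy into a standard, keep those two tables and the scope paragraph under the new heading. The reworded opening paragraph also changes its cross-reference from the "Sample Asset Identification and Classification Policy" to the "Sample Asset Identification and Classification Standard"; confirm that a page with the new title exists so the wiki link does not dangle, and apply the same Policy-to-Standard rename consistently (the old text still cites the Sample Information Security Program Charter, which the new opening omits).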
Line 44: Line 9:
Information assets must be protected with physical access control of areas containing information assets or processing activities. The physical access controls must be commensurate with the classification of the information and defined to provide only the level of physical access required to meet an approved need or perform prescribed job responsibilities. Specific instructions and requirements for physical access to information assets are provided in the [[Sample Physical Access Standard:|'''Sample Physical Access Standard''']].<br>
Information assets must be protected with physical access control of areas containing information assets or processing activities. The physical access controls must be commensurate with the classification of the information and defined to provide only the level of physical access required to meet an approved need or perform prescribed job responsibilities. Specific instructions and requirements for physical access to information assets are provided in the [[Sample Physical Access Standard:|'''Sample Physical Access Standard''']].<br>
<br>
<br>
The supporting infrastructure for systems, networks, telephony, and hardware should be protected from failure and regularly inspected or tested, as appropriate. Supporting infrastructure includes electricity or other power sources, water supply, cabling, external communication lines, heating and air conditioning equipment, sewage, etc. <br>
The supporting infrastructure for systems, networks, telephony, and hardware should be protected from failure and regularly inspected or tested, as appropriate. Supporting infrastructure includes electricity or other power sources, water supply, cabling, external communication lines, heating and air conditioning equipment, sewage, etc.<br>
<br>
<br>
Encryption must be used to protect Restricted and Confidential information assets that will be transmitted over non-secure or public networks. Storage of Restricted and Confidential information assets must be achieved with similar approved encryption methods. Only Company-approved encryption algorithms and products can be used to protect Restricted and Confidential information. Specific instructions and requirements for encryption are provided in the [[Sample Encryption Standard:|'''Sample Encryption Standard''']].<br>
Encryption must be used to protect Restricted and Confidential information assets that will be transmitted over non-secure or public networks. Storage of Restricted and Confidential information assets must be achieved with similar approved encryption methods. Only Company-approved encryption algorithms and products can be used to protect Restricted and Confidential information. Specific instructions and requirements for encryption are provided in the [[Sample Encryption Standard:|'''Sample Encryption Standard''']].<br>
Line 54: Line 19:
Information assets must be protected from destructive software elements such as viruses and malicious code that impair normal operations. Company-approved virus detection programs must be installed, enabled, and updated on all systems susceptible to viruses and malicious code. Specific instructions and requirements for protecting information assets from viruses and malicious code are provided in the [[Sample Anti-Virus Standard:|'''Sample Anti-Virus Standard''']].<br>
Information assets must be protected from destructive software elements such as viruses and malicious code that impair normal operations. Company-approved virus detection programs must be installed, enabled, and updated on all systems susceptible to viruses and malicious code. Specific instructions and requirements for protecting information assets from viruses and malicious code are provided in the [[Sample Anti-Virus Standard:|'''Sample Anti-Virus Standard''']].<br>
<br>
<br>
Auditing must be activated to record relevant security events. The audit logs must be securely maintained for a reasonable period of time. Specific instructions and requirements for auditing information assets are provided in the [[Sample Auditing Standard:|'''Sample Auditing Standard''']].<br>
Auditing must be activated to record relevant security events. The audit logs must be securely maintained for a reasonable period of time. Specific instructions and requirements for auditing information assets are provided in the Auditing Standard.<br>
<br>
=='''III. Responsibilities'''==
<br>
The Chief Information Officer (CIO) is the approval authority for the Asset Protection Policy.<br>
<br>
The Chief Information Security Officer (CISO) is responsible for the development, implementation, and maintenance of the Asset Protection Policy and associated standards and guidelines.<br>
<br>
The individuals, groups, or organizations identified in the scope of this policy are accountable for one or more of the following levels of responsibility when using Company information assets:<br>
<br>
Owners are managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. Owners are responsible for defining procedures that are consistent with the Asset Protection Policy and associated standards, ensuring the confidentiality, integrity and availability of information assets; authorizing access to those who have an approved business need for the information; and ensuring the revocation of access for those who no longer have a business need for the information.<br>
<br>
Custodians are the managers, administrators, and those designated by the Owner to manage, process, or store information assets. Custodians are responsible for: providing a secure processing environment that protects the confidentiality, integrity and availability of information; administering access to information as authorized by the Owner; and implementing procedural safeguards and cost-effective controls.<br>
<br>
Users are the individuals, groups, or organizations authorized by the Owner to access to information assets. Users are responsible for using the information only for its intended purposes, and for maintaining the confidentiality, integrity and availability of information accessed consistent with the Owner's approved safeguards while under the User's control.<br>
<br>
=='''IV. Policy Enforcement and Exception Handling'''==
<br>
Failure to comply with the Asset Protection Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.<br>
<br>
Requests for exceptions to the Information Systems and Technology Security Policy should be submitted to the CIO. Exceptions shall be permitted only on receipt of written approval from the CIO. The CIO will periodically report to the <Company> Board of Directors or designated committee concerning the current status of policy and standard implementations.<br>
<br>
 
=='''V. Review and Revision'''==
<br>
The Asset Protection Policy will be reviewed and revised in accordance with the [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']].<br>
<br>
<br>
Recommended:        _______________________________________________________<br>
<br>
::Signature
::<Typed Name>
::Chief Information Security Officer
<br>
<br>
Approved:       _______________________________________________________<br>
==Document Examples==
Use these samples as a guide for your policy development. Fully customizable versions are available from [http://policy-machine.com The Policy Machine].<br>
<br>
<br>
::Signature
<gallery>
::<Typed Name>
Image:Asset Protection Standard.png|Asset Protection Standard page one of seven.
::Chief Information Officer
Image:Asset Protection Standard(1).png|Asset Protection Standard page two of seven.
Image:Asset Protection Standard(2).png|Asset Protection Standard page three of seven.
Image:Asset Protection Standard(3).png|Asset Protection Standard page four of seven.
Image:Asset Protection Standard(4).png|Asset Protection Standard page five of seven.
Image:Asset Protection Standard(5).png|Asset Protection Standard page six of seven.
Image:Asset Protection Standard(6).png|Asset Protection Standard page seven of seven.
</gallery>
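Review bot: the new auditing paragraph loses its wiki link, ending in "provided in the Auditing Standard." where the old line reads "provided in the [[Sample Auditing Standard:|'''Sample Auditing Standard''']]"; every other standard cited in this hunk keeps its link, so restore it for consistency. This hunk also removes sections III to V (Responsibilities, Policy Enforcement and Exception Handling, Review and Revision) together with the Recommended/Approved signature block, which leaves the standard with no named approval authority, no Owner/Custodian/User responsibilities, and no exception or review process; add a short equivalent of those sections to the new revision or state where they now live. The added "Document Examples" gallery is interleaved here with the removed signature lines, so check the rendered page to confirm the <gallery> block is the only content that follows the Objectives section.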

Latest revision as of 18:16, 14 January 2014

Sample Asset Protection Standard

The Asset Protection Standard defines Company objectives for establishing specific standards on the protection of the confidentiality, integrity, and availability of Company information assets. Company information assets are defined in the Sample Asset Identification and Classification Standard.

Objectives

Authorization for access to information assets will be based on the classification of the information and defined to provide only the level of access required to meet an approved business need or perform prescribed job responsibilities. Proper identification and authentication are required. Specific instructions and requirements for controlling access to information assets are provided in the Sample Access Control Standard.

Authorization for remote access to information assets will be provided only to meet an approved business need or perform prescribed job responsibilities. Remote access must be facilitated by using Company-approved methods and programs. Specific instructions and requirements for accessing information assets remotely are provided in the Sample Remote Access Standard.

Information assets must be protected with physical access control of areas containing information assets or processing activities. The physical access controls must be commensurate with the classification of the information and defined to provide only the level of physical access required to meet an approved need or perform prescribed job responsibilities. Specific instructions and requirements for physical access to information assets are provided in the Sample Physical Access Standard.

The supporting infrastructure for systems, networks, telephony, and hardware should be protected from failure and regularly inspected or tested, as appropriate. Supporting infrastructure includes electricity or other power sources, water supply, cabling, external communication lines, heating and air conditioning equipment, sewage, etc.

Encryption must be used to protect Restricted and Confidential information assets that will be transmitted over non-secure or public networks. Storage of Restricted and Confidential information assets must be achieved with similar approved encryption methods. Only Company-approved encryption algorithms and products can be used to protect Restricted and Confidential information. Specific instructions and requirements for encryption are provided in the Sample Encryption Standard.

Information assets must be created and maintained with appropriate controls to ensure that the information is correct, auditable, and reproducible. Specific instructions and requirements for protecting the integrity of information assets are provided in the Sample Integrity Protection Standard.

The Company must establish appropriate controls to ensure information assets are consistently available to conduct business. Business continuity planning to effectively back up, replicate, and recover information assets, as necessary, must be established. Specific instructions and requirements for protecting the availability of information assets are provided in the Sample Availability Protection Standard.

Information assets must be protected from destructive software elements such as viruses and malicious code that impair normal operations. Company-approved virus detection programs must be installed, enabled, and updated on all systems susceptible to viruses and malicious code. Specific instructions and requirements for protecting information assets from viruses and malicious code are provided in the Sample Anti-Virus Standard.

Auditing must be activated to record relevant security events. The audit logs must be securely maintained for a reasonable period of time. Specific instructions and requirements for auditing information assets are provided in the Auditing Standard.

Document Examples

Use these samples as a guide for your policy development. Fully customizable versions are available from The Policy Machine.