Sample Information Systems and Technology Security Policy:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search
(New page: =='''Sample Information Systems and Technology Security Policy'''== <br> As stated in the '''<Your Company Name>''' (the "Company") [[Sample Information Security Program Charter:|'''Sample...)
 
 
(6 intermediate revisions by the same user not shown)
Line 1: Line 1:
=='''Sample Information Systems and Technology Security Policy'''==
==Sample Information Systems and Technology Security Policy==
<br>
This Information Systems and Technology Security Policy define Company objectives for establishing specific standards on the protection of the confidentiality, integrity, and availability of Company information assets.
As stated in the '''<Your Company Name>''' (the "Company") [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']], the Company will follow a risk management approach to develop and implement Information Security policies, standards, guidelines, and procedures. The Information Security Program will protect information assets by establishing policies to identify, classify, define protection and management objectives, and define acceptable use of Company information assets.<br>
<br>
This Information Systems and Technology Security Policy, defines Company objectives for establishing specific standards on the protection of the confidentiality, integrity, and availability of Company information assets.<br>
<br>
 
=='''I. Scope'''==
<br>
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises, at hosted or outsourced sites, or who have been granted access to Company information or systems, are covered by this policy and must comply with associated standards and procedures unless an exception has been granted by the Chief Information Security Officer (CISO).<br>
<br>
The Company Information Security Program Charter and relevant policies, standards and guidelines must have the fundamental guidance, procedures, and commentary based upon the ISO 27002 framework. The ISO 27002 standard is the rename of the existing ISO 17799, ISO 17799:2005 standard, and is a code of practice for information security subject to the guidance provided within ISO 27001. The actual controls listed in the standard are intended to address the specific requirements identified via a formal risk assessment. The standard is also intended to provide a guide for the development of organizational security standards and effective security management practices.<br>
<br>


=='''II. Objectives'''==
==Objectives==
<br>
The information security objectives from a holistic perspective that must be addressed in the subordinate control documents; standards, procedures, and supporting documentation are described as follows.<br>
The information security objectives from a holistic perspective that must be addressed in the subordinate control documents; standards, procedures, and supporting documentation are described as follows.<br>
<br>
<br>
#'''Asset Identification and Classification'''
'''[[Sample_Asset_Identification_and_Classification_Standard:|Asset Identification and Classification]]:''' The Asset Identification and Classification standards define Company objectives for establishing specific standards on the identification, classification, and labeling of Company information assets.<br>
The Asset Identification and Classification standards define Company objectives for establishing specific standards on the identification, classification, and labeling of Company information assets.<br>
<br>
#'''Asset Protection'''
The Asset Protection standards define the Company objectives for establishing specific standards on the protection of the confidentiality, integrity, and availability of Company information assets.<br>
<br>
#'''Asset Management'''
The Asset Management standards define Company objectives for establishing specific standards for the management of the networks, systems, and applications that store, process and transmit Company information assets.<br>
<br>
#'''Acceptable Use'''
The Acceptable Use standards define Company objectives for establishing specific standards on appropriate business use of the Company's information and telecommunications systems and equipment.<br>
<br>
#'''Vulnerability Assessment and Management'''
The Vulnerability Assessment and Management standards define the Company's objectives for establishing specific standards for the assessment and ongoing management of vulnerabilities.<br>
<br>
#'''Threat Assessment and Monitoring'''
The Threat Assessment and Monitoring standards define Company objectives for establishing specific standards for the assessment and ongoing monitoring of threats to Company information assets.<br>
<br>
#'''Security Awareness'''
The Security Awareness standards define Company objectives for establishing a formal Security Awareness Program, and specific standards for the education and communication of the [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']] and associated policies, standards, guidelines, and procedures.<br>
<br>
 
=='''III. Responsibilities'''==
<br>
The Company MIS Steering Committee is the approving authority for the Information Systems and Technology Security Policy.<br>
<br>
The Chief Information Security Officer (CISO) is responsible for the development, implementation, and maintenance of the Information Systems and Technology Security Policy and associated standards and procedures while the Chief Information Officer (CIO) authorizes the approval of the Information Systems and Technology Security Policy, standards, and associated procedures.<br>
<br>
<br>
The individuals, groups, or organizations identified in the scope of this policy are accountable for one or more of the following levels of responsibility when using Company information assets:<br>
'''[[Sample_Asset_Protection_Policy:|Asset Protection]]:''' The Asset Protection standards define the Company objectives for establishing specific standards on the protection of the confidentiality, integrity, and availability of Company information assets.<br>
<br>
<br>
Owners, as cited within the system of record are managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. Owners are responsible for defining procedures that are consistent with the intent defined by the Information Systems and Technology Security Policy and associated standards, ensuring the confidentiality, integrity and availability of information assets; authorizing access to those who have an approved business need for the information; and ensuring the revocation of access for those who no longer have a business need for the information.<br>
'''[[Sample_Asset_Management_Policy:|Asset Management]]:''' The Asset Management standards define Company objectives for establishing specific standards for the management of the networks, systems, and applications that store, process and transmit Company information assets.<br>
<br>
<br>
Custodians are the managers, administrators, and those designated by the Owner to manage, process, or store information assets. Custodians are responsible for: providing a secure processing environment that protects the confidentiality, integrity and availability of information; administering access to information as authorized by the Owner; and implementing procedural safeguards and cost-effective controls.<br>
'''[[Sample_Acceptable_Use_Policy:|Acceptable Use]]:''' The Acceptable Use standards define Company objectives for establishing specific standards on appropriate business use of the Company's information and telecommunications systems and equipment.<br>
<br>
<br>
 
'''[[Sample_Vulnerability_Assessment_and_Management_Policy:|Vulnerability Assessment and Management]]:''' The Vulnerability Assessment and Management standards define the Company's objectives for establishing specific standards for the assessment and ongoing management of vulnerabilities.<br>
=='''IV. Enforcement and Exception Handling'''==
<br>
<br>
Failure to comply with the Information Systems and Technology Security Policy and associated standards, guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.<br>
'''[[Sample_Threat_Assessment_and_Monitoring_Policy:|Threat Assessment and Monitoring]]:''' The Threat Assessment and Monitoring standards define Company objectives for establishing specific standards for the assessment and ongoing monitoring of threats to Company information assets.<br>
<br>
<br>
Requests for exceptions to the Information Systems and Technology Security Policy should be submitted to the CIO. Exceptions shall be permitted only on receipt of written approval from the CIO. The CIO will periodically report to the <Company> Board of Directors or designated committee concerning the current status of policy and standard implementations.<br>
'''[[Sample_Security_Awareness_Policy:|Security Awareness]]:''' The Security Awareness standards define Company objectives for establishing a formal Security Awareness Program, and specific standards for the education and communication of the Information Systems and Technology Security Policy and associated policies, standards, guidelines, and procedures.<br>
<br>
<br>


=='''V. Review and Revision'''==
==Document Examples==
<br>
Use these samples as a guide for your policy development. Fully customizable versions are available from [http://policy-machine.com The Policy Machine].<br>
The Information Systems and Technology Security Policy will be reviewed and revised in accordance with the [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']].<br>
<br>
<br>
Recommended:        _______________________________________________________<br>
<br>
::Signature<br>
<br>
::<Typed Name><br>
<br>
::Chief Information Security Officer<br>
<br>
<br>
Approved:        _______________________________________________________<br>
<br>
::Signature<br>
<br>
::<Typed Name><br>
<br>
::Chief Information Officer<br>
<br>
<br>
<gallery>
Image:Information Systems and Technology Security Policy.png|Information Systems and Technology Security Policy page one of six.
Image:Information Systems and Technology Security Policy(1).png|Information Systems and Technology Security Policy page two of six.
Image:Information Systems and Technology Security Policy(2).png|Information Systems and Technology Security Policy page three of six.
Image:Information Systems and Technology Security Policy(3).png|Information Systems and Technology Security Policy page four of six.
Image:Information Systems and Technology Security Policy(4).png|Information Systems and Technology Security Policy page five of six.
Image:Information Systems and Technology Security Policy(4).png|Information Systems and Technology Security Policy page six of six.
</gallery>

Latest revision as of 15:46, 13 January 2014

Sample Information Systems and Technology Security Policy

This Information Systems and Technology Security Policy define Company objectives for establishing specific standards on the protection of the confidentiality, integrity, and availability of Company information assets.

Objectives

The information security objectives from a holistic perspective that must be addressed in the subordinate control documents; standards, procedures, and supporting documentation are described as follows.

Asset Identification and Classification: The Asset Identification and Classification standards define Company objectives for establishing specific standards on the identification, classification, and labeling of Company information assets.

Asset Protection: The Asset Protection standards define the Company objectives for establishing specific standards on the protection of the confidentiality, integrity, and availability of Company information assets.

Asset Management: The Asset Management standards define Company objectives for establishing specific standards for the management of the networks, systems, and applications that store, process and transmit Company information assets.

Acceptable Use: The Acceptable Use standards define Company objectives for establishing specific standards on appropriate business use of the Company's information and telecommunications systems and equipment.

Vulnerability Assessment and Management: The Vulnerability Assessment and Management standards define the Company's objectives for establishing specific standards for the assessment and ongoing management of vulnerabilities.

Threat Assessment and Monitoring: The Threat Assessment and Monitoring standards define Company objectives for establishing specific standards for the assessment and ongoing monitoring of threats to Company information assets.

Security Awareness: The Security Awareness standards define Company objectives for establishing a formal Security Awareness Program, and specific standards for the education and communication of the Information Systems and Technology Security Policy and associated policies, standards, guidelines, and procedures.

Document Examples

Use these samples as a guide for your policy development. Fully customizable versions are available from The Policy Machine.