Sample Integrity Protection Standard

From HORSE - Holistic Operational Readiness Security Evaluation.
Revision as of 14:17, 1 May 2010 by Mdpeters

Document History


Version: 1.0
Date: 1 January 2010 <Current date>
Revised By: Michael D. Peters <Owner's name>
Description: This version replaces any prior version.


Document Certification


Designated document recertification cycle in days: 30 - 90 - 180 - 365 <Select cycle>
Next document recertification date: 1 January 2011 <Date>


Sample Integrity Protection Standard


The <Your Company Name> (the "Company") Sample Asset Protection Policy defines objectives for establishing specific standards for protecting the confidentiality, integrity, and availability of Company information assets.

This Integrity Protection Standard builds on the objectives established in the Sample Asset Protection Policy, and provides specific instructions and requirements for proper controls to protect the integrity of sensitive Company information assets.

I. Scope


All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.

Confidentiality classifications are defined in the Sample Information Classification Standard.

Information assets are defined in the Sample Asset Identification and Classification Policy.

Integrity Protected refers to information whose integrity classification is "Integrity Protected". Refer to the Sample Information Classification Standard for the integrity classification categories.

Sensitive Information refers to information that is classified as Restricted or Confidential. Refer to the Sample Information Classification Standard for confidentiality classification categories.

II. Requirements


A. General


1. "Integrity Protected" information and Sensitive information must be protected with integrity controls.


2. Integrity controls must be defined and incorporated into development and production processes and procedures to ensure that the information is correct, auditable, and reproducible.


3. The Company-approved file integrity and file hashing algorithms are specified in the Encryption Standard.


4. Where such integrity controls are not applicable (for example, to databases), the controlling application should perform the integrity checking itself.


5. "Integrity Protected" information and Sensitive information must be encrypted during storage and when transmitted over a public or shared network in accordance with the Encryption Standard and Information Handling Standard.


6. A formal review must be conducted at least annually to evaluate the integrity controls that are included in the processes and procedures that manage the storage, processing, and transmission of sensitive information.


B. Confidential Information


1. Automated integrity checking should be used during the input of data into a system whenever possible.


2. Systems that store or process "Confidential" information should use Company-approved file integrity mechanisms on critical system and data files.


C. Restricted Information


1. The input of "Restricted" information should be checked manually for accuracy.


2. Systems that store or process "Restricted" information should use Company-approved file integrity mechanisms on critical system and data files.


III. Responsibilities


The Chief Information Security Officer (CISO) approves the Integrity Protection Standard. The CISO is also responsible for ensuring the development, implementation, and maintenance of the Integrity Protection Standard.

Company management, including senior management and department managers, is accountable for ensuring that the Integrity Protection Standard is properly communicated and understood within their respective organizational units. Company management is also responsible for defining, approving, and implementing procedures in its organizational units and for ensuring their consistency with the Integrity Protection Standard.

Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining processes and procedures that are consistent with the Integrity Protection Standard and associated guidelines; defining the integrity control requirements for information assets associated with their functional authority; and ensuring integrity controls are reviewed annually to identify, prioritize, and mitigate process vulnerabilities and weaknesses.

Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage, process or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information; and implementing procedural safeguards and cost-effective controls that are consistent with the Integrity Protection Standard.

Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for familiarizing themselves with and complying with the Integrity Protection Standard and associated guidelines, and for notifying Owners in a timely manner when data integrity may have been compromised.

IV. Enforcement and Exception Handling


Failure to comply with the Integrity Protection Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal action may also be taken for violations of applicable regulations and laws.

Requests for exceptions to the Integrity Protection Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Integrity Protection Standard.

V. Review and Revision


The Integrity Protection Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.

Approved: _______________________________________________________

Signature


<Insert Name>


Chief Information Security Officer