
INFORMATION SECURITY …

INFORMATION SECURITY POLICY. Prepared by the Information Security Office, January 31, 2003. EDD Information Security Policy, 6/5/2006.



Transcription of INFORMATION SECURITY …

TABLE OF CONTENTS

FOREWORD

INTRODUCTION
  What is information security?
  What is information?
  What are information assets?
  What are privacy rights?
  What is business continuity?
  What is information security?
  Why is information security necessary?
  How were security requirements established?
  How were security risks assessed?
  How were security controls selected?
  What was the information security strategy?
  Information security
  Information Security Policy (ISP) Document
  Scope
  Objective
  Management intent
  Supportive information security
  ISP review and evaluation
  Policy enforcement

ORGANIZATIONAL INFORMATION SECURITY INFRASTRUCTURE
  Information security
  Information security coordination and
  Summary of information security responsibilities
  Evidence of compliance requirements
  Authorization process for new facilities
  Authorization process for new agreements and contracts
  Specialist information security advice
  Cooperation between
  Independent review of information
  Security of third party access
  Responding to access requests
  Identification of risks from third party access
  Types of access
  Reasons for access
  Third party access controls

ASSET CLASSIFICATION AND CONTROL
  Accountability for
  Information
  Confidential information
  Sensitive
  Public information

PERSONNEL SECURITY
  Security in job definition and human resources
  Documented information security responsibilities
  Manager and supervisor
  Confidentiality agreements
  Information access responsibilities
  Information security awareness, training, and education (SATE)
  Management information security training
  Individual information security training
  Addressing information security incidents and malfunctions
  Reporting information security weaknesses or threats
  Reporting information system malfunctions
  Reporting information security incidents
  Responding to
  Learning from
  Disciplinary process

PHYSICAL AND ENVIRONMENTAL SECURITY
  Secure areas
  Secure area protections
  Isolated delivery and loading
  Equipment security
  Equipment location and
  Power protection
  Cabling security
  Equipment maintenance
  Equipment physical maintenance
  Equipment logical maintenance
  Security of equipment
  Secure movement, inventory, disposal, and reuse of equipment and
  Desk and work area controls

COMMUNICATIONS AND OPERATIONS MANAGEMENT
  Operational procedures and responsibilities
  Input data validation
  Information transmission
  Verification of service
  Housekeeping (system backup, logging, etc.)
  Operational change control
  Incident management
  Separation of duties
  Separation of development and production
  External facilities management
  Capacity monitoring
  Software security
  Control of system
  Control of applications software
  Control of malicious software and hoaxes
  Communications security
  Security of communications devices
  Security of network
  Individual access controls
  Technical access controls
  Electronic commerce and E-government controls
  Media handling and security
  Media handling
  Management of removable computer
  Media and equipment disposal

ACCESS
  Business requirement for access
  Individual access management
  Individual responsibilities
  Network access control
  Operating system access
  Application access
  Information access restriction
  Sensitive system isolation
  Monitoring access and use
  Mobile

AUTOMATED SYSTEMS DEVELOPMENT AND

CONTINUITY PLANNING
  Aspects of continuity
  Business impact
  Writing and implementing continuity
  EDD Continuity Plan for Business (CPB)
  Business continuity testing and maintenance
  Emergency Response and Business Continuity Training
  Business continuity planning activation

COMPLIANCE
  Compliance with requirements
  Copyright and Intellectual property rights
  Security of confidential and sensitive information
  Misuse of information processing technology
  Regulation of cryptographic controls
  Collection of
  Reviews of security policy and technical
  Compliance with security policy
  Technical compliance checking
  System audit considerations
  System audit controls
  Protection of system audit tools
  External auditor access

APPENDICES
  APPENDIX A - STATUTORY AUTHORITY

