Privacy Policy

The policy parts

The following elements should be covered by an information security policy.

Guidelines for authorisation administration / access control

Guidelines on who should have access to what, and on how this work should be managed within the organization.

To protect the information, access to it is limited. The threats come from both inside the organization and outside it, for example from suppliers and consultants. The threat need not be deliberate; a single mistake can have major consequences. It is therefore very important that access is granted only to the IT systems that a user category needs and is able to use.

Consider:

  • Who should have access to IT systems
  • What they should be able to access, modify and delete in the IT systems and on their own computers
  • Who is responsible for deciding which permissions are granted
  • Procedures for granting, monitoring and updating permissions
  • Authentication

Guidelines for technical access-control solutions should be defined, at both application and system level, both for connections from the outside and within the organization's own network. The guidelines should also address construction rules for the intranet at a global level. Since the area involves technology, systems and supplier selection, it is important that the guidelines are well considered and long-term, so that you avoid runaway costs in the form of extensive upgrades or a security system with separate solutions for each product.

Consider:

  • Future-proof security
  • Administrative workload
  • Authentication for new server systems
  • Cost of leased lines / VPN solutions

Logging and tracing

Logging means saving data about the activities that took place: what was done and who did it. Traceability means being able, through logging, to identify and follow the course of various activities. This is necessary in order to get to the bottom of security-related incidents.

Keep in mind that some types of logging may be restricted by the Data Protection Act or intrude on people's privacy.

Consider:

  • What should be logged
  • How the logs are maintained
  • Who monitors the logs
  • How long they should be saved
  • How they should be stored

Information classification

Classifying information is a cornerstone of information security. Through classification, the level of protection that different types of information should have is determined. Classification should be based on three aspects: confidentiality (the data cannot be accessed by unauthorized persons), accuracy, also called integrity (the information is not incorrect or altered), and availability (the information can be accessed by authorized persons when they need it).
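As an added illustration, not part of the original policy text, here is a small Python model of such a scheme: every piece of information is rated on the three aspects above, the number of classes is fixed from the start, and every item must name an owner. The class names, the 0..3 rating scale and the rule that the overall class follows the highest-rated aspect are assumptions; the sample register is constructed.

```python
from dataclasses import dataclass

# Fixed set of classes, decided up front (assumed names, lowest to highest).
CLASSES = ("public", "internal", "confidential", "strictly confidential")

# Each aspect is rated 0..3; the rating indexes directly into CLASSES.
ASPECTS = ("confidentiality", "accuracy", "availability")


@dataclass(frozen=True)
class InformationAsset:
    name: str
    owner: str            # the person accountable for the information
    confidentiality: int  # 0..3: harm if unauthorized persons read it
    accuracy: int         # 0..3: harm if it is altered or incorrect
    availability: int     # 0..3: harm if authorized persons cannot reach it


def classify(asset: InformationAsset) -> str:
    """Return the protection class for an asset.

    Rule (assumed): the overall class follows the highest-rated aspect, so a
    record that is public but must never be altered still lands in a high
    class. Raises ValueError for a missing owner or an out-of-range rating,
    so an incomplete classification cannot slip into the register.
    """
    if not asset.owner.strip():
        raise ValueError(f"{asset.name}: every asset must have an owner")
    ratings = [getattr(asset, aspect) for aspect in ASPECTS]
    if any(not 0 <= r < len(CLASSES) for r in ratings):
        raise ValueError(f"{asset.name}: ratings must be 0..{len(CLASSES) - 1}")
    return CLASSES[max(ratings)]


def build_register(assets):
    """Map asset name -> (class, owner); fails on the first invalid asset."""
    return {a.name: (classify(a), a.owner) for a in assets}


# Constructed sample register for a fictional organization.
SAMPLE_ASSETS = [
    InformationAsset("press releases", "comms lead", 0, 2, 1),
    InformationAsset("customer ledger", "finance lead", 2, 3, 2),
    InformationAsset("payroll", "hr lead", 3, 3, 1),
]

if __name__ == "__main__":
    for name, (cls, owner) in build_register(SAMPLE_ASSETS).items():
        print(f"{name:16} {cls:22} owner: {owner}")
```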

Consider:

  • Create a simple classification scheme in which the number of classes is fixed from the start
  • Identify an owner for every piece of information

Introduction

All IT systems should, before being put into service, have been reviewed against the organization's security requirements. Procedures should be established for what is to be done when an IT system is purchased and put into operation.

Consider:

  • Any requirement to use certified and evaluated products
  • Testing and test environment
  • Current security system

System security

Every IT system should have a plan that specifies the security requirements placed on it. Different systems process different data and information, so the requirements differ from system to system. A risk analysis of threats and consequences should be carried out for each system. The system security plan is then formulated on the basis of that risk analysis.

System security plans can be broken out of the policy and kept as separate documents.

Consider:

  • Identify system owners
  • Define security requirements to ensure confidentiality
  • Define security requirements to ensure accuracy
  • Define security requirements to ensure availability
  • Consider the law, if the system includes

Cyber security instructions

Cyber security instructions are concrete rules and routines for what different user groups may use the IT systems for, and how. There should be three kinds of IT instructions: user instructions for users, management instructions for management personnel, and operating instructions for operating personnel.

Cyber security instructions can be broken out of the policy and kept as separate documents.

Consider:

  • All systems must have some kind of instruction
  • The instructions shall be decided by management

Protection against malicious software

There should be guidelines for the protection to be in place against malware such as viruses, worms, trojans and the like. Protection and procedures should be in place that make it possible to detect malicious code, prevent infection, prevent spread, and recover systems that have been infected.

See also the separate section Protect against malware.

Consider:

  • Adapt the protection to the threats
  • Install protection at multiple levels in the IT environment
  • Restrict, by rules, the use of non-approved software and the downloading of files from external sources

IT network (internal)

There should be guidelines for how the internal network is to be handled. An organization's network should be divided into different segments depending on what services are available and the security they require. Responsibility for the IT network should be separated from responsibility for IT operations.

See also the separate section Rules for infrastructure.

Consider:

  • A responsible person per PSU
  • Build access control based on security domains
  • User access to network services should be limited by means of access control
  • Limit administrators' rights to what they need to do their job

IT network (external)

External connections involve exposure to potentially large risks. It is therefore very important to have control over who can connect, and how.

See also the separate section Rules for infrastructure.

Consider:

  • Determine the types of connections that are allowed
  • Document (and keep updated) a list of connections
  • Authentication for external connections

Firewalls

A firewall monitors and restricts traffic between two networks, usually the internal network and the Internet, and is a must.

See also separate section Rules for infrastructure.

Consider:

  • The only way for IP communications to get to and from the organization should be through the firewall
  • The firewall must include malware protection
  • Guidelines for logging traffic (see the section above: Logging and tracing)

Electronic mail

Because it is an effective and easy way to communicate, e-mail has become an increasingly popular tool. Since it is a method of communication that uses the Internet, e-mail is exposed to certain threats: messages can be intercepted, and their contents or sender can be altered by unauthorized persons. Furthermore, e-mail is a very common way of spreading malicious code.

Consider:

  • Who should have access to e-mail
  • What information may be sent by e-mail
  • Malware protection
  • Attachment handling
  • Encryption

Telecommuting and mobile computing (connecting remotely)

Working outside the regular workplace involves special risks, whether it is mobile computing, for example at a conference, or working from home.

See also separate section Connecting remotely.

Consider:

  • Risk of theft / fire
  • Risks to confidentiality and to proper use
  • Backup
  • Malware and intrusion protection
  • Guidelines for remote support
  • Encryption during transmission and of stored information
  • Management of printouts
  • Authentication when connecting to the workplace

Business continuity planning

There should be guidelines on what to do when IT systems suffer disturbances or interruptions. Two types of plan should be drawn up: a contingency (interruption) plan and a disaster recovery plan. The contingency plan handles interruptions and delays, while the disaster recovery plan covers circumstances that are considered catastrophic. This can of course also involve interruptions or disturbances in mission-critical systems.

Consider:

  • Give IT systems a priority, based on the system security plans
  • Clarify what is considered to be disastrous

Incident management (managing IT incidents)

In order to prevent and manage IT security incidents as well as possible, there should be guidelines for both ordinary users and IT staff.

See also separate section on Managing IT incidents.

Consider:

  • Prevention
  • Crisis
  • Follow-up work: follow up and draw lessons

Backup and storage

Backup should be done regularly. It is important to determine what information should be backed up and how often this should be done.

Read more in the separate section Creating backups.

Consider:

  • What information should be backed up
  • How often backups should be made
  • How many versions back in time should be saved
  • How and where the copies should be stored
  • The information shall remain legible throughout its retention period
