Thursday, July 18, 2019
Ict Policy and Server Room Proposal for a Small Firm
INFORMATION COMMUNICATION TECHNOLOGY POLICY DOCUMENT INTRODUCTION Information and Communications Technology Policy addresses security issues and how to effectively apply and maintain information systems, thereby facilitating protection of critical, valuable and confidential information together with its associated systems. Most people are likely to recognise the impact and severity of the loss or theft of confidential designs for a new product. However they do not always recognise the potential risk, and consequential result, of seemingly ââ¬Ëinnocent' activities, such as copying software or copying the corporate database onto their laptop computer or not documenting changes made to their systems. The purchase and installation of hardware and software requires those involved to consider carefully the Information Security issues involved in this process. Careful consideration of the company's business needs is paramount, as it is usually expensive to make subsequent changes. Analysis of user requirements versus the various benchmarks test results will establish the best choice of server/software to be purchased. Installation of new equipment must be properly considered and planned to avoid unnecessary disruption and to ensure that the IT & T Policy issues are adequately covered. The issue of IT consumables is looked into. These are expensive and should be properly controlled both from an expense perspective as well as an Information Security perspective. Valuable items should always be kept in a secure environment to avoid damage or loss. OBJECTIVES To develop an Information Communication Technology policy for KPLC Retirement Benefits Scheme that introduces efficient and effective use of IT systems and in turn facilitate the smooth running of the secretariat. MISSION STATEMENT To strive to provide nothing but the best means of data and telecommunications services to the secretariat as a whole. DEFINITION OF ICT POLICY A set of rules, regulations, procedures and plans of action for administration of equipment, resources, and services in the ICT section. TERMS OF REFERENCE The aim of this document is to; ) Analyse procedures and practices that are in use currently and identify those that can be reinforced or changed. ii) Work out a time plan for the smooth transition from the use of KPLC systems and resources. iii) Review implemented policies elsewhere to facilitate broad knowledge and adapt ideas suitable to our environment. TABLE OF CONTENTS INFORMATION COMMUNICATION TECHNOLOGY POLICY DOCUMENT1 INTRODUCTION1 TABLE OF CONTENTS2 PREAMBLE4 IT & T SYSTEM DESCRIPTIONS4 1. 0 PROCUREMENT OF HARDWARE, PERIPHERALS & OTHER EQUIPMENT8 1. 1 Purchasing and Installing Hardware8 1. 2Cabling, UPS, Printers and Modems15 1. 3Consumables16 . 4Working off premises or using out-sourced processing18 1. 5Using Secure Storage20 1. 6Documenting Hardware23 1. 7 Telecommunications equipment25 1. 8Other Hardware Issues28 1. 9 Disaster Recovery Plans30 2. 0 CONTROLLING ACCESS TO INFORMATION & SYSTEMS IN THE SECRETARAIT32 2. 1Controlling Access to Information and Systems32 2. 1. 5 Controlling Access to Operating System Software38 Managing Passwords39 3. 0 PROCESSING INFORMATION AND DOCUMENTS46 3. 1Networks46 3. 2System Operations and Administration49 3. 3E-mail and the World Wide Web57 3. 4Telephones & Fax69 3. 5Data Management73 3. 6Backup, Recovery and Archiving75 . 7Document Handling78 3. 7. 3 Countersigning Documents79 3. 7. 5 Approving Documents before dispatch80 3. 7. 6 Signature Verification80 3. 8Securing Data83 3. 8 . 4 Maintaining Customer Information Confidentiality86 4. 0 PURCHASING AND MAINTAINING COMMERCIAL SOFTWARE90 4. 1Purchasing and Installing Software90 4. 2Software Maintenance & Upgrade92 4. 3Other Software Issues94 5 COMBATING CYBER CRIME95 5. 1Combating Cyber Crime95 5. 1. 1 Defending Against Premeditated Third Party Cyber Crime Attacks95 5. 1. 2 Minimising the Impact of Cyber Attacks97 5. 1. 3 Collecting Evidence for Cyber Crime Prosecution98 5. 1. Defending Against Premeditated Internal Attacks99 5. 1. 5 Defending Against Opportunistic Cyber Crime Attacks100 6. 0 COMPLYING WITH LEGAL AND POLICY REQUIREMENT101 6. 1Complying with Legal Obligations101 6. 1. 2 Complying with General Copyright Legislation101 6. 1. 3 Complying with Copyright and Software Licensing Legislation102 6. 1. 4 Legal Safeguards against Computer Misuse103 6. 2Complying with Policies103 6. 3Avoiding Litigation106 6. 3. 3 Sending Copyrighted Information Electronically107 7. 1 E- Commerce Issues108 7. 2 Structurin g E-Commerce Systems Including Web Sites108 7. 3 Securing E-Commerce Networks109 . 4 Configuring E-Commerce Web Sites110 7. 5 Using External Service Providers for E-Commerce Delivery Channel111 8. 7Cost Considerations116 9. 0 DEALING WITH PREMISES RELATED CONSIDERATIONS118 9. 1 Physical Security of Equipment and Assets118 10. 0 NETWORK SECURITY MEASURES122 10. 1 Data Network devices122 10. 2 System administration123 10. 3 System Auditing129 10. 4 Email Policies130 10. 5 The Internet131 10. 6Computer desktop equipment133 10. 7Human Resource Aspects Policies141 10. 8Security Policy Auditing142 10. 9Incidence Management and Responses146 Reporting an Incident146 What is Cybercrime? 151 10. 0Movement of Telecommunications Equipment155 11. 1Setting Classification Standards157 12. 0 RETIREMENT OF OBSOLESCENCE OR OBSOLETE EQUIPMENT158 12. 1 Setting New Hardware Standards158 12. 2Methods of assessing old and inapt Software/hardware158 12. 3Hardware and software obsolescence160 12. 4RBS Depre ciation Factors for Defining Old Or Inapt Equipment161 13. 0 APPENDIX 1162 13. 1 LIST OF SPARES & ACCESSORIES162 14. 1 GLOSSARY & REFERENCES163 PREAMBLE It is necessary for one to be familiar with the various Information Technology and Telecommunications Systems that the company has acquired and installed over the years. This document provides the description of the systems as well as the policies formulated in regard to these IT & Telecommunications systems. IT & T SYSTEM DESCRIPTIONS 1. Telephony The telephone network for RBS consists of the public interconnected network using automatic branch exchanges (PABX) which connects us to the public network using telecommunication service providers and private branch network (PBX) which is housed in our commercial office premises which help us communicate in the premises through extension numbers. 2. Computer Data systems These are composed of data network hubs and switches which make the Local Area Networks (LAN) and the routers which interconnect the LANs. Each LAN is composed of passive data networks, servers and PCs that use the network thus realised to exchange information and data throughout the enterprise. 3. System Software and Data System software is the general term used to describe the many software programs, drivers and utilities that together enable a computer system to operate. One of the main components of system software is the operating system of the computer e. g. Microsoft Windowsà ® XP Professional. 4. Data Data in the language of information technology means the individual elements that comprise the information and can be processed, formatted and re-presented, so that it gains meaning and thereby becomes information. Here we are concerned with the protection and safeguard of that data/information which, in its various forms can be identified as Business Assets or Information Assets. The term data and information can be used somewhat interchangeably; but, as a general rule, information always comprises data, but data is not always information. ICT SYSTEMS DESCRIPTIONS DESCRIPTIONS THE OF SYSTEM RBS ââ¬â Open Retirement Benefits Scheme System The system is used for the administration of employee and employer contributions into the RBS Fund. It has a database for member details together with their dependants. This is used when benefits are to be calculated for deceased persons and withdrawing members. The system also has a pensioners payroll used to pay all pensioners whether retirees or widows and orphans. Group Life for all employees and the issue of Last Expense is also maintained and administered in the system. Database Management Systems The secretariat database is managed using ORACLE database management systems(DBMS). Oracle databases are relational, thus data is stored in them in row-column (table) format. All the company data is stored and managed using ORACLE. WINDOWS NT ENVIRONMENT The Window NT environment operates in domains. A domain is a collection of computers and users defined by the administrator of a Windows NT Server network that share a common directory database. A domain provides access to the centralised user accounts and group accounts maintained by the domain administrator. Each domain has a unique name. Window NT Environment In the current WAN model of KPLC there is a single master domain called KPLCSTIMA. The KPLCSTIMA is also the main account domain and KPLCNET as Internet resource domain. A child domain known as RBS. KPLCSTIMA will be created from the master domain and will have trust relationship with it. This is will give us more control of our systems and semi-autonomy from the KPLC systems. It will be installed with Windows Server 2003 standard edition operating system which will provide the following services at RBS: 1. File and Print sharing. 2. Microsoft Exchange Services ââ¬â host the resident Staff memberââ¬â¢s mailboxes and enable efficient sending and receiving of internal/Internet mail and if need be provide also storage of the mailboxes. 3. Anti-virus Software. 4. Systems Management Server for Network management. 5. Internet Browsing. 6. To allow for faster downloads of the application updates. 7. To enable the efficient installation and periodic updates of the PC anti-virus in the local area network. 8. For faster and seamless primary logon of client PCââ¬â¢s to the network. Our application i. e. RBS system is already running in a stand alone server and will continue that way to ensure system stability and integrity. The new system will also run on its own stand alone server for the same reason. â⬠¢The primary domain controller (PDC) tracks changes made to domain accounts. Whenever an administrator makes a change to a domain account, the change is recorded in the directory database on the PDC. The PDC is the only domain server that receives these changes directly. A domain has one PDC. A backup domain controller (BDC) maintains a copy of the directory database. This copy is synchronised periodically and automatically with the PDC. BDCââ¬â¢s also authenticate user logons, and a BDC can be promoted to function as the PDC. Multiple BDCââ¬â¢s can exist in a domain. Client PCs Currently there are four PCs and two laptops in the secretariat all running Windows XP as the desktop operating system and networked using Windows NT operating system of the K PLC master domain. All PCs have MS Office 2003 ââ¬â 2007 as an office desktop application. The PCs have between 256 and 512 MB RAM. All the PCs are running on Microsoft TCP/IP protocol and use USER LEVEL access on the network. Microsoft Exchange Server Microsoft Exchange Server is used for electronic messaging in and out of the organisation. Exchange is organised into entities called sites each consisting of one or more servers containing mailboxes and public folders. Mailboxes are where a userââ¬â¢s messages are kept, each user having a single mailbox whereas public folders are like notice ââ¬â boards, containing information that is shared between multiple users. Intra-site communication has to occur at high speed and with high reliability. Inter-site communication can occur at lower speeds. In addition to local messaging, there is Internet messaging, implemented via the Proxy Server. Anti-Virus Software McAfeeââ¬â¢s Total Virus Defence Software is the current company guard against viruses. The software is loaded on all the Exchange server protects against viruses distributed. A group of computers and the server that manages them is called an Anti-virus Domain. The anti ââ¬â virus server downloads new version automatically from McAfee Website on the Internet. Once the new software version is downloaded, the system administrator configures it for distribution. It also alerts the system administrator to ââ¬Ëpullââ¬â¢ the latest versions to the Anti-virus Server. Internet Microsoft Proxy Server provides an easy, secure way to bring Internet access to every desktop in an organisation. The proxy server is a gateway between the companyââ¬â¢s network and the Internet. A gateway is special software, or a computer running special software, that enables two different networks to communicate. The gateway acts as a barrier that allows you to make requests to the Internet and receive information, but does not allow access to your network by unauthorised users. [pic] 1. 0 PROCUREMENT OF HARDWARE, PERIPHERALS & OTHER EQUIPMENT 1. 1 Purchasing and Installing Hardware This Chapter deals with the Information Technology and Security issues relating to the purchase, use or maintenance of equipment through which information is processed and stored. 1. 1. 0 Procurement of Hardware, Peripherals and Other Equipment Policy Statement All purchases of new systems hardware or new components for existing systems must be made in accordance with Information Security and other organisation Policies, as well as technical standards. Such requests to purchase must be based upon a User Requirements Specification document and take account of longer-term organisational business needs. The purchase and installation of hardware requires those involved to consider carefully the Information Security issues involved in this process. This section covers the key areas to be considered. . 1. 1 Specifying Information Security Requirements for New Hardware The purchase of new computers and peripherals requires careful consideration of the business needs because it is usually expensive to make subsequent changes. |ICT Issues to consider |Action Required | |The system must have adequate capacity or else it may not be |Estimate the current and potential load on the system. | |able to process your data. For critical applications ensure t hat the system is reliable and of | | |high quality. | | |Select a supplier with a proven ââ¬Ëtrack record', who is likely to be | | |in business for the life of the hardware. | |Data must be adequately protected; otherwise there is a risk |Determine the type of safeguards necessary for the information | |of loss or accidental / malicious damage. concerned and ensure that the hardware is capable of supporting the | | |required features, e. g. the type of operating system and attached | | |devices. See classifying information and data | |Where hardware maintenance is poor or unreliable, you greatly|Choose a supplier with a proven ââ¬Ëtrack record', who is likely to be | |increase the risk to the organisation, because, in the event |in business for the life of the hardware. |of failure, processing could simply STOP. |Enter into a maintenance contract at the time of purchase with a | | |suitable response time in the event of a failure. See service level | | |agreement | |T he system must be sufficiently ââ¬Ëresilient' to avoid |Determine your organisationââ¬â¢s tolerance to system non-availability | |unplanned down-time, which can have an immediate negative |(seconds, minutes, hours or days? , and approach the design of your | |impact on your organisation |hardware configuration accordingly. | | |Consider the use of mirrored disks to guard against disk failures; | | |duplicate processors in case of processor failure; duplicate | | |configurations; and the use of an Uninterrupted Power Supply (UPS) | | |and standby generators. 1. 1. 2 Installing New Hardware Installation of new equipment must be properly considered and planned to avoid unnecessary disruption and to ensure that the ICT Policy issues are adequately covered. (See Premises for further detail. ) Policy Statement All new hardware installations are to be planned formally and notified to all interested parties ahead of the proposed installation date. Information Technology and Securi ty requirements for new installations are to be circulated for comment to all interested parties, well in advance of installation. ICT Issues to consider |Action Required | |The equipment must be located in a suitable environment otherwise|Adhere to the specifications and recommendations of the | |it may fail. |manufacturer or supplier, e. g. for operational temperature, | | |humidity etc. | |Adequate safeguards against fire, water and electrical failure | | |should be in place. See Premises | |Any disclosure of your network diagrams, security features, |Ensure that all persons on site, whether from your own | |locations and configurations etc. exposes potential |organisation or not, have completed a Non-Disclosure Agreement | |vulnerabilities, which could be exploited. Although a Non Disclosure Agreement paves the way for legal | | |redress, it cannot protect you against actual commercial damage. | |Leaving tools, utilities and developer's kits on your new system |All new syste ms should be configured for maximum practical | |endangers the confidentiality and integrity of your data |security by the removal of unnecessary utilities, developers' | | |programs, etc. a technique known as hardening. | |Without an installation plan for the new equipment, disruption to|Ensure that all special pre-installation requirements (e. g. air | |operational systems is more likely. |conditioning) have been met. | | |Identify the precise location for the equipment and ensure that | | |the power and network cables are ready. | | |Agree a detailed installation plan with the vendor. | |Anticipate what might go wrong and consider how to minimise the | | |risks. | |Where the installation plan does not include safeguards against |Agree a detailed installation plan and document it. See Project | |the (inevitable) increased security threat resulting from |Plan | |(relatively) ââ¬Ëopen access' to the systems area, accidental or |Monitor progress against the plan. |malicious damage can result. |Only allow authorised persons access to the systems area. | | |To protect all parties never allow engineers to work unattended. | | | | |Breaches of Health and Safety regulations endanger the well being|Ensure Health and Safety regulations are followed when locating | |of your staff and your organisationââ¬â¢s commercial activities. the equipment, peripherals and cables. | | |A periodic visual inspection is beneficial also. | 1. 1. 3 Testing Newly Installed Systems and Equipment Hardware should be tested when new to verify it is working correctly, and then further tests applied periodically to ensure continued effective functioning. Policy Statement All equipment must be fully and comprehensively tested and formally accepted by users before being transferred to the live environment or user sites. |ICT Issues to consider |Action Required | |Where new equipment is not tested for critical functions before |Ensure that all new installations are thoroughly tested after | |being used, it can lead to failure and hence damage to both data |initial set-up and prior to live use. |and other linked systems. |All such tests should be in accordance with a documented test | | |plan. | |Inadequate testing can threaten the integrity and availability of|Check the test outputs to confirm the results. Ensure that | |your data. |all-key components, e. g. hard disk subsystems are included in the| | |tests. | |Devices that are known to degrade with time, e. g. printers, | | |should be tested periodically | |Where testing is performed in a manner that does not simulate |Ensure that the test plan simulates realistic work patterns | |live conditions, the results of such testing cannot be relied | | |upon. | |Poor security procedures during equipment testing can compromise |Ensure that Non Disclosure Agreement have been obtained from all | |the confidentiality of your data. |third party staff involved in testing the equipment. | |Verify that the required security configuration and safeguards | | |have been implemented for the new hardware. | | |If live data is used in the testing process for the new hardware,| | |ensure that it is closely controlled. See Use of Live Data for | | |Testing | Explanatory notes NT servers The analysis of user requirements (client base and mail sizes expected) versus the various benchmarks test results will establish the best choice of server to be purchased. For file and print server only disk space is a key requirement. IT & T Issues |Key Actions | |CPU Board |Dual CPU, redundant system components in many aspects | |Disk & Disk space |Enough storage to cater for expected growth of mail database for the next| | |fiscal year | | | | | |Redundant and RAID-5 capable | |SPEC INT2000 |Compares CPU speeds for various servers. | | | |SPEC CPU2000 |To establish best processors and server performances. | | | | |(http://www. specbench. org/) |To establish best server as per RBS requirements. | | | | | |Do sample analysis based on databases expected or consult database | | |product vendor on system demands. |TPC-C benchmark |The TPC-C benchmark measures the ability of a server to process | | |transactions in a simulated business environment, calculating both the | |See guidelines at http://www. tpc. org/ for |performance of the System Under Test and real world scenario. | |transactions per server | | | |Mail servers should handle 1500 mail user traffic simultaneously in a | | |normal business environment. | | | | |Mail servers should be capable of storing all mails processed in a normal| | |working day. | Routers |ICT Issues |Key Actions | |Router basics |Dual CPU, all redundant system components installed at time of purchase | | |in many aspects | |IOS, RAM and ROM |Latest Cisco IOS e. g. ver 12. X. , 128 MB RAM and suitable flash memory to | | |store all features of IOS. | | | | |VPN and 3-DES features enabled | |IOS compatibility |New routers should Cisco compatible to integrate seamlessly with existing| | |IOS and equipment. | |Number of WAN ports |Decide by local needs e. g. | | | | | |Hub-routers should be preferred for small LANs | |User Management |Manageable by local o r by remote interface, RMON, SNMP or network user | | |interfaces. | Hubs and Switches Item |Action | |Hardware basics |Dual CPU, all redundant system components installed at time of purchase in many | | |aspects | |IOS, RAM and ROM |Latest Cisco IOS e. g. ver 12. X, VLAN and work grouping, bridging possible. | |IOS compatibility |Cisco compatible to integrate seamlessly with existing IOS and equipment. |Protocols |Ethernet enabled | |L | | |Number of LAN ports |Decide by local needs e. g. | | |Hub-routers should be preferred for small LANs | |User Management |Manageable by local or by remote interface, RMON, SNMP or html enabled network | | |user interface. | Modems Item |Action required | |Software Compatible |Supports HyperTerminal for Windows | | | | | |Should be configurable using AT commands | |V90 |Modems should be V90 standard and downward compatible with existing V54 & V42 | | |types, etc. |2 & 4 wire |Supports two wire dialup and 4 wire leased analogue line use. | Data cabinets Equipment cabinets should be properly chosen. The current 6U cabinet is too small for any future expansion or even good workmanship to be carried out. Vendors should provide cabinet of size equal or larger than 12U cabinet. |Item |Action | |Sufficient space for equipment |The cabinet should house all the equipment and accessories at the installation| |See http://www. datacabinets. om/ |time, leave room for future expansion and provide free space for proper | | |ventilation | |Aesthetically chosen for office environment |The cabinet aesthetically coloured to match with general looks in the vicinity| | |free standing or wall mounted and should be equipped with sufficient power | | |blocks. | |Proper ventilation and humidity |The cabinet must have sufficient cooling fans. The fans in these cabinets | | |shall be designed to give minimum noise level expected in a normal office | | |environment and must be designed to keep the humidity level low. | |Designed for equipment therein |The cabinets will be used to house all the active equipment and connection | | |accessories such patch panels, Light Unit Interfaces (LIU). | | | | | |Be lockable and be equipped with some trays. LIUs, cord organisers, cable | | |straps etc. |Grounding and ESD |All cabinet shall be electrically grounded to ensure electric noise and | | |electrostatic discharge is minimised. | Server Room The following items are useful in a server room construction. |Item |Action | |Backup supply |Installation of a central UPS to back up for at least 30 minutes after an | | |outage. | |Conditioned power supply |Installation of spike protectors is necessary to ensure well regulated supply | | |free of surges and dips. |Neat and extensive cable trays |Construction of a technical (false) floor and technical roof (false ceiling) | | |to house all types of cabling and utilities such as fire hydrants, smoke | | |detectors, etc | |No electrostatic discharge (ESD) in computer centre and |Proper grounding and use of anti-static PVC tiles on floor. Each tile must be| |equipment |grounded well. | |Maintain ambient temperature |Installation of a two way redundant air conditioning system. | | |Maintain 16 ? C via room wall. | |Guard against fires and similar hazards |Installation of an automatic fire-fighting system |Use effective extinguishers that are less hazardous to |Use most inert system e. g. Inergen | |human health. |See www. inergen. com/ | |Classify room usage |Partitioning of the computer room | |Proper lighting |Supply and installation of False Ceiling | |Protection against harmful effects of fire hydrants |Supply of Gas Masks | 1. 2Cabling, UPS, Printers and Modems Cabling For best of cabling the following international standards should be incorporated when carrying voice/data-cabling works. |Item |Action | |Scope |Systems Administrator to access scope of requirements. | |Design of cabling plant and premises consideration |According to ANSI/EIA/TIA 568B & 569 standards | | |See www. ansi. org, www. eia. org & http://www. tiaonline. rg | |Implementation and workmanship of cabling works and testing |According to ANSI/EIA/TIA 606 & 607 standards of installing and | | |maintaining data/voice cabling plant. | |Network Active devices |Different vendors have preferred methods of rolling out active | | |devices try this method: | | | | | |Develop | |high-level process flow diagram for deploying new solutions | | |solution hardware requirements | | |solution management platforms | | |solution validation by pilot project | | |full solution deployment | | |document all related information for management, maintenance and | | |future extensions | UPS The following formulas are useful in determining choice of UPS. The UPS are rated in terms of steady power out put and backup time. Steady power rate is given in watts= W Backup time is given in Hours or Ampere-hour of the batteries. = Ah Backup capacity in terms of Ampere-Hour is Ah = (Watt x time) and or is computed to be Ah =3. 6 Mega joules. Power x Time = Energy (joules) Translates to Time =Ah/power E. g. StimaEIS is 7. 2-kVA load. To backup for half an hour it requires (7200 x 30 x 60 x 60)/3. 6 x106 = 216 Ah Given that each small battery is 12V with 9 Ah each then the UPS will have 24 small batteries. Similarly for rest of the computers same formula can be used. 1. 3Consumables Introduction ICT consumables are expensive and should be properly controlled both from an expense perspective as well as an Information Security perspective. This section deals with the Information Security aspects of IT consumables. 1. 3. 1 Controlling IT Consumables Policy Statement IT Consumables must be purchased in accordance with the organisationââ¬â¢s approved purchasing procedures with usage monitored to discourage theft and improper use. They must be kept in a well-designated store away from working area. Explanatory Notes Examples of consumables are printer forms, stationery, printer paper, toner & ink, ribbons, disks, diskettes, bar-code labels and other accessories. Item |Key Actions | |Pilfering of your consumables results in increased organisational|Safeguard Consumables against petty theft by locking cupboards, | |expense. |maintaining a register, written authorisation prior to removal of| | |items etc. Keys to be kept by the supervisorââ¬â¢s office. | |Consumables may be s tolen with the intent to defraud your |Take special measures to protect potentially valuable pre-printed| |organisation or customers. |forms and account for their usage. Store area should be a | | |restricted area, use gate-passes and authorisation. |Confidential data may be revealed to unauthorised persons from |Ensure that confidential information cannot be identified from | |discarded Consumables e. g. discarded draft printer output and |discarded Consumables, such as printer ribbons and floppy disks, | |test data printer output. |by destroying them. | | |Destroy or shred surplus printout / fiche containing data, | | |whether or not the data appears to be confidential ââ¬â it may be! | | |See also Classifying Information and Data. | 1. 3. Using removable storage media including Diskettes and CDs Policy Statement Only personnel who are authorised to install or modify software, and staff who are authorised to transfer and update data shall use removable media to transfer dat a to / from the organisationââ¬â¢s network. Any other persons shall require specific authorisation. Explanatory Notes When using removable storage media, there are additional ICT Security risks associated with the portability of the media. Personnel authorised to install & modify software is the system administrator. Personnel authorised to transfer and update data shall be determined by the general manager and systems administrator. ICT Issues |Key Actions | |Loss or ââ¬Ëdisappearance' of disks, tapes, etc. can |Ensure that all media are stored safely and securely. | |compromise the confidentiality of the organisationââ¬â¢s |Make sure that all media are labelled clearly, whether physically and/or | |data. |electronically, and that they can be located easily when needed. | | |Designate key individuals to monitor the storage and use of removable | | |media. | |Damage to media compromises the integrity of your |Follow the manufacturers' recommendations when handling the m edia. | |corporate records. Take protective measures against environmental extremes of temperature, | | |humidity, dust, etc. , appropriate to the importance and sensitivity of the| | |data. | | |Consider carefully the safeguards required for any media being moved or | | |stored off-site; especially backup tapes / disks. | | |In the case of irreplaceable data, you should consider taking security | | |copies, each of which must be properly safeguarded. | |Consider using fire-resistant storage cabinets for such media. | 1. 4Working off premises or using out-sourced processing Working Off-Premises involves a broad range of Information Security risks. In addition to the obvious threat of theft of the equipment there are also significant risks to the information contained on portable equipment. It is necessary to use business centres with great care as confidential information or data can be input onto equipment that is not under your control. 1. 4. 1 Contracting or using Out-sour ced Processing The following issues should be considered if the organisation decides to utsource some or all of its computer processing. Policy Statement Persons responsible for commissioning out-sourced computer processing must ensure that the services used are from reputable companies that operate with accredited information security and quality standards which should include an appropriate Service Level Agreement. |ICT Issues to consider |Action Required | |Inadequate performance can threaten your organisation's |Determine the critical success factors for your organisation in terms of| |information processing and business operations. speed, reliability, response and ability to scale rapidly (if | | |necessary). | | |Document these factors in a Service Level Agreement with penalty clauses| | |for breaches. | |Poor reliability threatens the performance of your |Consider your organisation's tolerance to system non-availability in | |business. |seconds, minutes, hours or days? | | |Ensure that the service provider can meet these needs. | |Document these factors in a Service Level Agreement with penalty clauses| | |for breaches. | |Lack of direct control when outsourcing can compromise |Due diligence should be exercised to ensure that the outsourcing company| |data confidentiality. |is reputable and operates with adequate standards. | | |Obtain a Non Disclosure Agreement from the outsourcing company. | | |Insist on secure transmission methods between your organisation and | | |theirs, e. g. authenticated transmission with encrypted data. | 1. 4. 2 Issuing Laptop / Portable Computers to Personnel Laptops, Portables, Palmtops -or even electronic ââ¬Ëorganisers', which connect to and store your organisationââ¬â¢s data ââ¬â are included within this topic. Throughout this topic we refer to them collectively as ââ¬Ëlaptops' Policy Statement Line management must authorise the issue of portable computers. Usage is restricted to business purposes, and users must be aware of, and accept the terms and conditions of use, especially responsibility for the security of information held on such devices |ICT Issues |Action Required | |Confidential data disclosed to unauthorised persons can |Be certain that the member of staff has a valid business reason for | |damage the organisation. |using a laptop. Maintain and update the Hardware Inventory with the | | |primary user's name and contact details | | |Ensure that you are always able to trace the physical location of the | | |laptop and that the type and sensitivity of any stored data is known and| | |properly secure. | | |Always use any ââ¬Ëpower-on' password feature as a simple deterrent to | | |opportunistic usage. | | |Ensure the confidentiality and security of backup files. |The use of unlicensed software can subject your |All software used on the laptop must be licensed and comply with both | |organisation to legal action |legal and organisational standards. | |Viruses, Worms, Trojans and other Malicious Code can |Scan the laptop for malicious code and viruses regularly. | |corrupt both data and the system files. |Always scan files before accepting them onto the laptop | |Theft of the laptop exposes the organisation to the threat|Ensure that the holder implements adequate safety procedures against | |of disclosure o f sensitive corporate data to competitors. |theft. | |Consider the use of securing wires or other security devices in open | | |offices. | | |Ensure that the Hardware Inventory contains relevant allocation details | | |of all computers. Insure the laptop against loss, theft and damage. | | |Be aware of any exclusion in cover. Prepare guidelines for issuing | | |portable computing equipment. |Inadequate backup and recovery routines can lead to the |Ensure that laptop computers can have their data safeguarded through | |loss of data. |regular backups. | | |Ensure that the primary user of the equipment recognises their | | |responsibilities in this regard. | Guidelines for Issuing Portable Computing Equipment Those responsible for issuing portable computer equipment must ensure that the following is complied with before issuing such equipment to employees. â⬠¢ Ensure that adequate insurance cover is provided for the portable equipment for use in the home country and abroad. Ensure that suitable virus scanning software is present on the equipment. â⬠¢ Supply suitable network connections and ensure that access procedures are applied if the equipment is to be connected to a network. â⬠¢ Ensure that adequate capacity (hard disk and memory size) is available on the equipment to support business processing. â⬠¢ Ensure that adequate backup and restore facilities and procedures are in place. â⬠¢ Ensure that compatible versions of application software are in place. â⬠¢ Ensure that software encryption and/or physical locking devices are in place. â⬠¢ Ensure that adequate records of the equipment are maintained, and that the issue is authorised and receipted. Ensure that authorisation for use of portable computing equipment is received â⬠¢ Ensure that the Terms of Use are issued and signed. 1. 5Using Secure Storage Introduction It is essential that valuable confidential or critical information or equipment is stored in a secure locati on. This section covers secure storage. Policy Statement Sensitive or valuable material and equipment must be stored securely and according to the classification status of the information being stored. Documents are to be stored in a secure manner in accordance with their classification status. 1. 5. 1 Using lockable storage cupboards & filing cabinets A lockable storage cupboard should be considered for storing sensitive or valuable equipment. A lockable filing cabinet should be considered for secure storage of paper-based files and records, or small but movable items. |ICT Issues |Key Actions | |Unsecured organisation sensitive material may be |Ensure that all sensitive material is secured in a lockable storage | |stolen from the department. |cupboard, cabinet or safe when not required. The more sensitive the | | |material, the more care must be taken in selecting the appropriate storage| | |method. | |Ensure you are aware of who is an authorised key holder to any such | | |storage cupboard, cabinet or safe. | | |Ensure that a second key is available with a trusted key holder via a dual| | |control issues process in case the key holder is unavailable or the item | | |is required in an emergency. | |Securely locked organisation sensitive material may be|Ensure that highly sensitive material including computer discs and tapes | |stolen or damaged whilst in store. |are stored in a fire rated storage cupboard, cabinet, or sa fe. Beware that| | |the cabinet itself may survive the fire but the items inside may be | | |damaged irreparably. | | |Ensure that all sensitive material is secured in a lockable storage | | |cupboard, cabinet, or safe when not required. | | |Use a storage unit, which matches the sensitivity of the material. The | | |more sensitive the material, the more care must be taken in selecting the | | |appropriate storage method. | |Ensure you are aware of who is an authorised key holder to any such | | |storage cupboard, cabinet or safe. | | |Ensure that a second key is available with a trusted key holder via a dual| | |control issues process in case the key holder is unavailable or the item | | |is required in an emergency. | 1. 5. 2 Using Fire-Protected Storage Cabinets & Safes A fire protected storage cabinet is a good way to protect sensitive material against the risk of being destroyed by fire and possible water damage from fire fighting activities. The use of safes for storage is to be en couraged. The security of the safe itself is just as critical. Policy Statement Items such as backup-tapes, microfiche, microfilm, archives, recovery diskettes, passwords, CDs for software installation shall be considered sensitive and valuable to the organisation and must be stored in fire-protected storage cabinets & safes. |IT & T Issues |Key Actions | |Sensitive data stored in fire-protected cabinets can |Ensure that all sensitive material is secured in a Fire protected | |nevertheless be damaged beyond use. Due to their possible |cabinets & safe when not required. Yearly & Monthly system & database | |additional weight, siting is a key consideration |backups should be kept away from the building | | |Ensure you are aware of who is an authorised key holder to any such | | |storage cupboard, cabinet or safe. | | |Ensure that a second key is available with a trusted key holder via a | | |data control issues process in case the key holder is unavailable or the | | |item is required in an emergency. | |Sensitive data may be lost if stolen or during transit. |Copies of archives should be kept separate from actual database backups. | |A physical log file to control backup data movement to various safe | | |locations to be kept up-to-date both with signature of security personnel| | |and person moving the backups. | | |Data Library to be up-to-date with details of backup date, type, | | |location, type & expiry date | 1. 6Documenting Hardware Introduction This section deals with hardware documentation and manuals, and also hardware inventory. It is es sential that hardware documentation is kept up to date and made available to all users as appropriate. 1. . 1Managing and Using Hardware Documentation ââ¬ËDocumentation' refers to both the operator manuals and the technical documentation that should be provided by the supplier / vendor. Policy Statement Hardware documentation must be kept up-to-date and readily available to the all staff that may need it. |ICT Issues |Key Actions | |If equipment is operated incorrectly mistakes and |Ensure you receive all operational and technical manuals for each piece | |damage may result. |of equipment. | | |Store the documentation accessibly but safely. | |Systems users must be trained according to the supplier's manuals | |A failure to follow the recommended schedule of |Ensure all regular maintenance is carried out and monitored. | |maintenance runs the risk of system malfunction, which |Adopt procedures which ensure that your operators complete all | |could possibly jeopardise your busines s operation. |maintenance for which they are responsible according to the | | |manufacturer's recommendation | |Failure to operate equipment in accordance with the |Ensure you receive all operational and technical manuals for each piece | |instructions can invalidate the warranty. |of equipment. | |Ensure that such manuals are readily available and form the basis of all | | |training. | |Failure to complete and return the manufacturer's |Complete the warranty card in time and record the details in your | |warranty card may invalidate the warranty and hence |Hardware Inventory Register. | |limit the manufacturer's liability | | ] 1. 6. 2 Maintaining a Hardware Inventory or Register Introduction A register / database of all computer equipment used within your organisation is to be established and maintained. Policy Statement A formal inventory of all equipment should be maintained and kept up to date at all times. ICT Issues |Key Actions | |Theft of equipment is most likely to result in additional |Establish inventory and implement procedures for updating it. | |cost to the organisation and could compromise data security. |Ensure that you have a procedure to advise the acquisition of new | | |hardware, the disposal of old items and any changes of location. | | |Periodically verify the correctness of the inventory by checking that | | |a sample of hardware is physically present. |Inadequate insurance could render your organisation liable |Establish inventory and implement procedures for keeping it | |to loss in the event of a claimable event. |up-to-date. | | |Ensure that you periodically review the adequacy of your insurance | | |cover. | |Shortcomings in the planning of equipment replacement can |Establish an inventory and, in conformance with your IT Plan, ââ¬Ëear | |make it difficult to plan ahead for new technology. |mark' equipment for replacement and plan accordingly. | 1. 7 Telecommunications equipment (Procurement, maintenance, practices and design t elecommunications) Procurement of telecommunications system â⬠¢ Manufacturer maintenance (internal & external) â⬠¢ Design criteria of systems â⬠¢ Commissioning & Decommissioning of systems â⬠¢ Fibre optic systems Introduction This chapter deals with the Information Communication Technology issues relating to the purchase, use, maintenance and the design of equipment through which information is processed and transmitted. The systems covered include, Telephony (PAX and PABX) Data Networks Fibre Network 1. 7. 1 System Design ( Engineering) Policy statement ICT system engineering will be based on tested and proven state of the art technology for a given ICT system. Explanatory notes The systems administrator shall from time to time update her/himself with new international standards for ICT systems. She/he shall be required to come up with flexible systems that will meet the company needs at the best. |ICT Issues |Actions | |Technology |System engineering shall be based on the latest technology in the | | |required field such as Telephony. | |Company's needs (Application) |The design shall address the company needs and applications for at least| | |the next ten years. |Flexibility |The system design shall address the equipment flexibility and upgrade. | |Redundancy |The design will state the expected loading and redundancy of the | | |equipment | 1. 7. 2 Procurement Policy Statement In addition to the public and company procurement procedures, the ICT departments will specify in details the functional and capacity requirements of system before any purchase is done. Explanatory notes Before any system acquisition is done, the system administrator will be requir ed to have evaluated the company's needs. This will include system performance; reliability ultimate capacity and staff abilities included proposed training requirements. This will be in the form of Request for Proposal (RFP) documents. |IC T Issues |Actions | |Tender document |Shall have detailed system/equipment description of the performance, | | |reliability and capacity of hardware. The system life expectancy shall be| | |required | |Spares and Support |The system spares will be stated. The system support and staff training | | |clearly be addressed | |Authorised dealership/partnership |The vendor shall be required to state and prove the partnerships with the | | |manufacturer | |Tendering |The type of bidders to be invited shall be stated | 1. 7. 3 Commissioning/ Decommissioning Policy Statement System commissioning will be carried out as stipulated in the manufacture's testing/commissioning sheets for any new ICT equipment. Tests should nclude all the RFP system requirements. System commissioning is necessary to ascertain system performance all the designed parameters will be tested. After the commissioning the system passwords should be immediately changed as a security measure, to protect any data manipulation or corruption from the vendor. |ICT Issues |Actions | |Performance |All tests as per system design and manufacturer's | | |specification/performance shall be carried out. |Drawings |All system drawings shall be submitted ( at least three copies)and kept | | |in safe custody | |Equipment Cabinet keys |The equipment cabinet keys shall be handed over to the functional head | |Decommissioning |System decommissioning shall be carried out once the equipment is no | | |longer in use. | | |Commissioning sheets and drawings shall be used to determine the current | | |connection (Circuit termination) of the system. | | |The decommissioned equipment shall be removed from the Telecom room and | | |all wires/cables not used shall be removed. | |The drawings for decommissioned systems/equipment shall be retired. | 1. 7. 4 Maintenance Practices Policy Statement All ICT systems shall be maintained regularly as per manufacture's recommendations. Where system are placed in harsh environments, system maintenance will be carried out as deemed by the systems administrator. Explanatory notes All system maintenance should be done in house as much as possible. Outsourcing of maintenance (Annual Maintenance Contracts, AMCââ¬â¢s) contrac
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.