Other elements should be added, but any policy containing at least the most significant elements described is likely to be effective and thus improve general controls.
Workpaper 7-1. Complete Sample IT Security Policy
This security manual has been developed to provide both general and specific guidance on security-related matters to company personnel. Management believes that this is necessary so that all of our personnel can have access to the information required to be properly enabled to address security concerns and issues as they arise.
This policy document is oriented toward safeguarding the company's investment in hardware, software, and data. Without such a policy, it has not been practical to provide management the assurance it desires that only authorized system access is permitted, that system activities are consistent with business activities, and so on.
This manual has been developed with some sensitivity to the variety of computer systems now in place and supporting some part of our total business. We have established the following classes based on the installed workstations. You must address all items for your installation class. The items for each class are the minimum requirements, but we encourage you to review them all, as items from other classes might benefit your installation. Requests for variations from this policy, if submitted in writing to this department, will be considered and formally responded to.
1. - - - D
Unauthorized entry to the data center shall be prevented by locks, automatic admission checking system, or guards. If the data center is on the ground floor, the windows shall be of an unbreakable type, preferably also opaque and not possible to open.
2. - B C D
Fire extinguishers of carbon dioxide or Halon gas shall be located in the data center and in the adjacent room. Where applicable, the fire control organization should be consulted, and they should make periodic inspections.
3. - - - D
Automatic fire extinguishing installations, smoke detectors, and fire alarms are strongly recommended. However, in most countries, Halon will be forbidden within the first half of the 1990s. Technological developments must be observed. Before deciding on a new automatic Halon installation, corporate approval must be obtained.
4. - B C D
Sprinklers might be a suitable alternative if they are combined with an automatic power shut-off to the data center before the sprinklers are released.
5. - - C D
When constructing a data center, sewer and water pipes should be removed or the material changed to an anticorrosive material. If there is any risk of leakage, flooding, or water rising from the drainage system, there shall be (automatic) shut-off valves and gutters.
6. - - - D
A water or moisture alarm should be installed.
7. - B C D
Where needed, air conditioning equipment shall be installed. If suitable, the capacity should be divided into at least two units.
8. - - - D
Equipment for alarm and power shut-off at unsuitable temperatures or humidity should be installed.
9. A B C D
An Uninterruptible Power Supply (UPS) should be installed where power disruptions are frequent and recovery takes a long time or where disruptions incur significant costs.
10. A B C D
Stabilizers should be used where voltage or frequency is not stable.
11. A B C D
When sending data media containing payment transactions, special security measures shall be taken to prevent the media from being altered. Such measures could be a fixed timetable for the conveyance, transport in a locked box, and an electronic seal on a tape.
12. A B C D
Backup copies shall be taken so frequently that the time for a recovery procedure is relatively short. The recovery should not take more than four hours or create business disturbances or incur significant costs. For frequently used files, backup shall be at least daily. A full backup including low-frequency files and system and application software shall be performed at least monthly.
13. A B C D
The backup copies shall be stored in such a way that they cannot be destroyed or stolen at the same time as the computer. They should either be stored in another building or in a fireproof cupboard in another room away from the computer. The backup copies shall be kept under lock and key.
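Items 12 and 13 are the two requirements in this sample policy that can be checked mechanically from a backup catalogue. The following script is an added example, not part of the sample policy or of any product it describes: it walks a constructed catalogue of backup runs (the record fields, the location names and the 31-day reading of "at least monthly" are assumptions made here) and reports each departure from the daily, monthly, four-hour recovery, off-site storage and lock-and-key rules.

```python
from datetime import datetime, timedelta

# Constructed sample backup catalogue (not from the policy): one record per backup run.
# "covers" is "frequent" for the daily set of frequently used files, "all" for a full run.
SAMPLE_CATALOGUE = [
    {"taken": "2024-03-01T22:00", "kind": "full", "covers": "all",
     "location": "other-building", "locked": True, "restore_test_hours": 3.5},
    {"taken": "2024-03-18T22:00", "kind": "incremental", "covers": "frequent",
     "location": "fireproof-cupboard-other-room", "locked": True, "restore_test_hours": 1.0},
    # Deliberately non-compliant record: stored beside the computer and not locked away.
    {"taken": "2024-03-19T22:00", "kind": "incremental", "covers": "frequent",
     "location": "computer-room", "locked": False, "restore_test_hours": 1.0},
]

# Assumed storage classes that satisfy item 13 ("another building" or a
# "fireproof cupboard in another room").
ACCEPTABLE_LOCATIONS = {"other-building", "fireproof-cupboard-other-room"}
DAILY = timedelta(days=1)
MONTHLY = timedelta(days=31)      # assumption: "at least monthly" read as 31 days
MAX_RECOVERY_HOURS = 4.0          # item 12: recovery should not exceed four hours

# Constructed point in time at which the catalogue is evaluated.
AS_OF = datetime(2024, 3, 21, 9, 0)


def parse(ts: str) -> datetime:
    """Parse the catalogue's timestamp format (assumed to be ISO date plus HH:MM)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def check_backup_policy(catalogue, now):
    """Return a list of policy findings; an empty list means items 12 and 13 are met."""
    findings = []
    runs = [dict(r, when=parse(r["taken"])) for r in catalogue]

    # Item 12: frequently used files backed up at least daily.
    frequent = [r["when"] for r in runs if r["covers"] in ("frequent", "all")]
    if not frequent or now - max(frequent) > DAILY:
        findings.append("item 12: no backup of frequently used files within the last day")

    # Item 12: full backup (low-frequency files, system and application software) monthly.
    fulls = [r["when"] for r in runs if r["kind"] == "full"]
    if not fulls or now - max(fulls) > MONTHLY:
        findings.append("item 12: no full backup within the last month")

    for r in runs:
        # Item 12: the recovery procedure must stay within four hours.
        if r["restore_test_hours"] > MAX_RECOVERY_HOURS:
            findings.append(
                f"item 12: restore test for backup of {r['taken']} took "
                f"{r['restore_test_hours']}h (limit {MAX_RECOVERY_HOURS}h)")
        # Item 13: copies must not be destroyable or stealable together with the computer.
        if r["location"] not in ACCEPTABLE_LOCATIONS:
            findings.append(
                f"item 13: backup of {r['taken']} stored with the computer ({r['location']})")
        # Item 13: copies kept under lock and key.
        if not r["locked"]:
            findings.append(f"item 13: backup of {r['taken']} not kept under lock and key")
    return findings


if __name__ == "__main__":
    for finding in check_backup_policy(SAMPLE_CATALOGUE, AS_OF) or ["policy met"]:
        print(finding)
```

The check is deliberately conservative: a run that covers "all" files also counts toward the daily requirement, but only a run marked "full" satisfies the monthly one, so an installation that never performs a full backup is flagged even if it backs up its working files every night.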