Office of the Prime Minister
Policy document
CIMU P 0016:2003
Version: 2.0
Effective date: 01 Oct 2003
Information Security Policy
1. Policy statement
i) General
The Public Service of the Government of Malta (Public Service) shall protect its information assets, employees, and the physical and working environment from a wide range of threats in order to ensure business continuity, minimise business damage and optimise return on investment and business opportunities.
The Public Service shall comply with laws, contracts and with this Policy. The Public Service shall put in place appropriate security measures to:
• protect all information assets from accidental or unauthorised use, theft, modification, destruction and shall prevent the unauthorised disclosure of restricted information;
• protect the physical and working environment from malicious attacks, power failures and other electrical anomalies, water supply failure, etc.;
• reduce the risk of human error, theft, fraud or misuse of facilities, including social engineering attacks on Public Service employees.
ii) Information Security Framework
Measurement and benchmarking activities related to information security in the Public Service, and to the physical and working environment of its employees shall be based on the Information Security Framework (ISF) with a focus on the following domains:
• Information Security Policy
• Security organisation
• Asset classification and control
• Personnel security
• Physical and environment security
• Communication and operations management
• Access control
• Systems development and maintenance
• Business continuity management
• Compliance.
An ISF diagram showing these domains is presented in Appendix A of this Policy.
iii) Implementation
The target population of this Policy is all Public Officers, employees of CIMU and Agents, Third Parties, and outsourcing organisations. Employees of Third Parties and outsourcing organisations are involved when there is information processing, and/or in the case of Third Party physical access (to offices, computer rooms, etc.) or logical access (to databases, networks, etc.) to information assets.
The implementation strategy needs to be based on three fundamental directions:
a) Information security Policy (Umbrella Policy)
The aim of this Policy is to establish security measurement and benchmarking based on the ISF and related to Public Service information assets, employment, and the physical and working environment.
b) Corporate (Horizontal) implementation
The aim of this implementation phase is to introduce a minimum level of Information security across the whole Public Service, and its Agents. This implementation shall be based on this Policy, the Information Security Organisation Policy (CIMU P 0017:2003), the Information Security Compliance Policy (CIMU P 0018:2003), the Minimum Security Directive (CIMU D 0016:2003), the Information Security Organisation Directive (CIMU D 0017:2003) and the Information Security Compliance Directive (CIMU D 0018:2003).
The high-level Corporate Information Security implementation plan will be issued by the CIMU.
c) Specific (Vertical) implementation
to Appendix B).
The high-level Specific Information Security implementation plan will be issued by CIMU.
iv) Policy violations
The CIMU will take appropriate measures in cases of violation of this Policy and of the related Framework documents.
Heads of Public Service Departments and Agents shall, in cases of violation of this Policy within their respective area, take appropriate and timely measures, and liaise with the Agent to control information security.
2. Purpose
The objective of this Policy is to set up a high-level Public Service-wide Information Security Framework based on an international standard and local experience. This includes introducing security measures to protect Public Service information assets, employees, and the physical and working environment from a wide range of threats in order to ensure business continuity, minimise business damage and optimise return on investment and business opportunities.
This Policy will be an umbrella policy for all policies related to the Public Service Information Security Framework.
3. Who should know this Policy
Persons having the following positions, as a minimum, should know this Policy. Additional positions shall be introduced in the Information Security Organisation Policy. They shall communicate appropriately with persons in other positions regarding the contents and furtherance of this Policy:
• Head of Security Coordinating Committee
• Chief Information Management Officer
• CIMU Communications Executive
• All Account holders
• Permanent Secretaries
• Heads of Department
• All Public Officers
• Director of the Internal Audit and Investigations Directorate
• Information Management Officers
• Auditor General
• Head of Agent
• Head of Outsourcing Organisation
4. Scope of applicability
The scope of applicability of this Policy is to set up an Information Security Framework within the Public Service as a baseline for further development of Policies, Standards and Directives with the provision that this Framework may be extended to the Public Sector of the Government of Malta (Public Sector).
5. Definitions
Access control – controlled access to information. For more details, refer to the standard MSA ISO/IEC 17799:2001.
Asset classification and control – to evaluate, grade and control types of information assets according to information security criteria. For more details, refer to the standard MSA ISO/IEC 17799:2001.
Agent – a trusted organisation that acts on behalf of Government entities providing services (i.e. Information and Communication Services).
Business continuity management – counteracting interruptions to business activities and protecting critical business processes from the effects of major failures or disasters. For more details, refer to the standard MSA ISO/IEC 17799:2001.
Communications and Operations – ensuring the correct and secure operation of information processing facilities. For more details, refer to the standard MSA ISO/IEC 17799:2001.
Compliance – avoiding breaches of any criminal and civil law, statutory, regulatory or contractual obligation and any security requirement. For more details, refer to the standard MSA ISO/IEC 17799:2001.
Information Assets – all systems and services that gather, generate and store data, supported by an ICT infrastructure and related technology. In addition, information written or printed on paper, shown on film or recorded in conversation is also an information asset.
Information security – the preservation of confidentiality, integrity and availability of information. Note:
    Confidentiality – ensuring that information is accessible only to those authorised to have access.
    Integrity – safeguarding the accuracy and completeness of information and processing methods.
    Availability – ensuring that authorised users have access to information and associated assets when required.
Logical access – access to ICT resources, applications, systems or data mediated delivery mechanism or resourcing alternative.
Personnel security – reduction of the risk of human error, theft, fraud or misuse of facilities. For more details, refer to the standard MSA ISO/IEC 17799:2001.
Physical access – concrete and material admission, admittance, entrance or entry to sites, buildings, offices and Data Centres.
Physical and Environment security – prevention of unauthorised access, damage and interference to business premises and information. For more details, refer to the standard MSA ISO/IEC 17799:2001.
Security measurement – administrative and technical / technological methods to quantify business continuity and minimise business damage.
Security organisation – initiation and control of the implementation of information security within the Public Service. Also refers to the establishment of mechanisms for information dissemination. For more details, refer to the standard MSA ISO/IEC 17799:2001.
Social engineering – can be broken into two types: human based and computer based. Human-based social engineering refers to person-to-person interaction to retrieve the desired information. Computer-based social engineering refers to having computer software that attempts to retrieve the desired information.
Systems development and maintenance – ensures that security is built into information systems. For more details, refer to the standard MSA ISO/IEC 17799:2001.
Third Party – someone other than the principals directly involved in a transaction or agreement.
6. Roles and responsibilities
For the purpose of this policy, the following roles and responsibilities have been identified.
Role / Responsibility
01. Head of Security Coordinating Committee
    i. to review, endorse and champion Information Security in the Public Service
02. Chief Information Management Officer
    i. to review Information Security Policies, Standards, Directives and Handbooks
    ii. to issue the high level Information Security implementation plans
    iii. to monitor core Information Security within the Public Service and take corrective action when necessary
03. CIMU Communications Executive
    i. to publish this Policy
04. Account Holder
    i. to follow Security Policies, Standards and Directives related to the nature of their job
05. Permanent Secretary / Head of Department
    i. to implement and enforce this Policy within the Ministry / Department
06. Public Service Officers / CIMU Employees
    i. to follow Security Policies, Standards and Directives related to the nature of their job
07. Head of Agent
    i. to implement Security Policies, Standards and Directives related to the nature of their job
08. Agent Employees
    i. to follow Security Policies, Standards and Directives related to the Agent’s responsibilities
7. Supporting Documents
In support of this Policy, the following Policies and Directives shall apply:
01. CIMU D 0016:2003 Minimum Information Security Directive
02. CIMU P 0017:2003 Information Security Organisation Policy
03. CIMU D 0017:2003 Information Security Organisation Directive
04. CIMU P 0018:2003 Information Security Compliance Policy
05. CIMU D 0018:2003 Information Compliance Security Directive
8. References
01. Data Protection Act – Chapter 440 http://www.justice.gov.mt
02. Electronic Commerce Act – Chapter 426 http://www.justice.gov.mt
03. MSA ISO/IEC 17799:2001 – Information Technology – Code of Practice for information security management
Nations Organisations
http://accsubs.unsystem.org/isccdocuments/documents/distribution/maintext/security-managers.html
05. OECD Guidelines for the Security of Information Systems and Networks – Towards a culture of Security
http://www.oecd.org
8. Modification history
Version Date Changes
1.0 09.02.2003 Initial Release
2.0 01.10.2003 Scheduled Review without changes
9. Maintenance and review cycle
Maintenance and review of this Policy is set for six months after the initial release, as indicated in the effective date. Subsequent reviews of this Policy shall be based on a twelve-month cycle.
Signature and Stamp
Joseph R. Grima
Appendix A – Information Security Framework
[ISF diagram: the Information Security Policy sits above the domain policies (Security Organisation Policy, Asset Classification & Control Policy, Personnel Security Policy, Physical & Environmental Security Policy, Communications & Operations Management Policy, Access Control Policy, Systems Development & Maintenance Policy, Business Continuity Management Policy, Compliance Policy), each supported by its own Standards and/or Directives; implementation by the Public Service and Agents.]
Appendix B – Public Service Information Security Framework Implementation Scenario
[Diagram: Public Service Information Security Framework Implementation Scenario. Axes: Security Compliance and Security Domain. Security levels: Minimum Security, Adequate Security, Full Compliance. Step 1: Information Security Policy & Minimum Information Security Directive. Step 2: Information Compliance Policy & Information Compliance Directive. Domain policies shown: Business Continuity Management Policy, System Development & Maintenance Policy, Communications & Operations Management Policy, Asset Classification & Control Policy, Physical & Environment Security Policy, Access Control Policy, Personnel Security Policy.]