IT Security Policies

Published on November 2017


Prepared by:

Saltlake Infosolutions Pvt. Ltd. G-5, Gnd Floor, Koyla Vihar Abhinandan, VIP Road, Kolkata – 700052 Phone: +91-9831592533 Email – [email protected] Web: http://www.saltlakesoft.com

[ORGANIZATION]

IT Security Policies

[ORGANIZATION]

2010.1

This sample document and all of its contents are copyright of Saltlake Infosolutions Pvt. Ltd. (http://www.saltlakesoft.com). All rights reserved.


Table of Contents

Information Technology Security Policies
Business Continuity Plan
Disaster Recovery Plan
Incident Response Plan
Risk assessment procedure
Information Security Policy
Network Security Policy
Backup Policy
User Management and Access Control Policy
Password Policy
Application Software Policy
Audit Trail Policy
Anti-Virus and Firewall Policy
Change Management policy


Change Management policy

Overview

As IT infrastructure at [ORGANIZATION] grows, the dependence on IT Resources increases across functions. These IT Resources could be Application Software, System Software and Operating Systems, Hardware (including Server and Client machines), Network infrastructure etc. From time to time, these IT Resources may need to undergo changes which could be planned upgrades or maintenance. In addition, unexpected events can occur which require upgrades or maintenance of the resource. During the upgrades or maintenance, the IT Resource could be unavailable or partially available. It is critical for the organization to manage the changes occurring due to planned or unplanned events in such a way that the disruption in the business services of the [ORGANIZATION] is minimized.

Purpose

The purpose of the Change Management Policy is to manage changes in a rational and predictable manner so that staff members and clients can plan accordingly, to minimize disruption in the business services of the [ORGANIZATION]. The Change Management Procedures are designed to provide an orderly process and control under which all change requests made for [ORGANIZATION]’s IT infrastructure are reviewed and approved prior to the installation or implementation of the change. Furthermore, it also defines the procedure and steps which need to be followed in case any Unplanned or Emergency change takes place.

Scope

Any change in [ORGANIZATION]’s IT environment requires approval via the process defined in this policy. This policy applies to:
• All employees, users and clients
• Changes made to all Information Technology systems and services
• Hardware upgrades or additions
• Network changes
• Infrastructure changes
• Security patches / changes
• Software upgrades, updates, or additions
• System architecture and configuration changes

Definitions

Planned Change: A change for which formal notification is received, reviewed, and approved by the Management in advance of the change being implemented.

Unplanned Change: A change for which notification was not presented to the formal process in advance of the change being made. It happens in the case of unexpected changes, where time is too short to follow any formal procedure.

Emergency Change: An immediate, on-the-spot response to an Incident requiring an urgent solution, needed to prevent widespread service or system disruption.

Process

The Change Management process consists of general procedures, which must be followed for all types of changes, and a few specific procedures, which are followed for the respective type of change being made, i.e. planned, unplanned and emergency changes.

General procedures applied to all types of changes:
• A written request has to be made.
• An advance approval has to be obtained.
• The change must be assessed for impact, risk and priority.
• The change must be tested in advance as thoroughly as possible/reasonable.
• The change must be documented, with all supporting documentation updated to reflect the change.
• Only in exceptional circumstances may urgent changes be made outside the normal process, and in any event they must be fully recorded retrospectively.
• Communications must ensure that the effect of a change is properly made available to those who are significantly affected, or on a need-to-know basis.
• A Change Review must be completed for each change, whether planned or unplanned, and whether successful or not.
• A Change Management Control Log must be maintained for all kinds of changes.

Planned Change Procedure

Any potential change to the [ORGANIZATION]’s IT resources must be communicated to the Management by the System Administrator and his team responsible for changes. The Change Request Form must be used for communicating the potential change.


The following procedure should be followed in case of a Planned Change:
1. A Change Request Form must be filled in and submitted to the senior management, providing the necessary details and information about the change, e.g.
   a. Why the change is required.
   b. Who is responsible for implementing the change.
   c. The estimated date of the change.
   d. A description of the change, including a timeline and the potential risks associated.
   e. Whether the change has been approved by other staff in charge of resources that may be affected, if any.
   f. The IT staff members who are involved in the change must be listed.
   g. What assistance will be needed from other employees, if any.
2. Potential changes must be communicated several working days in advance of when the work is to be done.
3. After receiving notification of a potential change, any user/employee who needs more information or has an objection to the change should contact the System Administrator.
4. In the event that an objection to the change cannot be resolved informally, the Director or Senior Management person involved will call a meeting of all involved parties to resolve the dispute.

Unplanned Change Procedure

For Unplanned Changes, all the steps in the general procedure mentioned above will be followed except for advance notification.

Emergency Change Procedure

• All emergencies will be handled on a case-by-case basis by the System Administrator with the approval of the Management.
• Approval to execute the change must be obtained from management.
• Users and/or staff affected by the emergency will be notified as soon as possible.
• Actions for dealing with the changes will be taken care of by the System Administrator as soon as possible.
• All change procedures must be recorded retrospectively and preserved with the necessary supporting documents.

In the case of emergency changes, the above-mentioned steps will be followed to allow the fastest possible response while still maintaining the proper levels of approval, monitoring, communication and documentation of all change-related procedures.


Responsibility and Implementation

• System Administrator and Compliance Officer will be responsible for implementation of Change Management Policy and procedures in consultation with Higher Authorities of the company.
• All Pre Implementation and Post Implementation processes which may be needed for future reference by the System Department must be documented or noted in Change Implementation Form and Change Management Log.
• This policy should be periodically reviewed and updated, where and whenever necessary, to reflect changes in the IT environment of the [ORGANIZATION].

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, penalty and/or suspension, up to and including termination of employment.

(Attached: Change Management Forms)
1. Change Request Form
2. Change Implementation Form
3. Change Management Control Log


CHANGE REQUEST FORM

[ORGANIZATION]

Change Request Details

Change Request No:
Date:
Requestor Name:
Designation:
Department:
Description of Change:
Reason for Change:
Initiation Date:
Completion Date:

Approval from Other Departments (if any):
Department:          Approved By:
Department:          Approved By:
Department:          Approved By:

Type of Change: ☐ Planned  ☐ Unplanned  ☐ Emergency
Associated Risks:
Impact of the Change: ☐ High  ☐ Medium  ☐ Low
Personnel Required:
Hardware Required:
Software Required:
Estimated Cost (INR):
Signature of Requestor in full:

Change Approval or Rejection

Change Request Status: ☐ Approved  ☐ Rejected
Change Scheduled On:
Comments:
Change Implementation Assigned To:
Designation of Approver:
Signature of Approver in full:
Change Review Assigned To:


CHANGE IMPLEMENTATION FORM

[ORGANIZATION]

Change Implementation Form

Change Request No:
Date:
Department:
Name of Person Implementing Change:
Designation:
Date of Test of Change Implementation:
Change Tested By:
Description of Test:
Test Results:
Comments:
Change Implementation Date:
Results of Change Implementation:
Cost Incurred (INR):
Comments:
Signature of Person Implementing Change (in full):
Comments of Reviewer:
Signature of Reviewer (in full):


CHANGE CONTROL LOG

[ORGANIZATION]

Change Request No.
Request Date
Requested By (Name)
Requested By (Designation)
Department
Change Description
Status (Approved / Rejected)
Date of Approval / Rejection
Change Initiated On
Change Implemented On
Change Implemented By
Change Supervisor
Cost Incurred (Amount in INR)
Details Entered By
Signature
Result (Success / Failure)
