Preamble

DooDads4Sale.com acknowledges an obligation to ensure appropriate security for all Information Technology data, equipment, and processes in its domain of ownership and control. This obligation is shared, to varying degrees, by every member of the company. This document will:

1. Enumerate the elements that constitute IT security.
2. Explain the need for IT security.
3. Specify the various categories of IT data, equipment, and processes subject to this policy.
4. Indicate, in broad terms, the IT security responsibilities of the various roles in which each member of the university may function.
5. Indicate appropriate levels of security through standards and guidelines.

Scope of IT Security

1. Definition of Security. Security can be defined as “the state of being free from unacceptable risk”. The risk concerns the following categories of losses:

• Confidentiality of Information.
• Integrity of data.
• Assets.
• Efficient and Appropriate Use.
• System Availability.

Confidentiality refers to the privacy of personal or corporate information. This includes issues of copyright. Integrity refers to the accuracy of data.
Loss of data integrity may be gross and evident, as when a computer disc fails, or subtle, as when a character in a file is altered. The assets that must be protected include:

• Computer and Peripheral Equipment.
• Communications Equipment.
• Computing and Communications Premises.
• Power, Water, Environmental Control, and Communications utilities.
• Supplies and Data Storage Media.
• System Computer Programs and Documentation.
• Application Computer Programs and Documentation.
• Information.
Efficient and Appropriate Use ensures that the company’s IT resources are used for the purposes for which they were intended, in a manner that does not interfere with the rights of others. Availability is concerned with the full functionality of a system (e.g. finance or payroll) and its components. The potential causes of these losses are termed “threats”. These threats may be human or non-human, natural, accidental, or deliberate.

2. Domains of Security. This policy will deal with the following domains of security:

• Computer system security: CPU, Peripherals, OS. This includes data security.
• Physical security: The premises occupied by the IT personnel and equipment.
• Operational security: Environment control, power equipment, operation activities.
• Procedural security: Procedures followed by IT, vendor, and management personnel, as well as ordinary users.
• Communications security: Communications equipment, personnel, transmission paths, and adjacent areas.

Reasons for IT Security

Confidentiality of information is mandated by common law, formal statute, explicit agreement, or convention. Different classes of information warrant different degrees of confidentiality.
The hardware and software components that constitute the company’s IT assets represent a sizable monetary investment that must be protected. The same is true for the information stored in its IT systems, some of which may have taken huge resources to generate, and some of which can never be reproduced. Use of company IT assets other than in the manner and for the purpose for which they were intended represents a misallocation of valuable company resources, and possibly a danger to its reputation or a violation of the law. Finally, proper functionality of IT systems is required for the efficient operation of the company.
Some systems, such as the web administration, database administration, order processing, and accounting systems, are of paramount importance to the mission of the company. Other systems (e.g. somebody’s PC) are of less importance.

Roles and Responsibilities

1. Policy Management. Approval of the IT Security Policy is vested with the Chief Information Officer. Advice and opinions on the Policy will be given by:

• Information Technology Policy Committee (ITPC)
• Information Technology Management Committee (ITMC)
• Senior Executive Group (SEG)
Formulation and maintenance of the policy is the responsibility of the Director, Information Technology Services Unit of the Business Office.

2. Policy Implementation. Each member of the company will be responsible for meeting published IT standards of behavior. IT security of each system will be the responsibility of its custodian.

3. Custodians.

• ITS will be the custodian of all strategic system platforms.
• ITS will be custodian of the strategic communications systems.
• ITS will be custodian of all central computing laboratories.
• Offices and Units will be custodians of strategic applications under their management control.
• Individuals will be custodians of desktop systems under their control.

4. Individuals. All ordinary users of company IT resources:

• Will operate under the “Conditions of Use” provisions of the “Standards and Guidelines for All Users of Company Computing and Network Facilities.”
• Must behave under the “Code of Practice” provisions of the “Standards and Guidelines for All Users of Company Computing and Network Facilities.”
• Are responsible for the proper care and use of IT resources under their direct control.

5. Company Services. It is recognized that various sections of the company provide services that relate to IT security, both directly and indirectly. It is expected that there will be collaboration between these sections and ITS in the generation of standards and the implementation of the policy. Some of these sections and their services are:

• Human Resources: Personnel selection, induction, and exit-processing.

6. Standards and Guidelines. Standards (mandatory) and guidelines (suggestions) will be published as attachments to this policy to assist ordinary users and system custodians in meeting their IT security responsibilities.
These standards and guidelines, though presented as attachments, are an integral part of this company’s IT Security Policy and therefore define it in detail. These Standards and Guidelines will appear under the following classifications:

• Personal behavior.
• Strategic systems.
• Computer.
• Communications.
• Desktop (personal) systems.
• Company-based systems.

Policy Documentation

1. Documents. This policy is enunciated by five documents:

• “IT Security Policy”.
• “Standards and Guidelines for All Users of University Computing and Network Facilities”.
• “Standards and Guidelines for Strategic Systems”.
• “Standards and Guidelines for Company-Based Systems”.
• “Standards and Guidelines for Desktop Computers”.

2. Acknowledgment. DooDads4Sale.com gratefully acknowledges the assistance of Murdoch University, Curtin University of Technology, and Edith Cowan University in allowing this institution use of their IT Security Policy material. In a similar spirit of cooperation, DooDads4Sale.com is happy to provide other companies and interested parties with permission to use the material in these five documents. Inquiries should be addressed to the Director, Information Technology Services Unit.

3. Availability.
It is intended that this IT Security Policy be publicly accessible in its entirety via the Company’s World Wide Web Home Page. All users of Company IT resources are required to be familiar with the relevant sections of this policy.

4. Changes. The IT Security Policy is a “living” document that will be altered as required to deal with changes in technology, applications, procedures, legal and social imperatives, perceived dangers, etc. Major changes will be made in consultation with ITPC, ITMC, SEG, and the Chief Information Officer. Minor changes will be approved by the Business Manager of the University.