Smart Planet Software
Effective Date: February 2013
Expiration Date: In effect until superseded or canceled.
The overriding goal of the Security Policy is to protect
the confidentiality, integrity and availability of business information used
by the organization in its day-to-day activities. Without a policy upon which
to base standards and procedures, decisions are likely to be inconsistent and
security holes will be present, ready to be
exploited by both internal and external persons alike. The Security Policy has
the following objectives:
- To protect the organization's business information and any client or
  customer information within its custody or safekeeping by safeguarding its
  confidentiality, integrity and availability.
- To establish safeguards to protect the organization's information
  resources from theft, abuse, misuse and any form of damage.
- To establish responsibility and accountability for Information Security in
  the organization.
- To encourage management and staff to maintain an appropriate level of
  awareness, knowledge and skill to allow them to minimize the occurrence and
  severity of Information Security incidents.
- To ensure that the organization is able to continue its commercial
  activities in the event of security breaches.
The Security Policy is intended to support the
protection, control and management of the organization's assets. These policies
are required to cover all information within the organization, which could
include data, and information that is:
- Stored on databases
- Stored on computers
- Transmitted across internal and public networks
- Printed or hand written on paper, white boards etc.
- Sent by facsimile (fax), telex or other communications method
- Stored on removable media such as CD-ROMs, hard disks, tapes and other
  similar media
- Stored on fixed media such as hard disks and disk sub-systems
- Held on film or microfiche
- Presented on slides, overhead projectors, using visual and audio media
- Spoken during telephone calls and meetings or conveyed by any other method
The following Security Policy applies to all computing
platforms, including local networks, systems, and applications used in the
day-to-day operations of SPS. It also applies to users of those systems and
applications, including those who install, develop, maintain, administer and
use those systems and applications.
| Incident Level | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| Potential Incident Severity | Terminal Impact | Devastating Impact | Critical Impact | Controllable | Irritating |
| Potential Financial Impact | Substantial Financial Loss | Significant Financial Loss | Medium Financial Loss | Small Financial | None |
| Potential Credibility Impact | Substantial Loss of Credibility | Serious Loss of Credibility | Strong Embarrassment | Minor Embarrassment | Irritation only |
| Possible Personnel Impact if Serious Error or Negligence | Possible Loss of Employment | Strong Disciplinary Action | Strong Disciplinary Action | Written Warning | Verbal Warning |
| Public Relation Activities and Media Statements | Pre-planned Press Statement | Pre-planned Press Statement | Press Comment if strong media | No Comment to press • letters to | No Comment |
| Management Level to be Advised Immediately | Management | Management | Management | Management | Management |
| Level of Customer Service Disruption | Substantial Disruption | Critical Disruption | Conspicuous Disruption | Minimal Disruption | No Disruption |
| Customer Confidentiality Compromised | Top Secret or Highly Confidential information released | Customer Proprietary Information released | Customer Internal Information released | Customer General Information released | None |
All users should be aware of exactly what constitutes a
security incident or breach. Any form of non-compliance with Information
Security policy or procedures will constitute a Security Incident. Any and all
breaches, whether suspected or actual, should immediately be reported to
management. All such reports should be investigated with the appropriate level
of urgency and resources. Breaches of security resulting from a failure to
comply with either the Information Security Policy or Procedures of SPS will be
treated seriously and may result in disciplinary action against employees found
to have deliberately avoided compliance.
Information Security incident response actions should be
pre-planned and those persons responsible for investigating such incidents should
be fully aware of their duties in this respect.
All information should be assigned to a designated 'owner'
with responsibility for the confidentiality and integrity of the information.
Such 'ownership' remains constant, irrespective of changes in form or location
of the data, unless 'ownership' is formally transferred. Owners should make
information accessible to authorized personnel at all reasonable times.
It is essential to classify information according to its
value and level of sensitivity in order to deploy the appropriate level of
security. A system of classification should be easy to understand and to
administer; it should be effective and also determine the level of protection
the information is given. Most importantly, it should be applied uniformly
throughout the organization: when in any doubt, the higher, more secure
classification should be used. With the exception of information already in the
public domain, data or information should not be divulged to anyone who is not
authorized to access it or is not specifically authorized by the information
owner. Data should be classified under the following categories:
Restricted - Highly sensitive internal documents that could
seriously damage the organization if such information were lost or made public.
Restricted information has very restricted distribution and must be protected
at all times.
Internal Use Only - Information not approved for general
circulation outside the organization where the loss would inconvenience the
organization or management but where disclosure is unlikely to result in
financial loss or serious damage to credibility.
Public Documents - Information which has been approved for
public use and is in the public domain.
Police Only - Information of special interest
to Police whose disclosure to other parties is unlikely to result in financial
loss or serious damage to credibility.
Pawnshops Only - Information of special interest to Pawnshops
whose disclosure to other parties is unlikely to result in financial loss or
serious damage to credibility.
Violations of Information Classification Policy may result in
disciplinary proceedings and possibly immediate dismissal.
5. Email Policy
The following are the guidelines for the use of email by SPS
personnel:
The following are the terms and conditions of employment with
SPS:
- New employees' references and credentials must be verified.
- All external suppliers who are contracted to supply services to the
  organization must agree to follow the Information Security policies of the
  organization. An appropriate summary of the Information Security Policies
  must be formally delivered to any such supplier prior to any supply of
  services.
- Non-disclosure agreements must be used in all situations where the
  confidentiality, sensitivity or value of the information being disclosed is
  classified as Restricted.
- All employees must comply with the Information Security Policies of the
  organization. Any Information Security Incidents resulting from
  noncompliance will result in immediate disciplinary action.
- All employees and third party contractors are to sign a formal undertaking
  regarding the intellectual property rights of work undertaken during their
  terms of employment / contract respectively.
- All employees are required to sign a formal undertaking concerning the need
  to protect the confidentiality of information, both during and after their
  contractual relations with the organization.
- Notwithstanding the organization's respect for employees' privacy in the
  workplace, SPS reserves the right to have access to all information created
  and stored on the organization's systems.
- All employee data is to be treated as strictly confidential and made
  available only to properly authorized persons.
The following is a list of procedures when releasing an
employee as it relates to security:
- Change locks & keys.
- Disable employee alarm code.
- Disable employee e-mail account.
- Disable employee accounts and passwords in all SPS managed domains, such as
  the domain and email.
- Disable all employee accounts to SafeReporting, SafeReporting Admin, and all
  Development, Test and Production websites.
- Change the network administrator account (administrator) password if the
  employee had access to that account.
- Update the generic helpdesk account password for all stores on Development,
  Test & Production.
- Retrieve all documentation, both hardcopy and electronic.
- All firewall rules should be reviewed to ensure that there are no custom
  rules (such as VPN or NAT rules) that would grant the released employee
  access to network resources. Passwords for access to the administration of
  the firewalls should also be changed if the released employee had access.
Staff may not use the organization's systems to access or
download material from the Internet which is inappropriate, offensive, illegal,
or which jeopardizes security. All Internet use must be for business-related
purposes.
The selection of passwords, their use and management as a primary means to
control access to systems is to strictly adhere to best practice guidelines
which include:
- Passwords shall not be shared with any other person for any reason.
- Passwords must be a minimum of six (6) alphanumeric characters.
- Passwords must never be written down.
- Passwords must be changed at regular intervals. If not changed by the user,
  the system will force a password change using an expiry date.
- Users of SPS's internal network will be locked out after three (3) failed
  login attempts. All users accessing the SPS Automated Reporting System
  remotely through a browser will be locked out after ten (10) failed attempts.
- Passwords of senior staff must be copied and stored in a secure place in the
  unavoidable absence of the password holder.
- All system administrators must have two user IDs: one for general business
  and one for authorized administrative actions.
- If possible, contractor(s) should have restricted log-on hours.
- New users will be provided a temporary password that must be changed the
  first time they log on. Format of the temporary password is as follows:
  - Six character alphanumeric.
  - First two characters alpha using the initials of the user.
  - Following four characters are numeric.
Access to information is to be controlled through a
combination of electronic methods and process controls. Access control
standards for information systems must be established by management and should
incorporate the need to balance restrictions to prevent unauthorized access
against the need to provide unhindered access to meet the business needs. In
general, a user of the organization's systems should be offered no more access
than is necessary to perform the function required.
Access control policies include:
- Off-site computer usage, whether at home or at other locations, may only be
  used with the authorization of management. Usage is restricted to business
  purposes, and users must be aware of and accept the terms and conditions of
  use, which must include the adoption of adequate and appropriate information
  security measures. Remote access control procedures must provide adequate
  safeguards through robust identification, authentication and encryption
  techniques.
- The owner of the system must authorize access to their system(s) and such
  access, including the appropriate access rights (or privileges), must be
  recorded in a Master Access Document. Such records are to be regarded as
  Restricted documents and safeguarded accordingly.
- Equipment is always to be safeguarded appropriately, especially when left
  unattended.
- Access to the resources on the network must be strictly controlled to
  prevent unauthorized access. Access to all computing and information systems
  and peripherals shall be restricted unless explicitly authorized.
- Access to operating system commands is to be restricted to those persons who
  are authorized to perform systems administration / management functions.
- Physical access to high security areas is to be limited to staff whose
  duties require them to be in such areas.
- All locks at SPS's office must be immediately changed when a staff member
  leaves the employment of SPS or when keys have been lost.
- Access to information and documents is to be carefully controlled, ensuring
  that only authorized personnel may have access to sensitive information.
- Access controls for highly sensitive information or high-risk systems are to
  be set in accordance with the value and classification of the information
  assets being protected.
- In order to reduce the incidence and possibility of internal attacks, access
  control standards and data classification standards are to be periodically
  reviewed whilst maintained at all times.
- All accesses that are denied by a network security system will be logged.
  Each denied access is to be considered a security "event" but not
  necessarily a security "incident".
- SPS reserves the right to monitor all system access and usage to identify
  potential misuse of systems or information.
Personnel issued with mobile phones by the organization are
responsible for using them in a manner consistent with the confidentiality
level of the matters being discussed.
Management must authorize the issue of portable computers.
Usage is restricted to business purposes and users must be aware of, and accept
the terms and conditions of use, especially responsibility for the security of
information on such devices.
The network must be designed and configured to deliver high
performance and reliability to meet the needs of the business whilst providing
a high degree of access control and a range of privilege restrictions.
Software developed for or by SPS must always follow a
formalized development process which itself is managed under the project in
question. The integrity of the organization's operational software code must be
safeguarded using a combination of technical access controls, restricted
privilege allocation and robust procedures.
All network servers must be hardened
to remove all unnecessary development tools, utilities, protocols, etc. and
ensure that all appropriate security features are activated and configured
properly.
- Computer hardware should only be purchased through approved suppliers and in
  accordance with the organization's purchasing policy and IT standards.
  Computer hardware of any kind that is unauthorized should not be connected,
  interfaced, or otherwise used within the organization's systems and
  network(s) to access, create, or store data.
- Removable storage media of whatever format or design should not be
  introduced to the organization for other than business purposes. All such
  media should be scanned for viruses and / or other malicious code prior to
  use. Only authorized persons should use removable storage media.
- Master Hardware Inventory - A detailed list of all hardware owned by the
  organization, showing things like type, make, model, specifications, cost,
  location, user(s) and asset reference number must be maintained and updated
  regularly.
- All new and enhanced systems must be fully supported at all times by
  comprehensive and up to date documentation. New systems or upgraded systems
  should not be introduced to the live environment unless supporting
  documentation is available.
- Event logs must be properly reviewed and managed by qualified staff.
- Systems Operations schedules are to be formally planned, authorized and
  documented. Changes to routine system operations are to be fully tested and
  approved before being implemented.
- New systems must be tested for capacity, peak loading and stress testing.
  They must demonstrate a level of performance and resilience that meets or
  exceeds the technical and business needs and requirements.
Persons responsible for commissioning outsourced processing
resources must ensure that the services used are from reputable companies that
operate in accordance with quality standards. Any company must be able to
demonstrate compliance with SPS's Security Policy and also provide a Service
Level Agreement that documents the performance expected and remedies available
in case of non-compliance. All contracted and outsourced employees must submit
to annual criminal records checks performed by the Regina Police Service.
Backup of the organization's data files and the ability to recover such data
is a top priority. A daily full backup will be done on the data files on the
network server(s) and each Friday the backup will be taken off the premises.
This backup must be stored in a safe, secure manner and must be available
within 24 hours, 365 days a year. At least two sets of media, used in
rotation, must be kept for the offsite backup and tested on a regular basis.
Data that resides on staff PCs or laptops
will be backed up at least once per week over the network to a central tape
drive.
For servers that do not reside on SPS's premises,
management must be confident that they are being backed up in a manner that is
consistent with SPS's internal policy.
The BCP must be continually updated and will address
the possibility of short and long-term loss of computing services. The plan
will include all procedures and information necessary to return computing
systems to full operation in the event of a disaster.
Procedure for gaining access to SafeReporting is as follows:
New Department:
Updating Police Passwords:
Procedure for breach of access to SPS Police is as follows:
DISABLE SPECIFIC USER ACCOUNT OR ALL POLICE ACCOUNTS IF ACCOUNT ACCESS UNKNOWN:
- Disable all police accounts for the organization or the specific user
  account.
- Produce usage report using the IP addresses historically used for the
  organization and any unknown IP addresses.
- Research pages and customers viewed.
- Alert senior officer on findings and enable unaffected accounts.