SafeReporting - Security Policy

Smart Planet Software

Security Policy

Effective Date: February 2013

Expiration Date: In effect until superseded or canceled.







 

1. Introduction

The overriding goal of the Security Policy is to protect the confidentiality, integrity and availability of business information used by the organization in its day-to-day activities. Without a policy upon which to base standards and procedures, decisions are likely to be inconsistent and security holes will be present, ready to be exploited by both internal and external persons alike. The Security Policy has the following objectives:

 

  • To protect the organization's business information and any client or customer information within its custody or safekeeping by safeguarding its confidentiality, integrity and availability.

  • To establish safeguards to protect the organization's information resources from theft, abuse, misuse and any form of damage.

  • To establish responsibility and accountability for Information Security in the organization.

  • To encourage management and staff to maintain an appropriate level of awareness, knowledge and skill to allow them to minimize the occurrence and severity of Information Security incidents.

  • To ensure that the organization is able to continue its commercial activities in the event of security breaches.

The Security Policy is intended to support the protection, control and management of the organization's assets. These policies are required to cover all information within the organization, which could include data and information that is:

  • Stored on databases

  • Stored on computers

  • Transmitted across internal and public networks

  • Printed or hand written on paper, white boards etc.

  • Sent by facsimile (fax), telex or other communications method

  • Stored on removable media such as CD-ROMs, hard disks, tapes and other similar media

  • Stored on fixed media such as hard disks and disk sub-systems

  • Held on film or microfiche

  • Presented on slides, overhead projectors, using visual and audio media

  • Spoken during telephone calls and meetings or conveyed by any other method

 

2. Scope

The following Security Policy applies to all computing platforms, including local networks, systems, and applications used in the day-to-day operations of SPS. It also applies to users of those systems and applications, including those who install, develop, maintain, administer and use those systems and applications.

3. Security Incident Guidelines

| Incident Level | 1 | 2 | 3 | 4 | 5 |
| --- | --- | --- | --- | --- | --- |
| Potential Incident Severity | Terminal Impact | Devastating Impact | Critical Impact | Controllable | Irritating |
| Potential Financial Impact | Substantial Financial Loss | Significant Financial Loss | Medium Financial Loss | Small Financial | None |
| Potential Credibility Impact | Substantial Loss of Credibility | Serious Loss of Credibility | Strong Embarrassment | Minor Embarrassment | Irritation only |
| Possible Personnel Impact if Serious Error or Negligence | Possible Loss of Employment | Strong Disciplinary Action | Strong Disciplinary Action | Written Warning | Verbal Warning |
| Public Relation Activities and Media Statements | Pre-planned Press Statement | Pre-planned Press statement | Press Comment if strong media | No Comment to press • letters to | No Comment |
| Management Level to be Advised Immediately | Management | Management | Management | Management | Management |
| Level of Customer Service Disruption | Substantial Disruption | Critical Disruption | Conspicuous Disruption | Minimal Disruption | No Disruption |
| Customer Confidentiality Compromised | Top Secret or Highly Confidential information released | Customer Proprietary Information released | Customer Internal Information released | Customer General Information released | None |

 

All users should be aware of exactly what constitutes a security incident or breach. Any form of non-compliance with Information Security policy or procedures will constitute a Security Incident. Any and all breaches, whether suspected or actual, should immediately be reported to management. All such reports should be investigated with the appropriate level of urgency and resources. Breaches of security resulting from a failure to comply with either the Information Security Policy or Procedures of SPS will be treated seriously and may result in disciplinary action against employees found to have deliberately avoided compliance.

Information Security incident response actions should be pre-planned and those persons responsible for investigating such incidents should be fully aware of their duties in this respect.

4. Information Ownership and Classification

All information should be assigned to a designated 'owner' with responsibility for the confidentiality and integrity of the information. Such 'ownership' remains constant, irrespective of changes in form or location of the data, unless 'ownership' is formally transferred. Owners should make information accessible to authorized personnel at all reasonable times.

It is essential to classify information according to its value and level of sensitivity in order to deploy the appropriate level of security. A system of classification should be easy to understand and to administer; it should be effective and should determine the level of protection the information is given. Most importantly, it should be applied uniformly throughout the organization: when in any doubt, the higher, more secure classification should be used. With the exception of information already in the public domain, data or information should not be divulged to anyone who is not authorized to access it or is not specifically authorized by the information owner. Data should be classified under the following categories:

Restricted - Highly sensitive internal documents that could seriously damage the organization if such information were lost or made public. Restricted information has very restricted distribution and must be protected at all times.

Internal Use Only - Information not approved for general circulation outside the organization, where the loss would inconvenience the organization or management but where disclosure is unlikely to result in financial loss or serious damage to credibility.

Public Documents - Information which has been approved for public use and is in the public domain.

Police Only - Information of special interest to Police, the disclosure of which to other parties is unlikely to result in financial loss or serious damage to credibility.

Pawnshops Only - Information of special interest to Pawnshops, the disclosure of which to other parties is unlikely to result in financial loss or serious damage to credibility.

Violations of Information Classification Policy may result in disciplinary proceedings and possibly immediate dismissal.

 

5. Email Policy

The following are the guidelines for the use of email by SPS personnel:

6. Terms and Conditions of Employment

The following are the terms and conditions of employment with SPS:

  • New employees' references and credentials must be verified.

  • All external suppliers who are contracted to supply services to the organization must agree to follow the Information Security policies of the organization. An appropriate summary of the Information Security Policies must be formally delivered to any such supplier prior to any supply of services.

  • Non-disclosure agreements must be used in all situations where the confidentiality, sensitivity or value of the information being disclosed is classified as Restricted.

  • All employees must comply with the Information Security Policies of the organization. Any Information Security Incidents resulting from noncompliance will result in immediate disciplinary action.

  • All employees and third party contractors are to sign a formal undertaking regarding the intellectual property rights of work undertaken during their terms of employment / contract respectively.

  • All employees are required to sign a formal undertaking concerning the need to protect the confidentiality of information, both during and after their contractual relations with the organization.

  • Notwithstanding the organization's respect for employees' privacy in the workplace, SPS reserves the right to have access to all information created and stored on the organization's systems.

  • All employee data is to be treated as strictly confidential and made available only to properly authorized persons.

7. Employee Release Procedures

The following is a list of security-related procedures to follow when releasing an employee:

  • Change locks & keys.

  • Disable employee alarm code.

  • Disable employee e-mail account.

  • Disable employee accounts and passwords in all SPS managed domains, such as the domain and email.

  • Disable all employee accounts to SafeReporting, SafeReporting Admin, and all Development, Test and Production websites.

  • Change the network administrator account (administrator) password if the employee had access to that account.

  • Update the generic helpdesk account password for all stores on Development, Test & Production.

  • Retrieve all documentation, both hardcopy and electronic.

  • All firewall rules should be reviewed to ensure that there are no custom rules (such as VPN or NAT rules) that would grant the released employee access to network resources. Passwords for access to the administration of the firewalls should also be changed if the released employee had access.

8. Internet Usage

Staff may not use the organization's systems to access or download material from the Internet which is inappropriate, offensive, illegal, or which jeopardizes security. All Internet use must be for business-related purposes.

9. Passwords

The selection of passwords, their use and management as a primary means to control access to systems is to strictly adhere to best practice guidelines, which include:

  • Passwords shall not be shared with any other person for any reason.

  • Passwords must be a minimum of six (6) alphanumeric characters.

  • Passwords must never be written down.

  • Passwords must be changed at regular intervals. If not changed by the user, the system will force a password change using an expiry date.

  • Users of SPS's internal network will be locked out after three (3) failed login attempts. All users accessing the SPS Automated Reporting System remotely through a browser will be locked out after ten (10) failed attempts.

  • Passwords of senior staff must be copied and stored in a secure place in the unavoidable absence of the password holder.

  • All system administrators must have two user IDs: one for general business and one for authorized administrative actions.

  • If possible, contractor(s) should have restricted log-on hours.

  • New users will be provided a temporary password that must be changed the first time they log on. Format of the temporary password is as follows:

    • Six character alphanumeric.

    • First two characters alpha, using the initials of the user.

    • Following four characters are numeric.


10. Access Control

Access to information is to be controlled through a combination of electronic methods and process controls. Access control standards for information systems must be established by management and should incorporate the need to balance restrictions to prevent unauthorized access against the need to provide unhindered access to meet the business needs. In general, a user of the organization's systems should be offered no more access than is necessary to perform the function required.

Access control policies include:

  • Off-site computer usage, whether at home or at other locations, may only be used with the authorization of management. Usage is restricted to business purposes, and users must be aware of and accept the terms and conditions of use, which must include the adoption of adequate and appropriate information security measures. Remote access control procedures must provide adequate safeguards through robust identification, authentication and encryption techniques.

  • The owner of the system must authorize access to their system(s) and such access, including the appropriate access rights (or privileges), must be recorded in a Master Access Document. Such records are to be regarded as Restricted documents and safeguarded accordingly.

  • Equipment is always to be safeguarded appropriately, especially when left unattended.

  • Access to the resources on the network must be strictly controlled to prevent unauthorized access. Access to all computing and information systems and peripherals shall be restricted unless explicitly authorized.

  • Access to operating system commands is to be restricted to those persons who are authorized to perform systems administration / management functions.

  • Physical access to high security areas is to be limited to staff whose duties require them to be in such areas.

  • All locks at SPS's office must be immediately changed when a staff member leaves the employment of SPS or when keys have been lost.

  • Access to information and documents is to be carefully controlled, ensuring that only authorized personnel may have access to sensitive information.

  • Access controls for highly sensitive information or high-risk systems are to be set in accordance with the value and classification of the information assets being protected.

  • In order to reduce the incidence and possibility of internal attacks, access control standards and data classification standards are to be periodically reviewed whilst maintained at all times.

  • All accesses that are denied by a network security system will be logged. Each denied access is to be considered a security "event" but not necessarily a security "incident".

  • SPS reserves the right to monitor all system access and usage to identify potential misuse of systems or information.

11. Use of Mobile Phones

Personnel issued with mobile phones by the organization are responsible for using them in a manner consistent with the confidentiality level of the matters being discussed.

12. Use of Portable Computers

Management must authorize the issue of portable computers. Usage is restricted to business purposes and users must be aware of, and accept, the terms and conditions of use, especially responsibility for the security of information on such devices.

13. Networks

The network must be designed and configured to deliver high performance and reliability to meet the needs of the business whilst providing a high degree of access control and a range of privilege restrictions.

14. Purchasing and Maintaining Commercial Software

15. Developing and Maintaining In-house Software

Software developed for or by SPS must always follow a formalized development process which itself is managed under the project in question. The integrity of the organization's operational software code must be safeguarded using a combination of technical access controls, restricted privilege allocation and robust procedures.

16. Computer Hardware

All network servers must be hardened to remove all unnecessary development tools, utilities, protocols, etc. and ensure that all appropriate security features are activated and configured properly.

  • Computer hardware should only be purchased through approved suppliers and in accordance with the organization's purchasing policy and IT standards. Computer hardware of any kind that is unauthorized should not be connected, interfaced, or otherwise used within the organization's systems and network(s) to access, create, or store data.

  • Removable storage media of whatever format or design should not be introduced to the organization for other than business purposes. All such media should be scanned for viruses and / or other malicious code prior to use. Only authorized persons should use removable storage media.

  • Master Hardware Inventory - A detailed list of all hardware owned by the organization, showing things like type, make, model, specifications, cost, location, user(s) and asset reference number, must be maintained and updated regularly.

  • All new and enhanced systems must be fully supported at all times by comprehensive and up to date documentation. New systems or upgraded systems should not be introduced to the live environment unless supporting documentation is available.

  • Event logs must be properly reviewed and managed by qualified staff.

  • Systems Operations schedules are to be formally planned, authorized and documented. Changes to routine system operations are to be fully tested and approved before being implemented.

  • New systems must be tested for capacity, peak loading and stress testing. They must demonstrate a level of performance and resilience that meets or exceeds the technical and business needs and requirements.

17. Contracting or Using Outsourced Processing Resources

Persons responsible for commissioning outsourced processing resources must ensure that the services used are from reputable companies that operate in accordance with quality standards. Any company must be able to demonstrate compliance with SPS's Security Policy and also provide a Service Level Agreement that documents the performance expected and remedies available in case of non-compliance. All contracted and outsourced employees must submit to annual criminal records checks performed by the Regina Police Service.

18. Data Backup and Recovery Procedures

Backup of the organization's data files and the ability to recover such data is a top priority. A daily full backup will be done on the data files on the network server(s) and each Friday the backup will be taken off the premises. This backup must be stored in a safe, secure manner and must be available within 24hrs, 365 days a year. There must be at least two sets of media, which are used in rotation, used for the offsite backup that are tested on a regular basis.

Data that resides on staff PCs or laptops will be backed up at least once per week over the network to a central tape drive.

For servers that do not reside on SPS's premises, management must be confident that they are being backed up in a manner that is consistent with SPS's internal policy.

19. Business Continuity Plan (BCP)

The BCP must be continually updated and will address the possibility of short and long-term loss of computing services. The plan will include all procedures and information necessary to return computing systems to full operation in the event of a disaster.

20. Police Access Procedures

Procedure for gaining access to SafeReporting is as follows:

New Department:

Updating Police Passwords:

21. Police Access Breach

Procedure for breach of access to SPS Police is as follows:

DISABLE SPECIFIC USER ACCOUNT OR ALL POLICE ACCOUNTS IF ACCOUNT ACCESS UNKNOWN:

  • Disable all police accounts for the organization or the specific user account.

  • Produce usage report using the IP addresses historically used for the organization and any unknown IP addresses.

  • Research pages and customers viewed.

  • Alert senior officer of findings and enable unaffected accounts.