Policy
Acceptable Use Policy
Overview: The purpose of this policy is to outline the acceptable use of the organization's resources and the management of sensitive data. The primary goal is to protect systems from the downloading of malicious or illegal software and to ensure resources are used for their intended business purpose. Resources include, but are not limited to, computers, software, e-mail, data and internet access.
Access Control Policy
Overview: Access to systems and applications should be controlled to ensure access is commensurate with job and security requirements. Access should be consistent with a user's functional role in the organization and should define the specific access rights authorized on systems, networks and applications.
Application Security Policy
Overview: Applications developed, purchased or otherwise obtained to support the business must be designed and implemented to meet security requirements. Data must be protected in accordance with the Data Classification Policy.
Asset Management Policy
Overview: An Asset Management system or process is required to document the organization's systems, devices and applications so that the company can appropriately secure and support critical business services and protect information as defined in the Information Classification Policy. Examples of the types of assets include systems used to host applications (e.g. servers, laptops, etc.), business applications and critical network infrastructure.
Authentication Management Policy
Overview: Authentication is the process of verifying the identity of an individual, or of the originator or receiver of information. Authentication requires at least an identity (such as a user login ID) and one further mechanism to prove that identity (such as a password and/or token).
Business Continuity Policy
Overview: Business Continuity ensures business services will be available as needed.
Change Management and Control Policy
Overview: Change Management is the process of managing and controlling changes in the environment to ensure the confidentiality, integrity and availability of sensitive systems and data. The change management process must ensure that changes to systems or applications are carefully documented, reviewed and approved before they are implemented in the production environment.
Encryption Policy
Overview: Encryption solutions must be used to protect sensitive information (e.g., confidential, secret) with approved cryptographic algorithms. The objective of encryption is to ensure the confidentiality, integrity and proof of origin of sensitive information.
Information Backup and Restoration Policy
Overview: Information backup and restoration (including tape backup) is the process of ensuring system and application availability by backing up key information onto physical or tape media so that it can be restored after a disaster or an unintended error.
Information Classification Policy
Overview: Information (or Data) Classification is the process of classifying information into high-level categories based on its sensitivity and value to the organization. The higher the level of data classification (e.g. Confidential or Secret), the higher the level of security controls and attention that should be in place to protect the sensitive information.
Information Labeling, Handling and Disposal Policy
Overview: This policy describes the requirements to properly label, handle, dispose of and protect information (or data) based on data classification levels.
Information Risk Management Policy
Overview: Risk Assessment (and Management) is the process of periodically reviewing and mitigating risk to systems, business services and sensitive data to ensure that processes meet the organization's information security policies and standards. The goal is to reduce and mitigate risk to the organization.
Information Security Program Policy
Overview: An Information Security Program oversees the establishment and maintenance of information security policies, standards and initiatives. In order to meet business objectives, the Security Program will establish security roles and provide oversight of security activities across the organization to meet regulations, reduce risk from threats and enforce policies.
Information Security Training Policy
Overview: The main objective of the information security training policy is to increase security awareness in order to protect the organization's information from unauthorized disclosure.
Key Management Policy
Overview: Key Management is the practice of protecting cryptographic keys and systems from unauthorized modification or disclosure.
Malicious Software Control Policy
Overview: Security controls must be in place for the detection, prevention and remediation of malicious software.
Network Access Control Policy
Overview: Network security must ensure that the network, and the connections between systems and network devices, are used to support business purposes.
Password Management Policy
Overview: A password is a secret phrase or text used to authenticate and prove identity in order to gain access to a resource, such as a system, application or data. User passwords are not to be shared and should be carefully controlled to prevent unauthorized access to sensitive information.
Physical Access Policy
Overview: The objective of Physical Access Security is to detect, prevent and deter unauthorized access to facilities.
Physical and Environmental Control Policy
Overview: The main objective of Physical and Environmental Security is to maintain safety and to protect facilities from environmental damage and unauthorized physical access.
Remote Access (and Teleworking) Policy
Overview: The Remote Access (and Teleworking) Policy includes requirements to ensure that teleworking devices on wired or wireless networks, as well as the home office, are properly secured. In addition, teleworking rules must be enforced.
Secure Log-on Procedure and Message Policy
Overview: Access to operating systems must be controlled via a secure log-on process to ensure only authorized access to information resources.
Security and System Logging Policy
Overview: Records (logs) of system, application and user activities and of information security events must be produced and kept for an agreed period of time. Audit logging should be enabled on systems (and devices) to log user activity at the application or transaction level. Audit logs are critical for incident response, future investigations, audit trails and troubleshooting.
Security Incident Management Policy
Overview: Incident Management is the process of ensuring that security events and weaknesses (or "incidents") involving information systems and processes are reported, investigated and resolved in a timely manner. Individuals should be made aware of their responsibilities and of the procedures for reporting information security incidents as soon as possible.
Separation of Non-Production and Production Environment Policy
Overview: Separation of Development and Production is the practice of separating non-production environments (including development and testing) from production environments. The objective is to ensure that non-production activities do not impact the confidentiality, integrity and availability of critical business services and sensitive information.
Session Management Policy
Overview: Session Management is the process of ensuring that system and user sessions are secured against session abandonment and when systems are no longer in use. Examples of user sessions include workstation sessions and website sessions.
Software Maintenance Policy
Overview: Software must be maintained to meet security requirements. Maintenance processes include patch management and the configuration of software to ensure it is free of known vulnerabilities. One of the most common threats is unpatched software, which can be exploited by malicious users to gain unauthorized access to vulnerable systems and applications and, eventually, to sensitive data.
System ID Management Policy
Overview: A system ID (also known as a service account) is used primarily for automation and for authenticating system or application resources or services, among other purposes. System IDs are differentiated from user IDs in that they are "faceless", but they must still be uniquely identified, tracked and associated with an appropriate individual or information resource.
Third-Party Security Policy
Overview: Vendors, partners, contractors and other third parties must manage and protect information in accordance with the organization's information security policies and standards.
User ID Management Policy
Overview: Identity represents who someone is, including the unique characteristics (such as a user ID) that differentiate one individual from others. User IDs should be appropriately managed as a critical component of the organization's Identity Management (and Access Control) program.
User System Session Policy
Overview: Workstations, including desktops and laptops used for system processing, must be secured when users are away from their system or after a period of inactivity.
Vulnerability Management Policy
Overview: Vulnerability Management is the ongoing process of detecting, analyzing and remediating vulnerabilities on systems, devices, networks and applications.