Standards, Policies, Procedures, and Guidelines. Lesson 19. Some Definitions (from Information Security Policies, Procedures and Standards).
The Company relies on various kinds of information resources in its daily operations. These resources include data-processing systems, electronic mail, voice-mail, telephones, copiers, facsimile machines, and other information-generation and exchange methods. It is very important for users to recognize that these resources are made available to them to help the company meet short- and long-term goals, objectives and competitive challenges. Any improper use of any resource is not acceptable and will not be permitted.
8. Established corporate and unit procedures are to be used for budgeting, approval, and acquisition of information-processing facilities, equipment, software, and support services.
9. Appropriate safeguards must be built into information-processing facilities. These safeguards should minimize the extent of loss of information or processing support that could result from such hazards as fire, water, or other natural disasters while maintaining operational effectiveness. Business recovery plans must provide for continuation of vital business functions if loss or failure should occur.
10. Independent reviews to ensure that program objectives are being met are an integral part of this effort. These reviews may be conducted by Corporate Auditing, the internal audit staff of a unit, or external auditors.
11. Deliberate unauthorized acts against Company or customer information system(s) or facilities, including but not limited to misuse, misappropriation, destruction of information or system resources, the deliberate and unauthorized disclosure of information, or the use of unauthorized software/hardware, will result in disciplinary action as deemed by management.
The Company allows telecommuting where there are opportunities for improved employee performance, reduced commuting miles, and/or potential for savings for the Company or business unit.
Business units may implement telecommuting as a work option for certain employees based upon specific criteria and procedures consistently applied throughout the agency.
-- Consideration may be given to employees who have demonstrated work habits and performance well suited to successful telecommuting.
-- Telecommuting criteria and procedures shall be evaluated to ensure their benefits and effectiveness.
The telecommuter’s conditions of employment shall remain the same as for non-telecommuting employees.
-- Business visits, meetings with Your Company customers, or regularly scheduled meetings with co-workers shall not be held at the home.
-- Telecommuting employees shall not act as primary caregivers for dependents nor perform other personal business during hours agreed upon as work hours.
The Company shall provide tele-workers office supplies. Equipment and software, if provided by the business unit for use at the tele-worksite, shall be for the purpose of conducting Company business.
Employees shall sign and abide by a telecommuting agreement between the employee and the supervisor.
-- Telecommuting shall be voluntary.
-- The agreement shall specify individual work schedules.
Company management has the responsibility to manage corporate information, personnel, and physical property relevant to business operations, as well as the right to monitor the actual utilization of all corporate assets.
Employees who fail to comply with the policies will be considered to be in violation of Your Company’s Employee Standards of Conduct and will be subject to appropriate corrective action.
Dial-In Access Policy
All incoming dial-up connections (via PSTN or ISDN) should use a strong one-time password authentication system (such as SecurID).
Dial-in access to the corporate network should only be allowed where necessary and where the following conditions are met:
-- Assurance. The dial-in server configuration shall be accurately documented. It shall be subjected to yearly audits.
-- Identification and Authentication. All incoming dial-up connections shall use a strong authentication system: one-time passwords, challenge-response, etc. Administrator log-in shall not send passwords in clear text. The call-back or closed user group features should be used.
-- Access Control. Dial-up servers shall not share file or printer resources with other internal machines; that is, they shall not be file or printer servers. Only administrative personnel shall be allowed to log on locally. Dial-up servers shall be installed in a physically secured/locked
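The three conditions above (assurance, identification and authentication, access control) can be expressed as a policy-as-code check that an auditor runs against a dial-in server's recorded configuration. The script below is an added example, not part of the original lesson; the configuration field names, the group name "Administrators", the accepted authentication method labels and the two sample server records are all constructed for this illustration and would be mapped onto a real server's settings before use.

```python
"""Policy-as-code check of a dial-in server against the Dial-In Access Policy.

Added example (not from the original lesson). Field names, group names,
the accepted auth-method labels and the sample records are assumptions.
"""
from datetime import date

# Authentication methods the policy accepts: one-time password or
# challenge-response systems. Labels are assumptions for this example.
STRONG_AUTH_METHODS = {"otp", "challenge-response", "securid"}
AUDIT_INTERVAL_DAYS = 365  # policy: "yearly audits"
AS_OF = date(2024, 6, 1)   # constructed evaluation date for the samples


def check_dial_in_server(cfg: dict, today: date) -> list[str]:
    """Return a list of policy findings; an empty list means compliant."""
    findings = []

    # Assurance: configuration documented and audited within the last year.
    if not cfg.get("config_documented"):
        findings.append("assurance: server configuration is not documented")
    last_audit = cfg.get("last_audit")
    if last_audit is None or (today - last_audit).days > AUDIT_INTERVAL_DAYS:
        findings.append("assurance: no audit within the last year")

    # Identification and authentication: strong auth, no clear-text admin
    # passwords, and call-back or closed user group in use.
    if cfg.get("auth_method") not in STRONG_AUTH_METHODS:
        findings.append(f"auth: '{cfg.get('auth_method')}' is not a one-time "
                        "password or challenge-response method")
    if cfg.get("admin_login_cleartext"):
        findings.append("auth: administrator log-in sends passwords in clear text")
    if not (cfg.get("callback_enabled") or cfg.get("closed_user_group")):
        findings.append("auth: neither call-back nor closed user group is enabled")

    # Access control: no file/printer sharing, admin-only local logon,
    # physically secured location.
    if cfg.get("file_sharing_enabled") or cfg.get("printer_sharing_enabled"):
        findings.append("access: dial-up server shares file or printer resources")
    non_admin = set(cfg.get("local_logon_groups", [])) - {"Administrators"}
    if non_admin:
        findings.append("access: local logon allowed for non-administrative "
                        f"groups {sorted(non_admin)}")
    if not cfg.get("physically_secured"):
        findings.append("access: server is not in a physically secured location")
    return findings


def audit(cfg: dict) -> list[str]:
    """Convenience wrapper evaluating a record as of the constructed date."""
    return check_dial_in_server(cfg, AS_OF)


# Constructed sample records (not real servers).
COMPLIANT_SERVER = {
    "config_documented": True,
    "last_audit": date(2024, 1, 15),
    "auth_method": "otp",
    "admin_login_cleartext": False,
    "callback_enabled": True,
    "closed_user_group": False,
    "file_sharing_enabled": False,
    "printer_sharing_enabled": False,
    "local_logon_groups": ["Administrators"],
    "physically_secured": True,
}

WEAK_SERVER = {
    "config_documented": True,
    "last_audit": date(2022, 3, 1),      # well over a year before AS_OF
    "auth_method": "static-password",    # reusable password, not OTP
    "admin_login_cleartext": True,
    "callback_enabled": False,
    "closed_user_group": False,
    "file_sharing_enabled": True,
    "local_logon_groups": ["Administrators", "Users"],
    "physically_secured": False,
}

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_SERVER), ("weak", WEAK_SERVER)):
        result = audit(cfg)
        print(f"{name}: {'COMPLIANT' if not result else 'NON-COMPLIANT'}")
        for finding in result:
            print("  -", finding)
```

Each finding is prefixed with the policy condition it falls under, so the output can be sorted straight into the audit report; the compliant record yields no findings, while the weak record trips one assurance, three authentication and three access-control checks.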