Educause Security Discussion mailing list archives
Re: ISO/IEC 37001:2005 question
From: Paul Kendall <PKendall () ACCUDATASYSTEMS COM>
Date: Thu, 5 Jun 2008 16:09:49 -0500
I noticed your notes under III/1 regarding no funding for training. If you are to be in compliance with PCI, then awareness training for all personnel is required (at least in the US version of the PCI standards).

12.6 Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.
12.6.1 Educate employees upon hire and at least annually (for example, by letters, posters, memos, meetings, and promotions).
12.6.2 Require employees to acknowledge in writing that they have read and understood the company's security policy and procedures.

========================================
Paul L. Kendall, PhD, CHS-III, CISM, CISSP
"What we do in Life echoes in Eternity..."

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hugh Burley
Sent: Thursday, June 05, 2008 3:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ISO/IEC 37001:2005 question

Hi Clifford,

I have managed to get a draft information security program policy in front of our university's Information Security Committee (ISC), and our legal counsel is now reviewing it. Once it has been reviewed by the ISC it will then go before the University's board for approval. My approach has been based on ISO 27001. I reviewed a couple of dozen program-level policies before beginning this process about 10 months ago and consider the Oxford Brookes University policy to be a good model ( http://www.brookes.ac.uk/infosec/isp.html ). My guiding principle, other than the ISO standard and CISSP and GSEC best practice, was to try to keep this document to under two pages. The critical issues that I see are that this information must be accessible to staff, faculty, and students, and it must provide the essential foundation and direction for the Information Security Program.
The question that I keep asking myself is, "What is essential in this document to ensuring that the University maintains an effective Information Security Program?" With that said, I have pasted my "draft" document below, including notes from our last Information Security Committee meeting and local references to statutes and policy. My gut feel is that a modified version of this document will become policy within 12 months. It will have taken approximately two years to complete this process.

GENERAL

This policy is intended for the general support of, and to provide a foundation for, the security of Thompson Rivers University (TRU) information assets and is applicable to all TRU students and employees. TRU recognises that information and the associated processes, systems and networks are valuable assets and that the management of personal data has important implications for individuals. Through its security policies, procedures and structures, the University is committed to the security and retention of information, both within the University and in external communications. Security is an integral part of the information sharing which is essential to institutional endeavour, and the regulations outlined below are intended to support information security measures while maintaining academic freedom throughout the University.

For the purposes of this document, information security is defined as the preservation of:
- confidentiality: protecting information from unauthorised access and disclosure;
- integrity: safeguarding the accuracy and completeness of information and processing methods; and
- availability: ensuring that information and associated services are available to authorised users when required.

Information exists in many forms. It may be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Appropriate protection is required for all forms of information to ensure business continuity and to avoid breaches of the law and statutory, regulatory or contractual obligations.

REGULATIONS

I. PROTECTION OF PERSONAL DATA

1. The University holds and processes information about employees, students, and other data subjects for academic, administrative and commercial purposes. When handling such information, the University, and all staff or others who process or use any personal information, must comply with the BC Freedom of Information and Protection of Privacy Act [RSBC 1996] ( http://www.qp.gov.bc.ca/statreg/stat/F/96165_02.htm ). Responsibilities under the FOIPP Act are set out in the University's Information Disclosure Policy -- ADM 2-1 ( http://www.tru.ca/assets/policy/adm/adm02-1.pdf ), Head (of) Freedom of Information and Protection of Privacy Policy -- ADM 2-0 ( http://www.tru.ca/assets/policy/adm/adm02-0.pdf ) and the Confidentiality of Student Information Policy -- ADM 2-2 ( http://www.tru.ca/assets/policy/adm/adm02-2.pdf ).

2. The University also performs a significant volume of credit card transactions. To ensure the protection of credit card information the University complies with the Payment Card Industry Data Security Standards ( https://www.pcisecuritystandards.org/tech/index.htm ).

NOTES - Finance does not feel it is necessary to reference PCI-DSS any more than the many standards controlling financial activity.

II. RESPONSIBILITIES

1. The University believes that information security is the responsibility of all students and members of staff. Every person handling information or using University information systems is expected to observe the information security policies and procedures, both during and, where appropriate, after his or her time at the University.

2. This Policy is the responsibility of the Board; supervision of the Policy will be undertaken by the TRU Information Security Committee. This policy may be supplemented by more detailed interpretation for specific sites, systems and services. Implementation of information security policy is managed through the Information Security Manager, the Information Security Committee, and other personnel with security responsibilities in specified areas of the University.

III. EDUCATION AND TRAINING

1. The University recognises the need for all staff, students and other users of University systems to be aware of information security threats and concerns, and to be equipped to support University security policy in the course of their normal work. The Information Security Manager shall implement a training programme for each class of users and, when requested by the University's Schools and Departments, shall provide information and further training in information security matters to answer particular requirements.

NOTES - Cost attached; no one will approve this.

IV. COMPLIANCE WITH LEGAL AND CONTRACTUAL OBLIGATIONS

1. Authorised Use - University IT facilities must only be used for authorised purposes as defined in the Responsible Use of Information Technology Facilities and Services Policy - BRD 16-0 ( http://www.tru.ca/assets/policy/brd/brd16-0.pdf ). The University may from time to time monitor or investigate usage of IT facilities, and any person found using IT facilities or systems for unauthorised purposes, or without authorised access, may be subject to disciplinary, and where appropriate, legal proceedings.

2. Monitoring of Operational Logs - The University shall only permit the inspection and monitoring of operational logs by computer operations personnel and system administrators. Disclosure of information from such logs, to officers of the law or to support disciplinary proceedings, shall only occur (i) when required by and consistent with law; (ii) when there is reason to believe that a violation of law or of a University policy has taken place; or (iii) when there are compelling circumstances.

3. Access to University Records - In general, the privacy of users' files will be respected, but the University reserves the right to examine systems, directories, files and their contents, to ensure compliance with the law and with University policies and regulations, and to determine which records are essential for the University to function administratively or to meet its teaching obligations. Except in emergency circumstances, authorisation for access must be obtained from the data owner or their nominee as outlined in the University's Applications and Systems Access Request ( http://www.tru.ca/its/hdesk/accessrequestlform.html ) process, and shall be limited to the least perusal of contents and the least action necessary to meet job requirements or resolve the situation.

4. Protection of Software - To ensure that all software and licensed products used within the University comply with the Canadian Copyright Act ( R.S., 1985, c. C-42 ) and the University's Copyright Policy -- ADM 3-0 ( http://www.tru.ca/assets/policy/adm/adm03-0.pdf ), the University will carry out checks from time to time to ensure that only authorised products are being used, and will keep a record of the results of those audits. Unauthorised copying of software or use of unauthorised products by staff or students may be grounds for disciplinary, and where appropriate, legal proceedings.

5. Virus, Malware, and Access Control - TRU will maintain detection and prevention controls to protect against malicious software and unauthorised external access to networks and systems. All users of University computers, including laptops, shall comply with best practice, as defined by Information Technology Services, in order to ensure that up-to-date security controls are maintained on their systems.

V. RETENTION AND DISPOSAL OF INFORMATION

1. All staff have a responsibility to consider security when using, storing, or disposing of information. All data owners, as set out in the Organizational Information Criticality Matrix (OICM), should establish security procedures appropriate to the information held and processed by them, and ensure that all staff are aware of those procedures. The OICM is available from the Manager, Information Security. Retention periods for some kinds of personal information are listed in the Records Retention/Destruction Policy ADM 2-3 ( http://www.tru.ca/assets/policy/adm/adm02-3.pdf ).

NOTES - Library is working on this policy. Remove?

VI. REPORTING

1. All staff, students and other users should report immediately, by email to infosecurity () tru ca or by telephone to the Information Technology Service Desk, any observed or suspected security incidents where a breach of the University's information security policies has occurred, or any security weaknesses in, or threats to, systems or services.

VII. BUSINESS CONTINUITY

1. The University will implement, and regularly update, a business continuity management process to counteract interruptions to normal University activity and to protect critical processes from the effects of failures or damage to vital services or facilities.

VIII. POLICY REVIEW

1. The University's Information Security Committee will review and make any recommendations for update of this policy to the President's Council on an annual basis or in response to changes in regulatory compliance requirements.

IX. ENFORCEMENT

1. Violation of this policy or associated guidelines, standards or procedures established by the University may result in temporary or permanent loss of computing access privileges and may be grounds for disciplinary, and where appropriate, legal proceedings.

Hugh Burley
Thompson Rivers University
ITS - Senior Technology Coordinator, Information Security
BCCOL - 222D
250-852-6351
Clifford Collins <collinsc () FRANKLIN EDU> 04/06/2008 9:08 am >>>
Colleagues,

Having read through the ISO/IEC 37001:2005 code of practices, I noticed in section 5.1.1 the need for an information security policy document "approved by management, and published and communicated to all employees and relevant external parties." Does anybody have such a document they feel could serve as a model? If so, would you please share it with me?

If you want more detail about what the code of practices expects to be in this document, here's an excerpt on it:

The information security policy document should state management commitment and set out the organization's approach to managing information security. The policy document should contain statements concerning:
a) a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing (see introduction);
b) a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives;
c) a framework for setting control objectives and controls, including the structure of risk assessment and risk management;
d) a brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization, including:
   1) compliance with legislative, regulatory, and contractual requirements;
   2) security education, training, and awareness requirements;
   3) business continuity management;
   4) consequences of information security policy violations;
e) a definition of general and specific responsibilities for information security management, including reporting information security incidents;
f) references to documentation which may support the policy, e.g. more detailed security policies and procedures for specific information systems or security rules users should comply with.

This information security policy should be communicated throughout the organization to users in a form that is relevant, accessible and understandable to the intended reader.

This is a pretty tall order and the reason why I'm looking for some samples. Any help is appreciated.

Clifford A. Collins
Information Security Officer
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"
Current thread:
- ISO/IEC 37001:2005 question Clifford Collins (Jun 04)
- <Possible follow-ups>
- Re: ISO/IEC 37001:2005 question Hugh Burley (Jun 05)
- Re: ISO/IEC 37001:2005 question Paul Kendall (Jun 05)
- Re: ISO/IEC 37001:2005 question Hugh Burley (Jun 05)