Educause Security Discussion mailing list archives

Re: ISO/IEC 37001:2005 question


From: Paul Kendall <PKendall () ACCUDATASYSTEMS COM>
Date: Thu, 5 Jun 2008 16:09:49 -0500

I noticed your notes under III/1 regarding no funding for training. If
you are to be in compliance with PCI, then awareness training for all
personnel is required (at least in the US version of the PCI standards).
 
12.6 Implement a formal security awareness program to make all employees
aware of the importance of cardholder data security.

12.6.1 Educate employees upon hire and at least annually (for example,
by letters, posters, memos, meetings, and promotions)

12.6.2 Require employees to acknowledge in writing that they have read
and understood the company's security policy and procedures.

 
========================================
Paul L. Kendall, PhD, CHS-III, CISM, CISSP
 
"What we do in Life echoes in Eternity..."
 

________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hugh Burley
Sent: Thursday, June 05, 2008 3:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ISO/IEC 37001:2005 question


Hi Clifford,

I have managed to get a draft information security program policy in
front of our university's Information Security Committee (ISC) and our
legal counsel is now reviewing it. Once it has been reviewed by the ISC
it will then go before the University's board for approval. My approach
has been based on ISO 27001.  I reviewed a couple of dozen program level
policies before beginning this process about 10 months ago and consider
Oxford Brookes University to be a good model
( http://www.brookes.ac.uk/infosec/isp.html ). My guiding principle other
than the ISO standard and CISSP and GSEC best practice was to try and
keep this document to under two pages.

The critical issues that I see are that this information must be
accessible to staff, faculty, and students, and it must provide the
essential foundation and direction for the Information Security Program.
The question that I keep asking myself is, "What is essential in this
document to ensuring that the University maintains an effective
Information Security Program?" 

With that said, I have pasted my "draft" document below, including notes
from our last Information Security Committee meeting and local
references to statutes and policy. My gut feel is that a modified
version of this document will become policy within 12 months.  It will
have taken approximately two years to complete this process. 

GENERAL

This policy is intended for the general support of and to provide a
foundation for the security of Thompson Rivers University (TRU)
information assets and is applicable to all TRU students and employees.

TRU recognises that information and the associated processes, systems
and networks are valuable assets and that the management of personal
data has important implications for individuals. Through its security
policies, procedures and structures, the University is committed to the
security and retention of information, both within the University and in
external communications. Security is an integral part of the information
sharing which is essential to institutional endeavour and the
regulations outlined below are intended to support information security
measures while maintaining academic freedom throughout the University.

For the purposes of this document, information security is defined as
the preservation of: confidentiality: protecting information from
unauthorised access and disclosure; integrity: safeguarding the accuracy
and completeness of information and processing methods; and
availability: ensuring that information and associated services are
available to authorised users when required. 

Information exists in many forms. It may be printed or written on paper,
stored electronically, transmitted by post or using electronic means,
shown on films, or spoken in conversation. Appropriate protection is
required for all forms of information to ensure business continuity and
to avoid breaches of the law and statutory, regulatory or contractual
obligations. 

REGULATIONS

I. PROTECTION OF PERSONAL DATA 

1.         The University holds and processes information about
employees, students, and other data subjects for academic,
administrative and commercial purposes. When handling such information,
the University, and all staff or others who process or use any personal
information, must comply with the BC Freedom of Information and
Protection of Privacy Act [RSBC 1996] ( 
http://www.qp.gov.bc.ca/statreg/stat/F/96165_02.htm ). Responsibilities
under the FOIPP Act are set out in the University's Information
Disclosure Policy -- ADM 2-1 ( 
http://www.tru.ca/assets/policy/adm/adm02-1.pdf ), Head (of) Freedom of
Information and Protection of Privacy Policy -- ADM 2-0 ( 
http://www.tru.ca/assets/policy/adm/adm02-0.pdf ) and the
Confidentiality of Student Information Policy -- ADM 2-2 ( 
http://www.tru.ca/assets/policy/adm/adm02-2.pdf ).

2.         The University also performs a significant volume of credit
card transactions.  To ensure the protection of credit card information
the University complies with Payment Card Industry Data Security
Standards ( https://www.pcisecuritystandards.org/tech/index.htm ).

NOTES - Finance does not feel it is necessary to reference PCI-DSS any
more than the many standards controlling financial activity.

II. RESPONSIBILITIES 

1.         The University believes that information security is the
responsibility of all students and members of staff. Every person
handling information or using University information systems is expected
to observe the information security policies and procedures, both during
and, where appropriate, after his or her time at the University. 

2.         This Policy is the responsibility of the Board; supervision
of the Policy will be undertaken by the TRU Information Security
Committee. This policy may be supplemented by more detailed
interpretation for specific sites, systems and services. Implementation
of information security policy is managed through the Information
Security Manager, the Information Security Committee, and other
personnel with security responsibilities in specified areas of the
University.

III. EDUCATION AND TRAINING 

1.                  The University recognises the need for all staff,
students and other users of University systems to be aware of
information security threats and concerns, and to be equipped to support
University security policy in the course of their normal work. The
Information Security Manager shall implement a training programme for
each class of users and, when requested by the University's Schools and
Departments, shall provide information and further training in
information security matters to answer particular requirements.

NOTES - Cost attached; no one will approve this.

IV. COMPLIANCE WITH LEGAL AND CONTRACTUAL OBLIGATIONS

1.         Authorised Use - University IT facilities must only be used
for authorised purposes as defined in the Responsible Use of Information
Technology Facilities and Services Policy - BRD 16-0 ( 
http://www.tru.ca/assets/policy/brd/brd16-0.pdf ). The University may
from time to time monitor or investigate usage of IT facilities and any
person found using IT facilities or systems for unauthorised purposes,
or without authorised access, may be subject to disciplinary, and where
appropriate, legal proceedings. 

2.         Monitoring of Operational Logs - The University shall only
permit the inspection and monitoring of operational logs by computer
operations personnel and system administrators. Disclosure of
information from such logs, to officers of the law or to support
disciplinary proceedings, shall only occur (i) when required by and
consistent with law; (ii) when there is reason to believe that a
violation of law or of a University policy has taken place; or (iii)
when there are compelling circumstances. 

3.         Access to University Records - In general, the privacy of
users' files will be respected but the University reserves the right to
examine systems, directories, files and their contents, to ensure
compliance with the law and with University policies and regulations,
and to determine which records are essential for the University to
function administratively or to meet its teaching obligations. Except in
emergency circumstances, authorisation for access must be obtained from
the data owner or their nominee as outlined in the University's
Applications and Systems Access Request process (
http://www.tru.ca/its/hdesk/accessrequestlform.html ), and shall be
limited to the least perusal of contents and the least action necessary
to meet job requirements or resolve the situation.

4.         Protection of Software - To ensure that all software and
licensed products used within the University comply with the Canadian
Copyright Act ( R.S., 1985, c. C-42 ) and the University's Copyright
Policy --ADM 3-0 ( http://www.tru.ca/assets/policy/adm/adm03-0.pdf ),
the University will carry out checks from time to time to ensure that
only authorised products are being used, and will keep a record of the
results of those audits. Unauthorised copying of software or use of
unauthorised products by staff or students may be grounds for
disciplinary, and where appropriate, legal proceedings. 

5.         Virus, Malware, and Access Control - TRU will maintain
detection and prevention controls to protect against malicious software
and unauthorised external access to networks and systems. All users of
University computers, including laptops, shall comply with best
practice, as defined by Information Technology Services, in order to
ensure that up-to-date security controls are maintained on their
systems.

V. RETENTION AND DISPOSAL OF INFORMATION 

1.                  All staff have a responsibility to consider security
when using, storing, or disposing of information.  All data owners as
set out in the Organizational Information Criticality Matrix (OICM),
should establish security procedures appropriate to the information held
and processed by them, and ensure that all staff are aware of those
procedures. The OICM is available from the Manager Information Security.
Retention periods for some kinds of personal information are listed in
the Records Retention/Destruction Policy ADM 2-3 ( 
http://www.tru.ca/assets/policy/adm/adm02-3.pdf ).

NOTES - Library is working on this policy.  Remove?

VI. REPORTING

1.                  All staff, students and other users should report
immediately, by email to infosecurity () tru ca or by telephone to the
Information Technology Service Desk, any observed or suspected security
incidents where a breach of the University's information security
policies has occurred, or any security weaknesses in, or threats to,
systems or services.

VII. BUSINESS CONTINUITY

1.                  The University will implement, and regularly update,
a business continuity management process to counteract interruptions to
normal University activity and to protect critical processes from the
effects of failures or damage to vital services or facilities.

VIII. POLICY REVIEW

1.                  The University's Information Security Committee will
review and make any recommendations for update of this policy to the
President's Council on an annual basis or in response to changes in
regulatory compliance requirements.

IX. ENFORCEMENT

1.                  Violation of this policy or associated guidelines,
standards or procedures established by the University may result in
temporary or permanent loss of computing access privileges and may be
grounds for disciplinary, and where appropriate, legal proceedings.



 
Hugh Burley
Thompson Rivers University
ITS - Senior Technology Coordinator
 
Information Security 
BCCOL - 222D
250-852-6351


Clifford Collins <collinsc () FRANKLIN EDU> 04/06/2008 9:08 am >>>
Colleagues,
Having read through the ISO/IEC 37001:2005 code of practices I noticed
in section 5.1.1 the need for an information security policy document
"approved by management, and published and communicated to all employees
and relevant external parties."

Does anybody have such a document they feel could serve as a model? If
so, would you please share it with me?

If you want more detail about what the code of practices expects to be
in this document, here's an excerpt on it:

The information security policy document should state management
commitment and set out the organization's approach to managing
information security. The policy document should contain statements
concerning:

a) a definition of information security, its overall objectives and
scope and the importance of security as an enabling mechanism for
information sharing (see introduction);
b) a statement of management intent, supporting the goals and principles
of information security in line with the business strategy and
objectives;
c) a framework for setting control objectives and controls, including
the structure of risk assessment and risk management;
d) a brief explanation of the security policies, principles, standards,
and compliance requirements of particular importance to the
organization, including:
   1) compliance with legislative, regulatory, and contractual
requirements;
   2) security education, training, and awareness requirements;
   3) business continuity management;
   4) consequences of information security policy violations;
e) a definition of general and specific responsibilities for information
security management, including reporting information security incidents;
f) references to documentation which may support the policy, e.g. more
detailed security policies and procedures for specific information
systems or security rules users should comply with.


This information security policy should be communicated throughout the
organization to users in a form that is relevant, accessible and
understandable to the intended reader.


This is a pretty tall order and the reason why I'm looking for some
samples. Any help is appreciated.

Clifford A. Collins
Information Security Officer
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"

