Adwea Ims It MGMT PLC v1.14
Approval Stamp.
Chairman:
This document is the property of ADWEA and cannot be used nor provided to outside party without prior authorization.
Effective Date: Xst of Xxx 20XX
Title Signature
Approved By Chairman
3.13. [ITD-IS-PL-013] INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE POLICY
3.13.1. Policy summary
3.13.2. Applicability
3.13.3. Background
3.13.4. Guiding principle
3.13.5. Detailed policy requirements
3.13.6. Responsibilities and accountabilities
3.13.7. Any References
3.14. [ITD-IS-PL-014] INFORMATION SECURITY INCIDENT MANAGEMENT POLICY
3.14.1. Policy summary
3.14.2. Applicability
3.14.3. Background
3.14.4. Guiding principle
3.14.5. Detailed policy requirements
3.14.6. Responsibilities and accountabilities
3.14.7. Any References
3.15. [ITD-IS-PL-015] INFORMATION SYSTEMS CONTINUITY PLANNING POLICY
3.15.1. Policy summary
3.15.2. Applicability
3.15.3. Background
3.15.4. Guiding principle
3.15.5. Detailed policy requirements
3.15.6. Responsibilities and accountabilities
3.15.7. Any References
4. ROLES AND RESPONSIBILITIES
1 EXECUTIVE SUMMARY
We believe that Information Security is critical for establishing trust between our customers, business
partners, and employees. It is one of the fundamental requirements to ensure integrity and timely
availability of information for serving our customers efficiently and effectively, ensure legal
compliance and to prevent unauthorized access to our business systems and data.
This Information Security Policy is developed to define the appropriate use of computing and
communications resources. It addresses security aspects of the information stored on or transferred
via computers, networks, telephones or other communications devices, as well as the usage and
protection of the physical assets themselves. This policy applies to all employees and the contracted
workforce associated with ADWEA.
2 GENERAL APPLICABILITY
This policy is applicable to all information assets of ADWEA and its Group of companies, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub-policy elements.
3 IT POLICY ELEMENTS
This policy protects the information used to conduct ADWEA's business and the systems that support
this information. The high-level objectives of this policy are:
Maintaining the confidentiality of sensitive information
Successful management of the information security risks within ADWEA.
Efficient management of information security process
Compliance with sector or national requirements
3.1.2 Applicability
This policy is applicable to all information assets of ADWEA and its Group of companies, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub-policy elements.
3.1.3 Background
We believe that Information Security is critical for establishing trust between our customers, business
partners, and employees. It is one of the fundamental requirements to ensure integrity and timely
availability of information for serving our customers efficiently and effectively, ensure legal compliance
and to prevent unauthorized access to our business systems and data.
These policies communicate the direction to be followed in securing the organization.
3.1.5.1 The Director General shall ensure that the information security policy, as well as guidelines
and standards, are utilized and acted upon by delegating the responsibility appropriately
down the line while remaining accountable.
3.1.5.2 The Director General must ensure the availability of sufficient training and information
material for all users, to enable the users to protect ADWEA's data and information systems.
3.1.5.3 The information security policy shall be reviewed and updated annually or when necessary,
in accordance with the principles described in the NESA UAE Information Assurance Standards. This
will ensure that it remains appropriate in the light of any relevant changes to the law,
organizational policies or contractual obligations.
3.1.5.4 All important changes to ADWEA's activities, and other external changes related to the threat
level, shall result in a revision of the policy and the guidelines relevant to the information
security.
3.1.5.5 It is ADWEA's policy that the information it manages shall be appropriately secured to protect
against the consequences of breaches of confidentiality, failures of integrity or interruptions
to the availability of that information.
3.1.5.6 This information security policy provides management direction and support for information
security across the organization. Specific, subsidiary information security policies shall be
considered part of this information security policies and shall have equal standing.
3.1.5.7 This policy has been ratified by ADWEA and forms part of its policies and procedures. It is
applicable to and will be communicated to staff and other relevant parties.
3.1.5.8 To determine the appropriate levels of security measures applied to information systems, a
process of risk assessment shall be carried out for each critical service to identify the
probability and impact of security failures.
3.1.5.9 To manage information security within the organization, an information security oversight
committee shall be established, chaired by a senior officer and comprising appropriate senior
organizational managers. The objective of this group shall be to ensure that there is clear
direction and visible management support for security initiatives.
3.1.5.10 This oversight group shall promote security through appropriate commitment and adequate
resourcing.
3.1.5.11 An information security working party, comprising management representatives from all
relevant parts of the organization, shall devise and coordinate the implementation of
information security controls.
3.1.5.12 The responsibility for ensuring the protection of information systems and specific security
processes, shall be with the head of the department managing that information system.
3.1.5.13 Specialist advice on information security shall be made available throughout the
organization.
3.1.5.14 ADWEA will establish and maintain appropriate contacts with other organizations, law
enforcement authorities, regulatory bodies, and network and telecommunications operators
in respect of its information security policy.
3.1.5.15 The implementation of the information security policy shall be reviewed independently of
those charged with its implementation.
3.1.5.16 Violations of this policy, including failure to report non-compliance, can result in disciplinary
action as described in the exceptions process.
3.1.6.1 Owner of the security policy - The Director General is the owner of the security policy (this
document). He delegates the responsibility for security-related decision making to the CISO
(Chief Information Security Officer) and the information security oversight committee. All
policy changes must be endorsed by the above committee.
3.1.6.2 Information security oversight committee - The role of the committee is primarily to
coordinate and facilitate information security initiatives and activities at the executive and
senior management level and thus to enable ADWEA to optimize its information security
posture and minimize security risk.
3.1.6.3 CISO (Chief Information Security Officer) - The CISO holds the primary responsibility for
ensuring the management of information security.
3.1.6.4 Information owner - Information owners are the people or departments who are accountable for
specific information or information resources. They are primarily responsible for information
classification, defining access rules and other security controls for the information assets
under their jurisdiction.
3.1.6.5 System owner - System owners are the individuals or departments who are responsible for
implementing the defined controls and access to an information resource.
3.1.6.6 Users - Employees are responsible for becoming acquainted with, and complying with, the
policies.
3.1.6.7 Consultants and contractual partners- Contractual partners and contracted consultants must
comply with the information security policy. The information owner is responsible for
ensuring that this is implemented.
3.1.6.8 Internal Audit is authorized to assess compliance with this and other corporate policies.
To ensure that a current and complete information risk profile exists for technology, applications
and infrastructure within the enterprise.
To ensure that the entity's risk appetite and tolerance are understood, articulated and
communicated internally.
To ensure that these risks are treated in accordance with the information security requirements
and objectives of the entity, which are aligned with the NESA requirements.
3.2.2 Applicability
This policy is applicable to all information assets of ADWEA and its Group of companies, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub-policy elements.
3.2.3 Background
Entities owning, operating and/or maintaining Critical Information Infrastructure in the UAE must
consider all relevant NESA issuances and guidance about risk management when performing risk
assessment.
These entities are charged with protecting the confidentiality, integrity and availability of their
Information Resources as per NESA mandates. To accomplish this task, a formal Information Security
Risk Management Program has been established as a component of ADWEA's Information
Security Program to ensure that ADWEA is operating with an acceptable level of risk. The Information
Security Risk Management Program is described in this Policy.
3.2.5.1 ADWEA will use the NESA IAS as its framework for managing its IT information security risks
by establishing the context, performing IT risk assessments, implementing risk treatments
and monitoring their implementation.
3.2.5.2 There will be a formal documented and approved process and procedure associated with the
Information Security risk assessment, treatment and monitoring for ADWEA.
3.2.5.3 The scope of the risk assessment, treatment and monitoring shall cover all the critical services
and their supporting functions based on the information asset classification (refer to asset
management policy).
3.2.5.4 Roles and responsibilities related to the overall Information Security risk management for
ADWEA shall be clearly defined and communicated.
3.2.5.5 Risk impact criteria, acceptance criteria and risk evaluation criteria shall be clearly defined
under risk management standards.
3.2.5.6 The Information Security risk management shall be integrated with the enterprise risk
management.
3.2.5.7 The Information Security risk management plan shall cover all the main elements as outlined
below.
3.2.5.7.1 Information risk identification - ADWEA shall apply the information security risk assessment
process to identify risks associated with the loss of confidentiality, integrity and availability
of its critical information assets by:
Defining clearly the scope of the risk assessment exercise.
Identifying critical business functions.
Identifying critical information systems supporting business critical functions within
the scope and boundary of the risk assessment.
3.2.5.7.4 Monitoring of information security risk management - ADWEA shall plan and document
the process for the review and update of the risk assessment and treatment; this shall
include planned reviews and updates as well as ad hoc updates if significant changes occur.
ADWEA's monitoring and review processes shall encompass all aspects of the risk
management process and shall take account of changes in:
A. The entity itself
B. Technology used
C. Business objectives and processes
D. Risk criteria and the risk assessment process
E. Assets and consequences of losses of confidentiality, integrity or availability
F. Identified threats
G. Identified vulnerabilities
H. Effectiveness of the implemented controls
I. External events, such as changes to the legal or regulatory environment, changed
contractual obligations, and changes in social climate.
ADWEA shall monitor security incidents that might trigger the risk assessment
process.
Responsibilities for monitoring and review shall be clearly defined and documented.
3.2.5.7.5 Communication of Information security risks- ADWEA shall communicate and consult
risk information obtained during and after risk management activities with all
stakeholders involved.
It will establish and use a formal risk communication plan for communicating risk
information with key stakeholders including decision-makers within the entity during
all stages of the risk management process.
As per the Roles and Responsibilities section mentioned at the end of the overall Information
security policy.
This policy specifies an information security awareness and training program to inform and motivate all
workers regarding their information security obligations.
3.3.2 Applicability
This policy is applicable to all information assets of ADWEA and its Group of companies, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub-policy elements.
3.3.3 Background
Technical security controls are a vital part of our information security framework but are not in
themselves sufficient to secure all our information assets. Effective information security also requires
the awareness and proactive support of all workers, supplementing and making full use of the technical
security controls. Lacking adequate information security awareness, workers are less likely to recognize
or react appropriately to information security threats and incidents. Whereas awareness implies a
basic level of understanding about a broad range of information security matters, training implies
more narrowly-focused and detailed attention to one or more specific topics. Training tends to be
delivered through classroom or online courses, while awareness tends to be delivered by multiple
communications methods such as seminars, case studies, written briefing and reference materials,
posters and conversations. Awareness provides the foundation level of knowledge and understanding
for training to build upon.
In order to protect information assets, all workers must be informed about relevant, current
information security matters, and motivated to fulfill their information security obligations.
3.3.5.1 An information security awareness program shall ensure that all workers achieve and
maintain at least a basic level of understanding of information security matters, such as
guidelines. However, workers with limited intranet access must also be kept suitably
informed by other means such as seminars, briefings and courses.
3.3.5.6 Information security awareness training shall be measured for effectiveness using
awareness training test results and other supporting metrics.
3.3.6.1 The Director General is accountable for running an effective information security awareness
and training program.
3.3.6.2 The Chief Information Security Officer is responsible for managing an effective information
security awareness and training program.
3.3.6.3 The concerned training department is responsible for running security awareness and training
related activities.
3.3.6.4 IT Help/Service Desk is responsible for helping workers on basic information security
guidance.
3.3.6.5 Managers are responsible for ensuring that their staff and other workers within their remit
participate in the information security awareness, training and educational activities where
appropriate.
3.3.6.6 Workers are personally accountable for complying with the information security related
policies or processes and any training and awareness programs conducted by ADWEA.
To increase ADWEA's assurance that personnel will contribute positively to the information security
posture of ADWEA by understanding their responsibilities and ensuring they are suitable for their role.
To address security requirements for each phase of the employment, contract or agreement lifecycle,
supporting HR processes such as employment, change of employment or termination.
3.4.2 Applicability
This policy is applicable to all information assets of ADWEA and its Group of companies, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub-policy elements.
3.4.3 Background
As cited in a variety of sources, people are often described as the weakest link in any security system.
It is important to build security into the entire Human Resource (HR) process, from pre-employment,
during employment, and through termination, to ensure that policies and procedures are in place to
address security issues. Consistent training throughout the entire process ensures that employees and
contractors are fully aware of their roles and responsibilities and understand the criticality of their
actions in protecting and securing both information and facilities.
A. All personnel are presented, on first access or during personnel orientation, relevant
information security policies and guidelines so as to be read and accepted.
B. All personnel are properly briefed on their information security roles and
responsibilities prior to being granted access to ADWEA information or information
system
C. All personnel comply with ADWEA's information security policies and procedures
D. All personnel skills and qualifications are continuously evaluated and improved
in accordance with set, appropriate criteria
E. A disciplinary process shall be defined, communicated to all personnel and enforced
F. The disciplinary process shall be commenced only after verification that a security
breach has occurred
3.4.5.3. TERMINATION / CHANGE OF EMPLOYMENT
Employment termination or change of employment responsibilities shall be defined and
assigned emphasizing the communication in relation to ADWEA information security
(including confidentiality and property rights)
All ADWEA personnel shall return all of the organization's assets in their possession
upon termination of employment, contract or agreement
All personnel access to information and information systems shall be revoked upon
termination of their employment, contract or agreement, or adjusted upon change.
3.4.6.1 The Director General is accountable for enforcing an effective HR security policy across the
organization.
3.4.6.2 The Chief Information Security Officer is responsible for developing and maintaining the HR
security policy (including this one) and for ensuring that it works in conjunction with the HR process
owners.
3.4.6.3 HR Process Owners are responsible for ensuring that ADWEA's HR processes and policies fully
incorporate the HR security policy elements outlined under this policy.
3.4.6.4 Employees are personally accountable for complying with the HR security related policies or
processes.
3.4.6.5 Internal Audit is authorized to assess compliance with this and other corporate policies.
To define compliance from the perspective of ADWEA's Information security policy and the UAE IA
standards.
To increase ADWEA's assurance that all of ADWEA's information security requirements and externally
mandated requirements have been implemented and maintained, where applicable, throughout the
lifecycle.
3.5.2. Applicability
This policy is applicable to all information assets of ADWEA and its Group of companies, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub-policy elements.
3.5.3. Background
A compliance policy facilitates the implementation of the associated controls to ensure ADWEA is
compliant at the entity, sector, and national levels.
Important elements to consider when developing a compliance framework or policy include the
following (but are not limited to these):
Awareness of relevant regulations/laws. (Do you know what you should follow?)
Awareness of relevant policies. (Do you know what organizational policies apply to
information use?)
Awareness of relevant contractual agreements. (Do you know what agreements your
organization has made that impose conditions on the use of data?)
Awareness of relevant standards or best practices. (Do you know what standards or best
practices your organization chooses to follow with respect to information use?)
Management of organizational records. (Do you know what you should keep and for how
long?)
3.5.5.1. All ADWEAs legal and contractual compliance requirements, including at sector and national
levels, shall be identified and documented, specifying the consequences of not meeting each
compliance requirement.
3.5.5.2. ADWEA commits to comply with all national, sector and local laws and regulations for
information/cyber security.
3.5.5.3. Execution of all information security procedures and activities shall comply with ADWEA's
Information Security Policies and Processes.
3.5.5.4. Any perceived violations shall be reported to the site-specific information security focal point
as identified by ADWEA and appropriate actions shall be taken to mitigate the risks of non-
compliance.
3.5.5.5. All deviations from Information security policy at the site level shall be approved by ISGC.
3.5.5.6. Compliance audits shall be conducted only by resources identified by the Information
Security Governance Committee on an annual basis, and shall be carefully planned and
agreed upon when performed against Systems or assets.
3.5.5.7. Information consisting of vulnerabilities and potential non-compliance shall be considered as
confidential information and shall be treated accordingly.
3.5.5.8. Information concerning such vulnerabilities and non-compliance shall be shared only on a
need to know basis.
3.5.5.9. Information Security Governance Committee shall be informed of all potential vulnerabilities
and non-compliance issues on a regular basis and shall be accountable for providing adequate
resources to mitigate these issues.
3.5.5.10. The site-specific security focal point of contact is responsible for informing the CISO, who
communicates with external customers or government entities.
3.5.5.11. Individual employees shall not share any potential vulnerabilities or non-compliance issues
externally (e.g.: to media, government or customers) or internally except to individuals or
roles identified by ISGC for this purpose.
3.5.6.1. As per the Roles and Responsibilities section mentioned at the end of the overall Information
security policy.
3.5.6.2. IS/Internal Audit is authorized to assess compliance with this policy. Typical responsibilities
include:
Define the audit criteria, scope and audit plan for each IS security audit.
Select auditors and conduct audits to ensure objectivity and the impartiality of the audit
process.
Ensure that the results of the audits are reported to relevant management
Document the audit program and the audit results
Ensure that the internal audit findings and subsequent corrective actions are effectively
implemented and recorded.
To ensure that information security performance is measured, analyzed, evaluated and improved,
where necessary, to meet changing risk factors and ADWEA's goals and objectives.
3.6.2. Applicability
This policy is applicable to all information assets of ADWEA and its Group of companies, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub-policy elements.
3.6.3. Background
Ongoing performance monitoring and evaluation is one of the major contributors to effective
and successful information security operation within any entity. Therefore, ADWEA shall have an overall
framework for its monitoring and performance measurement activities.
To measure information security performance and the effectiveness of the information
security management system, the organization needs to determine the following:
what needs to be monitored and measured, including information security processes and
controls.
the methods for monitoring, measurement, analysis and evaluation, as applicable, to
ensure valid results
when the monitoring and measuring is to be performed.
who would monitor and measure.
when are the results from monitoring and measurement analyzed and evaluated; and
who would analyze and evaluate these results
3.6.5.1. Key security performance indicators shall be established by CISO and be reviewed and
approved by the Information Security Governance Committee, to evaluate the performance
of ADWEA's information security controls and the effectiveness of the IT security
management program in achieving business goals and objectives.
3.6.5.2. Annual compliance and operational audits shall identify and evaluate adherence to security
KPIs.
3.6.5.3. When risk factors change (i.e. when the threat and vulnerability landscape changes), compliance
and operational audits shall identify and evaluate adherence to security KPIs.
3.6.5.4. All information security incidents shall be analyzed to determine ineffective security controls
and appropriate compensating controls shall be put in place.
3.6.5.5. Information Security Governance Committee shall outline performance improvement plans
based on successive progression of security controls maturity and in line with the company's
goals and objectives.
3.6.5.6. Information Security Governance Committee shall monitor the implementation of
performance improvement plan on a regular basis.
3.6.6.1. As per the Roles and Responsibilities section mentioned at the end of the overall Information
security policy.
3.6.6.2. Internal Audit is responsible for assessing the performance of the Information security
program based on the KPIs set by the CISO and approved by the Information Security
Governance Committee.
To ensure that all information assets are properly classified and that the assets are appropriately
managed and protected throughout their lifecycle, as per their classification.
3.7.2. Applicability
This policy is applicable to all ADWEA and its Group of companies information assets, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub policy elements.
3.7.3. Background
An asset is defined as "an item of value". Asset management is based on the idea that it is important
to identify, track, classify, and assign ownership for the most important assets in your organization to
ensure they are adequately protected. Tracking inventory of IT hardware is the simplest example of
asset management. Knowing what you have, where it lives, how important it is, and who is responsible
for it are all important pieces of the puzzle.
Similarly, an Information Asset is an item of value containing information. The same concepts of
general asset management apply to the management of information assets. To be effective, an overall
asset management strategy shall include information assets, software assets, and information
technology equipment.
An organization shall know what physical, environmental or information assets it holds, so that it
can manage and protect them appropriately. Important elements to consider when developing an
asset management policy are:
Inventory (do you know what assets you have & where they are?)
Responsibility/Ownership (do you know who is responsible for each asset?)
Importance (do you know how important each asset is in relation to other assets?)
Establish acceptable-use rules for information and assets.
3.7.6.1. Director General shall have the ultimate accountability for all information assets of ADWEA.
He/She may delegate full/partial ownership along with the defined responsibilities to any
internal role/function with operational rights and responsibility.
3.7.6.2. IT Head is responsible for providing operational support and management of information assets
within ADWEA as outlined in this policy.
3.7.6.3. CISO (Chief Information Security Officer): The information security officer is responsible for
developing and implementing information security policy designed to protect information
and any supporting information systems from unauthorized access, use, disclosure,
corruption or destruction of data.
3.7.6.4. End Users authorized by the Information Owner to access information are bound by the
acceptable usage policy of ADWEA (REF to Acceptable Use policy).
To ensure ADWEA appropriately protects buildings and rooms to prevent unauthorized access,
damage, or interference to the information systems therein.
To ensure ADWEA appropriately protects information systems equipment from physical and
environmental threats.
3.8.2. Applicability
This policy is applicable to all ADWEA and its Group of companies information assets, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub policy elements.
3.8.3. Background
Physical and environmental security programs define the various measures or controls that protect
organizations from loss of connectivity and availability of computer processing caused by theft, fire,
flood, intentional destruction, unintentional damage, mechanical equipment failure and power
failures. Physical security measures shall be sufficient to deal with foreseeable threats and shall be
tested periodically for their effectiveness and functionality.
The fundamental elements of any physical and environmental security program, which can act as
guidelines for developing an appropriate physical and environmental security policy and process,
are listed below.
Determine which managers are responsible for planning, funding, and operations of
physical security of the Data Center.
Review best practices and standards that can assist with evaluating physical security
controls, such as ISO/IEC 27002:2013 / NESA IAS etc.
Establish a baseline by conducting a physical security controls gap assessment that will
include the following as they relate to your campus Data Center:
o Environmental Controls
3.8.5.1. Secure areas: ADWEA shall take due care to prevent unauthorized physical access, damage
or interference to the organization's premises and infrastructure, using controls appropriate
to the identified risks and the value of the assets protected. The policies outlined below
support this objective.
3.8.5.1.1. Physical security perimeter: Security perimeters shall be used to protect areas
that contain information and information processing facilities - using walls,
controlled entry doors/gates, manned reception desks and other measures. The
following points should be considered:
a) perimeter siting and strength is determined in response to risk assessment;
b) clearly defined and marked perimeters, except in situations where
hidden/disguised perimeters would enhance security;
c) use of physical soundproof walls, windows and doors, protected with bars,
locks, alarms as appropriate;
3.8.5.1.6. Public access (or any delivery and loading access): Access points such as
delivery and loading areas, and other points where unauthorized persons may
enter the premises, shall be controlled. The following points should be
considered:
a. limits on access to the delivery and loading areas, and to other public access
areas, to the degree possible;
b. inspection of incoming and outgoing materials, and separation of incoming
and outgoing shipments, where possible; and
c. isolation of these areas from information processing facilities and areas
where information is stored, where possible.
3.8.5.2. Equipment security: ADWEA shall take due measures to prevent loss, damage, theft or
compromise of assets or interruption to the organization's activities.
3.8.5.2.1. Equipment siting and protection: Equipment shall be sited or protected to
reduce the risks from environmental threats and hazards, and to reduce the
opportunities for unauthorized access by human threats. The following points
should be considered:
a. siting to minimize unnecessary risks to the equipment, and to reduce the
need for unauthorized access to sensitive areas;
b. siting to isolate items requiring special protection, to minimize the general
level of protection required;
c. use of particular controls as appropriate to minimize physical threats -- e.g.,
theft or damage from vandalism, fire, water, dust, smoke, vibration,
electrical supply variance, or electromagnetic radiation; and
d. guidelines for eating, drinking, smoking or other activities near equipment.
3.8.5.2.2. Supporting utilities: Equipment shall be protected from power failures,
telecommunications failures, and other disruptions caused by failures in
supporting utilities such as HVAC, water supply and sewage. The following
points should be considered:
a. assuring that the supporting utilities are adequate to support the
equipment under normal operating conditions; and
b. making reasonable provision for backups (e.g., a UPS) in the event of
supporting utility failure.
As per the Roles and Responsibilities section at the end of the overall Information security policy set.
3.9.2. Applicability
This policy is applicable to all ADWEA and its Group of companies information assets, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub policy elements.
3.9.3. Background
Operations security involves planning and sustaining the day-to-day processes that are critical to
maintaining the security of organizations' information environments. The extent and complexity of
security operations will vary between organizations based on their risk tolerances and resource levels.
However, the most important aspect of operations security is that the operations themselves should
be repeatable, reliable, and consistently performed.
The 7 key guiding security controls for any Operational security related policy / process development
are listed below.
3.9.5.1. Operational procedures and responsibilities: ADWEA shall take due measures to ensure the
correct and secure operation of information processing facilities. To this effect, the policies
below have been instituted.
3.9.5.1.1. Documented operating procedures:
Operating procedures shall be documented, maintained and made available to
all users who need them. The following points should be considered:
o documentation of/for all significant system activities including start-up,
close-down, back-up and maintenance;
o treatment of such documents as a formal organizational record, subject to
appropriate change authorization, change tracking and archiving; and
o provision of appropriate security for such documentation, including
distribution control.
3.9.5.1.2. Change management
Changes to information processing facilities and systems shall be controlled using
appropriate change management procedures. The following points should be considered:
o risk assessments, including an analysis of potential impacts and necessary
countermeasures or mitigation controls;
3.9.5.2. Third party delivery management: This set of statements aims to implement and
maintain the appropriate level of information security and service delivery in the context of
third-party service delivery agreements.
3.9.5.2.1. Service delivery
Security controls, service definitions and delivery levels shall be included in third-party
service delivery agreements.
3.9.5.2.2. Monitoring and review of third-party services
Services, reports and records provided by the third party shall be regularly monitored and
reviewed, and appropriate audits conducted.
3.9.5.3. System planning and acceptance: This set of policies aims to minimize the risk of system
failures and non-availability.
3.9.5.3.1. Capacity management
The use of information and information facility resources shall be appropriately
monitored, and projections made for future capacity requirements to ensure adequate
systems performance. The following points should be considered:
o identification of capacity requirements for each new and ongoing
system/service;
o projection of future capacity requirements, considering current use, projected
trends, and anticipated changes in business requirements; and
o system monitoring and tuning to ensure and, where possible, improve availability
and effectiveness of current systems.
3.9.5.3.2. System acceptance
Acceptance criteria for new information systems, upgrades, and new versions shall be
appropriately established, and suitable tests of the system(s) carried out during
development and prior to acceptance. The following points should be considered:
o clear definition of, agreement on, testing of, and documentation of compliance
with requirements for system acceptance; and
o consultation with affected persons, or representatives of affected groups, at all
phases of the process.
3.9.5.4. Protection against malicious code: This set of statements aims to protect the integrity of
software and information.
3.9.5.4.1. Controls against malicious code
Appropriate controls shall be implemented for prevention, detection and response to
malicious code, including appropriate user awareness. The following points shall be
considered:
o prohibiting the use or installation of unauthorized software, including a
prohibition of obtaining data and software from untrusted networks;
o protective measures, such as installation of up-to-date anti-virus and anti-
spyware software;
o periodic reviews/scans of installed software and the data content of systems to
identify and, where possible, remove any unauthorized software;
o defined procedures for response to identification of malicious code or
unauthorized software;
The following points may also be considered:
o continuity/recovery plans to deal with system interruptions and failures caused
by malicious code; and
o user awareness training on these policies and methods.
3.9.5.5. Back-up: This set of policies aims to maintain the integrity and availability of organizational
information.
3.9.5.5.1. Information back-up
Back-up copies of information and software shall be made, and tested at appropriate
intervals, in accordance with agreed-upon back-up standards. The following points
should be considered:
o formal definition of the level of backup required for each system -- scope of data
to be imaged, frequency of imaging, duration of retention -- based on legal-
regulatory-certificatory standards and business requirements;
o complete inventory records for the back-up copies, including content and current
location;
o complete documentation of restoration procedures for each system;
o storage of the back-ups in a remote location, at a sufficient distance to make
them reasonably immune from damage to data at the primary site;
o appropriate physical and environmental controls for the back-up copies wherever
located;
o appropriate technical controls, such as encryption, for back-up copies of sensitive
information;
o regular testing of back-up media; and
o regular testing of restoration procedures.
3.9.5.6. Network security management: This set of statements aims to ensure the protection of
information in networks and protection of the supporting network infrastructure.
3.9.5.6.1. Network controls
Networks shall be appropriately managed and controlled, to be protected from threats,
and to maintain security for the systems and applications using the network, including
information in transit. The following points should be considered:
o separation of operational responsibilities for networks from those for computer
systems and operations, where appropriate;
o implementation of appropriate controls to assure the availability of network
services and information services using the network;
o establishment of responsibilities and procedures for management of equipment
on the network, including equipment in user areas;
o special controls to safeguard the confidentiality and integrity of sensitive data
passing over the organization's network and to/from public networks;
o appropriate logging and monitoring of network activities, including security-
relevant actions; and
3.9.5.7. Media handling: This set of statements aims to prevent unauthorized disclosure, modification,
removal or destruction of information assets, or interruptions to business activities due to
inappropriate media handling.
3.9.5.7.1. Management of removable media
Procedures and supporting standards shall be established for management of removable
media. The following points should be considered:
o where appropriate to the sensitivity of the data, logging and an audit trail of
removal of media from or relocations within the organization's premises;
o where appropriate to the sensitivity of the data, a requirement for authorization
prior to removal or relocation;
o appropriate redundancy of storage in light of the risks to the removable media,
including where storage retention requirements exceed the rated life of the
media;
o restrictions on the type of media and its usage, to ensure adequate security;
o registration and encryption of certain type(s) of media; and
o secure disposal of media when no longer needed.
As per the Roles and Responsibilities section at the end of the overall Information Security policy
set.
3.10.2. Applicability
This policy is applicable to all ADWEA and its Group of companies information assets, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub policy elements.
3.10.3. Background
Communications encompasses the breadth of digital data flows both within an organization and
between external entities across network infrastructures. These flows now include data, voice, video,
and all their associated signaling protocols. Securing these information flows as they traverse intranets,
extranets and the Internet requires effective network infrastructure management as well as controls,
policies, and procedures.
When beginning the process of developing and establishing a secure communications policy/program,
the following fundamentals must be considered and adhered to:
Develop policies and standards that support:
o Establishment of clear authority and accountability for network management.
o Risk-based segregation of groups of systems, users, and information systems.
o Authority to control, actively monitor, and log traffic traversing designated ingress
and egress points.
Identify threats related to the communications environment.
3.10.5.1. Exchange of information: This set of statements aims to maintain the security of information
and software exchanged within ADWEA and with any external entity.
3.10.5.1.1. Information exchange
Formal standards and procedures shall be implemented to protect the exchange of
information, covering the use of all types of communications facilities and data storage
media. The following points should be considered:
o procedural controls designed to protect exchanged information from
interception, copying, modification, mis-routing or destruction;
o procedures for the detection of and protection against malicious code;
o procedures for the protection of wireless communications;
3.10.5.2. Electronic commerce services: This set of statements aims to ensure the security of electronic
commerce services and their secure use.
3.10.5.2.1. Electronic commerce
Information involved in electronic commerce passing over public networks shall be
appropriately protected from fraudulent activity, contract dispute, and unauthorized
disclosure and modification.
3.10.5.2.2. On-line transactions
Information involved in on-line transactions shall be appropriately protected to prevent
incomplete transmission, misrouting, unauthorized message alteration, unauthorized
disclosure, unauthorized message duplication or replay.
3.10.5.3. Monitoring: This policy section covers monitoring and detecting unauthorized
information processing activities.
3.10.5.3.1. Audit logging
Audit logs that record user activities, exceptions, and information security events shall be
produced, and kept for an agreed-upon time period, to assist in future investigations and
access control monitoring. The following points should be considered:
o recording all key events, including the date/time and details of the event, the
user-ID associated, terminal identity and/or location, network addresses and
protocols, records of successful and unsuccessful system accesses or other
resource accesses, changes to system configurations, use of privileges, use of
system utilities and applications, files accessed and the kinds of access, alarms
raised by the access control or any other protection system (e.g., IDS/IPS);
o appropriate privacy protection measures for logged data that is identified as
confidential;
o appropriate technical, physical and administrative security protection of audit
logs, to ensure integrity and availability.
3.10.5.3.2. Monitoring system use
Procedures for monitoring use of information processing facilities shall be established and
the results of monitoring activities regularly reviewed. The following points should be
considered:
o event tracking and recording as specified in the "audit trail" policy element;
o monitoring and review of data as determined by the criticality of the
application/system or information involved, past experience with information
security incidents, and general risk assessment.
As per the Roles and Responsibilities section at the end of the overall Information security policy set.
To cover the user access life-cycle with respect to the assignment and revocation of access
privileges.
To underscore the importance of the active participation of users in safeguarding the
access privileges and credentials provided to them, and the practices needed to prevent
unauthorized disclosure of privileged information.
To cover the mechanisms that an organization can use to ensure that only authorized users
have access to organizational computing devices.
3.11.2. Applicability
This policy is applicable to all ADWEA and its Group of companies information assets, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub policy elements.
3.11.3. Background
A basic element of any organization's information security program is the protection of information
resources that support the critical operations of the organization from unauthorized access,
modification, or disclosure. Access control is the use of administrative, physical, or technical
security features to manage how users and systems communicate and interact with other information
resources.
The following comprise the core principles for developing an access control policy framework.
Roles and responsibilities.
Need-to-Know: Access only to information needed to perform assigned tasks.
Need-to-Use: Access only to information resources needed to perform assigned tasks.
Access levels and privileges by role.
Periodic review and removal of access levels and privileges.
Segregation of duties for requesting, authorizing, and reviewing access levels and privileges
What is required to identify users?
Requirement for vetting users in person
Requirement to protect and preserve records concerning user identification and
credentials
What criteria are used to determine the types of credentials used?
What criteria are used to determine the level of access to applications and services?
Identification of roles with privileged access
Contractual obligations for limiting access granted to vendors and partners
What is required from identity providers and from service providers?
Requirement to identify the security requirements of applications, both purchased and
developed internally
Requirement to determine the Level of Authentication (LOA) required to access a service
based on risk
3.11.5.1. Business requirements for access control: The objective of this section is to provide policy
elements to control access to information, information processing facilities, and business
processes.
3.11.5.1.1. Access control
Access controls shall be periodically reviewed, based on business needs and external
requirements. Access controls shall take account of:
o security issues for particular information systems, given business needs,
anticipated threats and vulnerabilities;
o security issues for particular types of data, given business needs, anticipated
threats and vulnerabilities;
o all relevant legislative, regulatory and certificatory requirements;
o relevant contractual obligations or service level agreements;
3.11.5.2. User access management: This policy statement ensures only authorized users have
access to specific information and information systems. The following points should be
considered:
o formal procedures to control the allocation of access rights;
o procedures covering all stages in the life-cycle of user access, from provisioning
to de-provisioning;
o special attention to control privileged ("super-user") access rights; and
o appropriate technical measures for identification and authentication to ensure
compliance with defined access rights.
3.11.5.2.1. User registration
Formal user registration and de-registration procedures shall be implemented, for granting
and revoking access to all information systems and services. The following points should be
considered:
o assignment of unique user-IDs to each user;
3.11.5.3. Network access control: The purpose of this section is to outline policies that support
the prevention of unauthorized access to network services.
3.11.5.3.1. Policy on use of network services
Users shall only be provided with access to the services that they have been specifically
authorized to use. The following points should be considered:
o authorization procedures for determining who is allowed access to which
networks and network services, consistent with other access rights; and
o deployment of technical controls to limit network connections.
3.11.5.3.2. User authentication for external connections
Appropriate authentication methods shall be used to control remote access to the network.
3.11.5.3.3. Equipment/location identification in networks
Where appropriate and technically feasible, access to the network shall be limited to
identified devices or locations.
3.11.5.3.4. Remote diagnostic and configuration port protection
Physical and logical access to diagnostic and configuration ports shall be appropriately
controlled. The following points should be considered:
o physical security for on-site diagnostic and configuration ports;
o technical security for remote diagnostic and configuration ports; and
o disabling/removing ports, services and similar facilities which are not required.
3.11.5.5. Application and information access control: This set of statements aims to prevent
unauthorized access to information held in application systems.
3.11.5.5.1. Information access restriction
Access to information and application system functions by users and support personnel
shall be restricted in accordance with a defined access control policy that is consistent with
the organizational access policy.
3.11.5.5.2. Sensitive system isolation
Sensitive systems shall have a dedicated (isolated) computing environment wherever
technically feasible. The following points should be considered:
o explicit identification and documentation of sensitivity by each
system/application controller; and
o explicit identification and acceptance of risks when shared facilities and/or
resources must be used.
3.11.5.6. Mobile computing and teleworking: This set of statements aims to ensure information
security when using mobile computing and teleworking facilities. Controls shall be
implemented that are in line with the:
o type of user(s);
o setting(s) of mobile/teleworking use; and
o sensitivity of the applications and data being accessed from mobile/teleworking
settings.
As per the Roles and Responsibilities section at the end of the overall Information security policy set.
To ensure that third parties adequately secure the information and technology resources that they
access, process, and manage. This includes information sharing, defining legal obligations, and ensuring
non-disclosure agreements are executed to protect confidential information.
To ensure that supplier agreements are established and documented so that there is no
misunderstanding regarding both parties' obligations to fulfill relevant security requirements.
3.12.2. Applicability
This policy is applicable to all ADWEA and its Group of companies information assets, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy/sub-policy elements.
3.12.3. Background
External 3rd party suppliers are a vital component of business operations. Suppliers may have access to
a wide range of information from the supported organization. Once shared with a supplier, direct
control of this information is lost, regardless of sensitivity or value. As a result, appropriate technical
and contractual controls and mitigation processes must be established with all external suppliers.
When developing and establishing a third party security policy/program, the following fundamentals
must be considered:
Identify and document various suppliers and the types of information that they access or
manipulate.
Identify current policies and standards that describe or include third party responsibilities
and any compliance requirements associated with external providers (e.g., NESA, HIPAA,
PCI DSS, ISO 27000).
Review data classification standards and how these relate to the suppliers and information
that they handle. Where applicable it shall be ensured that information security and data
protection clauses are included in any supplier contracts.
party organization and team that is affecting their involvement with ADWEA,
the third party shall immediately inform and update ADWEA.
3.12.5.1.7. During the engagement period with third parties, ADWEA personnel shall
always follow security measures in order to protect the confidentiality,
availability and integrity of ADWEA information assets.
3.12.5.1.8. Any information being exchanged between ADWEA and the third party shall be
protected properly according to the guidelines in the Information Classification
Policy and Network and Communication Security Policy.
3.12.5.1.9. All third parties shall be informed about the information security policies and
procedures in ADWEA before starting any engagement and ensure that all the
necessary security requirements are properly enforced and addressed.
3.12.5.1.10. ADWEA reserves the right to monitor all the activities, access, network and
systems being utilized by the personnel of third parties at ADWEA premises.
A list of agreed Service Levels that will ensure and support the availability of
ADWEA's information assets in the case of a disaster.
Provision for confidentiality, non-disclosure and acceptable use clauses relating
to the information used and processed by the third party.
3.12.5.5. Third Party Responsibilities
3.12.5.5.1. Third party management shall ensure that their personnel assigned to ADWEA
projects are aware of and comply with ADWEA's Information Security Policies.
3.12.5.5.2. In case of any information security breach affecting ADWEA's information
assets, either within ADWEA's premises or at the third party's, the third party shall
notify ADWEA immediately of such incidents.
3.12.5.5.3. All software/hardware used by third parties' personnel to process or access
ADWEA's information assets shall be declared and checked by ADWEA and may
be subjected to an audit.
3.12.5.5.4. Any ADWEA assets given to third party personnel shall be returned to ADWEA
upon the completion of the engagement or whenever the asset is no longer
required to support their activities.
3.12.5.5.5. Third party personnel shall never override security controls in ADWEA under
any circumstances. Third parties shall never take advantage of the
vulnerabilities identified within ADWEA information systems in order to gain
unauthorized access.
3.12.5.6. Supplier Service Delivery Management
3.12.5.6.1. ADWEA shall periodically monitor, review and audit supplier service delivery.
3.12.5.6.2. Any exceptions to ADWEA's defined Supplier Service Delivery
requirements shall be recorded. Risks due to exceptions shall be managed to
acceptable levels through the application of compensating controls.
and storage of data in cloud environments. This should include the following
considerations:
o Perform the necessary due diligence to determine requirements and restrictions
relevant to information processing, storage and retention in the cloud
environment with respect to ADWEA data criticality (and its classification).
o Include the cloud environment (and, where possible, its components) in the
risk assessment process.
o Develop and maintain specific security standards and procedures to ensure
compliance with this policy's requirements with respect to the utilization of cloud
based services.
o Ensure that information about security incidents that happen at the cloud service
provider is communicated, when possible.
o Where possible, reserve the right to audit the security arrangements in place at the
cloud service provider.
3.12.5.7.2. Service delivery agreements with cloud providers: ADWEA shall document
relevant security requirements in service delivery agreements with cloud
service providers. Each service delivery agreement for cloud services shall
include provisions for:
o Understanding and maintaining awareness of where information with
applicable (e.g. geographical) restrictions will be stored or transmitted in the
cloud environment.
o Ensuring appropriate information migration plans at the end of the service
period.
o Ensuring all other cloud security requirements determined relevant by ADWEA
are included in the service delivery agreement.
As per the Roles and Responsibilities section at the end of the overall Information security policy set.
To ensure that security requirements are established as an integral part of the entire lifecycle of an
information system.
To ensure that development lifecycle processes are established to maintain the security of information
systems as the systems are designed, developed, tested, and maintained.
To ensure the protection of data used for testing.
3.13.2. Applicability
This policy is applicable to all ADWEA and its Group of companies information assets, including (but not
limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy/sub-policy elements.
3.13.3. Background
Security risks and events occur throughout a system's lifetime. This is true whether the system is
developed internally or purchased for on-premises hosting or cloud implementation. Security shall be
embedded throughout all phases of the system development life cycle, assessed during system
acquisition processes, and monitored during system maintenance, including disposal.
To be most effective, information security must be integrated into the system lifecycle from system
inception through system disposal. Regardless of the formal or informal lifecycle methodology
employed, security can be incorporated into information systems acquisition, development and
maintenance by implementing effective security practices in the following areas.
Security requirements for information systems
Security in development and support processes
Test data
3.13.5.1. Security requirements of information systems: The objective of this set of statements is
to ensure that security is an integral part of ADWEA's information systems, and of the
business processes associated with those systems.
3.13.5.1.1. Security requirements analysis and specification
Statements of business requirements for new information systems, or enhancements to
existing information systems shall include specification of the requirements for security
controls. The following points should be considered:
o consideration of business value of and legal-regulatory-certificatory standards
for information assets affected by the new/changed system(s);
o consideration of administrative, technical and physical controls available to
support security for the system(s);
o integration of these controls early in system design and requirements
specification; and
o a formal plan for testing and acceptance, including independent evaluation
where appropriate.
3.13.5.2. Correct processing in applications: This aims to prevent errors, loss, unauthorized
modification or misuse of information in applications.
3.13.5.2.1. Input and output data validation
Data input and output in applications shall be validated to ensure that the data is correct
and appropriate. The following points should be considered:
o use of both automatic and manual methods of data verification and cross-checking, as appropriate; and
o defined responsibilities and processes for responding to detected errors.
3.13.5.2.2. Control of internal processing
Validation checks shall be incorporated into applications to detect the corruption of
information through processing errors or deliberate acts. The following points should be
considered:
o use of both automatic and manual methods of data verification and cross-checking, as appropriate; and
o defined responsibilities and processes for responding to detected errors.
3.13.5.2.3. Message integrity
Requirements for ensuring authenticity and protecting message integrity in applications
shall be identified, and appropriate controls implemented.
3.13.5.3. Cryptographic controls: This set of statements aims to protect the confidentiality, integrity
and authenticity of information by cryptographic means.
3.13.5.3.1. Policy on the use of cryptographic controls
ADWEA shall develop the use of cryptographic controls for the protection of information based on
the points below:
o development of specifications (or applicable standards) based on a thorough risk assessment
that considers appropriate algorithm selection, key management and other core
features of cryptographic implementations;
o application of cryptographic controls, as appropriate, to data at rest and on fixed-location
devices, data transported by mobile/removable media and embedded in mobile
devices, and data transmitted over communications links;
o specification of roles and responsibilities for implementation of, and the monitoring of
compliance with, the policy; and
o consideration of legal restrictions on technology deployments.
3.13.5.3.2. Key management
Key management standards and processes shall be implemented to support an
organization's use of cryptographic techniques. The following points should be considered
and supported by relevant procedures:
o distributing, storing, archiving and changing/updating keys;
o recovering, revoking/destroying and dealing with compromised keys; and
o logging all transactions associated with keys.
3.13.5.4. Security of system files: This set of statements aims to ensure the security of critical system
files.
3.13.5.4.1. Control of operational software
ADWEA shall control the installation of software on operational systems, to minimize the
risk of interruptions or corruption of information services. The following points should be
considered:
o updating performed only with appropriate management authorization;
o updating performed only by appropriately trained personnel;
o only appropriately tested and certified software deployed to operational
systems;
o appropriate change management and configuration control processes for all
stages of updating;
o appropriate documentation of the nature of the change and the processes used
to implement it;
o a rollback strategy in place, including retention of prior versions as a contingency
measure; and
o appropriate audit logs maintained to track changes.
3.13.5.4.2. Protection of system test data
Test data shall be selected carefully and appropriately logged, protected and controlled.
3.13.5.4.3. Access control for program source code
Access to program source code shall be restricted. The following points should be
considered:
o appropriate physical and technical safeguards for program source libraries,
documentation, designs, specifications, verification and validation plans; and
o maintenance and copying of these materials subject to strict change
management and other controls.
3.13.5.5. Security in development and support processes: This set of statements aims to maintain
the security of application system software and information.
3.13.5.5.1. Change control procedures
The implementation of changes shall be controlled by the use of formal change control
procedures. The following points should be considered:
o a formal process of documentation, specification, testing, quality control and
managed implementation;
o a risk assessment, analysis of actual and potential impacts of changes, and
specification of any security controls required;
o a budgetary or other financial analysis to assess adequacy of resources;
o formal agreement and approval of changes by appropriate management;
o appropriate notification of all affected parties prior to implementation, on the
nature, timing and likely impacts of the changes; and
o scheduling of changes to minimize the adverse impact on business processes.
3.13.5.5.2. Technical review of applications after operating system changes
When operating systems and processes are changed, critical business processes shall be
reviewed and tested to ensure that there has been no adverse impact.
3.13.5.5.3. Restrictions on changes to software packages
Modifications to software packages shall be discouraged, limited to necessary changes, and
all changes shall be strictly controlled and monitored.
3.13.5.5.4. Information leakage
Opportunities for information leakage shall be appropriately minimized or prevented. The
following points should be considered:
o risk assessment of the probable and possible mechanisms for information
leakage, and consideration of appropriate countermeasures;
o regular monitoring of likely information leak mechanisms and sources; and
o end-user awareness and training on preventive strategies (e.g., to remove metadata in transferred files).
3.13.5.6. Technical vulnerability management: This set of statements aims to reduce the risks resulting
from exploitation of published technical vulnerabilities.
3.13.5.6.1. Control of technical vulnerabilities
Timely information about technical vulnerabilities of information systems used by the
organization shall be obtained, evaluated in terms of organizational exposure and risk, and
appropriate countermeasures taken. The following points should be considered:
o a complete inventory of information assets sufficient to identify systems put at
risk by a particular technical vulnerability;
o procedures to allow timely response to the identification of technical vulnerabilities
that present a risk to any of the organization's information assets, including a
timeline based on the level of risk; and
o defined roles and responsibilities for implementation of countermeasures and
other mitigation procedures.
As per the Roles and Responsibilities section mentioned at the end of the overall Information Security
policy.
To ensure a consistent and effective approach to the management of information security incidents,
including communication on security events and weaknesses.
Ensure personnel are trained and equipped to detect, report, and respond to adverse events, providing
the foundation for effective Information Security Incident Management.
Build an effective, timely, repeatable methodology for managing information security incidents that
meets legal requirements and is continually improved.
To ensure that the Information security incident response is integrated with the overall risk
management process to provide the capability to update the risk management portfolio.
3.14.2. Applicability
This policy is applicable to all ADWEA and its Group of companies information assets, including (but not
limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy/sub-policy elements.
3.14.3. Background
No matter the extent of our defenses, it is inevitable that Information Security Incidents will occur. For
this reason, establishing, periodically assessing, and continually improving incident management
processes and capabilities is very important.
These are some of the fundamental elements of any Incident management program which can act as
our guidelines for developing an appropriate IS incident management policy and process. They are listed
below.
Define what constitutes an information security incident and review how varied incidents
can be classified.
Consider what constitutes an information security incident that requires special handling
(vs. common security events). Review incident classification schemes that allow for aligning
handling procedures to potential impacts and risks.
Identify and establish essential roles and procedures needed for effective incident
management.
Evaluate the technical and operational capabilities of your organization to detect and
respond to security incidents. Consider how senior management support can be gained to
formalize effective incident management processes. Formulate procedures and workflow
for effectively addressing incidents throughout their lifecycle.
Create effective communication, coordination, and reporting plans for a broad spectrum of
incidents, including data breach events.
Identify key partners and stakeholders and levels of communication and engagement.
Review the legal and contractual communication requirements associated with data types
that may be involved in Information Security Incidents.
Adapt and learn from security incidents and strive for continual improvement by
identifying and planning for training needs and enhancement of response capabilities.
3.14.5.1. Reporting information security events and weaknesses: This set of statements aims to ensure
that information security events and weaknesses associated with ADWEA's information and
information system assets are communicated in a manner that allows appropriate corrective
actions to be taken.
3.14.5.2. Management of information security incidents and improvements: This set of statements
aims to ensure that a consistent and effective approach is applied to the management of
information security events and incidents.
As per the Roles and Responsibilities section mentioned at the end of the overall Information security
policy.
Information system continuity planning provides a managed, organized method for the deployment of
resources and procedures to assure the continuity of critical business operations under extraordinary
circumstances, including the maintenance of measures to assure the privacy and security of its
information resources. The key objective is to ensure timely resumption from, and if possible
prevention of, interruptions to business activities and processes caused by failures of information
systems.
3.15.2. Applicability
This policy is applicable to all ADWEA and its Group of companies information assets, including (but not
limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy/sub-policy elements.
3.15.3. Background
Organizations are vulnerable to a variety of natural and man-made emergencies, disasters, and
hazards. Recognizing that not all events can be prevented and some risks may be deemed acceptable,
proper planning is essential to maintain or restore services when an unexpected or unavoidable event
disrupts normal operations.
These are some of the fundamental elements of any Critical functions continuity program which can
act as guidelines for developing an appropriate Information Systems Continuity related policy and
process. They are listed below.
Obtain commitment and authority from organizational Leadership. High level support is
essential for building the cross functional teams that are needed to prepare and deploy
the plan.
Establish a planning team for each business unit.
Perform a risk assessment in each unit.
Identify critical resources:
o People: Identify all support staff, and establish a chain of succession for key
personnel.
o Places: Identify key buildings, and plan alternate locations for workers and
equipment.
o Systems: Perform a business impact analysis to prioritize systems in terms of
criticality.
o Other: Identify other critical assets required for normal business operations.
Determine continuity and recovery strategies within each unit.
Train staff on what to do in case of a disaster.
Test system recovery procedures at different levels.
Create a communication plan.
Review the Information systems continuity plan annually.
3.15.5.1. Information security aspects of Information systems continuity management: The objective
is to ensure timely resumption from, and if possible prevention of, interruptions to business
activities and processes caused by failures of information systems.
As per the Roles and Responsibilities section mentioned at the end of the overall Information Security
policy.
CISO (Chief Information Security Officer): The CISO has the overall responsibility for the management of
information security. He is responsible for the following:
o Develop and manage an information security plan that identifies the
information security environment and the controls to be implemented to
protect information assets, monitor these internal controls and
adjust/improve them when required.
o Define and manage information security risk assessments and the risk
treatment plan.
o Review/approve IT Security business cases, request funding and
resources, and provide progress reports to ISGC.
o Identify processes and a schedule for monitoring, tracking and reporting
IT Security Program success.
o Manage the creation of and changes to IT Security Program Charter
documents.
o Act as coordinator for facilitating Risk, Incident and Audit management
activities.
o Interface with operations, customers and vendors to communicate IT
Security Program policy, process and procedure changes.
o Escalate major IT Security Program issues to ISGC.
o Communicate Information Security Policy deviations or non-conformance
issues to ISGC.
o Provide ways to improve the efficiency and effectiveness of the
information security function.
All the defined security policies are applicable to new Information systems with no
exception. However, where the above security measures cannot be implemented in existing
systems due to older technology or system limitations, the policy recommends enforcing the
measures to an acceptable extent without affecting the performance, integrity and
availability of the Information systems.
Temporary override of security controls such as Application Whitelisting, DLP, HIPS, etc. may
be allowed for legitimate job requirements by authorized personnel with approval.
Security updates/solutions, including new virus definitions, operating system patches, etc., shall
be qualified/approved by the respective system vendors as and where necessary.
6. REFERENCES
Item Description
7. DEFINITIONS
This policy outlines the acceptable use of computing and communications resources at ADWEA. These rules are in place to protect the employee and ADWEA. Inappropriate use exposes ADWEA to risks including malware attacks and compromise of network systems and services.
8.2. Applicability
This policy is applicable to all ADWEA and its Group of companies information assets, including (but not limited to) people, process and technology, unless specific overriding scopes are identified and approved through additional policy / sub-policy elements.
8.3.1. General
a) Users are responsible and accountable for the information assets and services and their use in ADWEA. Any action carried out by users, or under their user accounts, is considered their responsibility.
b) Information assets and services in ADWEA shall be used for business purposes, shall not conflict with the religious, political and moral values of the UAE and shall comply with all local and federal rules and regulations.
c) Users shall not use or access any information asset or service that they are not authorized to. Users shall not bypass any restriction on assets or access in ADWEA.
d) Asset and service usage may be monitored for security or operational purposes.
e) ADWEA reserves the right to audit the use of assets and services on a periodic basis to ensure compliance with ADWEA Policies.
f) If this policy does not apply to certain assets, users shall immediately refer back to ADWEA Information Security.
a) The corporate-provided Endpoint Protection product shall be operated in real time on all devices. The product shall be configured for real-time malware and network threat protection and must be kept up to date.
b) Computers of third-party contractors, consultants and vendors connected to the ADWEA network must run an approved and up-to-date Endpoint Protection product with real-time malware and network threat protection.
c) Users shall not install an unapproved Endpoint Protection or Antivirus product, or try to alter the configuration of, or disable, the existing product.
d) Endpoint Protection full scans shall be performed a minimum of once per week on all user workstations and servers.
e) Users should ensure that an Endpoint Protection full scan is performed on all devices used by them.
f) Devices that have not been fully scanned, or whose definitions have not been updated, at least once per week should be disconnected from the network.
g) External or downloaded materials shall be scanned for malware/viruses using the provided corporate Endpoint Protection product.
h) Users shall notify the IT Service Desk immediately if they suspect that malware or a virus has been released into any computing resource within ADWEA.
i) If an infection is found or suspected, the machine will be disconnected from the network until verified as clean.
a) Users shall apply due care when using any of the specific facilities provided in ADWEA, such as the Internet and Intranet.
b) Users shall be aware of the classified information in ADWEA as per the Asset Management Policy, shall refrain from publishing such information on the Intranet/Internet and shall not share or publish any statement which can impact ADWEA's interests or reputation.
c) Users shall not download, install or use any unauthorized software on the computing devices provided to them by ADWEA. All new software requests shall go through the IT Service Desk for authorization and installation.
d) The use of proxy avoidance tools and services is strictly prohibited.
e) Users shall not connect networked devices directly to the Internet by using an external modem or similar device. Internet traffic going directly to the Internet is not protected by ADWEA security controls and exposes the ADWEA network to significant security risks.
f) If the Internet is used as a source of information in any ongoing activity or project in ADWEA, the information source shall be verified before being used for business purposes.
g) It is prohibited to visit Internet sites and services that:
Contradict the ethics and morals of the UAE, such as adult material, dating, etc.
Contain material which expresses hatred towards religions.
Are not in line with UAE laws.
Allow or assist users to access blocked content.
Constitute a risk, such as phishing websites, hacking tools and spyware.
Relate to gambling.
Provide information on purchasing, manufacturing, promoting or using illegal drugs.
Promote change or reform in public policy, public opinion, social practice, economic activities and relationships.
Offer information about, promote, or are sponsored by groups advocating anti-government beliefs or action.
h) ADWEA respects copyright when downloading files and documents. Users shall refrain from sharing copyrighted material at all times.
a) Users shall not use personal email or third-party email systems (such as Gmail, Yahoo Mail, Hotmail, Live, Outlook, iCloud, etc.) to conduct ADWEA business, or to store business data and emails.
b) Users shall not accept official business-related emails from third parties sent from personal email addresses (such as Gmail, Yahoo Mail, Hotmail, Live, Outlook, iCloud, etc.).
c) Users shall not share any confidential information (as defined in the Asset Management Policy) through email unless secure email controls have been implemented or the content is password-protected before being exchanged.
d) Users shall use email forwarding with due care.
e) All emails shall contain the approved ADWEA signature and disclaimer.
f) Users shall not use their ADWEA email address to register on any website on the Internet or for any non-business purpose.
g) Users shall not use the automatic forwarding option to or from external email addresses.
h) Emails or other forms of electronic communication containing the following are strictly prohibited:
Chain emails, jokes, videos, etc.
Spam
Harmful attachments or content, e.g. viruses, worms, etc.
Defamatory, offensive, racist or obscene remarks
Content that conflicts with the religious, cultural, political or moral values of the UAE
i) Email attachments shall be content-scanned for both incoming and outgoing emails.
j) Any misuse of the email service, and any information security alerts and warnings at ADWEA, shall be reported immediately to the IT Service Desk.
k) Any unauthorized use or forging of email header information is strictly prohibited.
a) Employees may use their mobile devices to access ADWEA services as per the Bring Your Own Device Policy in ADWEA.
b) Corporate mobile devices provided by ADWEA shall be password-protected.
c) Corporate mobile devices provided by ADWEA shall be used for business purposes only.
d) Users shall always keep corporate mobile devices safe and protect them from theft.
e) Users shall prevent any attempt at shoulder surfing by unauthorized persons while using corporate mobile devices in public places.
f) Users shall follow the malware protection guidelines provided in the Antivirus Policy while using any corporate mobile device.
g) Users shall follow the guidelines provided in the Teleworking Security Policy for secure remote access while working from outside ADWEA networks.
h) Corporate smartphone users are responsible for backing up the data on their devices.
i) Users shall follow the manufacturer's instructions when using corporate mobile devices, e.g. protection against heat and exposure to electromagnetic fields.
j) Corporate mobile devices provided by ADWEA shall never be shared with others.
k) Mobile devices used to access or store ADWEA data shall never be jailbroken, rooted or cracked.
l) ADWEA reserves the right to stop or disconnect any ADWEA service running on a mobile device without notifying the user.
m) Any lost or stolen corporate mobile device shall be reported immediately to the IT Service Desk.
a) Desks shall be kept clear while away, and data classified as Restricted or above shall be stored in locked drawers or cabinets. Keys used to lock drawers or cabinets shall not be left at an unattended work area.
b) Laptops shall be either secured with a locking cable or locked away in a fixed and secure drawer or cabinet when the work area is unattended or at the end of the workday. It is the user's responsibility to ensure that all security precautions are taken.
c) Passwords shall not be posted on or under a computer or in any other accessible location.
d) Information classified as Restricted or above shall not be left on meeting room whiteboards and tables after meetings have concluded.
e) Users shall collect printed documents immediately from printers, fax machines and photocopiers and shall not leave sensitive data or confidential information in the printing facilities.
f) Photocopiers, printers and other printing machines available in the printing facilities of ADWEA shall be used for business purposes only.
a) Computers and devices provided by ADWEA, or used to access or store ADWEA data, shall be screen-locked and password-protected when left unattended for any period of time.
b) Users shall properly log out of systems and applications when a session is finished.
c) Users shall save critical business data on the ADWEA share drive.
8.3.9. VoIP
a) VoIP services that use the public Internet are prohibited. This includes, but is not limited to, any service, software or hardware that uses the public Internet as its means of communication.
8.3.10. Removable Media
a) Users shall not plug personal removable media into corporate devices, and shall not plug removable media containing corporate data into their personal devices.
b) Removable media containing data classified as Confidential or higher shall be encrypted.
c) Removable media containing corporate data classified as Confidential or higher shall not leave ADWEA premises unless required in the performance of authorized, assigned duties, and a record shall be kept.
d) Users shall not plug unknown removable media into corporate devices or devices connected to the ADWEA network.
8.3.11. Compliance
a) Users shall comply with this policy and any other related acceptable use policies for any specific information asset.
I hereby certify that I have read and fully understand the contents of the Acceptable Use Policy. My signature below certifies my knowledge, acceptance and adherence to the ADWEA Group Acceptable Use Policy.
Name:
_________________________________________________________________
Company:
_________________________________________________________________
File Number:
_________________________________________________________________
Date:
_________________________________________________________________
Signature:
_________________________________________________________________