
Information Security Policy Review
Version: 1.1

HPL Information Security Policy Version 1.1


Outline
• HPL Information Security Policy 1.0 in Brief
• Why is revision necessary?
• Types of Security Policy
• Information Security Management Systems (ISMS)
• ISO/IEC 27002 Standard
• Revised Policy

HPL Information Security Policy 1.0 in Brief
◇ HPL has an Information Security Policy signed on April’04, 2018.
◇ The policy covers security for the following areas:
• Access Control for electronically held information
• Usage of Network/Local/Removable Drives
• Protection of IT facilities
• Use of Electronic Mail
• Internet usage policy
• What users should not do
• Definition of Inappropriate Materials
• Disciplinary Action

Necessity of Revision
• The Information Security Management System (ISMS) has defined its policy standard as “ISO/IEC 27001:2013”, which is not fully covered by the existing policy.
• The data backup policy is described very narrowly in the existing policy.
• A data recovery and restoration policy is absent.
• The e-mail policy requires review.
• Inappropriate material needs a proper definition.
• The existing policy has no monitoring policy for its standards.
• IT audit is absent.

Types of Security Policy
There are 3 types of security policy in terms of organizational security:
• General Security Policy (will be covered by ISO/IEC 27001:2013)
• Issue Specific Policy
• System Specific Policy

Issue Specific Policy
Issue Specific Policy (ISSP) will cover the following areas:
• Electronic mail
• Use of the Internet
• Specific minimum configurations of computers to defend against worms and viruses
• Prohibitions against hacking or testing organization security controls
• Home use of company-owned computer equipment
• Use of personal equipment on company networks
• Use of telecommunications technologies (fax and phone)
• Use of photocopy equipment
• Use of printers

System Specific Policy
System specific policy will cover the following areas:
• Access Management
• Data Backup Policy
• Data Recovery and Restoration Policy

Information Security Management System
ISMS policy is a standardized policy for organizational security.
Why should we implement this?
Reasons:
• Secures your information in all its forms.
• Increases your resilience to cyber attacks.
• Provides a centrally managed framework.
• Creates a new way of thinking about information security.
• Offers organization-wide protection.
• Improves company culture.
• Protects the confidentiality, integrity and availability of data.

ISO/IEC 27002 Standard
• ISO/IEC 27002 is the established policy standard for ISMS.
• HPL can maintain the standard and apply for certification.
• Implementation of this policy will improve the organizational culture and value.

Revised Policy- I
Security of information and content:
• The company is the owner of any sort of information held.
• No one is allowed to delete, modify, copy or transfer any information, or attempt to do so, without prior approval from the authorized authority.
• If the company considers any information to be confidential or vulnerable, the company can encrypt that information as required.
• The encryption method may vary based on the weight given to the information.

Revised Policy- II
Review suggestion for access control:
• Passwords are highly confidential property.
• Passwords must not be shared with anyone, except with the IT/MIS department for support purposes.
• It is advised to change the default password as soon as the device is handed over from IT/MIS.
• Passwords should be at least 8 characters long.
• Passwords will be a combination of alphanumeric characters.
• Passwords should be changed at an interval of 90 days.

Revised Policy- III
Revised Usage of Information Technology Resources:
• Employees can use IT resources for occasional personal use.
• Such use must not interfere with the execution of their duties.
• It is strictly prohibited to use the company’s IT resources for personal financial gain.
• No activity should be performed which can affect the company’s network.
• Without proper permission from the top team or the MIS/IT department, no one is allowed to connect the company’s IT resources to the Internet via dial-up, wireless or modem.

Revised Policy- III (Cont)
Revised Usage of Information Technology Resources:
• Each and every IT resource provided by the company will be under Active Directory.
• The company can monitor the activities at any time.
• Installation or use of private software on the company’s IT resources is strictly prohibited.
• Employees are instructed to lock their monitor when leaving their workstation during office hours.
• After office hours, or when leaving the workstation for more than 2 hours, the device must be shut down.
• Employees are not allowed to take their devices (i.e. laptop/notebook) out of the office premises.

Revised Policy- III (Cont)
Revised Usage of Information Technology Resources:
• If it is nevertheless necessary to take resources out of the office premises, the employee must take permission from the Head of IT/MIS through the proper authorized channel.
• The security of information in cloud storage will be treated just like that of any other stored information.

Revised Policy- IV
Revised Usage of Information Technology Resources:
• Employees must not create, use, edit or spread any information, news or message using company resources which is against the law of the People’s Government of Bangladesh or violates cyber security law.
• The company will always have the authority to block any service or site that seems dangerous for the company and its resources.
• Employees are requested to monitor their anti-virus activity and are instructed to report to the IT/MIS department in case of observing any abnormal activity.

Revised Policy- V
Revised Usage of Network/Local/Removable Drives:
• Inserting any sort of USB flash device (pen drive, portable HDD), CD/DVD or SD card into a company device is strictly prohibited.
• To enable such devices on a company device, permission from MIS/IT will be given after the recommendation of the manager. The concerned person is requested to take written approval from the supervisor mentioning the justification and submit it to the Head of IT.

Revised Policy- VI
Revised Personal Device Policy:
• Employees are allowed to bring their own devices.
• To connect such devices (laptop/network) to the company network, permission from MIS/IT will be given after the recommendation of the manager.
• Employees should not perform any activity using their own device which can jeopardize the security of the company (security of data and intellectual property).

Revised Policy- VII
Data Backup Policy:
• Employees will be responsible for the security and storage of their operational and functional data.
• Employees will remain fully responsible for the regular backup of important data on the disks of their personal computer and other equipment.
• Using cloud storage is always welcome.
• Data and information held on portable notebook or laptop computers must be kept to a minimum, and only for the duration required.

Revised Policy- VIII
Revised Mail Policy:
• Employees must use the official mail ID for communication. A response from any other sort of mail ID will be considered unofficial.
• Attachments from any unknown source via e-mail must not be opened.
• Reduce acknowledgement e-mails or cc’ing people unless specified.
• Set clear subject lines with key words that aid identification of the topic.
• Keep to one subject per e-mail.
• Consider alternatives to attachments, such as a link or copying the relevant text.

Revised Policy- VIII (Cont)
Revised Mail Policy:
• The official e-mail address is advised to be used only for official purposes. Employees are requested not to connect the official e-mail ID with any social network.
• Employees are requested to regularly delete messages according to the current record management schedule.

Revised Policy- IX
Revised Printer Policy:
• An employee must know his/her default printer.
• Printouts must be collected immediately after printing finishes.
• When printing larger documents, announcing it will be considered good practice.
• If for some reason IT/MIS operations has to change or relocate any printer in the domain, users must be given prior notification.

Revised Policy- X
Review suggestion for Controlling and Monitoring:
• There should be a governing committee for controlling and monitoring the established policy.
• The committee will be responsible for periodic IT audit.
• IT audit can be performed bi-annually.
• All audit results must be stored.

Miscellaneous
• Employees are instructed to report any abnormal, unusual or suspicious activity on the network, or on devices connected to the network, to the MIS/IT department.
• Employees must follow this Information Security Policy and the ICT Act developed by the GoB.

Thanks!
Any questions?
