Information Security Policy Version1.001 Revised
Policy
Review Version: 1.1
HPL Information Security
Policy 1.0 in Brief.
◇ HPL has an Information Security Policy signed on April’04, 2018.
◇ The policy covers security for the following areas:
Access Control for Electronically held information.
Usage of Network/Local/ Removable Drives
Protection of IT facilities.
Use of Electronic Mail
Internet usage policy.
What users should not do.
Definition of Inappropriate Materials.
Disciplinary Action.
Necessity of Revision
The INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS) has defined its policy standard as “ISO/IEC 27001:2013”, which is not fully covered by the existing policy.
Data backup policy is very narrowly described in the existing policy.
Data recovery and restoration policy is absent.
The e-mail policy needs to be reviewed.
Inappropriate material is not properly defined.
There is no monitoring policy for the existing policy standards.
Absence of IT audit.
Types of Security Policy
There are 3 types of security policy in terms of organizational security:
General Security Policy (will be covered by ISO/IEC 27001:2013)
Issue Specific Policy
System Specific Policy.
Issue Specific Policy
Issue Specific Policy (ISSP) will cover the following areas:
Electronic mail
Use of the Internet
Specific minimum configurations of computers to defend against worms and viruses.
Prohibitions against hacking or testing organization security controls.
Home use of company-owned computer equipment.
Use of personal equipment on company networks
Use of telecommunications technologies (FAX and Phone)
Use of photocopy equipment.
Use of Printer
System Specific Policy
System specific policy will cover the following areas:
Access Management.
Data Backup Policy.
Data Recovery and Restoration Policy.
Information Security
Management System
ISMS policy is a standardized policy for organizational security.
Why should we implement this? Reasons:
Secures your information in all its forms.
Increases your resilience to cyber attacks.
Provides a centrally managed framework.
Creates a new way of thinking about information security
Offers organization-wide protection
Improves company culture
Protects the confidentiality, integrity and availability of data
ISO/IEC 27002 Standard
ISO/IEC 27002 is the established policy standard for ISMS.
HPL can maintain the standard and apply for certification.
Implementation of this policy will improve the organizational culture and value.
Revised Policy-I
Security of information and content:
Revised Policy- II
Review suggestion for access control:
Revised Policy- III
Revised Usage of Information Technology Resources:
Revised Policy- III (Cont)
Revised Usage of Information Technology Resources:
Revised Policy- IV
Revised Usage of Information Technology Resources:
Revised Policy- V
Revised Usage of Network/Local/ Removable Drives:
Inserting any sort of USB flash device (pen drive, portable HDD), CD/DVD or SD card into a company device is strictly prohibited.
Permission to use such a device on a company device will be given by MIS/IT after the recommendation of the manager. The concerned person is requested to take written approval from the supervisor, mentioning the justification, and submit it to the Head of IT.
Revised Policy- VI
Revised Personal Device Policy:
Revised Policy- VII
Data Back up Policy:
Revised Policy- VIII
Revised Mail Policy:
Employees must use the official mail ID for communication. A response from any other sort of mail ID will be considered unofficial.
Attachments from any unknown source received via e-mail must not be opened.
Reduce acknowledgement e-mails and cc’ing people unless specified.
Set clear subject lines with key words that aid identification of the topic.
Keep to one subject per e-mail.
Consider alternatives to attachments, such as a link or copying the relevant text.
Revised Policy- VIII (cont)
Revised Mail Policy:
Revised Policy- IX
Revised Printer Policy:
Revised Policy- X
Review suggestion for Controlling and Monitoring:
Miscellaneous
Employees are instructed to report any abnormal, unusual or suspicious activity on the network, or on devices connected to the network, to the MIS/IT Dept.
Employees must follow this Information Security Policy and the ICT Act developed by GoB.
Thanks!
Any questions?