About the Information Technology Policy System


The Information Systems Security Policy intranet site has been designed as HTML pages using Microsoft FrontPage 2003.  The pages have been optimised to display at a screen resolution of 1024 x 768, but can be used at other settings with scrollbars.  The index.htm page should be set as the default so that any intranet or desktop links take the user directly to the main index, from which all other links can be accessed.  The font style is Verdana.


Each policy has its purpose and scope defined and, where appropriate, is broken down into separate sections for Users, Management and Technical staff.  Managers are also system users, so it is recommended that they become familiar with both the User and Management sections.  Managers of technical staff will also need to be aware of the Technical policies.


The Welcome page opens in the body of the index page.  This page explains why we need the policies and how to search for the information you need.  It also includes helpdesk and feedback email links.


The Glossary provides a comprehensive list of the definitions used in this site, and the Topic Index consists of an A-Z list of subjects to provide a quick way of getting to the information you need.  The Policy Summary page explains the purpose of each policy and also links to the full document.


Refer to the Navigation Tips for information on how to get to specific information and on printing.


A printable version of each policy can be accessed from within the main policy document by clicking on the link at the top of the page.


Version 3.0 of the IT Policy System was released on 20th November 2004.  This version includes full referencing to the ISO 17799 Information Technology Code of Practice for Information Security Management adopted by Standards New Zealand.  This feature has been included to define best practice and to ascertain the extent to which the organisation meets its compliance objectives.  Using this feature it is possible to compare actual on-site practices with the objectives stated in the New Zealand standard.  This is achieved by matching corporate policies to the provisions of the code of practice and then physically checking for evidence of compliance with each policy.  If corporate policy satisfies the provisions of the code of practice, and the evidence shows that practice matches policy, then compliance with the standard is achieved.


This release also includes new menu code to fix display problems previously experienced with some browsers.  In some cases links to existing company procedural and operational documentation, or to other corporate policies, are included.  The following symbols may be used:-


Link to a form, document or a log

Help

Explanation

Where another Information Systems policy relates to, or expands on, the subject

Link to a procedure

Reference to ISO 27002

Reference to SIGS (Security in the Government Sector Policy)

Reference to BS 25999

Reference to SOX Section 404

Reference to the PCI DSS Standard

Where another corporate policy has a connection with the Information Systems policy

Link to an external website


Version 4.0, completed on 20th May 2005, includes full referencing of the policies to SIGS and a comprehensive mapping between SIGS and ISO 17799.  The Personnel Management Policy has been redeveloped and expanded, and the Physical Access Policy has been reformatted along with its menu structure.  A new section has been added to the Communications Equipment Policy to deal with Bluetooth, and an additional policy covering PDAs has been added to the Computer Systems and Equipment Use Policy.  In the Network Management Policy the section on wireless LANs has been expanded.  The content of each policy has been revised in line with a more pragmatic approach.


Version 5.0, completed on 30th November 2005, incorporates the revision of ISO 17799.  A new version of this standard was ratified in June 2005.  Three new chapters have been added to the standard, and more emphasis has been placed on dealing with security incidents, risk assessments and analysis.  Explanations have been incorporated into drop-down boxes so that policy documents do not appear as complex or as long.  The colour scheme has been amended.  The Personnel section has been completely revised and expanded.

Sections added or extensively modified in ISO 17799: 2005 are:-

4.1, 4.2, 6.2.2, 7.1.2, 7.1.3, 8.2.1, 8.3.1, 8.3.2, 8.3.3, 9.2.2, 10.2.2, 10.2.3, 10.4.2, 10.8.2, 10.9.2, 12.3.1, 12.5.4, 12.6.1, 13.2.1

Many existing policies have been additionally referenced to these sections.

Policies added in this revision are:-

Business Continuity Policy 3.1.5 - Risk Assessment

Business Continuity Policy 3.1.6 - Critical assets and resources documented

Computer Systems and Equipment Use Policy 1.3.24 - Music CDs

E-Commerce Policy 2.10 - Controlling mobile code

E-Commerce Policy 2.11 - Online transactions

Email Policy 1.1.10 - Accessing personal webmail accounts

Hardware Management Policy 2.2.13 - Removable media drives

Information Management Policy 1.4.7 - Information in transit

Network Management Policy 2.11 - Management of Network Resources

Network Management Policy 2.12 - Blocking mobile code

Network Management Policy 2.13 - Monitoring logs turned on

Password and Authentication Policy 1.2.4 - Separate passwords required for work and home

Software Management Policy 1.19 - Test Systems

Software Management Policy 1.20 - Security controls for new IT projects

Software Management Policy 2.4 - Archiving old versions of application software

Remote Access Policy 2.4.1 - Service Level Agreements


Version 7.0 renames ISO 17799 to ISO 27002.


© 2004 All Rights Reserved Kaon Security Ltd