Welcome

Welcome to the IT Policy and Procedures internal website for the Fake Chicken Company.

Definition and Scope of IT Security

IT Security is all about keeping corporate information safe.  The policies address the need to protect confidential and sensitive information from disclosure, unauthorised access, loss, corruption and interference, and apply to information in both electronic and physical formats.  Security can be defined by three properties:-

  • Confidentiality - information must not be made available or disclosed to unauthorised individuals, entities, or processes
  • Integrity - data must not be altered or destroyed in an unauthorised manner, and accuracy and consistency must be preserved regardless of changes
  • Availability - information must be accessible and useable on demand by authorised entities

What You Need to Know

Inappropriate or unauthorised use of computer systems, communications systems and networks may expose The Fake Chicken Company to security threats and a wide range of legal issues.  These policies have therefore been designed to protect users, stakeholders and The Fake Chicken Company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly.

Most of the IT Security Policies are based on plain old common sense and you are required to understand your obligations.

Why We Introduced the Policies

The Fake Chicken Company exists in an ever-changing technological world.  To ensure we can continue to operate in this environment and continue to do business, we must be more aware of security issues and of the measures that protect the company's key assets, ie:-

  • Its people
  • Its business and the infrastructure to support the business
  • Its products and services

Security attacks against organisations like The Fake Chicken Company are increasing all the time and we must ensure our systems can be protected against these threats.  The first step in achieving this is to document the rules around system configuration and system use.  By complying with the rules we are doing everything we can to protect our systems and our people from a security threat.

Please remember the policies have been introduced to protect you as much as The Fake Chicken Company.

What the Policies Do

  • They provide the Computer Security framework for The Fake Chicken Company as an organisation.
  • They help protect the assets of The Fake Chicken Company.
  • They provide a uniform level of control and guidelines for management.
  • They provide one Computer Security message to all.
  • They advise you as to what the Computer Security controls and guidelines are.

How the Policies are Arranged

The policies are set out by category of user.  Everyone who uses computer systems, communications systems or networks that make up The Fake Chicken Company's computing environment should be familiar with the policies listed under the heading User.  Managers should be familiar with both the User policies and the Management Policies and Technical staff need to be familiar with the policies listed under Technical.  Supporting documents are available under "Other Documents".

The Fake Chicken Company's Obligations

The Fake Chicken Company management team shares the responsibility for information security to ensure that:-

  • The Information Systems Security Policies are approved, published, communicated, reviewed and continue to meet business needs

  • That any significant change in the exposure of information to security threats is identified and managed

  • All security incidents are monitored and reviewed

  • Major initiatives to improve information security are approved and authorised

  • Information security controls across the organisation are co-ordinated

  • Responsibilities for the protection of information and information system assets are clearly defined and allocated

  • The appropriate structure is implemented to effectively manage information security

  • The purpose, use and implementation of any new information processing facilities is approved

Equipment is provided to all computer system users so they are able to perform their duties and The Fake Chicken Company is responsible for ensuring that you know how to use the equipment and systems correctly and are aware of the policies and staff security responsibilities.

Your Obligations

It is the responsibility of every staff member, temporary employee, contractor and third party user to ensure they are familiar with the policies and abide by them.  For systems to remain secure and information protected everyone must read, understand and comply with the Information Systems Security Policies.

Non-Compliance

As these policies have been put in place to protect both The Fake Chicken Company and the users, The Fake Chicken Company has an expectation that they will be complied with.  A serious breach of any policy is considered to be a violation of the staff code of conduct, contract for service, or agreement between The Fake Chicken Company and a third party and will be handled accordingly.

What to do Next

To find out what each of the policies is about look at the Policy Summary.  This document outlines the purpose of each policy and provides a direct link to the complete policy document. 

Check out the Top 20 Key Points for Users first.  This is just an appetiser and lists the most important things that you, as users, need to know. 

Security is a common sense practice and the policies go a long way to cover off the areas to look out for and be aware of but they are not the be all and end all. Security is everyone's responsibility and we may discover additional security issues or loopholes while performing our daily tasks.  If you discover anything unusual, please contact Hen Rietta.

Need Some Help?

If you are unsure what something means, try the Glossary which will provide a definition.  If you need help or have any questions or issues please e-mail the Information Systems Helpdesk.

Can't Find What You're Looking For?

If you're interested in a particular topic then you might want to try the Topic Index, which lists a series of topics in alphabetical order.

Limitations of Use

The Information Systems Policies listed below have been developed by Kaon Security Ltd under copyright.  Kaon Security Ltd gives consent to The Fake Chicken Company to reproduce, store and transmit the documents for internal use only.  These documents will not be used in whole or in part for any purpose other than the purpose for which they were provided.  Under no circumstances shall Kaon Security Ltd be liable to anyone for direct, special, incidental, collateral or consequential damages arising out of the use of this material.

Compliance with ISO 27002 Standard

ISO 27002 is the code of practice adopted by New Zealand and many other countries around the world as a common basis for developing organisational security standards and effective security management practices.  The joint Australian/New Zealand adoption of the code was prepared by Joint Technical Committee IT-012, Information Systems, Security and Identification Technology.  It was approved on behalf of the Council of Standards Australia and the Council of Standards New Zealand on 4th May 2001 and was published on 8th June 2001, replacing AS/NZS 4444:1999.  At that time the code of practice carried the number ISO/IEC 17799; it was reviewed and updated in June 2005 and was subsequently renumbered ISO/IEC 27002.

Compliance with the ISO 27002 code of practice assists with achieving ISO 9000 certification and provides evidence that security is taken seriously by management.  Note that formal certification is against ISO/IEC 27001 (the management system requirements); ISO 27002 itself is guidance on controls and is not a certifiable standard.  Trading partners, shareholders, stakeholders and other third parties with a vested interest in The Fake Chicken Company can have confidence that the company is acting responsibly in protecting its computer systems and the information stored within them from the risk of a serious security breach that could potentially affect the company's profitability.

The 22 Information Systems Security Policies included in this mini-web have been fully referenced to ISO 27002.  Using these references it is possible to ascertain the extent to which the organisation meets internal compliance objectives, adheres to best practice and satisfies the provisions of the code.  It also assists in complying with the following international codes, acts and standards:-

  • IS18 - Code of Practice (Queensland, Australia)

  • HIPAA - The Health Insurance Portability and Accountability Act (USA)

  • GLBA - The Gramm-Leach-Bliley Act (USA)

  • Sarbanes-Oxley Act (USA)

  • European Union Data Protection Directive (EU)

Compliance with Security in the Government Sector (SIGS) Policy

The Government requires that information important to its functions, its official resources and its classified equipment is adequately safeguarded to protect the public and national interests and to preserve personal privacy. This policy addresses the protection of the Confidentiality, Integrity and Availability (as defined above) of all official information. Official information includes information that is produced, transmitted, and stored in electronic form. This policy also addresses the classified equipment used to produce, transmit and store official information.

The 22 Information Systems Security Policies included in this mini-web have been fully referenced to the SIGS Policy.  Using these references it is possible to ascertain the extent to which the Government agency meets internal compliance objectives and satisfies the requirements of the Policy.

SIGS has also been fully referenced to the ISO 27002 standard.

Compliance with BS 25999 Standard

The BS25999 Standard was developed by practitioners throughout the business continuity community, drawing upon their academic, technical and practical experiences of business continuity management (BCM).  It has been produced to provide a system based on good practice for business continuity management and is intended to serve as a single reference point for most situations where business continuity management is practised and to be used by large, medium and small organisations in industrial, commercial, public and voluntary sectors.

The 24 IT Policy documents included in the IT Policy System have been referenced to BS25999 where appropriate.  Using these references it is possible to ascertain the extent to which the company meets internal compliance objectives and satisfies the requirements of the Standard.

Compliance with Sarbanes Oxley (SOX) Section 404

Management Assessment Of Internal Controls

(a) RULES REQUIRED- The Commission shall prescribe rules requiring each annual report required by section 13 of the Securities Exchange Act of 1934 (15 U.S.C. 78m) to contain an internal control report, which shall--

(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) INTERNAL CONTROL EVALUATION AND REPORTING- With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

The 24 IT Policy documents included in the IT Policy System have been referenced to SOX Section 404 where appropriate.  Using these references it is possible to ascertain the extent to which the company meets internal compliance objectives and satisfies the requirements of Section 404.

Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS describes the 12 Payment Card Industry (PCI) Data Security Standard (DSS) requirements that apply to organisations that process credit card payments or hold credit card data.  These requirements are organised into 6 logically related groups, the "control objectives".

PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.

These security requirements apply to all “system components.” System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.
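A practical way to apply that scoping rule is to check whether PAN actually appears where it should not (application logs, database exports, shared drives) before declaring a system out of scope.  The Python scan below is an added example for this page and is not part of the Kaon Security policy set: it looks for 13 to 19 digit sequences written with or without spaces and hyphens, keeps only those that pass the Luhn check that card numbers satisfy, and reports each hit masked to the first six and last four digits so that the scan output does not itself become a PAN store.  The log lines are constructed for the example and use published test card numbers, not real PANs; the function and class names are the example's own.

```python
"""PAN discovery scan: find Luhn-valid card numbers in text to decide PCI DSS scope.

Added example for this page (not Kaon Security code).  Names and sample data are
the example's own assumptions.
"""
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens (the usual ways a card number is written).  Word boundaries keep the
# pattern from matching the middle of a longer digit run such as a hash or
# numeric timestamp.  This is a heuristic; the Luhn check below does the work
# of rejecting order numbers and phone numbers that happen to be long enough.
_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check used by card PANs."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and fold
    # two-digit products back to a single digit (d - 9 == sum of its digits).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class PanHit:
    line_no: int
    masked: str


def find_pans(text: str) -> list[PanHit]:
    """Scan text line by line; return Luhn-valid 13 to 19 digit candidates, masked."""
    hits: list[PanHit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append(PanHit(line_no, mask_pan(digits)))
    return hits


# Constructed sample: an application log that should never have carried PANs.
# Line 1 has a 16-digit order number that fails Luhn; line 2 a Visa test PAN
# written with spaces; line 3 a phone number; line 4 a Mastercard test PAN;
# line 5 a PAN that is already masked and so should not be reported.
SAMPLE_LOG = """\
2009-03-31 10:01:02 INFO  order=1234567890123456 status=paid
2009-03-31 10:01:03 DEBUG card=4111 1111 1111 1111 exp=12/10 cvv=123
2009-03-31 10:01:04 INFO  customer phone 0211234567 callback requested
2009-03-31 10:01:05 DEBUG card=5555555555554444 token issued
2009-03-31 10:01:06 INFO  receipt card=411111******1111 amount=49.95
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LOG):
        print(f"line {hit.line_no}: PAN found, masked {hit.masked}")
```

Run as a script it reports lines 2 and 4 only.  A system whose logs or data stores produce hits is storing PAN and is inside the cardholder data environment, whatever the network diagram says; segmentation only reduces scope if the scan on the supposedly out-of-scope side comes back clean.  The Luhn check removes most false positives but is not proof, so any hit against a real data store should be confirmed by hand before it is reported.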

Regulatory Framework

Parliamentary Acts

  • Archives, Culture and Heritage Reform Act 2000
  • Privacy Act 1993
  • Electronic Transactions Act 2002
  • Copyright Act 1994
  • Crimes Amendment Act 2003
  • Official Information Act 1982
  • Companies Act 1993
  • Local Government Act 1974
  • Local Government Act 2002
  • Local Government Official Information and Meetings Act 1987
  • Building Act 1991
  • Resource Management Act 1991

The policies also comply with the standards and codes set out above (ISO 27002, SIGS, BS 25999, SOX Section 404 and PCI DSS).

Monitoring and Review

These policies will be monitored and reviewed regularly to ensure that they remain relevant to The Fake Chicken Company's business aims and objectives, and whenever new or upgraded technology is introduced.  A policy review may also be instigated following a security incident, in order to prevent a similar occurrence.

The IT Manager will monitor staff compliance with the policies and their associated standards and procedures on an ongoing basis.  Training needs will be identified, and repeated non-compliance will be escalated to Senior Managers and above.

The IT Policy System has been reviewed as follows:-

Description                               Date of Release     Date of Next Review
Creation of Policy System Version 6.1     20 November 2004
Version 4.0                               20 May 2005
Version 5.0                               30 November 2005
Version 5.1                               30 May 2006
Version 6.0                               30 July 2006
Version 6.1                               20 December 2006
Version 7.0                               31 March 2007
Version 8.0                               31 March 2008
Version 9.0                               31 March 2009

Please Give Us Your Feedback

We are keen to improve how this site works and to do that we rely on your input. Please feel free to pass on any suggestions or comments via e-mail to the Information Systems Helpdesk.

Authorisation

Hen Rietta, IT Manager

Date:  1st July 2005

© 2004 All Rights Reserved   Kaon Security Ltd     Release Version 4.0    20/5/2005