Monday, May 27, 2019
ICT Policy and Server Room Proposal for a Small Firm
INFORMATION COMMUNICATION TECHNOLOGY POLICY DOCUMENT

INTRODUCTION

Information and Communications Technology security addresses serious issues and how to effectively apply and maintain information systems, thereby facilitating the protection of critical, valuable and confidential information together with its associated systems. Most people are likely to appreciate the magnitude and severity of the loss or theft of confidential designs for a new product. However, they do not always recognise the potential insecurity, and the consequential result, of seemingly innocent activities, such as copying software, copying the corporate database onto their laptop computer, or not documenting changes made to their systems.

The purchase and installation of hardware and software requires those involved to consider carefully the Information Security issues involved in this process. Careful consideration of the company's business needs is paramount, as it is usually expensive to make subsequent changes. Analysis of user requirements against the various benchmark test results will establish the best choice of server/software to be purchased. Installation of new equipment must be properly considered and planned to avoid unnecessary disruption and to ensure that the IT & T Policy issues are adequately covered.

The issue of IT consumables is also looked into. These are expensive and should be properly controlled both from an expense perspective and from an Information Security perspective. Valuable items should always be kept in a secure environment to avoid damage or loss.

OBJECTIVES

To develop an Information Communication Technology policy for the KPLC Retirement Benefits Scheme that introduces efficient and effective use of IT systems and in turn facilitates the smooth running of the secretariat.
MISSION STATEMENT

To strive to provide nothing but the best means of information and telecommunications services to the secretariat as a whole.

DEFINITION OF ICT POLICY

A set of rules, regulations, procedures and plans of action for the administration of equipment, resources and services in the ICT unit.

TERMS OF REFERENCE

The aim of this document is to:
i) Analyse procedures and practices that are currently in use and identify those that can be reinforced or changed.
ii) Draw up a timed plan for the smooth transition from the use of KPLC systems and resources.
iii) Review policies applied elsewhere to facilitate broad knowledge and adapt ideas fitting to our environment.

TABLE OF CONTENTS

INFORMATION COMMUNICATION TECHNOLOGY POLICY DOCUMENT
INTRODUCTION
TABLE OF CONTENTS
PREAMBLE
IT & T SYSTEM DESCRIPTIONS
1.0 PROCUREMENT OF HARDWARE, PERIPHERALS & OTHER EQUIPMENT
1.1 Purchasing and Installing Hardware
1.2 Cabling, UPS, Printers and Modems
1.3 Consumables
1.4 Working off premises or using out-sourced processing
1.5 Using Secure Storage
1.6 Documenting Hardware
1.7 Telecommunications equipment
1.8 Other Hardware Issues
1.9 Disaster Recovery Plans
2.0 CONTROLLING ACCESS TO INFORMATION & SYSTEMS IN THE SECRETARIAT
2.1 Controlling Access to Information and Systems
2.1.5 Controlling Access to Operating System Software
Managing Passwords
3.0 PROCESSING INFORMATION AND DOCUMENTS
3.1 Networks
3.2 System Operations and Administration
3.3 E-mail and the World Wide Web
3.4 Telephones & Fax
3.5 Data Management
3.6 Backup, Recovery and Archiving
3.7 Document Handling
3.7.3 Countersigning Documents
3.7.5 Approving Documents before dispatch
3.7.6 Signature Verification
3.8 Securing Data
3.8.4 Maintaining Customer Information Confidentiality
4.0 PURCHASING AND MAINTAINING COMMERCIAL SOFTWARE
4.1 Purchasing and Installing Software
4.2 Software Maintenance & Upgrade
4.3 Other Software Issues
5 COMBATING CYBER CRIME
5.1 Combating Cyber Crime
5.1.1 Defending Against Premeditated Third Party Cyber Crime Attacks
5.1.2 Minimising the Impact of Cyber Attacks
5.1.3 Collecting Evidence for Cyber Crime Prosecution
5.1.4 Defending Against Premeditated Internal Attacks
5.1.5 Defending Against Opportunistic Cyber Crime Attacks
6.0 COMPLYING WITH LEGAL AND POLICY REQUIREMENT
6.1 Complying with Legal Obligations
6.1.2 Complying with General Copyright Legislation
6.1.3 Complying with Copyright and Software Licensing Legislation
6.1.4 Legal Safeguards against Computer Misuse
6.2 Complying with Policies
6.3 Avoiding Litigation
6.3.3 Sending Copyrighted Information Electronically
7.1 E-Commerce Issues
7.2 Structuring E-Commerce Systems Including Web Sites
7.3 Securing E-Commerce Networks
7.4 Configuring E-Commerce Web Sites
7.5 Using External Service Providers for E-Commerce Delivery Channel
8.7 Cost Considerations
9.0 DEALING WITH PREMISES RELATED CONSIDERATIONS
9.1 Physical Security of Equipment and Assets
10.0 NETWORK SECURITY MEASURES
10.1 Data Network devices
10.2 System administration
10.3 System Auditing
10.4 Email Policies
10.5 The Internet
10.6 Computer desktop equipment
10.7 Human Resource Aspects Policies
10.8 Security Policy Auditing
10.9 Incidence Management and Responses
Reporting an Incident
What is Cybercrime?
10.0 Movement of Telecommunications Equipment
11.1 Setting Classification Standards
12.0 RETIREMENT OF OBSOLESCENCE OR OBSOLETE EQUIPMENT
12.1 Setting New Hardware Standards
12.2 Methods of assessing old and inapt Software/hardware
12.3 Hardware and software obsolescence
12.4 RBS Depreciation Factors for Defining Old Or Inapt Equipment
13.0 APPENDIX 1
13.1 LIST OF SPARES & ACCESSORIES
14.1 GLOSSARY & REFERENCES

PREAMBLE

It is necessary for one to be familiar with the various Information Technology and Telecommunications Systems that the company has acquired and installed over the years. This document provides a description of these systems as well as the policies formulated in regard to these IT & Telecommunications systems.

IT & T SYSTEM DESCRIPTIONS

1. Telephony
The telephone network for RBS consists of the public interconnected network, using automatic branch exchanges (PABX) which connect us to the public network through telecommunication service providers, and a private branch network (PBX) which is housed in our commercial office premises and lets us communicate within the premises by extension numbers.

2. Computer Data Systems
These are composed of the data network hubs and switches which make up the Local Area Networks (LANs) and the routers which interconnect the LANs. Each LAN is composed of passive data networks, servers and PCs that use the network and are thus able to exchange information and data throughout the enterprise.

3. System Software and Data
System software is the general term used to describe the many software programs, drivers and utilities that together enable a computer system to operate. One of the main components of system software is the operating system of the computer, e.g. Microsoft Windows XP Professional.

4. Data
Data, in the language of information technology, means the individual elements that comprise the information and can be processed, formatted and re-presented so that it gains meaning and thereby becomes information. Here we are concerned with the protection and safeguarding of that data/information which, in its various forms, can be identified as Business Assets or Information Assets.
The terms data and information can be used somewhat interchangeably but, as a general rule, information always comprises data, whereas data is not always information.

ICT SYSTEMS DESCRIPTIONS

DESCRIPTION OF THE RBS SYSTEM

Open Retirement Benefits Scheme System
The system is used for the administration of employee and employer contributions into the RBS Fund. It has a database of member details together with their dependants. This is used when benefits are to be calculated for deceased persons and withdrawing members. The system also has a pensioners' payroll used to pay all pensioners, whether retirees or widows and orphans. Group Life for all employees and the issue of Death Expense is also maintained and administered in the system.

Database Management Systems
The secretariat database is managed using the ORACLE database management system (DBMS). Oracle databases are relational, so data is stored in them in row-column (table) format. All the company data is stored and managed using ORACLE.

WINDOWS NT ENVIRONMENT

The Windows NT environment operates in domains. A domain is a collection of computers and users, defined by the administrator of a Windows NT Server network, that share a common directory database. A domain provides access to the centralised user accounts and group accounts maintained by the domain administrator. Each domain has a unique name.

Windows NT Environment
In the current WAN model of KPLC there is a single master domain called KPLCSTIMA. KPLCSTIMA is also the main account domain, and KPLCNET is the Internet resource domain. A child domain known as RBS.KPLCSTIMA will be created from the master domain and will have a trust relationship with it. This will give us more control of our systems and semi-autonomy from the KPLC systems. It will be installed with the Windows Server 2003 Standard Edition operating system, which will provide the following services at RBS:
1. File and Print sharing.
2.
Microsoft Exchange Services to host the resident staff members' mailboxes and enable efficient sending and receiving of internal/Internet mail and, if need be, also provide storage of the mailboxes.
3. Anti-virus Software.
4. Systems Management Server for network management.
5. Internet Browsing.
6. To allow for faster downloads of the application updates.
7. To enable the efficient installation and periodic updates of the PC anti-virus in the local area network.
8. For faster and seamless logon of client PCs to the network.

Our application, i.e. the RBS system, is already running on a stand-alone server and will continue that way to ensure system stability and integrity. The new system will also run on its own stand-alone server for the same reason.

The primary domain controller (PDC) tracks changes made to domain accounts. Whenever an administrator makes a change to a domain account, the change is recorded in the directory database on the PDC. The PDC is the only domain server that receives these changes directly. A domain has one PDC. A backup domain controller (BDC) maintains a copy of the directory database. This copy is synchronised periodically and automatically with the PDC. BDCs also authenticate user logons, and a BDC can be promoted to function as the PDC. Multiple BDCs can exist in a domain.

Client PCs
Currently there are four PCs and two laptops in the secretariat, all running Windows XP as the desktop operating system and networked using the Windows NT operating system of the KPLC master domain. All PCs have MS Office 2003/2007 as the office desktop application. The PCs have between 256 and 512 MB of RAM. All the PCs run the Microsoft TCP/IP protocol and use USER LEVEL access on the network.

Microsoft Exchange Server
Microsoft Exchange Server is used for electronic messaging in and out of the organisation. Exchange is organised into entities called sites, each consisting of one or more servers containing mailboxes and public folders.
Mailboxes are where a user's messages are kept, each user having a single mailbox, whereas public folders are like notice boards, containing information that is shared between multiple users. Intra-site communication has to occur at high speed and with high reliability. Inter-site communication can occur at lower speeds. In addition to local messaging, there is Internet messaging, implemented via the Proxy Server.

Anti-Virus Software
McAfee's Total Virus Defence software is the current company guard against viruses. The software is loaded on all systems and on the Exchange server, and protects against viruses being distributed. A group of computers and the server that manages them is called an Anti-virus Domain. The anti-virus server downloads new versions automatically from the McAfee website on the Internet. Once the new software version is downloaded, the system administrator configures it for distribution. It also alerts the system administrator to pull the latest versions to the Anti-virus Server.

Internet
Microsoft Proxy Server provides an easy, secure way to bring Internet access to every desktop in an organisation. The proxy server is a gateway between the company's network and the Internet. A gateway is special software, or a computer running special software, that enables two different networks to communicate. The gateway acts as a barrier that allows you to make requests to the Internet and receive information, but does not allow access to your network by unauthorised users.

1.0 PROCUREMENT OF HARDWARE, PERIPHERALS & OTHER EQUIPMENT

1.1 Purchasing and Installing Hardware

This chapter deals with the Information Technology and Security issues relating to the purchase, use or maintenance of equipment through which information is processed and stored.

1.1.0 Procurement of Hardware, Peripherals and Other Equipment

Policy Statement
All purchases of new systems hardware or new components for existing systems must be made in accordance with Information Security and other organisation policies, as well as technical standards. Such requests to purchase must be based upon a User Requirements Specification document and take account of longer-term organisational business needs.

The purchase and installation of hardware requires those involved to consider carefully the Information Security issues involved in this process. This section covers the key areas to be considered.

1.1.1 Specifying Information Security Requirements for New Hardware

The purchase of new computers and peripherals requires careful consideration of the business needs because it is usually expensive to make subsequent changes.

ICT Issues to consider / Action Required

Issue: The system must have adequate capacity or else it may not be able to process your data.
Action: Estimate the current and potential load on the system. For critical applications ensure that the system is reliable and of high quality. Select a supplier with a proven track record, who is likely to be in business for the life of the hardware.

Issue: Data must be adequately protected, otherwise there is a risk of loss or accidental / malicious damage.
Action: Determine the type of safeguards necessary for the information concerned and ensure that the hardware is capable of supporting the required features, e.g. the type of operating system and attached devices. See Classifying Information and Data.

Issue: Where hardware maintenance is poor or unreliable, you greatly increase the risk to the organisation because, in the event of failure, processing could simply STOP.
Action: Choose a supplier with a proven track record, who is likely to be in business for the life of the hardware. Enter into a maintenance contract at the time of purchase with a suitable response time in the event of a failure.
See Service Level Agreement.

Issue: The system must be sufficiently resilient to avoid unplanned down-time, which can have an immediate negative impact on your organisation.
Action: Determine your organisation's tolerance to system non-availability (seconds, minutes, hours or days?) and approach the design of your hardware configuration accordingly. Consider the use of mirrored disks to guard against disk failures, duplicate processors in case of processor failure, duplicate configurations, and the use of an Uninterrupted Power Supply (UPS) and standby generators.

1.1.2 Installing New Hardware

Installation of new equipment must be properly considered and planned to avoid unnecessary disruption and to ensure that the ICT Policy issues are adequately covered. (See the explanatory notes for further detail.)

Policy Statement
All new hardware installations are to be planned formally and notified to all interested parties ahead of the proposed installation date. Information Technology and Security requirements for new installations are to be circulated for comment to all interested parties, well in advance of installation.

ICT Issues to consider / Action Required

Issue: The equipment must be located in a suitable environment, otherwise it may fail.
Action: Adhere to the specifications and recommendations of the manufacturer or supplier, e.g. for operational temperature, humidity etc. Adequate safeguards against fire, water and electrical failure should be in place. See Premises.

Issue: Any disclosure of your network diagrams, security features, locations and configurations etc. exposes potential vulnerabilities, which could be exploited.
Action: Ensure that all persons on site, whether from your own organisation or not, have completed a Non-Disclosure Agreement. Although a Non-Disclosure Agreement paves the way for legal redress, it cannot protect you against actual commercial damage.
Issue: Leaving tools, utilities and developers' kits on your new system endangers the confidentiality and integrity of your data.
Action: All new systems should be configured for maximum practical security by the removal of unnecessary utilities, developers' programs, etc., a technique known as hardening.

Issue: Without an installation plan for the new equipment, disruption to operational systems is more likely.
Action: Ensure that all special pre-installation requirements (e.g. air conditioning) have been met. Identify the precise location for the equipment and ensure that the power and network cables are ready. Agree a detailed installation plan with the vendor. Anticipate what might go wrong and consider how to minimise the risks.

Issue: Where the installation plan does not include safeguards against the (inevitable) increased security threat resulting from (relatively) open access to the systems area, accidental or malicious damage can result.
Action: Agree a detailed installation plan and document it. See Project Plan. Monitor progress against the plan. Only allow authorised persons access to the systems area. To protect all parties, never allow engineers to work unattended.

Issue: Breaches of Health and Safety regulations endanger the well-being of your staff and your organisation's commercial activities.
Action: Ensure Health and Safety regulations are followed when locating the equipment, peripherals and cables. A periodic visual inspection is also beneficial.

1.1.3 Testing Newly Installed Systems and Equipment

Hardware should be tested when new to verify that it is working correctly, and further tests applied periodically to ensure continued effective functioning.

Policy Statement
All equipment must be fully and comprehensively tested and formally accepted by users before being transferred to the live environment or user sites.
ICT Issues to consider / Action Required

Issue: Where new equipment is not tested for critical functions before being used, it can lead to failure and therefore damage to both data and other linked systems.
Action: Ensure that all new installations are thoroughly tested after initial set-up and prior to live use. All such tests should be in accordance with a documented test plan.

Issue: Inadequate testing can threaten the integrity and availability of your data.
Action: Check the test outputs to confirm the results. Ensure that all key components, e.g. hard disk subsystems, are included in the tests. Devices that are known to degrade with time, e.g. printers, should be tested periodically.

Issue: Where testing is performed in a manner that does not simulate live conditions, the results of such testing cannot be relied upon.
Action: Ensure that the test plan simulates realistic work patterns.

Issue: Poor security procedures during equipment testing can compromise the confidentiality of your data.
Action: Ensure that Non-Disclosure Agreements have been obtained from all third party staff involved in testing the equipment. Verify that the required security configuration and safeguards have been implemented for the new hardware. If live data is used in the testing process for the new hardware, ensure that it is closely controlled. See Use of Live Data for Testing.

Informative notes

NT servers
The analysis of user requirements (client base and expected mail sizes) against the various benchmark test results will establish the best choice of server to be purchased. For a file and print server only, disk space is the key requirement.

IT & T Issues / Key Actions

Processor board: Dual CPU, with redundant system components in many aspects.
Disk & disk space: Enough storage to cater for the expected growth of the mail database over the next fiscal year. Redundant and RAID-5 capable.
SPEC INT2000: Compares CPU speeds for various servers.
SPEC CPU2000: To establish the best processors and server performance (http://www.specbench.org/) and the best server as per RBS requirements. Do a sample analysis based on the databases expected, or consult the database product vendor on system demands.
TPC-C benchmark: The TPC-C benchmark measures the ability of a server to process transactions in a simulated business environment, calculating both the performance of the System Under Test and the transactions per server in a real-world scenario. See the guidelines at http://www.tpc.org/.
Mail servers should handle the traffic of 1500 mail users simultaneously in a normal business environment, and should be capable of storing all mails processed in a normal working day.

Routers

ICT Issues / Key Actions

Router basics: Dual CPU, with all redundant system components installed at time of purchase in many aspects.
IOS, RAM and ROM: Latest Cisco IOS, e.g. ver 12.X, 128 MB RAM and suitable flash memory to store all features of IOS. VPN and 3-DES features enabled.
IOS compatibility: New routers should be Cisco compatible to integrate seamlessly with existing IOS and equipment.
Number of WAN ports: Decide by local needs, e.g. hub-routers should be preferred for small LANs.
User management: Manageable by local or by remote interface, RMON, SNMP or network user interfaces.

Hubs and Switches

Item / Action

Hardware basics: Dual CPU, with all redundant system components installed at time of purchase in many aspects.
IOS, RAM and ROM: Latest Cisco IOS, e.g. ver 12.X; VLAN and work grouping, bridging possible.
IOS compatibility: Cisco compatible to integrate seamlessly with existing IOS and equipment.
Protocols: Ethernet enabled.
Number of LAN ports: Decide by local needs, e.g. hub-routers should be preferred for small LANs.
User management: Manageable by local or by remote interface, RMON, SNMP or HTML-enabled network user interface.

Modems

Item / Action required

Software compatible: Supports HyperTerminal for Windows. Should be configurable using AT commands.
V90: Modems should be V90 standard and downward compatible with existing V54 & V42 types, etc.
2 & 4 wire: Supports two-wire dialup and four-wire leased analogue line use.

Data cabinets
Equipment cabinets should be properly chosen. The current 6U cabinet is too small for any future expansion, or even for good workmanship to be carried out. Vendors should provide a cabinet of size equal to or larger than a 12U cabinet.

Item / Action

Sufficient space for equipment: The cabinet should house all the equipment and accessories at installation time, leave room for future expansion and provide free space for proper ventilation. See http://www.datacabinets.com/.
Aesthetically chosen for office environment: The cabinet should be aesthetically chosen to match the general look of its surroundings, free standing or wall mounted, and should be equipped with sufficient power blocks.
Proper ventilation and humidity: The cabinet must have sufficient cooling fans. The fans in these cabinets shall be designed to give the minimum noise level expected in a normal office environment and must be designed to keep the humidity level low.
Designed for the equipment therein: The cabinets will be used to house all the active equipment and connection accessories such as patch panels, Light Unit Interfaces (LIUs), cord organisers, cable straps etc. They should be lockable and equipped with some trays.
Grounding and ESD: All cabinets shall be electrically grounded to ensure that electrical noise and electrostatic discharge are minimised.

Server Room
The following items are useful in a server room construction.

Item / Action

Backup supply: Installation of a central UPS to back up for at least 30 minutes after an outage.
Conditioned power supply: Installation of spike protectors is necessary to ensure a well regulated supply free of surges and dips.
Neat and extensive cable trays: Construction of a technical (false) floor and technical roof (false ceiling) to house all types of cabling and utilities such as fire hydrants, smoke detectors, etc.
No electrostatic discharge (ESD) in the computer centre and equipment: Proper grounding and use of anti-static PVC tiles on the floor. Each tile must be grounded well.
Maintain ambient temperature: Installation of a two-way redundant air conditioning system. Maintain 16 °C via room wall.
Guard against fires and similar hazards: Installation of an automatic fire-fighting system.
Use effective extinguishers that are less hazardous to human health: Use the most inert system, e.g. Inergen. See www.inergen.com/.
Classify room usage: Partitioning of the computer room.
Proper lighting: Supply and installation of a false ceiling.
Protection against harmful effects of fire hydrants: Supply of gas masks.

1.2 Cabling, UPS, Printers and Modems

Cabling
For the best cabling, the following international standards should be incorporated when carrying out voice/data cabling works.

Item / Action

Scope: Systems Administrator to assess the scope of requirements.
Design of cabling plant and premises consideration: According to ANSI/EIA/TIA 568B & 569 standards. See www.ansi.org, www.eia.org & http://www.tiaonline.org.
Implementation and workmanship of cabling works and testing: According to ANSI/EIA/TIA 606 & 607 standards for installing and maintaining data/voice cabling plant.

Network Active Devices
Different vendors have preferred methods of rolling out active devices; try this method. Develop a high-level process flow diagram for deploying new solutions: solution hardware requirements; solution management platforms; solution validation by pilot project; full solution deployment; document all related information for management, maintenance and future extensions.

UPS
The following formulas are useful in determining the choice of UPS. UPSs are rated in terms of steady power output and backup time.
The steady power rating is given in watts (W). Backup time is given in hours, or as the ampere-hour (Ah) rating of the batteries. Backup capacity in ampere-hours is Ah = (Watt x time), or is computed taking Ah = 3.6 megajoules. Power x Time = Energy (joules), which translates to Time = Ah / Power. E.g. StimaEIS is a 7.2-kVA load. To back it up for half an hour requires (7200 x 30 x 60 x 60) / 3.6 x 10^6 = 216 Ah. Given that each small battery is 12 V with 9 Ah each, the UPS will have 24 small batteries. The same formula can be used for the rest of the computers.

1.3 Consumables

Introduction
ICT consumables are expensive and should be properly controlled both from an expense perspective and from an Information Security perspective. This section deals with the Information Security aspects of IT consumables.

1.3.1 Controlling IT Consumables

Policy Statement
IT consumables must be purchased in accordance with the organisation's approved purchasing procedures, with usage monitored to discourage theft and improper use. They must be kept in a well-designated store away from the working area.

Explanatory Notes
Examples of consumables are printer forms, stationery, printer paper, toner & ink, ribbons, disks, diskettes, bar-code labels and other accessories.

Item / Key Actions

Issue: Pilfering of your consumables results in increased organisational expense.
Action: Safeguard consumables against petty theft by locking cupboards, maintaining a register, requiring written authorisation prior to removal of items, etc. Keys are to be kept by the supervisor's office.

Issue: Consumables may be stolen with the intent to defraud your organisation or customers.
Action: Take special measures to protect potentially valuable pre-printed forms and account for their usage. The store area should be a controlled area; use gate-passes and authorisation.

Issue: Confidential data may be revealed to unauthorised persons from discarded consumables, e.g. discarded draft printer output and test data printer output.
Action: Ensure that confidential information cannot be identified from discarded consumables, such as printer ribbons and floppy disks, by destroying them. Destroy or shred surplus printout / fiche containing data, whether or not the data appears to be confidential, as it may be. See also Classifying Information and Data.

1.3.2 Using removable storage media including Diskettes and CDs

Policy Statement
Only staff who are authorised to install or modify software, and staff who are authorised to transfer and update data, shall use removable media to transfer data to / from the organisation's network. Any other persons shall require specific authorisation.

Explanatory Notes
When using removable storage media, there are additional ICT Security risks associated with the portability of the media. The personnel authorised to install & modify software is the system administrator. Personnel authorised to transfer and update data shall be determined by the general manager and the systems administrator.

ICT Issues / Key Actions

Issue: Loss or disappearance of disks, tapes, etc. can compromise the confidentiality of the organisation's data.
Action: Ensure that all media are stored safely and securely. Make sure that all media are labelled clearly, whether physically and/or electronically, and that they can be located easily when needed. Designate key individuals to monitor the storage and use of removable media.

Issue: Damage to media compromises the integrity of your corporate records.
Action: Follow the manufacturer's recommendations when handling the media. Take protective measures against environmental extremes of temperature, humidity, dust, etc., appropriate to the importance and sensitivity of the data. Consider carefully the safeguards required for any media being moved or stored off-site, especially backup tapes / disks. In the case of irreplaceable data, you should consider taking security copies, each of which must be properly safeguarded. Consider using fire-resistant storage cabinets for such media.
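The UPS sizing rule of thumb given under section 1.2 (Power x Time = Energy, backup capacity in ampere-hours, battery count from the per-battery rating) is carried through below with explicit units, as an added example that is not part of the policy document and not code from KPLC or RBS. Energy drawn is watts times seconds; the energy a battery stores is Ah x V x 3600 J, so the ampere-hour figure only has meaning at a stated bank voltage, and the battery count follows from total stored energy. The load is taken at unity power factor (7.2 kVA = 7200 W, as the text does); the bank voltage, inverter efficiency and usable depth of discharge are parameters introduced here, not figures from the document.

```python
"""UPS battery sizing with explicit units.

Added example for the policy text's UPS formula; not part of the original document.
Assumptions (not from the document): load at unity power factor, battery voltage,
inverter efficiency and depth of discharge are supplied by the caller.
"""
import math

JOULES_PER_WATT_HOUR = 3600  # 1 Wh = 3600 J, the conversion the text's "3.6 MJ" alludes to


def energy_joules(power_w: float, minutes: float) -> float:
    """Energy the load draws over the backup window: P [W] x t [s]."""
    return power_w * minutes * 60


def battery_energy_joules(cell_ah: float, cell_volts: float) -> float:
    """Energy stored in one battery: Ah x V is Wh; x 3600 gives joules."""
    return cell_ah * cell_volts * JOULES_PER_WATT_HOUR


def required_ah(power_w: float, minutes: float, bank_volts: float,
                efficiency: float = 1.0, depth_of_discharge: float = 1.0) -> float:
    """Ampere-hours the bank must deliver at bank_volts.

    Ah = (P x t) / (V x 3600), inflated for inverter losses and for the
    fraction of nameplate capacity that may actually be drawn.
    """
    usable = efficiency * depth_of_discharge
    return energy_joules(power_w, minutes) / (bank_volts * JOULES_PER_WATT_HOUR * usable)


def batteries_needed(power_w: float, minutes: float, cell_volts: float, cell_ah: float,
                     efficiency: float = 1.0, depth_of_discharge: float = 1.0) -> int:
    """Smallest whole number of cells whose combined stored energy covers the load.

    Independent of series/parallel arrangement: only total energy matters here.
    """
    need = energy_joules(power_w, minutes) / (efficiency * depth_of_discharge)
    return math.ceil(need / battery_energy_joules(cell_ah, cell_volts))


def size_bank(power_w: float, minutes: float, bank_volts: float, cell_volts: float,
              cell_ah: float, efficiency: float = 1.0, depth_of_discharge: float = 1.0) -> dict:
    """Practical layout: cells in series to reach bank_volts, parallel strings to reach Ah.

    Rounding each string up to whole cells is why this can exceed batteries_needed().
    """
    series = math.ceil(bank_volts / cell_volts)
    ah = required_ah(power_w, minutes, bank_volts, efficiency, depth_of_discharge)
    strings = math.ceil(ah / cell_ah)
    return {"series": series, "strings": strings, "cells": series * strings, "required_ah": ah}


def backup_minutes(bank_ah: float, bank_volts: float, power_w: float,
                   efficiency: float = 1.0, depth_of_discharge: float = 1.0) -> float:
    """Inverse problem (Time = Energy / Power): how long a given bank carries the load."""
    stored = battery_energy_joules(bank_ah, bank_volts) * efficiency * depth_of_discharge
    return stored / power_w / 60


if __name__ == "__main__":
    # Constructed input mirroring the text's example: 7.2 kVA load, 30 minutes, 12 V / 9 Ah cells.
    print("lossless cell count:", batteries_needed(7200, 30, 12, 9))
    print("48 V string, 90 % inverter, 80 % DoD:",
          size_bank(7200, 30, 48, 12, 9, efficiency=0.9, depth_of_discharge=0.8))
```

The lossless count is a floor, not a specification: inverter losses, the depth of discharge the battery chemistry tolerates, and the rounding forced by a real series string all push the number up, so a sizing note should record which assumptions produced its figure.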
1.4 Working off premises or using out-sourced processing

Working off-premises involves a broad range of Information Security risks. In addition to the obvious threat of theft of the equipment, there are also significant risks to the information contained on portable equipment. Business centres must be used with great care, as confidential information or data can be input onto equipment that is not under your control.

1.4.1 Contracting or using Out-sourced Processing

The following issues should be considered if the organisation decides to outsource some or all of its computer processing.

Policy Statement
Persons responsible for commissioning out-sourced computer processing must ensure that the services used are from reputable companies that operate with accredited information security and quality standards, which should include an appropriate Service Level Agreement.

ICT Issues to consider / Action Required

Issue: Inadequate performance can threaten your organisation's information processing and business operations.
Action: Determine the critical success factors for your organisation in terms of speed, reliability, response and ability to scale rapidly (if necessary). Document these factors in a Service Level Agreement with penalty clauses for breaches.

Issue: Poor reliability threatens the performance of your business.
Action: Consider your organisation's tolerance to system non-availability: in seconds, minutes, hours or days? Ensure that the service provider can meet these needs. Document these factors in a Service Level Agreement with penalty clauses for breaches.

Issue: Lack of direct control when outsourcing can compromise data confidentiality.
Action: Due diligence should be exercised to ensure that the outsourcing company is reputable and operates with adequate standards. Obtain a Non-Disclosure Agreement from the outsourcing company. Insist on secure transmission methods between your organisation and theirs, e.g. authenticated transmission with encrypted data.
2 Issuing Laptop / Portable Computers to PersonnelLaptops, Portables, Palmtops -or even electronic organisers, which connect to and store your organisations data are included in spite of appearance this topic. Throughout this topic we refer to them collectively as laptops Policy Statement Line management must authorise the issue of portable computers. Usage is restricted to business purposes, and users must be aware of, and accept the terms and conditions of use, especially responsibility for the security of information held on such devices ICT Issues Action Required Confidential data disclosed to unauthorised persons can Be certain that the member of staff has a valid business reason for damage the organisation. using a laptop.Maintain and update the Hardware Inventory with the primary users name and contact details Ensure that you are always able to trace the physical location of the laptop and that the type and sensitivity of any stored data is known and properly secure. Always use any power-on password feature as a dewy-eyed deterrent to opportunistic usage. Ensure the confidentiality and security of backup files. The use of unlicensed software can subject your All software used on the laptop must be licensed and comply with both organisation to legal action legal and organisational standards. Viruses, Worms, Trojans and other Malicious Code can Scan the laptop for malicious code and viruses regularly. corrupt both data and the system files. Always scan files before accepting them onto the laptop Theft of the laptop exposes the organisation to the threatEnsure that the holder implements adequate safety procedures against of disclosure of reasonable corporate data to competitors. theft. Consider the use of securing wires or other security devices in open offices. Ensure that the Hardware Inventory contains relevant allocation details of all computers. Insure the laptop against loss, theft and damage. Be aware of any exclusion in cover. 
Prepare guidelines for issuing portable computing equipment.

ICT Issue: Inadequate backup and recovery routines can lead to the loss of data.
Action Required: Ensure that laptop computers can have their data safeguarded through regular backups. Ensure that the primary user of the equipment recognises their responsibilities in this regard.

Guidelines for Issuing Portable Computing Equipment

Those responsible for issuing portable computer equipment must ensure that the following is complied with before issuing such equipment to employees:
- Ensure that adequate insurance cover is provided for the portable equipment for use in the home country and abroad.
- Ensure that suitable virus scanning software is present on the equipment.
- Supply suitable network connections and ensure that access procedures are applied if the equipment is to be connected to a network.
- Ensure that adequate capacity (hard disk and memory size) is available on the equipment to support business processing.
- Ensure that adequate backup and restore facilities and procedures are in place.
- Ensure that compatible versions of application software are in place.
- Ensure that software encryption and/or physical locking devices are in place.
- Ensure that adequate records of the equipment are maintained, and that the issue is authorised and receipted.
- Ensure that authorisation for use of portable computing equipment is received.
- Ensure that the Terms of Use are issued and signed.

1.5 Using Secure Storage

Introduction
It is essential that valuable, confidential or critical information or equipment is stored in a secure location. This section covers secure storage.

Policy Statement
Sensitive or valuable material and equipment must be stored securely and according to the classification status of the information being stored. Documents are to be stored in a secure manner in accordance with their classification status.

1.5.1 Using lockable storage cupboards & filing cabinets

A lockable storage cupboard should be considered for storing sensitive or valuable equipment. A lockable filing cabinet should be considered for secure storage of paper-based files and records, or small but movable items.

ICT Issues and Key Actions

ICT Issue: Unsecured organisation-sensitive material may be stolen from the department.
Key Actions: Ensure that all sensitive material is secured in a lockable storage cupboard, cabinet or safe when not required. The more sensitive the material, the more care must be taken in selecting the appropriate storage method. Ensure you are aware of who is an authorised key holder to any such storage cupboard, cabinet or safe. Ensure that a second key is available with a trusted key holder via a dual control issue process, in case the key holder is unavailable or the item is required in an emergency.

ICT Issue: Securely locked organisation-sensitive material may be stolen or damaged whilst in store.
Key Actions: Ensure that highly sensitive material, including computer discs and tapes, is stored in a fire-rated storage cupboard, cabinet or safe. Beware that the cabinet itself may survive a fire but the items inside may be damaged irreparably. Ensure that all sensitive material is secured in a lockable storage cupboard, cabinet or safe when not required. Use a storage unit which matches the sensitivity of the material. The more sensitive the material, the more care must be taken in selecting the appropriate storage method. Ensure you are aware of who is an authorised key holder to any such storage cupboard, cabinet or safe. Ensure that a second key is available with a trusted key holder via a dual control issue process, in case the key holder is unavailable or the item is required in an emergency.

1.5.2 Using Fire-Protected Storage Cabinets & Safes

A fire-protected storage cabinet is a good way to protect sensitive material against the risk of being destroyed by fire, and against possible water damage from fire-fighting activities.
The use of safes for storage is to be encouraged. The security of the safe itself is just as critical.

Policy Statement
Items such as backup tapes, microfiche, microfilm, archives, recovery diskettes, passwords and CDs for software installation shall be considered sensitive and valuable to the organisation and must be stored in fire-protected storage cabinets & safes.

IT & T Issues and Key Actions

IT & T Issue: Sensitive data stored in fire-protected cabinets can nevertheless be damaged beyond use. Due to their possible additional weight, siting is a key consideration.
Key Actions: Ensure that all sensitive material is secured in a fire-protected cabinet & safe when not required. Yearly & monthly system & database backups should be kept away from the building. Ensure you are aware of who is an authorised key holder to any such storage cupboard, cabinet or safe. Ensure that a second key is available with a trusted key holder via a dual control issue process, in case the key holder is unavailable or the item is required in an emergency.

IT & T Issue: Sensitive data may be lost if stolen or during transit.
Key Actions: Copies of archives should be kept separate from actual database backups. A physical log file to control backup data movement to the various safe locations is to be kept up-to-date, with the signatures of both the security personnel and the person moving the backups. The Data Library is to be kept up-to-date with details of backup date, type, location and expiry date.

1.6 Documenting Hardware

Introduction
This section deals with hardware documentation and manuals, and also the hardware inventory. It is essential that hardware documentation is kept up to date and made available to all users as appropriate.

1.6.1 Managing and Using Hardware Documentation

Documentation refers to both the operator manuals and the technical documentation that should be provided by the supplier / vendor.

Policy Statement
Hardware documentation must be kept up-to-date and readily available to all staff that may need it.
ICT Issues and Key Actions

ICT Issue: If equipment is operated incorrectly, mistakes and damage may result.
Key Actions: Ensure you receive all operational and technical manuals for each piece of equipment. Store the documentation accessibly but safely. System users must be trained according to the supplier's manuals.

ICT Issue: A failure to follow the recommended schedule of maintenance runs the risk of system malfunction, which could possibly jeopardise your business operation.
Key Actions: Ensure all regular maintenance is carried out and monitored. Adopt procedures which ensure that your operators complete all maintenance for which they are responsible according to the manufacturer's recommendations.

ICT Issue: Failure to operate equipment in accordance with the instructions can invalidate the warranty.
Key Actions: Ensure you receive all operational and technical manuals for each piece of equipment. Ensure that such manuals are readily available and form the basis of all training.

ICT Issue: Failure to complete and return the manufacturer's warranty card may invalidate the warranty and hence limit the manufacturer's liability.
Key Actions: Complete the warranty card in time and record the details in your Hardware Inventory Register.

1.6.2 Maintaining a Hardware Inventory or Register

Introduction
A register / database of all computer equipment used within your organisation is to be established and maintained.

Policy Statement
A formal inventory of all equipment should be maintained and kept up to date at all times.

ICT Issues and Key Actions

ICT Issue: Theft of equipment is most likely to result in additional cost to the organisation and could compromise data security.
Key Actions: Establish an inventory and implement procedures for updating it. Ensure that you have a procedure to advise of the acquisition of new hardware, the disposal of old items and any changes of location. Periodically verify the accuracy of the inventory by checking that a sample of hardware is physically present.
ICT Issue: Inadequate insurance could render your organisation liable to loss in the event of a claimable event.
Key Actions: Establish an inventory and implement procedures for keeping it up-to-date. Ensure that you periodically review the adequacy of your insurance cover.

ICT Issue: Shortcomings in the planning of equipment replacement can make it difficult to plan ahead for new technology.
Key Actions: Establish an inventory and, in conformance with your IT Plan, earmark equipment for replacement and plan accordingly.

1.7 Telecommunications equipment (procurement, maintenance practices and design of telecommunications)

This chapter covers:
- Procurement of telecommunications systems
- Maintenance (internal & external)
- Design criteria of systems
- Commissioning & decommissioning of systems
- Fibre optic systems

Introduction
This chapter deals with the Information Communication Technology issues relating to the purchase, use, maintenance and design of equipment through which information is processed and transmitted. The systems covered include:
- Telephony (PAX and PABX)
- Data Networks
- Fibre Network

1.7.1 System Design (Engineering)

Policy Statement
ICT system engineering will be based on tested and proven state-of-the-art technology for a given ICT system.

Explanatory Notes
The systems administrator shall from time to time update her/himself with new international standards for ICT systems. She/he shall be required to come up with flexible systems that will best meet the company's needs.

ICT Issues and Actions

Technology: System engineering shall be based on the latest technology in the required field, such as Telephony.
Company's needs (Application): The design shall address the company's needs and applications for at least the next ten years.
Flexibility: The system design shall address equipment flexibility and upgrade.
Redundancy: The design will state the expected loading and redundancy of the equipment.

1.7.2 Procurement

Policy Statement
In addition to the public and company procurement procedures, the ICT department will specify in detail the functional and capacity requirements of a system before any purchase is done.

Explanatory Notes
Before any system acquisition is done, the system administrator will be required to have evaluated the company's needs. This will include system performance, reliability, ultimate capacity and staff abilities, including proposed training requirements. This will be in the form of Request for Proposal (RFP) documents.

ICT Issues and Actions

Tender document: Shall have a detailed system/equipment description of the performance, reliability and capacity of the hardware. The system life expectancy shall be required.
Spares and Support: The system spares will be stated. The system support and staff training shall be clearly addressed.
Authorised dealership/partnership: The vendor shall be required to state and prove the partnership with the manufacturer.
Tendering: The type of bidders to be invited shall be stated.

1.7.3 Commissioning / Decommissioning

Policy Statement
System commissioning will be carried out as stipulated in the manufacturer's testing/commissioning sheets for any new ICT equipment. Tests should include all the RFP system requirements. System commissioning is necessary to confirm system performance; all the designed parameters will be tested. After commissioning, the system passwords should be changed immediately as a security measure, to protect against any data manipulation or corruption from the vendor.

ICT Issues and Actions

Performance: All tests as per the system design and manufacturer's specification/performance shall be carried out.
Drawings: All system drawings shall be submitted (at least three copies) and kept in safe custody.
Equipment Cabinet keys: The equipment cabinet keys shall be handed over to the functional head.
Decommissioning: System decommissioning shall be carried out once the equipment is no longer in use.
Commissioning sheets and drawings shall be used to determine the current connection (circuit termination) of the system. The decommissioned equipment shall be removed from the Telecom room and all unused wires/cables shall be removed. The drawings for decommissioned systems/equipment shall be retired.

1.7.4 Maintenance Practices

Policy Statement
All ICT systems shall be maintained regularly as per the manufacturer's recommendations. Where systems are placed in harsh environments, system maintenance will be carried out as deemed necessary by the systems administrator.

Explanatory Notes
All system maintenance should be done in-house as much as possible. Outsourcing of maintenance (Annual Maintenance Contracts, AMCs) contrac