A Massachusetts corporation, incorporated on February 11, 1993.
(Adopted by the ad hoc Executive Committee for review of policies)
The objective of this requirement is to ensure that users of IT/IS facilities do not unintentionally place themselves, or UTICo, at risk of prosecution or disciplinary action by carrying out computer-related activities which contravene current policy or legislative restrictions.
Information within UTICo is intended to be openly accessible and available to all members of the organization for sharing and processing. Certain information (sensitive information) has to be processed, handled and managed securely and with accountability.
This policy outlines the control requirements for all information contained within UTICo’s network and IT systems.
This document forms UTICo’s Electronic Information Security Policy. Its purpose is to provide an overarching framework (a commitment of undertaking) to apply information security controls throughout UTICo.
1.3. Purpose and scope
All processing of data and collection of information will be processed in accordance with U.S. law.
This policy defines how UTICo will secure electronic information, which is found within:
• The IS/IT infrastructure
• Key Business System data and information.
• Security of information held in electronic form on any computer used within UTICo.
And is processed or used by:
• External users, agents and guest users authorized to use UTICo’s network or IT Systems.
• Individuals who process key data and information within Key
Information Security controls are designed to protect UTICo’s reputation through the preservation of:
• Confidentiality – knowing that key data and information can be accessed only by those authorized to do so;
• Integrity – knowing that key data and information is accurate and up-to-date, and has not been deliberately or inadvertently modified from a previously approved version; and,
• Availability – knowing that the key data and information can always be accessed.
UTICo is committed to protecting its members and Key Business Systems. Controls will therefore be deployed that mitigate the risk of vulnerabilities being exploited which adversely affect the efficient operation of UTICo.
This policy applies to all users of UTICo network and IT Services and includes:
• Third party contractors and consultants working for or on behalf of UTICo;
• All other individuals and groups who have been granted access to UTICo’s network or IT Services.
These categories of persons and agencies are collectively known as the “user” in this policy document.
Each user is responsible for their own actions and must ensure that all actions relating to the use of UTICo network and IT Services adhere to the principles and requirements of this policy.
2. Legislation and policy
Supply and use of UTICo network and IT Services is bound by U.S. law. UTICo is also governed by external policies which impose responsibilities on the provision of IT Services and network access.
3. Information Security – risk management
Information security governance is the structure which supports the implementation of this policy. An IT infrastructure will be implemented within UTICo to ensure the effective and efficient implementation of this policy across UTICo.
3.1. Ownership and maintenance of policy
This policy is owned by IT Services and is maintained, reviewed and amended by the IT Security Co-ordinator. This policy will be subject to annual review and will be submitted to UTICo Executive if substantial amendment or redrafting is required in order to maintain relevance and effectiveness.
3.2. Risk management and Electronic Service Incidents
The IT Services Service Desk will be responsible for raising an incident record in relation to any reported security incident at UTICo. These incidents will be recorded as “Electronic Security Incidents”. Each Electronic Security Incident will be recorded with a unique reference number, and a review of incidents will be conducted at six-monthly intervals. Incidents considered to exhibit unacceptable levels of risk to UTICo network or IT Services will be subject to an investigation to identify the inherent vulnerabilities exposed by the incident. A report will be submitted to the IT Services Management Team for consideration of suitable remedial action which may be effectively implemented to mitigate future risks.
3.3. Security of Third Party Access
Procedures will be developed to regulate access to UTICo’s information processing facilities by third parties. Such access will be controlled and regulated in order to protect information assets and prevent loss or damage to data through unauthorized access.
3.4. Identification of risk from third party access
Third parties who require access to UTICo’s IT/IS infrastructure will be bound by contracts which define the security requirements.
4. Asset Classification
Information assets will be categorized and recorded to enable appropriate management and control. IT Services will maintain an inventory, subject to audit, of assets in three categories:
• Business Systems;
• Hardware inventory;
• Software inventory.
Any system, and the data it contains, that is not part of the above inventory is the responsibility of the creator of that system; however, the asset will still require compliance with this policy and users will be required to adhere to the principles of this document. All asset identification procedures must be compliant with and support the UTICo Business Continuity Plan.
5. Security Issues – roles and access levels
Controls will be deployed to reduce the risks of human error, theft, fraud, nuisance or malicious misuse of facilities.
All users will be bound by the confidentiality agreement in either their contract or terms of employment.
5.2. Responding to security incidents
Those administering UTICo network or IT Services must not, in any circumstances, try to prove or collect evidence in relation to any suspected or perceived security breach.
A security incident is any incident which alters, destroys or amends data within the Key Business Systems without authority, or which may cause damage to, or reduce the efficiency of, UTICo network or IT Services.
5.3. Reporting Security incidents
All suspected security incidents are to be reported. Initial reports of suspected security incidents should be channeled through the reporting user’s line manager to the IT Security Coordinator.
6. Physical and Environmental Security
Controls will be implemented as appropriate to prevent unauthorized access to, interference with, or damage to information assets.
Computer systems and networks will be protected by suitable physical, technical, procedural and environmental security controls. File servers and machines that hold or process high criticality, high sensitivity or high availability data will be located in physically secured areas. All Key Business Systems will be subject to security measures which support the UTICo Business Continuity Plan.
6.2. Data Storage Facility Security
Records of authorization will be maintained by IT Services and Facilities. Access control will be by smart card, key lock or digital lock as appropriate. Communications equipment will normally be located in dedicated rooms which should not be used for any other purpose.
Servers holding corporate information will be held in a secure environment protected by:
• Physical security and access control
• Fire detection and extinguishing systems
• Temperature and humidity control
• Water sensors
• Stable, conditioned electrical supply protected by uninterruptible power supply (UPS) and standby generator
IT Services must ensure the IT Infrastructure is covered by appropriate hardware and software maintenance and support.
7. Communications and Operations Management
Controls will be implemented to enable the correct and secure operation of information processing facilities.
7.1. Documented operating procedure
Design, build and configuration documentation will be produced in respect of system platforms.
7.2. Segregation of duties
Access to Key Business Systems and key data and information will only be granted based on the user’s role and access classification. Segregation of duties between the operations and development environments shall be strictly maintained, and all work on Key Business Systems will be strictly segregated. Sensitive operations will be identified and action taken to implement split functional controls where appropriate.
7.3. System planning and acceptance
All changes to live Key Business Systems will follow a pre-defined change management process, to ensure that activities are undertaken in accordance with stringent change control processes. Controls will be implemented to check for malicious or fraudulent code being introduced to Key Business Systems. All systems will be protected by a multi-level approach involving firewalls, router configuration, e-mail scanning, and virus and spyware/malware protection on all workstations on UTICo network. Network traffic will be monitored for any anomalous activity which may indicate a security threat to the network. A Virus Protection procedure will be implemented to prevent the introduction and transmission of computer viruses both within and from outside UTICo. Failure to maintain a device in a state which prevents or detects virus infection will leave the device liable to exclusion from UTICo network until the security issue is resolved.
7.4. IT Housekeeping and storage
System backups will be performed by the relevant IT support in accordance with documented procedures. The procedure will include keeping backups off site in secure storage. Backups of corporate data are taken on a daily basis for Key Business Systems, or less frequently if appropriate. Backups protect electronic information from major loss or failure of system software and hardware. Backups are not designed to guard against accidental deletion or overwriting of individual user data files. Backup and recovery of individual user files is the responsibility of the owner (see “Personal Responsibilities for Electronic Information Security”).
Controls will be implemented to achieve, maintain and control access to computer networks, including wireless LANs. The configuration of critical routers, firewalls and other network security devices will be assigned to a responsible owner, and will be maintained, documented and kept securely. No IT equipment may be connected to UTICo network without approval by IT Services. Any device found to be installed without prior authority from IT Services will be disconnected, the equipment removed and an investigation commenced to establish the cause of the network compromise.
Removable magnetic and optical media containing Key Business System data or Sensitive Information will be reused or disposed of through controlled and secure means when no longer required. Procedures will be made available for the secure disposal of removable data storage media containing Key Business System data or sensitive information when these become defunct or unserviceable. Users should contact the IT Services Service Desk for the current procedures.
7.7. Software usage and control
All major software upgrades and in-house systems development for Key Business Systems will be appropriately controlled and tested through a managed process before live implementation and deployment.
8. Access control
Procedures for the registration and deregistration of users, and for managing access to all information systems, shall be established to ensure that all users’ access rights match their authorizations.
Access to Key Business Systems will be appropriately controlled and comply with the access rights of the user. Access to UTICo network and IT Services will be restricted according to the access classification of the user.
Formal procedures will be implemented for granting access to both UTICo network and IT Services. This will be supported by a formal review of user privileges on a regular basis to ensure that they remain appropriate to the role and relationship with UTICo. Accounts identified as dormant accounts will be closed in accordance with current procedures. Users should note that failure to comply with the Remote Access Policy and Agreement will leave the user liable to disciplinary action and possible criminal law prosecution under the appropriate legislation. UTICo recognizes the inherent dangers of information stored on portable computers (laptops, notebooks, tablets and smart phones) as well as removable media.
Wireless computer networks potentially introduce new security risks which are the subject of a specific “Wireless Security Policy”, which should be read in conjunction with this Electronic Information Security Policy. For Windows operating systems the following will be enforced:
• Network passwords must be a minimum of 6 characters
• Network passwords will be subject to enforced periodic change; the life of a chosen password will be 6 months
• Network password history will prevent reuse of the last 3 password changes
• Accounts will be locked on the third failed login attempt
Policy on network password complexity will be reviewed periodically.
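The Windows settings listed above can be verified on a machine rather than taken on trust. The following PowerShell script is an added example, not part of the policy document or any UTICo tooling: it parses the output of the built-in `net accounts` command and compares each value against the thresholds stated above. It assumes English-language `net accounts` output, interprets the policy’s “6 months” as 182 days, and ships with a constructed sample (not captured from any real machine) so it can be read and run offline; pass `-Live` to check the local machine instead.

```powershell
# Added example: check a Windows account policy against the thresholds above.
# Assumptions (not from the policy document): English `net accounts` output,
# and "6 months" taken as 182 days. The sample block below is constructed.

# Expected values taken from the policy text. Min = floor, Max = ceiling.
$Expected = [ordered]@{
    'Minimum password length'               = @{ Min = 6;   Label = 'minimum length >= 6' }
    'Maximum password age (days)'           = @{ Max = 182; Label = 'maximum age <= 182 days (6 months, assumed)' }
    'Length of password history maintained' = @{ Min = 3;   Label = 'history >= 3 passwords' }
    'Lockout threshold'                     = @{ Max = 3;   Label = 'lockout on or before 3rd failed attempt' }
}

# Constructed sample of `net accounts` output for a weakly configured machine.
$SampleOutput = @'
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
'@ -split "`r?`n"

function ConvertFrom-NetAccounts {
    # Turn "<setting>:   <value>" lines into a name -> raw value hashtable.
    param([string[]]$Lines)
    $settings = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<name>[^:]+?):\s+(?<value>\S.*?)\s*$') {
            $settings[$Matches.name.Trim()] = $Matches.value
        }
    }
    return $settings
}

function Convert-PolicyValue {
    # Map the textual sentinels Windows prints to numbers that fail the right
    # way: "None" history means 0 kept; "Never" lockout / "Unlimited" age mean
    # the control is switched off, which must fail any ceiling.
    param([string]$Raw, [hashtable]$Rule)
    if ($null -eq $Raw)            { return $null }
    if ($Raw -match '^\d+$')       { return [int]$Raw }
    if ($Raw -eq 'None')           { return 0 }
    if ($Raw -in 'Never','Unlimited') {
        if ($Rule.ContainsKey('Min')) { return 0 } else { return [int]::MaxValue }
    }
    return $null
}

function Test-PasswordPolicy {
    # Compare parsed settings with $Expected; returns one row per rule.
    param([hashtable]$Settings)
    foreach ($name in $Expected.Keys) {
        $rule  = $Expected[$name]
        $raw   = $Settings[$name]
        $value = Convert-PolicyValue -Raw $raw -Rule $rule
        $ok = ($null -ne $value) -and
              (-not $rule.ContainsKey('Min') -or $value -ge $rule.Min) -and
              (-not $rule.ContainsKey('Max') -or $value -le $rule.Max)
        [pscustomobject]@{
            Setting   = $name
            Actual    = if ($null -eq $raw) { '<missing>' } else { $raw }
            Rule      = $rule.Label
            Compliant = $ok
        }
    }
}

# Usage: run against the constructed sample, or `-Live` on a Windows host.
param([switch]$Live)
$lines = if ($Live) { net accounts } else { $SampleOutput }
$report = Test-PasswordPolicy (ConvertFrom-NetAccounts $lines)
$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) { Write-Warning 'Password policy is not compliant.' }
```

Against the constructed sample, minimum length (0), password history (None) and lockout threshold (Never) are reported as non-compliant while the 42-day maximum age passes, which is the kind of gap a periodic review of the password settings would need to catch. Sentinel values such as “Never” are deliberately mapped so that a disabled control fails rather than being skipped; a missing line (for example from localized output) is also reported as non-compliant instead of silently passing.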