Example of a Security Document

IT Security Policy

Policy Statement
It is the responsibility of the IT department to protect the confidentiality of all NewCo data, hardware and software, whether it is held internally, centrally or remotely. This is to ensure data remains secure and available to all authorised members of staff.

Summary of main security policies
A summary of the main security policies is detailed below. The email and physical security policies are given in greater detail following the overview of all policies.

Network Security Policy
The Network policy covers all devices and systems that connect to the NewCo network, regardless of who owns the device. The NewCo network is defined as any network connection that allows users access to any other system owned by NewCo. This includes wired, wireless and remote connections.

Physical Security Policy
The physical security policy seeks to ensure the safety of all authorised personnel and visitors to the NewCo site at all times. It is also the policy's aim to guard against unauthorised access and theft of company equipment.
To be read in conjunction with the Health and Safety at Work Act 1974.

Email Security Policy
The Email security policy aims to provide users with a set of rules to adhere to when sending, receiving and storing email. This is to ensure the proper use of the NewCo email services. Users include employees, temporary staff, students, trainees and home workers.
To be read in conjunction with the Data Protection Act 1998.

Cloud Policy
The cloud policy contains the terms of use stated by the application, platform and service provider. The aim of the policy is to ensure NewCo cloud service users remain within the contracted terms by informing employees of the permitted use under the Cloud provider’s license agreement.

Email Security Policy

Purpose
The purpose of this policy is to ensure that the NewCo email system is used properly. Email is an invaluable tool but it should be recognised that without care users can cause unintentional harm and enable security breaches. It is therefore the aim of this policy to make all users aware of what NewCo deems as acceptable and unacceptable use of its email system.

Scope
The policy applies to all email services offered by and for NewCo. Individuals authorised to use any NewCo email resources are required to make sure they are familiar with this policy.
NewCo Must:
  • Ensure that email services are available to all users who require an Email account to complete their work duties.
  • Provide the appropriate and authorised software for Email.
  • Provide an authorisation process for access to Email.
  • Ensure that all NewCo staff using Email are aware of the risks and provide training in accordance with the published Email policy.
  • Preserve the system.
  • Ensure that all staff members' details are kept confidential and handled in accordance with the Data Protection Act 1998.

Policy

Conditions of Use by Law
This policy forbids users from committing the following offences under UK law.

  • Composing or forwarding an Email that contains offensive, racist, obscene or pornographic material.
  • Forwarding confidential information that is in contravention of the Data Protection Act.
  • Knowingly sending malicious software as an attachment within an Email.
  • Political lobbying via Email.
  • Actions that may result in NewCo being in breach of copyright and licensing laws.
  • Using another's Email account without consent.
  • Forging email messages.

Conditions of Use According to NewCo
This policy also forbids certain Email activities that impede NewCo's ability to efficiently provide a functioning Email service. They are as follows.

  • Sending chain letters and non-work-related messages and/or attachments.
  • Sending large and unnecessary messages or attachments.
  • Sending spam to a large group of users.

Monitoring
Employees should be aware that NewCo reserves the right to retain messages and all content based on legal and statutory obligations.

  • All emails are monitored for malicious software.
  • All emails are logged automatically – incoming and outgoing.

Conduct
A user must conduct themselves within the bounds of this policy at all times when using Email services.
A user must not send or forward confidential information belonging to NewCo, or under the protection of NewCo, via Email accounts not recognised by NewCo. This includes, but is not limited to, Hotmail, Yahoo and AOL. NewCo provides users with an internal mail server, and where sensitive information must be sent, your '@NewCo' account should be used.

External Communication
A user must never give the impression that the views shared by themselves are that of NewCo unless authorised to do so.

Staff Responsibilities

Email is to be checked often and replied to in a timely fashion.
NewCo provides an out-of-office function and, when you are away, staff are required to turn this feature on. Contact information should be added for urgent enquiries. If this is not complied with, disciplinary action may take place. (For more information on setting the out-of-office feature, please refer to the email handbook.)

Enforcement

Any NewCo employee who fails to follow this policy is in violation of company practice and may be subject to termination of contract.

Revision History
2012-04-22
Created entire policy

Physical Security Policy

Purpose
The physical security of computer equipment and the safety of equipment and people should comply with the guidelines as detailed below.

Scope
This policy covers all equipment and visitors on any NewCo site that is considered under the IT department’s management.

Policy

Hardware Security Marking
All hardware should be security marked by branding or scratching with the name NewCo and postcode etched onto it. Labels are considered inferior as they can be easily removed.

PC cases
All PCs fitted with a lockable case should remain locked at all times.

Computer Equipment
All computer peripherals that can be wire-tied in place should remain connected to their respective computer at all times.

Network Equipment
Where possible, networking equipment should be locked in place. This will take the form of a metal bracket anchoring the device to a wall or floor.

Windows
Windows above ground level are considered dangerous, and therefore all windows on elevated levels should be fitted with a key lock. As a fire safety precaution, the window key must remain in the window at all times.

Equipment Visibility
Equipment located on the ground floor and visible to the public should be concealed behind blinds. The blinds will then remain closed at all times.

Intruder Alarm
An intruder alarm should be placed on all exits and conform to the following specification. Installation, maintenance and monitoring will be provided by an approved company. Exits are defined as any area where access could be possible by unauthorised personnel. This includes elevated access points such as windows and rooftops.
The alarms should be tested on a monthly basis by security personnel and building managers, and yearly by an approved company.

Computer Areas
All computer areas will meet regulations stated below.

Air Flow
The computer area should contain air conditioning to provide an adequate environment for computers to operate in a stable manner. This will ensure computers are running at a lower risk of systems failure due to heat.

Area Positioning
The computer area will not be placed under any internal pipes or drainage solutions, to reduce the risk of flooding. A risk assessment should be completed if this cannot be adhered to.

Electric Points
Sockets should be placed in areas where computer cables will not run along the floor and cause a trip hazard. If extension sockets are used to meet this requirement, the engineer should ensure individual sockets can be fused and isolated.

PAT Testing
To reduce the chance of an electrical fire, all electrical equipment will be PAT (portable appliance testing) tested before use. This is an obligation under the Health and Safety at Work Act 1974. More information can be found at http://www.pat-testing.info

Staff Responsibilities
Staff are to understand that security is a responsibility undertaken by all employees at NewCo. Therefore, staff must cooperate with management to achieve the aims of this policy.
Staff should be aware that it is their responsibility to assist in protecting themselves, colleagues, contractors and visitors to NewCo.
Where staff become aware that a potential or actual security breach is taking place or has taken place, it is their responsibility to report the incident immediately.
All staff are responsible for the confidentiality of the information they hold and use, in particular user credentials.
It is an offence to take or borrow any NewCo equipment without proper authorisation from their department manager. All equipment borrowed must be signed for, and failure to do so will result in disciplinary action.

Enforcement
Any NewCo employee who fails to follow this policy is in violation of company practice and may be subject to termination of contract.

Revision History
2012-04-22
Created entire policy

Created: 2014-09-17 12:54:39 Updated: 2014-10-06 15:15:10