Policy & Procedure
Policy Title :
Security Policy
Policy Number :
VIII. 8
Responsible Party :
Information Technology
Effective Date :
08/01/2014
Revised Date :
_______________________

Purpose

·       The objective of this Information Security Policy is to secure PMU's information assets and staff. Where required, each policy statement is supported by standards and procedures that together form a complete security framework for PMU.

Statement :

·       It is each user's responsibility and obligation to ensure that all resources are used only for their intended business purpose and that information contained in or transmitted via these resources is protected from unauthorized use, appropriation, or corruption. This functional policy (FP) intends to clarify to all users of PMU infrastructure what their responsibilities are; define the potential risks and dangers to PMU in the event of misappropriation and abuse of the infrastructure by its users; and regulate the professional and effective use of infrastructure within PMU as well as between PMU and external entities.

Procedure :

Scope

●     All Information Assets

●     All software assets

●     All physical assets, such as computer and network equipment

●     All supporting services, such as power and network link

●     All of the above are either owned or leased by PMU and under PMU's possession, custody, or control.

 

General Responsibilities

It is the responsibility of the different departments/offices and of each employee to take the necessary steps to ensure compliance with the guidelines in this policy and with any further policies and procedures that may be added in due course.

 

Governing Policy

The following Executive Policy Statements govern the General Security Guidelines:

 

●     Responsibilities for the protection of individual assets and for carrying out specific security processes must be clearly defined;

●     A management authorisation process for new information processing facilities must be established;

●     Advice on information security provided by in-house or specialist advisors must be sought and communicated throughout the organisation;

●     Arrangements involving access to organisational information processing facilities by an organisation handling the outsourcing must be based on a formal contract containing all necessary security requirements;

●     An inventory of all important assets must be drawn up and maintained;

●     Owners must be identified for all major assets and the responsibility for the maintenance of appropriate controls must be assigned.

●     A regular inventory of assets must be performed; it is a necessary security requirement;

●     Classifications and associated protective controls for information must be suited to business needs for sharing or restricting information and the business impacts associated with such needs;

●     A set of operational and security procedures must be defined for information labelling and handling in accordance with the classification scheme adopted by the PMU

●     An information classification scheme must be implemented

●     Aspects related to information security must be addressed in an employee's terms and conditions of employment and, for third parties, in a formal contract with PMU;

●     Any security related incidents must be reported immediately through the established channels after the incident is discovered;

●     Users of information services must be required to note and report any observed or suspected security weaknesses in or threats to systems or services;

●     Mechanisms must be in place to enable the types, volumes and costs of incidents and malfunctions to be quantified and monitored;

●     The violation of organisational security policies, functional policies and procedures by employees must be dealt with through a formal disciplinary process;

●     Physical security perimeters must exist for all areas housing relevant information processing facilities;

●     Secure areas must be protected by appropriate entry controls to ensure that only authorized personnel are allowed access;

●     Secure areas must be created in order to protect offices, rooms and facilities having special security requirements;

●     Additional controls and guidelines for working in secure areas must be used to enhance the security provided by the physical controls protecting the secure areas;

●     Delivery and loading areas must be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access;

●     Access to the machine rooms must be restricted to only those people who are permitted to use the machines;

●     Access to the machine rooms must be monitored for illegal access attempts;

●     Any information processing equipment, used for information processing on PMU's systems, but situated outside PMU's secure perimeters, must be secured in a way equivalent to PMU's on-site equipment;

●     Information must be erased from equipment prior to disposal or re-use;

●     No employee must be allowed to remove property from the PMU premises unless they have obtained authority to do so from an approving manager;

●     PMU must have and implement a clear desk and a clear screen policy in order to reduce the risks of unauthorized access, loss of, and damage to information;

●     Removal of any equipment, information or information facilities that belong to PMU, from the premises must be strictly monitored and controlled;

●     Incident management responsibilities and procedures must be established to ensure a quick, effective and orderly response to security incidents;

●     Duties and areas of responsibility must be segregated in order to reduce opportunities for unauthorized modification or misuse of information or services;

●     Detection and preventive controls to protect information and information processing facilities against malicious software and appropriate user awareness procedures must be implemented;

●     Back-up copies of essential business information and software must be taken regularly;

●     Systems and applications backup documentation must include the following information:

○     Ownership;

○     Procedures;

○     System dependencies;

○     Data validation results; and

○     Source code.

●     Operational staff must maintain a log of their systems operation activities;

●     Faults must be reported immediately and corrective action taken;

●     Regular inventory of backup media must be performed;

●     The management of removable computer media, such as tapes, disks, cassettes and printed reports must be protected and controlled according to its classification;

●     Media must be disposed of securely and safely when no longer required;

●     Procedures for the handling and storage of information must be established in order to protect such information from unauthorized disclosure or misuse;

●     Controls to prevent unauthorized access to system documentation must be developed;

●     Content scanning must only be enforced in checking for malicious software, viruses or violations;

●     The allocation of passwords must be controlled through a formal management process;

●     A formal process must be conducted at regular intervals to review users' access rights;

●     Operating systems and applications must include as a minimum, adequate user access controls, password controls and monitoring controls;

●     PMU must require all users to follow good security practices in the selection and use of passwords;

●     Users must be required to ensure that unattended equipment has appropriate protection;

●     Procedures for monitoring use of information processing facilities must be established and the result of the monitoring activities reviewed regularly;

●     Users must not install modems in office PCs or dial in to those PCs;

●     Functional policies and procedures on the use of cryptographic controls for the protection of information must be developed and followed;

●     Encryption must be applied to protect the confidentiality of sensitive or critical information;

●     Digital signatures must be applied to protect the authenticity and integrity of critical electronic information, where necessary;

●     Non-repudiation services must be used to resolve disputes about the occurrence or non-occurrence of an event or action;

●     Modifications to software packages must be discouraged and essential changes strictly controlled;

●     The purchase, use and modification of software must be controlled and checked to protect against possible covert channels and Trojan code;

●     Controls must be applied to secure outsourced software development.

 

 

General Security Functional Policies

Desktop Confidentiality

To promote desktop confidentiality, the following must be adhered to:

●     In an open-plan office, users must be alert to unauthorized persons reading information displayed on their screens.

●     Users must switch off their computer when it will be left unattended for an extended period of time.

●     No obvious links or shortcuts to sensitive documentation must be created, e.g. a shortcut to "Marketing Information.doc" on the Windows desktop.

●     All Windows desktop backgrounds must be in accordance with PMU policy.

●     No proprietary information must be posted on the computer screen, e.g. on post-it notes.

Clear Screen

The controls pertaining to a clear screen include:

 

Screen Savers

A password-protected screen saver obscures the content of the computer screen after a period of inactivity. Screen savers must be used in accordance with the following:

 

●     Users must enable a screen saver on their computers that requires a password to resume after no more than 15 minutes of inactivity.

●     Users must use screen savers that promote PMU business and do not offend, intimidate or disparage others.

●     Users must change their screen saver password regularly.

●     Users are not allowed to disclose their screen saver password to any personnel without authorization from their direct manager at PMU.

●     When entering passwords users must prevent unauthorized observation by any third party, e.g. shoulder surfing.

Computer lockout

Computer lockout must be in accordance with the following:

●     Users must lock their workstation(s) and any active applications, or log out, when leaving their computers unattended.

●     Users must not disclose their passwords to any personnel who want to unlock their workstation without authorization.

●     A user must ensure they have logged out of all systems, including the network, after hours.

Passwords

●     Creating Passwords: Creation of passwords must be in accordance with the following:

 

○     Passwords must be a minimum of six (6) characters in length for regular users and eight (8) characters in length for managers and other privileged users, and must comprise letters, numbers and special characters to the extent possible.

○     Passwords must not be easily associated with PMU or the user (e.g. identification number, employee number, address, numerical equivalent of the name, family names, birthdate, spouse's name, pet names, etc.).

○     Passwords must not contain:

■     Words from a dictionary, movie titles or geographical locations; and

■     Common character sequences such as "123456".

○     Passwords should not be based upon month/year combinations such as "jan01" or "april2001". Attackers use these patterns in attempts to guess passwords.

○     Users must not use cyclical passwords, for example re-using a previous password with a sequential number appended.

○     Passwords must not consist of identical characters, whether all numeric or all alphabetic, for example 1111111 or aaaaaaa.
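The creation rules above can be enforced mechanically at password-change time rather than left to the user. The following is an added example in Python, not part of the PMU policy or of any PMU system, that implements those rules as a checker returning the list of rules a candidate password breaks. The word list, keyboard rows, user profile fields, violation codes and sample user are constructed for the example; treating a "cyclical" password as one that equals the previous password once digits are removed is one reasonable reading of that rule. The 6- and 8-character minimums are the policy's own; current guidance (NIST SP 800-63B) favours longer minimums and screening against breached-password lists over composition rules, so a practitioner adopting this checker would normally raise the minimums.

```python
"""Password policy checker for the PMU creation rules (added example, not PMU code)."""
import re
from dataclasses import dataclass, field

# Minimum lengths from the policy: 6 for regular users, 8 for managers/privileged users.
MIN_LENGTH = {"regular": 6, "privileged": 8}

# Constructed sample word list standing in for a real dictionary/movie/place list (assumption).
FORBIDDEN_WORDS = {
    "password", "welcome", "summer", "winter", "titanic", "avatar",
    "riyadh", "khobar", "dammam", "london",
}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
MONTHS = ("jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec")
# Matches month/year combinations such as "jan01" or "april2001".
MONTH_YEAR_RE = re.compile(r"(?:" + "|".join(MONTHS) + r")[a-z]*\s*'?\d{2,4}", re.IGNORECASE)


@dataclass
class UserProfile:
    """Attributes the policy says a password must not be associated with (constructed)."""
    username: str
    employee_number: str
    birthdate: str                      # YYYY-MM-DD
    family_names: list = field(default_factory=list)

    def tokens(self):
        """Lower-cased fragments (>= 3 chars) that must not appear inside the password."""
        toks = {self.username, self.employee_number, *self.family_names}
        toks.update(self.username.replace(".", " ").split())
        y, m, d = self.birthdate.split("-")
        toks.update({y, d + m, m + d, y[2:] + m + d, d + m + y})
        return {t.lower() for t in toks if len(t) >= 3}


def _has_sequence(pw, run=4):
    """True if pw contains `run` consecutive ascending/descending characters (1234, dcba)
    or a slice of a keyboard row (qwer)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def _is_cyclical(pw, previous):
    """Cyclical password: the old password with its numbers bumped (assumed reading:
    equal once all digits are removed, case-insensitively)."""
    strip = lambda s: re.sub(r"\d", "", s).lower()
    return strip(pw) == strip(previous)


def check_password(pw, role="regular", user=None, previous=None):
    """Return the policy violations for a candidate password; an empty list means acceptable."""
    violations = []
    if len(pw) < MIN_LENGTH[role]:          # role must be "regular" or "privileged"
        violations.append("MIN_LENGTH")
    classes = sum([
        any(c.isalpha() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    if classes < 3:                         # letters, numbers and special characters
        violations.append("CHARACTER_CLASSES")
    low = pw.lower()
    if user is not None and any(t in low for t in user.tokens()):
        violations.append("ASSOCIATED_WITH_USER")
    if any(w in low for w in FORBIDDEN_WORDS):
        violations.append("DICTIONARY_WORD")
    if _has_sequence(pw):
        violations.append("SEQUENCE")
    if MONTH_YEAR_RE.search(pw):
        violations.append("MONTH_YEAR")
    if previous is not None and (pw == previous or _is_cyclical(pw, previous)):
        violations.append("CYCLICAL")
    if len(set(pw)) == 1:
        violations.append("IDENTICAL_CHARS")
    return violations


# Constructed sample user for a stand-alone run.
SAMPLE_USER = UserProfile("ahmed.saleh", "20451", "1985-03-12", ["saleh", "alqahtani"])

if __name__ == "__main__":
    for candidate, prev in [("Vp9#kL2q", None), ("jan01", None), ("Saleh1985!", None),
                            ("Summer2015!", "Summer2014!"), ("1111111", None)]:
        print(candidate, "->", check_password(candidate, "regular", SAMPLE_USER, prev) or "OK")
```

The checker only rejects what the policy names; it deliberately does not attempt the "numerical equivalent of name" rule or leetspeak normalisation, which need a larger word list than an example should carry.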

 

●     Safeguarding Passwords:  For effective safeguarding of password, users must adhere to the following:

 

○     A password must be known only to the user who creates it. Passwords must not be shared with others.

○     A password must not be shared except in a temporary emergency situation. If a situation requires a password to be revealed to a second person, the owner of the password must change the password as soon as possible after the emergency situation has passed.

○     Passwords must not be stored in readable form (e.g. written down).

○     Passwords should be changed:

■     Every 45 days or less for supervisors and other privileged users, and every 90 days or less for regular users; or

■     Immediately, whenever there is any indication that the user's password has been compromised.

○     As an exception, the password for an application user ID may be set to "never expires", provided the password is stored encrypted.

○     Temporary passwords assigned to users must be changed at first log-on.

 

●     Handling of Privileged Passwords:  Privileged passwords, such as root or super user, are powerful passwords. As such, the custodians of these passwords must properly handle them by adhering to the following:

○     A privileged password must be known only to the Administrator responsible for the system. The backup Administrator should have no knowledge of it.

○     In case of emergency and in the absence of the Administrator, the backup Administrator may be given access to the password with the proper approval from their Department Manager. The Emergency Password form must be filled in by the requester and signed by the Department Manager.

○     The custodian of the privileged password must log into the system with their own named account and then switch from that account to the privileged account, so that use of the privileged account remains attributable to a named person.

○     After using the password, the backup Administrator must change the password.

○     When the Administrator returns, they must obtain the new password from the backup Administrator and change it.

 

 

Virus and Malicious Software Protection

 

●     Virus Detection Programs

○     ITD must ensure that the latest version of the approved virus detection program is installed on all computers.

○     Users are not allowed to remove or de-activate virus detection programs installed on their computers, without approval from ITD.

 

●     Preventing Viruses

○     Externally supplied floppy disks, CD-ROMs, and other removable storage media must not be used unless they have first been checked for viruses.

○     Externally supplied computer-readable files (software programs, databases, word processing documents, spreadsheets, etc.) must be decompressed (unzipped) before being subjected to an approved virus checking process.

○     If the files have been encrypted, they must be decrypted before running a virus detection program.  Many virus detection programs cannot detect viruses in a zipped or encrypted file.

 

●     Eradicating Viruses

 

○     Because viruses can be complex and sophisticated, users must not attempt to eradicate them without expert assistance.

○     If users suspect infection by a virus, they must immediately stop using the involved computer, disconnect from all networks, and call the Helpdesk.

○     If the suspected virus appears to be damaging information or software, users must turn the computer off immediately.

 

●     Playing with Viruses

 

Users must not intentionally write, compile, copy, propagate, execute, or attempt to introduce any computer code designed to self-replicate, damage, or otherwise hinder the performance of any PMU computer system. Such software may be called a virus, bacteria, worm, Trojan horse, etc.

 

●     Related Functional policies

 

Users must adhere to the Protection against Malicious Software and Viruses Functional Policy, in particular the following:

○     Users must not open e-mail attachments from unknown sources. All e-mail attachments received from known sources must be scanned for viruses.

○     Executable attachments (e.g. .exe) must not be launched and should be deleted immediately.

○     All software and/or freeware downloaded from the Internet or attachments from mail programs used on the Internet must be scanned for viruses.

Intellectual Property Rights Protection

General

 

●     All personal computing device software must be obtained from approved sources, as defined by PMU.

●     Software not supplied by PMU or at PMU direction must not be loaded or used on PMU personal computing devices.

●     Obtaining or downloading public domain and/or evaluation copies of software from other than PMU sources is permitted only under the following conditions:

○     The software must be required for a legitimate business purpose and approved by management;

○     Use of the software must comply with all applicable copyright and license agreements;

○     At a minimum, the person obtaining the software must perform an evaluation of the safety and reliability of the vendor or provider of the software; and

○     The software should be checked for viruses and other malicious code. This evaluation should be done on a single system before deploying the software to others.

 

 

Copyright Protection: PMU strongly supports strict adherence to software vendors’ license agreements and copyright holders’ notices.  Users must therefore strictly adhere to the following conditions:

 

●     Making unauthorized copies of licensed and copyrighted software, even if only for “evaluation” purposes, is strictly forbidden.

●     Reproduction of copyrighted materials is allowed only with the permission of the author/owner or of a court of competent jurisdiction.

●     If users have any questions about the relevance of copyright laws, they should contact PMU IT Department.

●     Unless they receive information to the contrary, users should assume that software and other materials are copyrighted.

●     It is the responsibility of each employee to protect PMU interests as they perform their duties. This includes responsibility for assuring that commercial software, acquired by PMU, is used only in accordance with licensing agreements.

Back-up Protection of Information

Periodic Back-up

●     All proprietary and/or valuable information resident on PMU computer systems must be periodically backed-up.

●     Unless automatic back-up systems are known to be operational, all end-users are responsible for making back-up copies of sensitive, critical, or valuable files. These separate back-up copies should be made each time that a significant number of changes are saved.

●     Users must ensure the back-up process was successful by restoring selected files from back-ups made.

●     Access to back-up copies should be properly restricted; e.g. storage media such as disks should be locked up, and access to back-up drives should be restricted to authorized users through per-user access controls.

 

Destruction of Information

Deletion of Information

●     Users are required to delete information from their computers if it is clearly no longer needed or potentially useful.

●     Use of an “erase” feature (e.g. putting a document in a trash can icon) is not sufficient for proprietary information because the information may still be recoverable.

●     All disks and CDs must be formatted before being given to any third party or to an employee of PMU not authorized to see their content. Users should contact the Helpdesk for assistance with formatting disks and CDs after authorization has been obtained from the owner of the information; as with the "erase" feature above, a quick format can leave the data recoverable, so the Helpdesk must use an approved erasure method.

 

Destruction of Information

●     Electronic Media: Prior to disposal, defective or damaged disks containing proprietary information must be destroyed using scissors or other approved methods.

 

Asset Accountability

Information Assets

○     Users must not leave proprietary information unattended e.g. at a printer or on photocopy machines.

○     All users must protect information in any format (hard copy, disk, tape, etc) at the level commensurate with its classification.

Software Assets

○     Users must protect personal computing device software from theft, unauthorized use, and/or unauthorized copying.

○     Users are not allowed to install or remove any software on any PMU computing equipment.

 

Hardware Assets

○     Computing Equipment: Users’ accountability for computing equipment must be in accordance with the following:

■     Users must not leave laptops unattended in an unsecured environment (on site or off-site).

■     Users must not leave laptops exposed in cars or hotel rooms.

■     User must never check-in a laptop as luggage when traveling. Always carry it on as hand luggage, in a briefcase or a laptop carry case. Airport X-ray machines do not damage data on a laptop or diskette.

■     Users must return any items issued to them (laptop computers, keys, ID cards, software, data, documentation, policies, etc.) to their manager or the Human Resources (HR) Department upon resignation or termination.

■     Users are accountable for any damage to computers and related equipment in their work area.

■     Equipment and media taken off the premises should not be left unattended in public places.

■     Equipment must not be exposed to extreme heat or cold.

■     Avoid storing any devices (e.g. hard disks) or equipment (e.g. laptops, desktops) in automobiles.

■     Automobiles and hotel rooms are potential theft areas.  Store devices out of the view of others.

 

Use of Networking Facilities

Use of Modems

●     Modems for office computers are not permitted.  Mobile and telecommuting computers are an exception to this rule. The use of modems must be approved as per the policy.

●     Do not provide IP addresses or dial-up access phone numbers to vendors and/or unauthorized parties.

●     Any individual who requires an individual analog line for dial-in/dial-out must obtain approval from the IT Department.

●     Remote access software such as PC Anywhere or Carbon Copy is strictly prohibited from use on PMU computing resources without the expressed permission of the IT Department.

●     Persons using remote access (e.g. dial-in, ISDN, wireless or Internet) to a PMU information resource must be individually identified and authenticated by an independent, dedicated device such as a firewall.

 

Unauthorized Browsing

●     Users must not browse through PMU computer systems or networks.  For example, curious searching for interesting files and/or programs in the directories of other users is prohibited.

●     Steps taken to legitimately locate information needed to perform one's job are not considered browsing.

 

Reporting and Responding to Security Incidents

 

Identification of Security Incidents

Methods by which a user can identify suspicious activity include, but are not limited to:

●     Unexpected account lockout;

●     Unusual last login time; and/or

●     Unknown files in their file areas.

 

Reporting Security Incidents

●     All PMU users must watch for any potential security incidents including:

○     Breaches of confidentiality;

○     Denial of service;

○     Errors resulting from incomplete or inaccurate business data; and

○     Information system failures and loss of service

●     Any such incidents must be promptly reported to the Helpdesk and/or the Information Security Officers by phone call or e-mail.

●     Reporting of Weaknesses

○     Users are required to note and report any suspected security weaknesses in, or threats to, systems or services.

○     Users must not attempt to prove a suspected weakness as testing weaknesses might be interpreted as a potential misuse of the system.

●     Reporting of Software Malfunctions

○     Prior to reporting software malfunctions, the following should be considered by the user:

■     The symptoms of the problem should be noted;

■     Any messages appearing on the screen should be noted;

■     Use of the computer should be suspended and the computer isolated;

■     The computer should be disconnected from PMU network; and

■     Disks, which were used on the affected computer, should not be transferred to any other computer.

●     Users must not attempt to remove the suspected software, unless authorized by IT.

●     Disciplinary Action

○     Users must know and understand that in the event of an incident caused by user negligence, they will face disciplinary action.

○     All users who commit security breaches will be subjected to a formal disciplinary process.

 

Controlling Configuration Changes on Computers

Changes to Software

PMU has a standard list of permissible software packages that users can run on their computers. Software package conditions that users must adhere to include:

●     Users must not install other software packages on their computers without obtaining advance permission from IT

●     Users must not permit automatic software installation routines to be run on PMU computers unless IT has first approved these routines.

●     Auto discovery license management software may be used to remotely determine which software packages are resident on users’ hard disks; unapproved software may be removed without giving user advance notice.

●     Users are not allowed to download and install software, games and/or freeware from the Internet.

 

Changes to Operating System Configurations

●     Users must not change their computer operating system configurations, including:

○     Upgrading existing operating systems; and/or

○     Installing new operating systems.

●     If such changes are required and authorized, they will be performed by IT.

Changes to Hardware

●     Computer equipment supplied by PMU must not be altered or added to in any way (e.g. upgraded processor, expanded memory, or extra circuit boards) without the prior knowledge of and authorization from IT.

 

Prohibited Use of Information Resources

●     Any activity intended to degrade the performance of a PMU information resource, circumvent security controls, or misuse the resource in any way is prohibited.

●     Users are prohibited from attempting to access other user accounts and/or files to which access has not been expressly authorized.

●     All information resources, including all owned, leased and contracted services involving word processing, minicomputers, mainframes, public telephone network elements and service bureaus, must be used only as authorized by PMU

●     Unauthorized use of any PMU information resource may subject the user to disciplinary action, up to and including termination of employment or termination of a supplier, contractor or agency agreement.

 

Protection against Social Engineering

Social engineering is the practice of impersonating someone else to gain information or services in a fraudulent manner. Employees must take steps to avoid being the victims of social engineering.  Required steps include:

●     Know with whom you are communicating.

●     If you do not know the caller personally or suspect the caller may not be valid, insist on a callback number and before returning the call, verify that the caller is legitimate.

●     You can be “spoofed” via E-mail. The name and address you receive or send to via E-mail may not be the real name and address of the person. Do not send PMU or customer proprietary information or reply with PMU or customer proprietary information to E-mail addresses you do not know or cannot verify as correct.

●     Make sure that the caller has a business need to know the information they are requesting. Never furnish proprietary information until the caller's need to know has been established.

●     Users who become the victim of social engineering, or social engineering attempts must report the incident to IT immediately.

 

PMU Internal Network Security

●     When connected to and using PMU internal networks, including Local Area Networks (LANs):

○     Do not misrepresent yourself (i.e., masquerade) as someone else on the network.

○     Do not monitor network traffic (i.e., use a "sniffer" or similar device) without first obtaining explicit management approval and informing IT.

○     Do not add any network device which creates an external connection (e.g. a bridge, router, gateway, hub, modem) to your workstation without first obtaining permission from your Provider of Service.

○     Do not install file sharing or peer-to-peer software (e.g. "Napster") unless PMU provides it.

●     Sharing files on your own hard drive (via network connections) can pose the following threats:

○     Unauthorized access to data files

○     Damage to data/program files - either accidental or malicious

○     Damage caused by virus attacks

●     If you must allow other users to access or store files on your network connected workstation:

○     You must select either User ID access control or password access control when defining the share options for the workstation disk drives and files.

○     You must not allow ANONYMOUS FTP, TFTP, or other unauthenticated access to program or data files on your workstation.

 

 

Physical and Environmental Security

Policy Statement

This functional policy covers PMU's Physical and Environmental Security. All information, systems and assets within PMU will enforce proper and strict physical access control. Physical security measures will be implemented to ensure the physical security and integrity of building facilities and computer centers. Protection measures will be appropriate to the classification level of the assets and information processed, stored, and handled within.

 

Objective

The objective of this Information Security Policy is to secure PMU information assets and staff. Where required, each policy statement is supported by standards and procedures that together form a complete security framework for PMU.

 

Purpose and Scope

●     All Information Assets (Digital Media)

●     All software assets

●     All physical assets, such as computer and network equipment.

●     All supporting services, such as power and network link

●     All management information systems

●     All business activities supported by PMU

●     All of the above are either owned or leased by the PMU and under the PMU possession, custody, or control.

 

General Responsibilities

It is the responsibility of the different departments/offices and of each employee to take the necessary steps to ensure compliance with the guidelines in this policy and with any further policies and procedures that may be added in due course.

 

Governing Policy Statements

The following Executive Policy Statements govern the Physical and Environmental Security Functional Policies listed in this document:

 

●     Appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunications operators must be maintained;

●     The risks associated with access to organisational information processing facilities by third parties must be assessed and appropriate security controls implemented;

●     All risks resulting from third party access must be reassessed on a periodic basis, or whenever such risks change;

●     Arrangements involving third party access to organizational information processing facilities must be based on a formal contract that must contain all necessary security requirements accompanied with appropriate responsibility and confidentiality undertaking. Any violations thereto must be dealt with accordingly;

●     Arrangements involving access to organisational information processing facilities by an organisation handling the outsourcing must be based on a formal contract containing all necessary security requirements.

●     Physical security perimeters must exist for all areas housing relevant information processing facilities;

●     ITD must ensure that secure access areas be protected by appropriate entry controls to ensure that only authorized personnel are allowed access;

●     Secure areas must be created in order to protect offices, rooms and facilities having special security requirements;

●     Additional controls and guidelines for working in secure areas must be used to enhance the security provided by the physical controls protecting the secure areas;

●     Delivery and loading areas must be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

●     Access to the machine rooms must be restricted to only those people who are permitted to use the machines;

●     Access to the machine rooms must be monitored for illegal access attempts.

●     Equipment must be sited and protected to reduce risks from environmental hazards and opportunities for unauthorized access;

●     Equipment must be protected from power failures and electrical anomalies;

●     Power and telecommunications cabling carrying data or information services must be protected from interception or damage;

●     Any information processing equipment, used for information processing on PMU’s systems, but situated outside PMU’s secure perimeters, must be secured in a way equivalent to PMU’s on-site equipment;

●     All access requirements must be based on a need to know, need to do basis;

●     Procedures for monitoring use of information processing facilities must be established and the result of the monitoring activities reviewed regularly.

 

Physical and Environmental Security Functional Policies

Access to PMU Premises

Physical Security Perimeter

 

●     Based on a risk assessment, all PMU buildings must be classified and separated into secure areas. Based on the classification of secure areas physical security measures must be implemented to provide adequate protection.

●     For all PMU facilities, a security perimeter must be established. The strength of the security perimeter will be determined by an assessment of the risks and threats to the physical environment. The security perimeter includes, but is not limited to:

○     Clearly defining the facility and security perimeter boundaries;

○     Ensuring all physical perimeter components (walls, doors, windows, etc.) are physically sound;

○     Effective access control 24 hours a day, seven days a week;

○     Implementing a manned reception area to control access to the main entry of the facility and appropriate controls to secondary entrances;

○     Implementing alarmed fire control doors as per local safety requirements, and complying with all applicable safety regulations.

●     Any subdivision of the PMU facilities requiring enhanced physical security must have its own physical security perimeters. These areas are referred to as “secure areas”. These areas would include, but are not limited to:

○     Computer data centres;

○     Security control centres;

○     Any vault or valuable storage facility;

○     Production or processing control centres.

 

Physical Entry Controls

 

●     All PMU employees and visitors must be authorized by a PMU Head of Department/Business Unit and Security Department for physical entry into PMU facilities.

●     Access rights to all areas must be reviewed on an annual basis.

●     Access to areas deemed “secure areas” (e.g. computer data centers, security control centers, valuable storage facilities or production processing centers) must be reviewed on a quarterly basis.

●     Physical access to all computer rooms must be tightly controlled. Doors must be locked at all times, with only authorized personnel having access.

●     Authorized personnel must not allow unknown or unauthorized individuals into restricted areas without escort. Any unrecognized and unescorted person within a computer room must be immediately challenged to determine the reason for their presence.

●     Personnel without a valid reason for being in the computer room must be escorted out of the computer room immediately, and the Security Department must be contacted through the department head or their representatives.

●     It is the responsibility of each employee, vendor or visitor that has been issued an access card to immediately report lost or stolen badges.

 

Securing Offices, Rooms and Facilities

All Areas

All areas within PMU which need to be secured, due to the nature of the information or assets they contain, must adhere to the following controls:

 

●     All critical computer rooms and data centres will be monitored 24 hours a day. This monitoring can be by cameras, alarmed doors and windows, people manning the centres, or a combination of the above. This monitoring ensures that unauthorized physical access to critical resources and information does not occur.

●     Buildings that house PMU’s computers or communications systems must be protected with physical security measures that prevent unauthorised persons from gaining access.

●     Computer room access must be limited to only those people with a valid business reason for access. Access must be reviewed quarterly and revoked immediately once it is no longer needed.

●     PMU computer and data centres are restricted areas. Programmers and users are not permitted unsupervised access to the computer centres.

●     Directories and internal books identifying locations of PMU information processing facilities or any other sensitive or secure area must not be readily available or accessible to the public.

●     Any hazardous or combustible materials must be stored at a safe distance from any secure area per local safety regulations and manufacturer specifications.

●     All doors and windows must be locked when unattended and comply with any local safety regulations.

●     Rooms containing wiring or communications equipment (wiring closets, PBX rooms, etc.) must be locked at all times with access restricted to authorized personnel only. Signs are not to be posted on wiring closets, telephone rooms and other equipment components that would attract the attention of unauthorized individuals.

●     Computer facility rooms must be equipped with doors that automatically close immediately after they have been opened, and which set off an audible alarm when they have been kept open beyond a certain period of time.

●     To avoid unnecessary access and damage, computer facility rooms must not be used for printing, faxing, or storage of computers, computer parts or stationery.

●     Computer facility rooms must not be shared with third parties.

●     There must be no signs indicating the location of computer or communications centres.

●     Backup and recovery media and facilities must be located at a safe distance from main facilities.  The backup facilities must be at a distance that would protect it from damage from any incident at the main site.

 

Secure Areas

●     Any person working or having access to a “secure area” must be informed of the enhanced security requirements of the “secure area”, this includes:

○     The details of the security perimeter of that area; and

○     The associated responsibilities for the area.

●     Recording equipment, like photo, video, audio is not allowed unless specifically authorized by an appropriate Department/Business Unit.

●     Any third party access granted to a “secure area” must be strictly controlled and monitored. All parties with access to the area must be authorized and logged. This includes support services such as cleaning or waste removal.

●     Any area deemed a “secure area” must be locked when vacant and physically checked periodically. The period of checks will be determined during the designation of the security requirements for that “secure area” and creation of the security perimeter.

 

Equipment Security

Cabling Security

●     Ethernet ports or network cabling must not be left unprotected. Exposed Ethernet ports or cabling can be used as an entry point to the PMU network by unauthorized users.

●     All power and telecommunications equipment and cabling must be protected against deliberate or accidental interruption of service. This includes protecting control boxes, cables, wiring hubs and other equipment from fire, vandalism, interception of communications or disruption of service.

●     All PMU network connections must be removed and/or deactivated when a site is being vacated.  Unauthorized users can use Ethernet ports or cabling that are not removed or deactivated as an entry point to the PMU network.

Equipment Maintenance

●     All equipment shall be under support and/or maintenance contracts. The level of maintenance taken out is to be appropriate for the importance of the item of equipment.

●     All equipment must be maintained, monitored and inspected in accordance with the suppliers' recommended service intervals and specifications to provide availability and protect the integrity and confidentiality of information.

●     Only authorized maintenance personnel are allowed to perform repairs and all repairs or service work must be recorded to identify potential failure patterns.

●     If equipment must be sent offsite for repairs, the confidentiality and integrity of any information must be ensured.

 

Equipment Staging and Protection

●     The level of protection that must be provided for any information resource within PMU must be assigned and will be dependent on:

○     The criticality of the service/operation provided by the resource (for example: is the service provided to a single user or to multiple users? Is the service critical to PMU?);

○     Effect of loss on supported services/operations;

○     The monetary value of the information resource;

○     Risk of theft; and

○     Value of the resource.

●     A physical location must be determined for each information resource in accordance with its specified level of protection.

●     Equipment must only be sited in a physical location after due consideration of the following potential threats:

○     Theft of equipment or vandalism;

○     Vibration;

○     Impact of disasters happening in nearby premises;

○     Electrical supply interference;

○     Electromagnetic radiation; and

○     Environmental factors, such as those listed under Environmental Control below.

●     Computer equipment must be housed in an environment equipped with fire and water detection and prevention measures.

●     Rooms adjacent to the computer facility room must not be used for purposes that may involve high risks (i.e. storage space, electricity room).

●     Any equipment located in publicly accessible areas, or rooms that cannot be locked, is to be fastened down by some physical means such as a cable lock system or enclosed in a lockable computer equipment unit or case.

●     Ownership, including the asset number, must be clearly marked on all computer equipment.

 

Power Supplies

 

●     To avoid power failures, a suitable electrical power supply must be provided in such way that Single Points of Failure can be avoided.

●     Based on business criticality, the use of a back-up generator must be considered.

●     Recovery procedures must be documented to ensure proper fallback or fail over processes. These procedures should be part of the disaster recovery plan.

●     Uninterruptible Power Supplies (UPS) must be used for equipment supporting critical business operations, either to allow an orderly shutdown or to keep systems running until backup power is available.

●     UPS and generator equipment will be checked on a quarterly basis to ensure it has adequate capacity and tested in accordance with the manufacturer's recommendations.

Secure Disposal or Re-use of Equipment

 

●     Any PMU information processing equipment that is to be disposed of, or reused, must undergo a cleansing process before release. The cleansing process must consist of:

○     Destruction of the information residing on equipment;

○     Validation of the process; and

○     Testing of the process to ensure no data is left on the equipment.

●     If the equipment stored information classified as “confidential” or “critical” the equipment must be physically destroyed beyond repair or restoration before being disposed of.
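“Testing of the process to ensure no data is left” is a concrete check that can be automated. The following Python script is added here as an example; it is not part of the PMU policy or of any PMU tool. It reads a disk image or block device end to end, confirms every byte matches the wipe pattern, and searches for well-known on-disk signatures (partition table header, boot sectors, executables, ZIP/Office containers) that a complete wipe must have destroyed. The signature list and the 4 KiB sample images built in demo_images() are constructed for this example; on real media the same function would be run on the device the wipe tool reported complete, e.g. open('/dev/sdX', 'rb').

```python
import io

# Signatures of on-disk structures a successful wipe must have destroyed.
# Constructed list for this example; extend it for the media types in use.
RESIDUAL_SIGNATURES = {
    b"EFI PART": "GPT partition table header",
    b"NTFS    ": "NTFS boot sector",
    b"FAT32   ": "FAT32 boot sector",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP/Office container",
}
_MAX_SIG = max(len(s) for s in RESIDUAL_SIGNATURES)


def verify_wipe(stream, pattern=b"\x00", chunk=1 << 20):
    """Check that every byte of `stream` equals the repeated wipe pattern.

    stream:  binary file object on the image or device, e.g. open('/dev/sdX', 'rb')
    pattern: bytes the wipe tool was expected to write (zeros by default)
    Returns a dict with a clean flag, bytes checked, the first residual
    offset, the residual byte count and any recognised signatures.
    """
    if not pattern:
        raise ValueError("pattern must be non-empty")
    chunk -= chunk % len(pattern)          # keep every chunk pattern-aligned
    expected = pattern * (chunk // len(pattern))
    total, first_bad, bad_bytes, sigs = 0, None, 0, []
    tail = b""                             # carry-over so a signature split across chunks is found
    while True:
        data = stream.read(chunk)
        if not data:
            break
        ref = expected[:len(data)]
        if data != ref:                    # only walk byte-by-byte when a chunk is dirty
            for i, (got, want) in enumerate(zip(data, ref)):
                if got != want:
                    bad_bytes += 1
                    if first_bad is None:
                        first_bad = total + i
        window = tail + data
        for sig, name in RESIDUAL_SIGNATURES.items():
            pos = window.find(sig)
            while pos != -1:
                # report only matches that end inside the new data, so a match
                # that lay entirely in the previous tail is not counted twice
                if pos + len(sig) > len(tail):
                    sigs.append((total - len(tail) + pos, name))
                pos = window.find(sig, pos + 1)
        tail = data[-(_MAX_SIG - 1):]
        total += len(data)
    return {
        "clean": first_bad is None and not sigs,
        "bytes_checked": total,
        "first_residual_offset": first_bad,
        "residual_bytes": bad_bytes,
        "signatures": sigs,
    }


def demo_images():
    """Constructed 4 KiB images: one fully zeroed, one with an NTFS boot sector left at 2 KiB."""
    clean = bytes(4096)
    dirty = bytearray(4096)
    dirty[2048:2056] = b"NTFS    "
    return (verify_wipe(io.BytesIO(clean), chunk=1024),
            verify_wipe(io.BytesIO(bytes(dirty)), chunk=1024))


if __name__ == "__main__":
    for label, result in zip(("clean image", "dirty image"), demo_images()):
        print(label, result)
```

A pass from this check shows only that the pattern reached every addressable sector. It cannot see remapped, spare or over-provisioned sectors on hard disks and SSDs, which is one reason the policy still requires physical destruction for media that held confidential or critical information.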

 

Environmental Control

●     Adequate environmental safeguards must be implemented to protect IT system resources as deemed appropriate for the sensitivity or criticality of the resource. At least the following environmental safeguards are to be assessed:

○     Fire prevention, detection, suppression and protection;

○     Water hazard prevention, detection and correction;

○     Electric power supply protection (an international guide on maximum reasonable expenditure on power protection suggests 4 percent of the value of the equipment being protected, unless the mission-critical nature of a particular system necessitates additional protection);

○     Temperature control;

○     Humidity control;

○     Natural disaster protection (from lightning, etc.);

○     Magnetism protection; and

○     Good housekeeping procedures for protection against dust and dirt.

●     Environmental conditions should be periodically reviewed and monitored for conditions, which could affect PMU information processing facilities.

●     Fire-rated walls surrounding computer facilities must be non-combustible and resistant to fire for at least one hour. All openings in these walls (doors, ventilation ducts, etc.) should be self-closing and likewise rated for at least one hour.

●     To minimize theft and water damage, multi-user computers and communications facilities must be located above the first floor in buildings.

●     All computer equipment must operate in a climate-controlled atmosphere at all times. Backup ventilation plans must be provided in the event that air conditioning systems in computer rooms fail.

●     Facilities management must test fire suppression systems at least every 6 months and document the test results.

●     All computer room personnel must be trained in the use of any automatic fire suppression systems, the use of portable fire extinguishers, and in the proper response to smoke and fire alarms.

●     Use of mobile phones must be restricted inside the computer rooms.

●     Fire drill for Computer Operations staff should be conducted quarterly.

 

Removal of Property

●     Equipment, information or software should not be taken off-site without written authorization. A copy of the authorization should be kept by the user and the manager. Written authorization should include, but is not limited to the following detail:

○     The date the removal is authorized for;

○     The name and signature of the person who granted the authorization;

○     The name, ID and signature of the person to whom the authorization is granted; and

○     The serial number(s) where applicable.

●     Where necessary and appropriate, equipment should be logged out and logged back in when returned (serial number(s) used, where possible).

●     Spot checks should be undertaken to detect unauthorized removal of property. Individuals should be made aware that spot checks will take place.

●     Computer media in transit must be protected from loss or misuse during transportation. Reliable transport or couriers should be used. Appropriate heat-resistant and water-resistant packaging should be used to protect the contents from heat, water and any physical damage likely to arise during transit, in accordance with manufacturers’ specifications.

Securing Communications Networks

●     Physical access to communications equipment and facilities must be restricted to authorized personnel.

●     Suppliers or service engineers must be supervised when they have access to communications equipment.

●     Critical areas, such as network operation centers, including those at remote sites, must be protected from power failure, such as by the use of uninterruptible power supplies (UPS).

●     Communications cables should be protected by use of the following:

○     Concealed installation;

○     Armored Conduit;

○     Locked inspection/termination points;

○     Alternative feeds or routing; and

○     Avoidance of routes through public areas.

●     Fiber optic cables should be used in preference to copper where feasible: they do not radiate a signal and are harder to tap without detection. They do not remove the need for the physical protections listed above.

Supplement on Virus Prevention, Detection, and Removal

Policy Statement

This functional policy covers PMU's protection against malicious software and viruses. Communications and operational management of information resources and systems are essential to maintaining a high level of service. Security requirements will be developed and implemented to maintain control over communications and operations.

It is each user’s responsibility and obligation to ensure that all IT resources are used only for their intended business purpose and that information contained in or transmitted via these resources is protected from unauthorized use, appropriation, or corruption.

 

Objective

The objective of these Information Security Policies is to secure PMU’s Information Assets and staff.

Each policy statement in this policy, wherever required, is supported by standards and procedures to achieve a complete security framework in the PMU.

 

Purpose and Scope

This policy applies to ITD, Owners, their delegates and/or Custodians.  In the PMU context the term “Owner” covers any of the following: an information, application, installation, network, business and/or development owner:

 

●     All Information Assets

●     All software assets

●     All physical assets, such as computer and network equipment.

●     All supporting services, such as power and network link

●     All business activities supported by PMU.

●     All of the above are either owned or leased by PMU and under PMU possession, custody, or control.

 

General Responsibilities

It is the responsibility of the different departments/offices and each employee to take necessary steps for ensuring compliance with the guidelines in this policy, and any further Policies and Procedures that may be added in due course of time.

Governing Policy

The following Executive Policy statements govern the Protection Against Malicious Software and Viruses Functional Policies listed in this document.

 

●     Responsibilities for the protection of individual assets and for carrying out specific security processes must be clearly defined;

●     The risks associated with access to organizational information processing facilities by third parties must be assessed and appropriate security controls implemented;

●     Any security related incidents must be reported immediately through the established channels after the incident is discovered;

●     Detection and preventive controls to protect information and information processing facilities against malicious software and appropriate user awareness procedures must be implemented;

●     Removable computer media, such as tapes, disks, cassettes and printed reports, must be protected and controlled according to its classification;

●     Back-up copies of essential business information and software must be taken regularly;

●     Content scanning must only be enforced in checking for malicious software, viruses or violations;

●     Media being transported must be protected from unauthorized access, misuse or corruption;

●     The purchase, use and modification of software must be controlled and checked to protect against possible covert channels and Trojan code.

 

Protection against Malicious Software and Viruses

Malicious Software Delivery Mechanisms

Users should be aware that malicious software is commonly delivered by one of the following methods:

Physical Transfer of Storage Media

●     Computer systems may become infected by exposure to a contaminated source. Malicious software can infect any form of storage media, including hard drives, diskettes, CDs, magnetic tapes and cartridges, optical media and USB drives.

●     Some of the most frequent sources of contamination are:

○     Copying data from infected removable media;

○     Booting from an infected disk, CD or USB drive; and

○     Infected media received from another user within PMU, from a vendor, or even in commercial shrink-wrapped software.

Electronic Mail

●     Malicious code is often spread when documents and files are sent over e-mail.

●     A plain-text message body cannot by itself execute code; the risk comes from what a message carries or points to.

●     Most e-mail applications allow file attachments. These attachments may contain executable code, macros or scripts. When the message is received, the attachment may be activated by the user, giving the malicious software an opportunity to attack and spread.

 

Downloaded Software

●     Software downloaded from the Internet or an electronic bulletin board system may include malicious software and computer viruses.

●     Files exchanged in chat sessions are becoming a frequent method of propagating malicious software.

 

Mobile Code

●     Mobile code is software that is transferred from a remote system and executed on the local machine without explicit installation, and is usually written to run on multiple platforms.

●     Mobile code is commonly delivered as small applications called applets, which are often used on Web pages to provide news tickers, front-end graphical user interfaces (GUIs) and video games.

●     Some examples of programming languages and technologies used to develop mobile code include Java, JavaScript, ActiveX, and PostScript.

●     Malicious code can be hidden within Java applets, ActiveX controls and plug-ins to steal information from a computer or disable a system.

 

Preventing Malicious Software and Viruses

To protect PMU resources against the risk of physically transferred malicious code, the following protection measures must be adhered to:

 

Physical Transfer

●     Users should avoid booting or copying files from removable media such as USB drives or CD-ROM’s unless they have been obtained from a trusted source.

●     Users should avoid leaving removable media such as diskettes, CD-ROMs and USB drives in bootable drives.

●     All storage media obtained from sources external to PMU must be scanned by an approved anti-virus software product with current signature files prior to use.

●     Prior to providing storage media to customers, vendors, or others outside PMU, the media must be scanned by an approved anti-virus software product with current signature files.

 

Electronic Mail

●     Users should be suspicious of all e-mail messages from people that they don't know.

●     All e-mail messages that include attachments should be viewed with suspicion.  Users should know the purpose of attachments before opening them.

●     Suspicious e-mail messages with executable attachments (e.g. .com or .exe) should not be opened, even if they appear to be from people known to the user.

●     Macro programs contained in Word or Excel files received by e-mail should not be executed until it has been determined that they come from a trusted source.
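The attachment rules above can be enforced mechanically at the mail gateway or on the desktop rather than left entirely to the user. The following Python script is added here as an example; it is not part of the PMU policy or of any PMU system. It triages one attachment by name and by content: it blocks executable extensions (the policy names only .com and .exe; the longer list here is a constructed extension of it), catches double extensions such as invoice.pdf.exe, detects a PE executable by its MZ header whatever the file is called, and quarantines Office documents that embed a VBA project (a vbaProject.bin entry in the OOXML container) or use the legacy binary format in which macros cannot be ruled out without parsing. The block/quarantine/allow verdicts and the sample attachments built in the block are constructed for the example.

```python
import io
import zipfile

# Extensions Windows executes directly when opened. The policy names only
# .com and .exe; the rest is a constructed extension of that list.
EXECUTABLE_EXT = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js",
                  "jse", "wsf", "wsh", "hta", "msi", "ps1", "cpl"}
MACRO_ENABLED_EXT = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
MZ_MAGIC = b"MZ"                                   # PE/DOS executable header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (docx/xlsx/pptx) are ZIP containers
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"    # legacy binary Office (doc/xls/ppt)


def triage_attachment(filename, data):
    """Classify one attachment as 'block', 'quarantine' or 'allow', with reasons.

    Both the name and the content are examined so that a renamed executable
    (report.pdf whose bytes start with MZ) is still caught.
    """
    reasons = []
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""

    # Name-based checks
    if last in EXECUTABLE_EXT:
        reasons.append(("block", f"executable extension .{last}"))
        if len(exts) > 1:
            reasons.append(("block", f"double extension .{'.'.join(exts)} used to disguise type"))
    if last in MACRO_ENABLED_EXT:
        reasons.append(("quarantine", f"macro-enabled Office format .{last}"))

    # Content-based checks (magic bytes, independent of the file name)
    if data.startswith(MZ_MAGIC):
        reasons.append(("block", "PE executable content (MZ header) regardless of file name"))
    elif data.startswith(OLE_MAGIC):
        reasons.append(("quarantine", "legacy binary Office file; macros cannot be excluded without parsing"))
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                    reasons.append(("quarantine", "VBA macro project embedded in Office container"))
        except zipfile.BadZipFile:
            reasons.append(("quarantine", "ZIP header present but container does not parse"))

    if any(level == "block" for level, _ in reasons):
        verdict = "block"
    elif reasons:
        verdict = "quarantine"
    else:
        verdict = "allow"
    return verdict, [text for _, text in reasons]


def make_office_container(with_macro):
    """Build a minimal OOXML-style ZIP in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
        ("report.pdf", b"MZ\x90\x00" + b"\x00" * 60),
        ("quarterly.docx", make_office_container(with_macro=True)),
        ("quarterly.docx", make_office_container(with_macro=False)),
        ("notes.txt", b"plain text"),
    ]
    for name, blob in samples:
        verdict, why = triage_attachment(name, blob)
        print(f"{name}: {verdict} {why}")
```

The container check looks only for the presence of a VBA project, which is enough to route the file to the quarantine step the policy calls for (confirming the sender is trusted before macros run); it does not attempt to decide whether the macro itself is malicious.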

 

Downloaded Software

●     Software should not be downloaded from an unknown or un-trusted source.

●     Obtaining or downloading public domain, shareware, or evaluation copies of software from other than PMU sources is permitted only under the conditions set out in this policy, including the scanning requirement below.

●     Software downloaded from sources external to PMU must be scanned by an approved anti-virus software product with current signature files prior to being installed on an PMU information resource.

 

Mobile Code

●     In an interactive environment, a server is accessed across a network and an application (applet) is downloaded onto the computer and then executed. Users’ web browsers should be configured to prevent downloading of applets.

●     Java and ActiveX should only be enabled when they are needed to access a trusted Web site.

Application Software

●     Many software applications, such as Internet Explorer, Mozilla Firefox, Google Chrome and the Microsoft Office Suite, contain features designed to alert the user before opening or activating files that could contain potentially dangerous software.

●     Users should carefully consider the source of files that are flagged in this manner.

●     Users should not configure the application software to disable these warnings.

 

Anti-Virus Software

Anti-Virus software is the main line of defense against computer viruses.

ITD responsibilities include:

●     Ensuring that current, University approved, anti-virus software is installed and activated on all computers issued to users.

●     Configuration of the software to scan all file types, not just executables.

User responsibilities include:

●     Software must not be written, generated, copied, propagated or executed that will damage or hinder the performance of any PMU information resource.

●     Users of any PMU PC must ensure that current, University-approved anti-virus software is activated on their PC. This software must be actively enabled at all times.

Detecting Malicious Software and Viruses

Identification of Malicious Software

 

●     Malicious software can be identified through observation, technical knowledge, or virus alerts.

●     Several factors can indicate that malicious code has infected a system. Some indicators that help confirm the presence of a file-infecting virus are:

○     File size increase;

○     Unexpected change in a file’s modification timestamp;

○     Sudden decrease of free space;

○     Numerous unexpected disk accesses; and

○     Strange macros attached to files.

These indicators are typical of viruses that modify existing files; malware that does not alter files will show none of them, so their absence does not prove a system is clean.
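The file-size and timestamp indicators above are only usable against a recorded baseline. The following Python script is added here as an example; it is not part of the PMU policy or of any PMU tool. It snapshots the size, modification time and SHA-256 of every file under a directory and diffs two snapshots, flagging growth, timestamp changes, new and missing files, and the more suspicious case of content that changed while its timestamp did not. The directory layout, file names and the tampering scenario in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile


def _sha256(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def snapshot_dir(root):
    """Record size, mtime and SHA-256 for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.stat(path)
            snap[os.path.relpath(path, root)] = {
                "size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": _sha256(path)}
    return snap


def diff_snapshots(before, after):
    """Compare two snapshots and return (relative_path, finding) pairs.

    The hash is the authority: a timestamp change without a hash change is
    noise, while a hash change with an unchanged timestamp is the more
    suspicious case (something rewrote the file and restored its mtime).
    """
    findings = []
    for rel in sorted(set(before) | set(after)):
        old, new = before.get(rel), after.get(rel)
        if old is None:
            findings.append((rel, "new file"))
        elif new is None:
            findings.append((rel, "file missing"))
        elif old["sha256"] == new["sha256"]:
            if old["mtime_ns"] != new["mtime_ns"]:
                findings.append((rel, "timestamp changed, content unchanged"))
        else:
            if new["size"] > old["size"]:
                findings.append((rel, "size increased"))
            elif new["size"] < old["size"]:
                findings.append((rel, "size decreased"))
            if new["mtime_ns"] == old["mtime_ns"]:
                findings.append((rel, "content changed but mtime unchanged (possible timestomping)"))
            else:
                findings.append((rel, "content changed"))
    return findings


def demo():
    """Constructed scenario: baseline a directory, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        a, b = os.path.join(root, "app.bin"), os.path.join(root, "config.dat")
        with open(a, "wb") as f:
            f.write(b"A" * 100)
        with open(b, "wb") as f:
            f.write(b"B" * 100)
        before = snapshot_dir(root)

        # 1) a file grows (code appended to it); its mtime moves forward
        with open(a, "ab") as f:
            f.write(b"\x90" * 50)
        t = before["app.bin"]["mtime_ns"] + 10**9
        os.utime(a, ns=(t, t))
        # 2) a same-size rewrite with the original mtime put back
        with open(b, "wb") as f:
            f.write(b"C" * 100)
        t = before["config.dat"]["mtime_ns"]
        os.utime(b, ns=(t, t))
        # 3) a file that was not in the baseline
        with open(os.path.join(root, "dropper.tmp"), "wb") as f:
            f.write(b"Z" * 10)
        after = snapshot_dir(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

In practice the baseline is taken from a known-good state and stored off the monitored host, so that malware which can alter files cannot also alter the record they are compared against.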

 

Further Guidelines

●     The anti-virus software should be used to perform a periodic scan of all files on the system. PMU ITD maintains a local signature server that contains the most recent updates. All University laptops and desktops are configured to get their updates from this central server.

●     Any machine suspected to be infected by a virus is immediately disconnected from all networks. The machine must not be reconnected to the network until IT staff can verify that the virus has been removed.

Reporting Malicious Software and Viruses

 

●     Malicious software can spread quickly and needs to be eradicated as soon as possible to limit damage to PMU information resources.

●     Reporting actual attacks by viruses or other malicious software is important because it allows PMU to collect information regarding the magnitude and severity of the attack and to take appropriate steps to halt further contamination.

●     For assistance in removing a virus or other malicious software, if needed, or for help repairing any damage that resulted, users should contact the Help desk.

●     Any significant malicious software attacks must be reported to the Help desk for further investigation and assessment. An attack should be considered "significant" if one or more of the following apply:

○     The infection has caused the loss or damage of PMU data;

○     The infection has impacted more than one computer or system; and/or

○     The infection is the result of a virus that has previously been assessed by PMU as a high risk.

Correcting Malicious Software and Viruses

Backup

●     The ability to recover from a malicious attack depends upon maintaining frequent backups.

Recovery

●     If it is not practical or feasible to obtain a new, uninfected copy of the file when attempting recovery, anti-virus software may be used to remove the virus.

Virus Hoaxes

●     A virus hoax is the fraudulent report of a virus for the purpose of generating large amounts of network traffic about the non-existent virus.

●     While PMU will sometimes make use of established employee communications channels to distribute information regarding viruses, users must ignore and not forward e-mail or other messages originating from other sources regarding supposed viruses.

●     Passing on messages about hoaxes only serves to further propagate them and unnecessarily increase the utilization of PMU resources.

●     PMU security personnel regularly receive information from the major anti-virus software vendors and other sources. It is not necessary to pass information to them regarding possible viruses.

Supplement on SPAM, Intrusion Prevention and Detection

Policy Statement

It is each user’s responsibility and obligation to ensure that all resources are used only for their intended business purpose and that information contained in or transmitted via these resources is protected from unauthorized use, appropriation, or corruption. This functional policy is intended to clarify to all users of PMU infrastructure what their responsibilities are; to define the potential risks and dangers for PMU in the event of misappropriation and abuse of infrastructure by users; and to regulate the professional and effective use of infrastructure within PMU as well as between PMU and external entities.

Objective

The objective of these Information Security Policies is to secure PMU’s Information Assets and staff. Each policy statement in this policy, wherever required, is supported by standards and procedures to achieve a complete security framework in the PMU.

Purpose and Scope

 

●     All Information Assets (Digital Media)

●     All software assets

●     All physical assets, such as computer and network equipment.

●     All supporting services, such as power and network link

●     All management information systems

●     All business activities supported by PMU.

●     All of the above are either owned or leased by the PMU and under the PMU possession, custody, or control.

General Responsibilities

It is the responsibility of the different departments/offices and each employee to take necessary steps for ensuring compliance with the guidelines in this policy, and any further Policies and Procedures that may be added in due course of time.

Governing Policy

The following Executive Policy statements govern the Combating Cyber Crime Functional Policies listed in this document:

 

●     Intrusion detection software which records attempted and successful access to PMU systems

●     Access control lists and facilities, which record certain activities for specific files, such as: read, write, execute, and delete

●     Network usage analysis, which identifies application access and reports on user authorization levels

●     Network packet sniffing software to detect attack origins

●     Disable specific applications, for example, an e-mail system subjected to a SPAM attack

●     Ensure that all system and access events are logged

●     Gather evidence to prove malicious intent, especially if the suspects are organization staff

●     Access Controls should limit access to only those persons so authorized. Use a combination of policies and guidelines to promote both awareness and compliance

●     Implement strong authentication and appropriate access control measures.

●     Always perform rigorous System Testing before releasing into live 'production'

●     Restrict and control all software and utilities which could be used inappropriately

●     All software downloads must be virus-scanned

●     Deploy software scanning tools to detect the 'footprint' of malicious code, introduced via e-mail, Internet download or by other means, e.g. diskette or CD-ROM

●     Foster a sense of constant vigilance throughout the organization

●     Nominate a technically oriented member of staff as 'virus control officer' to be the first point of contact for all virus alert issues and who co-ordinates follow up actions

●     Advise staff of virus reports identified as hoaxes, in order to minimize disruption to business

●     Consider designating a specific telephone extension as the virus 'hotline', reserved for virus and other malicious code reports / warnings.

●     The Information Security Officer, the System Administrator, and the nominated virus control officer should collaborate to prepare a Virus Incident Response Plan

●     Ensure that all PCs are protected, and that regular anti-virus updates are distributed

●     After a virus attack, consider regularly reviewing software and files used for critical business processes to identify and investigate unauthorized and / or suspicious changes

●     Promote awareness of the risks and encourage best practice regarding the receipt of e-mail attachments

●     Consider the optimum deployment: servers only, or servers and workstations. The latter is recommended

●     Ensuring that the license agreement includes updates of the anti-virus software and of the vaccine files

●     Choosing e a vendor who offers 'hotline' support to deal with newly released virus strains

 

Functional Policy

Combating Cyber Crime

Cyber Crime remains a major area of Information Security risk. The sophistication of these threats is consistently increasing, and the methods employed to combat them must match that level of sophistication. As a result, all system users must be especially vigilant at all times.

Defending Against Premeditated Third Party Cyber Crime Attacks.

Criminals may target the organization's information systems, resulting in serious financial loss and embarrassment.

○     Security on the network is to be maintained at the highest level. Those responsible for the network and external communications are to receive proper training in risk assessment and in how to build secure systems which minimize the threats from cybercrime.

Minimize the Impact of Cyber Attacks.


Even the most Information Security conscious organizations can be attacked; this may be to 'prove a point' or for other malicious reasons.

○     Plans are to be prepared, maintained and regularly tested to ensure that damage done by possible external cybercrime attacks can be minimized and that restoration takes place as quickly as possible.


Collecting Evidence for Cyber Crime Prosecution

In order to prosecute Cyber Crime successfully you need proof. This can be difficult to provide unless your organization's information systems have adequate controls and audit capabilities.

○     Perpetrators of cyber-crime will be prosecuted by PMU. Suitable procedures are to be developed to ensure the appropriate collection and protection of evidence.


Defending Against Premeditated Internal Attacks

Access to confidential data may be legitimized in employees' job descriptions. The act of copying sensitive data may not necessarily leave a 'footprint' on the system, and such copies can then be exported from your organization by e-mail or by removable media without leaving a trace. The effects of outright malicious data destruction are obvious, but the computer entry process of doing so may have seemed routine.

○     To reduce the incidence and possibility of internal attacks, access control standards and data classification standards are to be periodically reviewed whilst maintained at all times.

Defending Against Opportunistic Cyber Crime Attacks


Opportunistic criminal attacks usually arise from the chance discovery of a loophole in the system which permits access to unauthorized information.

○     It is a priority to minimize the opportunities for cyber crime attacks on PMU systems and information through a combination of technical access controls and robust procedures.

Safeguarding against Malicious Denial of Service Attack.


Denial of Service (DoS) attacks have gained notoriety as being an effective way to disable Web based services. See DoS for an explanation of the techniques used and their consequences.

○     Contingency plans for a denial of service attack are to be maintained and periodically tested to ensure adequacy.

Defending Against Hackers


Unlike other forms of Cyber Crime, these attacks take a 'scatter gun' approach, in that they do not target a specific organization. If you happen to be 'in the firing line', and your Information Security safeguards are poor, you are likely to be hit.

○     Threats to PMU-IT systems and information are to be minimized by fostering staff awareness, encouraging staff vigilance, and deploying appropriate protective systems and devices.

Handling Hoax Virus Warnings


Threats from viruses are well known throughout the IT community. Hoax threats - the spreading of rumors of fictitious viruses or other malicious code - can waste time, as staff attempt to locate a virus which does not exist.

Vigilance and good virus intelligence warnings are the key to minimizing the impact of hoaxes.

Defending Against Virus Attacks


Virus infection can be minimized by deploying proven anti-virus software and regularly updating the associated vaccine files. Many anti-virus companies supply such updates from their Web sites.

○     Without exception, Anti Virus software is to be deployed across all PCs, with regular virus definition updates and scanning across servers, PCs and laptop computers.

Responding to Virus Incidents


Despite general awareness and technical safeguards, some viruses nevertheless enter and infect the organization's systems. Dealing with a virus in a professional and planned way reduces both its impact and its spread throughout the organization and beyond.

●     The threat posed by the infiltration of a virus is high, as is the risk to PMU-IT systems and data files. Formal procedures for responding to a virus incident are to be developed, tested and implemented.

●     Virus incident response must be regularly reviewed and tested.

Virus Scanning Software


The development of anti-virus software is a highly technical and specialized area. Consequently, the product must be selected with the utmost care.

●     Anti Virus software must be chosen from a proven leading supplier.


Supplement on Authentication and Passwords

Objective

The objective of these Information Security Policies is to secure PMU's Information Assets and staff.

Each policy statement in this policy is, wherever required, supported by standards and procedures to achieve a complete security framework in the PMU.


Purpose and Scope

●     All Information Assets (Digital Media)

●     All software assets

●     All physical assets, such as computer and network equipment.

●     All supporting services, such as power and network link

●     All management information systems

●     All business activities supported by PMU.

●     All of the above are either owned or leased by the PMU and under the PMU possession, custody, or control.

General Responsibilities

It is the responsibility of the different departments/offices and each employee to take necessary steps for ensuring compliance with the guidelines in this policy, and any further Policies and Procedures that may be added in due course of time.


Governing Policy

The following Executive Policy Statements govern the Functional Policies on Log on and Authentication listed in this document:

●     Business requirements for access control must be defined and documented, and access must be restricted to what is defined in the access control policy.

●     All access requirements must be based on a need to know, need to do basis.

●     The allocation of passwords must be controlled through a formal management process.

●     Operating systems and applications must include as a minimum, adequate user access controls, password controls and monitoring controls.

●     Each System Owner at PMU must enforce all users to follow good security practices in the selection and use of passwords.

●     Access by remote users must be subject to authentication.

●     Connections to remote computer systems must be authenticated.

●     The procedure for logging onto computer systems must be designed to minimize the opportunity for unauthorized access.

●     User identification and authentication must be strictly enforced.

●     Access to information services must use a secure log-on process.

●     All users must have a unique identifier (user ID) for their personal and sole use so that activities can be traced to the responsible individual.

●     A password management system must be in place to provide an effective, interactive facility that ensures quality passwords.

●     Use of system utility programs must be restricted and tightly controlled.

●     Inactive terminals in high risk locations or serving high risk systems must shut down after a defined period of inactivity to prevent access by unauthorized persons.

●     Restrictions on connection times must be used to provide additional security for high-risk applications.

●     Audit logs recording exceptions and other security-relevant events must be produced and kept for an agreed period to assist in future investigations and access control monitoring.

●     Procedures for monitoring use of information processing facilities must be established and the result of the monitoring activities reviewed regularly.

●     Computer clocks must be synchronized for accurate recording.

Authentication Functional Policies

●     Log on

○     Pre-Log on Banner: All computer systems within PMU must contain a pre-log on warning banner to address the following:

■     Before being given the opportunity to log onto a computer facility, intended users will be presented with a login banner, where applicable.

■     This gives users a chance to terminate the login before accessing a computer that they are not authorized to use. Identification of PMU, the network, location, or host must not appear prior to a successful login.

■     Systems must be configured not to give any information on an unsuccessful login. This includes identifying which portion of the login sequence (user ID or password) was incorrect.
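The two log-on requirements above (a banner that identifies nothing, and a failure response that does not say whether the user ID or the password was wrong) as an added Python illustration. This is example code written for this page, not software from PMU or the policy; the user store, the password, the banner wording and the identifier list are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed credential store for the example: user ID -> (salt, PBKDF2 hash).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USER_STORE = {"jdoe": (_SALT, _hash_password("correct horse battery staple", _SALT))}

# Dummy credential so that an unknown user ID performs the same hashing work
# as a wrong password instead of returning early (no timing hint either).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_urlsafe(16), _DUMMY_SALT)

GENERIC_FAILURE = "Login failed."

# Constructed banner text: it names no organization, host, network or location.
PRE_LOGON_BANNER = "Authorized users only. Activity on this system may be monitored."


def leaky_login(user_id: str, password: str):
    """The pattern the policy forbids: the response reveals which part was wrong."""
    if user_id not in USER_STORE:
        return (False, "Unknown user ID.")
    salt, stored = USER_STORE[user_id]
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return (False, "Incorrect password.")
    return (True, "Welcome.")


def policy_login(user_id: str, password: str):
    """Compliant: same message and same work whether the ID or the password failed."""
    salt, stored = USER_STORE.get(user_id, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(stored, _hash_password(password, salt))
    if user_id not in USER_STORE or not ok:
        return (False, GENERIC_FAILURE)
    return (True, "Welcome.")


def banner_discloses_identity(banner: str, identifiers) -> list:
    """Review check for a pre-log on banner: return every organization, host,
    network or location name from `identifiers` that appears in the banner
    text. The policy requires the result to be empty."""
    low = banner.lower()
    return [i for i in identifiers if i.lower() in low]
```

The identifier list passed to `banner_discloses_identity` would in practice be the organization name, hostnames, network names and site names that must not appear before a successful login.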

 

●     Authentication

○     User Identification

■     All users must have their identity verified with a user ID and a secret password, or by other means that provide equal or greater security, prior to being permitted to use PMU information resources.

■     Unless prior permission from the ITD has been granted, all System Administrators must consistently observe the user-ID naming standards.

■     Each computer and communication system user-ID must be unique and permanently connected solely with the user to whom it has been assigned.

■     After a worker leaves PMU, there should be no re-use of any user-IDs. Any exceptions should be authorized. This serves to minimize the risk of dormant access permissions being inherited by a new user.

■     Administrators with access to super user or privileged accounts must log into systems with their own account and then switch from their own account to the privileged account.

All Guest Accounts must be disabled on servers, desktops, databases and applications.

Assigning Passwords

Administrator’s responsibilities when assigning passwords include:

●     The initial temporary password assigned to users must be a minimum of six (6) characters in length and comprised of alphanumeric, non-alphanumeric and special characters.

○     Passwords assigned must be unique for each user.

○     Passwords must only be supplied to users in a secure manner e.g. not via a third party.

○     Initial passwords must not be easily associated with PMU or the user (i.e. identification number, employee number, address, numerical equivalent of name, etc.)

○     On initial log on, new users will be forced by the system they are accessing to change their initial password to one that meets the relevant password functional policies.

 

Safeguarding Passwords

Administrators must adhere to the following regarding the safeguarding of passwords:

●     ITD must perform password testing on a quarterly basis to ensure proper passwords are being used. This includes the use of password cracking tools.

●     This process must be controlled in the strictest manner and subject to explicit supervision.

●     Users whose password is cracked must be notified immediately, their account disabled, and a new password issued using the normal allocation methods.

●     Users must be forced to change passwords every Academic semester. System administrators shall enforce this through technical means by deploying password aging on systems.

●     Default passwords shipped with servers, operating system software or applications must always be changed when the hardware or application is installed or implemented.

●     Where technically feasible, systems must use password history techniques to maintain a password history for users. This ensures that users do not reuse passwords when forced to change the password.

●     All computers, databases or applications that store user account and password information must be secured in the strictest manner. Access to the user account base must be restricted to authorized administrators only.

●     This access must be reviewed at least twice a year along with a technical review of the host/server/user store.
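The password lifecycle described under Assigning Passwords and Safeguarding Passwords (a temporary initial password of at least six characters drawn from letters, digits and special characters, a forced change on first log on, password aging per semester, and a history that blocks reuse) as an added Python illustration. This is example code written for this page, not PMU's system; the history depth of 5, the 120-day semester length, the special-character set and the PBKDF2 storage are assumptions, since the policy fixes none of them.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass, field
from datetime import date

MIN_INITIAL_LENGTH = 6       # from the policy text
HISTORY_DEPTH = 5            # assumption: how many previous passwords are remembered
SEMESTER_DAYS = 120          # assumption: length of an academic semester for aging
SPECIALS = "!@#$%^&*-_=+"    # assumption: the accepted special characters


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _day(s: str) -> date:
    return date.fromisoformat(s)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    changed_on: date
    must_change: bool = True                       # forced change on initial log on
    history: list = field(default_factory=list)    # previous (salt, hash) pairs


def meets_initial_rules(pw: str) -> bool:
    """At least six characters, with a letter, a digit and a special character."""
    return (len(pw) >= MIN_INITIAL_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))


def generate_initial_password(length: int = MIN_INITIAL_LENGTH) -> str:
    """Random temporary password; resample until the character-class rule holds."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_initial_rules(pw):
            return pw


def assign_initial_password(user_id: str, today: str):
    """Administrator step: create the account with a unique temporary password."""
    pw = generate_initial_password()
    salt = os.urandom(16)
    return Account(user_id, salt, _pbkdf2(pw, salt), _day(today)), pw


def verify(acct: Account, pw: str) -> bool:
    return hmac.compare_digest(acct.pw_hash, _pbkdf2(pw, acct.salt))


def in_history(acct: Account, pw: str) -> bool:
    """True if pw equals the current password or any remembered previous one."""
    if verify(acct, pw):
        return True
    return any(hmac.compare_digest(h, _pbkdf2(pw, s)) for s, h in acct.history)


def change_password(acct: Account, old_pw: str, new_pw: str, today: str):
    if not verify(acct, old_pw):
        return (False, "current password incorrect")
    if not meets_initial_rules(new_pw):
        return (False, "new password does not meet policy")
    if in_history(acct, new_pw):
        return (False, "password reuse not permitted")
    acct.history = (acct.history + [(acct.salt, acct.pw_hash)])[-HISTORY_DEPTH:]
    acct.salt = os.urandom(16)
    acct.pw_hash = _pbkdf2(new_pw, acct.salt)
    acct.changed_on = _day(today)
    acct.must_change = False
    return (True, "password changed")


def login(acct: Account, pw: str, today: str) -> str:
    """Decision for a log-on attempt: 'deny', 'force-change' or 'allow'."""
    if not verify(acct, pw):
        return "deny"
    if acct.must_change:
        return "force-change"      # initial log on with the temporary password
    if (_day(today) - acct.changed_on).days >= SEMESTER_DAYS:
        return "force-change"      # password aging
    return "allow"
```

The history keeps the old salt with each old hash so that a candidate password can be checked against it without storing anything recoverable; the temporary password itself lands in the history on the first change, so it can never be chosen again.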

System Account Controls

General Account Controls

General account controls include the following:

●     For high security environments it may be necessary to limit session initiation to specific terminals or locations. In this case, unique device identifiers must be associated with the approved connection points, or direct connection to a server may be required.

●     Users given command line access to systems must, where feasible, be limited to the access or service needed. This may include restricted shells, application menu restrictions, and the like.

●     Unless the user is authorized to do so, systems should not allow users to have multiple sessions on the same system.


Account Lockout


●     Upon three consecutive authentication failures, users must be locked out of the resource they are attempting to access and must have their account reset.

●     In the event that an account requires a new password, Help desk/System Administrator personnel must be contacted.

●     In the event that the account requires resetting without changing the password, the reset must only be executed after verification of the user's identity.


Disabling Inactive Accounts

User accounts that have not been accessed for 90 days must automatically be disabled.

Automatic time-outs

Automatic time-outs must be in accordance with the following:

●     PCs/laptops and Servers, when applicable, must be configured with a password-protected screen saver. The screen saver must require the entry of a password after a PC/laptop or Server console has been left idle for five (15) minutes.

●     Systems must force users off after 30 minutes of inactivity. The user should have to log back into the system.

●     System sessions that are not active for two (2) hours will be automatically terminated. For those systems that cannot automatically terminate connections, password protected screen savers or terminal locks must be activated.
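The three account-control rules above (lockout after three consecutive failures, disabling after 90 days without access, and the 30-minute idle and 2-hour session limits) as an added Python check run over a constructed authentication log. This is example code written for this page, not a PMU tool; the user names, timestamps and log format are constructed, and the decision on whether an account with no successful access at all counts as inactive is an assumption.

```python
from datetime import datetime, timedelta

# Thresholds taken from the policy text above.
LOCKOUT_THRESHOLD = 3                  # consecutive failures before lockout
INACTIVE_DAYS = 90                     # days without access before disabling
IDLE_TIMEOUT = timedelta(minutes=30)   # force log-off after inactivity
MAX_SESSION = timedelta(hours=2)       # absolute session limit

# Constructed authentication log for the example: (timestamp, user ID, outcome).
AUTH_LOG = [
    ("2014-08-01 09:00:00", "alice", "success"),
    ("2014-08-01 09:05:00", "bob",   "failure"),
    ("2014-08-01 09:05:30", "bob",   "failure"),
    ("2014-08-01 09:06:00", "bob",   "success"),   # success resets bob's counter
    ("2014-08-01 09:07:00", "bob",   "failure"),
    ("2014-08-02 10:00:00", "carol", "failure"),
    ("2014-08-02 10:00:10", "carol", "failure"),
    ("2014-08-02 10:00:20", "carol", "failure"),   # third consecutive failure
    ("2014-08-02 10:01:00", "carol", "failure"),   # ignored: already locked
    ("2014-05-01 08:00:00", "dave",  "success"),   # last access more than 90 days ago
]


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def accounts_to_lock(log):
    """Map user ID -> timestamp of the failure that triggered lockout.

    The counter is per user and resets on a successful login, so only
    consecutive failures count; events after lockout are ignored until
    the account is reset."""
    streak, locked = {}, {}
    for ts, user, outcome in sorted(log, key=lambda e: parse(e[0])):
        if user in locked:
            continue
        if outcome == "success":
            streak[user] = 0
        else:
            streak[user] = streak.get(user, 0) + 1
            if streak[user] >= LOCKOUT_THRESHOLD:
                locked[user] = ts
    return locked


def accounts_to_disable(log, known_users, today: str):
    """User IDs with no successful access in the last INACTIVE_DAYS days.
    Assumption: an account with no successful access at all is reported too."""
    now = parse(today)
    last_access = {}
    for ts, user, outcome in log:
        if outcome == "success":
            t = parse(ts)
            if user not in last_access or t > last_access[user]:
                last_access[user] = t
    return sorted(u for u in known_users
                  if u not in last_access or (now - last_access[u]).days >= INACTIVE_DAYS)


def session_action(started: str, last_activity: str, now: str) -> str:
    """Apply the 30-minute idle and 2-hour absolute limits to one session."""
    s, a, n = parse(started), parse(last_activity), parse(now)
    if n - s >= MAX_SESSION:
        return "terminate"
    if n - a >= IDLE_TIMEOUT:
        return "force-logoff"
    return "continue"
```

Note that bob is not locked: two failures, a success, then one failure is never three consecutive failures, which is the distinction a naive "three failures per day" counter would miss.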

 

Use of System Utilities

A number of utilities are available to enable system administrators to perform low-level maintenance tasks on a system. If inappropriate access is gained to these utilities they may be used to circumvent logical security controls. All utilities must:

●     Be stored off-line if not required on a daily basis;

●     Have access restricted to a very limited group of authorized users; and

●     Include logging facilities to record their use.

Application Access Controls

All users must only be provided with the minimum level of access required to perform their duties. This should be achieved using a combination of:

●     Logical security within an application;

●     Hiding the availability of unauthorized options;

●     Limiting file permissions, e.g. read-only;

●     Control of output distribution.

Monitoring System Access and Use

For applications that will be initiated and developed from the publication date of this document, the application program should pass the user logon ID to the Oracle database for proper monitoring.


Clock Synchronization

System clocks must be synchronized to an agreed standard, for example Greenwich Mean Time or local time, to ensure the accuracy of audit logs.

System Monitoring

System Administrators must ensure that monitoring tools are installed in order to log user access activity and security violations against critical production data.

Security Event Logs

●     Computer and communications systems handling sensitive, valuable, or critical PMU information must securely log all security relevant events.

●     Logs containing computer or communications system security relevant events must be retained for a prescribed period. During this period, logs must be secured such that they cannot be modified, and such that they can be read only by authorized persons.

●     ITD will review records reflecting security relevant events in conjunction with Computer Operations and Systems Administration staff. All potential security incidents must be reported immediately.

●     The Security Administrator must ensure that monitoring tools are installed in order to log user access activity and security violations against critical production data.
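One way to make the "cannot be modified" requirement for security event logs verifiable, as an added Python illustration that is not part of the policy: each record carries an HMAC over its own content and the previous record's HMAC, so editing, inserting or deleting any record breaks the chain at that point. The key, the sample events and the JSON record layout are constructed for the example; the assumption is that the key is held only by the log collector, so someone who can write to the log file still cannot produce valid MACs.

```python
import hashlib
import hmac
import json

DEMO_KEY = b"example-log-signing-key"   # constructed; a real key lives only on the log host
GENESIS = "0" * 64                       # "previous MAC" of the very first record


def _mac(key: bytes, prev: str, entry: dict) -> str:
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()


def append_entry(chain: list, key: bytes, entry: dict) -> list:
    """Append a record whose MAC covers the entry and the previous record's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"entry": entry, "prev": prev, "mac": _mac(key, prev, entry)})
    return chain


def verify_chain(chain: list, key: bytes) -> int:
    """Return -1 if every record links and verifies, otherwise the index of
    the first record that fails (modified content, wrong link, or bad key)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], _mac(key, prev, rec["entry"])):
            return i
        prev = rec["mac"]
    return -1


def sample_chain(key: bytes = DEMO_KEY) -> list:
    """Constructed security events for the example; returns a fresh chain each call."""
    chain = []
    for entry in [
        {"ts": "2014-08-01T09:00:00", "user": "alice", "event": "login-success"},
        {"ts": "2014-08-01T09:05:00", "user": "bob",   "event": "login-failure"},
        {"ts": "2014-08-01T09:06:00", "user": "bob",   "event": "privilege-escalation"},
    ]:
        append_entry(chain, key, entry)
    return chain
```

The chain detects any change to or removal of a record in the middle, but not the removal of the newest records at the end; recording the latest MAC (or the record count) somewhere the log writer cannot reach, such as a separate log host, closes that gap. Restricting who may read the logs is a separate access-control matter that this check does not address.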

 

Supplement on Incident Handling and Reporting

Policy Statement

This functional policy covers PMU's Incident Handling and Reporting. In order to minimize the damage from security incidents and malfunctions within PMU, adequate security controls will be followed and security will be monitored to detect security breaches, incidents or areas of non-compliance with security policies, Functional Policies and procedures.

It is each user's responsibility and obligation to ensure that all IT resources are used only for their intended business purpose and that information contained in or transmitted via these resources is protected from unauthorized use, appropriation, or corruption.

Objective

The objective of these Information Security Policies is to secure PMU's Information Assets and staff.

Each policy statement in this policy is, wherever required, supported by standards and procedures to achieve a complete security framework in the PMU.


Purpose and Scope

●     All Information Assets (Digital Media)

●     All software assets

●     All physical assets, such as computer and network equipment.

●     All supporting services, such as power and network link

●     All management information systems

●     All business activities supported by PMU.

●     All of the above are either owned or leased by the PMU and under the PMU possession, custody, or control.


General Responsibilities

It is the responsibility of the different departments/offices and each employee to take necessary steps for ensuring compliance with the guidelines in this policy, and any further Policies and Procedures that may be added in due course of time.

Governing Policy

The following Executive Policy statements govern the Incident Handling and Reporting Functional Policies listed in this document:


●     Training and orientation are provided to newly hired employees through the induction process;

●     Any security related incidents must be reported immediately through the established channels after the incident is discovered;

●     Procedures must be established and followed for reporting software malfunctions;

●     Users of information services are required to note and report any observed or suspected security weaknesses in or threats to systems or services;

●     Mechanisms must be in place to enable the types, volumes and costs of incidents and malfunctions to be quantified and monitored;

●     The violation of organisational policies, functional policies and procedures by employees must be dealt with through a formal disciplinary process;

●     Incident management responsibilities and procedures are established to ensure a quick, effective and orderly response to  incidents;

●     Faults must be reported immediately and corrective action taken;

●     An intrusion detection system is in place to detect unauthorized use of PMU networks;

●     Audit logs recording exceptions and other security-relevant events are produced and kept for 3 months to assist in future investigations and access control monitoring.


Incident Handling and Reporting

Incident Levels

All incidents must be reported based on the severity of the incident and can be classified as one of the following:

Critical Alert

A critical alert is an event that is, or could become, a serious and immediate threat to any of the devices on the PMU network and requires immediate attention and action.

Threatened devices may include routers, networks, servers, firewalls, network management hosts, attached LANs, or user hosts.

Major Alert

A major alert is an event that is, or could become, a future threat, but which has not been determined as serious enough as of that time. Hence, it may or may not require an immediate response depending on the incident.

Minor Alert

A minor alert is an event that is, or could become, a minor annoyance or threat; or which has been determined to be a non-threat resulting from either authorized or unauthorized network activity.

Minor alerts are informational in nature.

Types of Incidents

The types of incidents that can be reported by users include, but are not limited to, the following:

●     Accidental and/or negligent incidents, including:

○     Compromise of system integrity;

○     Denial of system resources;

○     Illegal access to a system (either a penetration or an intrusion);

○     Malicious use of system resources;

○     Any kind of damage to a system.

●     Power Outages


Reporting Security Incidents

Reporting Violations

●     All incidents will be reported to the IT Help Desk

●     Help Desk will escalate the incident for investigation to appropriate senior personnel.

●     All incidents will be investigated by ITD to determine the severity of the incident.

●     Investigative methods and procedures will be used based upon the Security Incident Level.

●     In cases where the violation is clearly illegal with intent, notification to the Higher Management shall be immediate.

●     In cases where the intent is not clear, the violator shall be advised to correct the violation. A repeat violation shall be reported immediately to management and the appropriate disciplinary action will be taken based on the severity of the incident.

●     In cases where the violation is either a support or resource-sharing issue, the violator will be informed of the violation and advised of possible corrective action. Records shall be kept of such violations.

●     If support teams determine that repeated violations of policies and functional policies are causing support or resource-sharing problems, they may contact ITD who may defer support and/or report the violation to ITD management.

●     No PMU employees are allowed to talk about any security incident in public or media.


Responding to Incidents

ITD Responsibilities

The ITD has the following responsibilities when responding to incidents:


●     Confirming that an intrusion has occurred (or is occurring).

●     Keeping records of work efforts.

●     Activating additional event logs immediately.

Initial Analysis


●     To be able to address incidents properly it might be necessary to collect evidence as soon as possible after the occurrence.

●     Regardless of how the suspicious activity is identified, the administrator must quickly perform an initial analysis to determine if the possible intrusion is the result of:

○     Hardware or software problems;

○     User error; or

○     An actual security intrusion.

●     The initial analysis must be performed immediately, so that innocent activities can be quickly eliminated, and intrusions can get prompt attention.

Taking Action


●     If PMU information resources are in danger of being irreparably harmed, the administrator of the system must take immediate action to protect these resources.

●     Examples of irreparable harm include, but are not limited to:

○     An intruder has entered a system and is in the process of destroying or damaging data that cannot be recovered;

○     An intruder is actively bringing systems down and impacting customer service; or

○     An intruder is actively engaged in other behavior that will cause unrecoverable loss or damage to PMU or PMU information resources.

●     Examples of protective actions to be taken could include, but are not limited to:

○     Disabling all system accounts and/or changing all system passwords and/or disabling access permissions;

○     Correcting the vulnerability that allowed the intruder to gain access in the first place;

○     Removing or shutting down the access method being used by the intruder;

○     Bringing the system down or disconnecting it from the network; and

○     Physically removing disk drives, tape files, or other system resources.

●     Where feasible, any action taken should be performed in a manner to prevent the intruder from being made aware that his actions have been noticed.

●     Security violations will be followed by corrective action by management and the users involved in the incident.

Learning from Incidents


●     All security violations and other incidents investigated must provide sufficient information so that management can take steps to ensure that:

○     Such incidents cannot reasonably take place again; and

○     Effective security measures have been re-established.

●     Information that should be collected by the investigating body during the investigation, include:

○     Time spent on incident;

○     The type of incident; and

○     Cost of incident or malfunction. Loss due to man-hours must be calculated for all incidents.

●     Summary reports of all incidents should be maintained by ITD for historical documentation.


Disciplinary Action

●     Users must know and understand that in the event of an incident caused by user negligence, they may face disciplinary action.

●     Disciplinary actions must be co-ordinated by the ITD through the Human Resource (HR) Department.

●     All users who commit security breaches may be subjected to a formal disciplinary process.