Information Security Policy Sample 2
Editor's Note: Rather than being a comprehensive Information Security Policy, the policy below is just one component of an information security program. It focuses primarily on end users of the bank's hardware and software. Among the components we liked were:
- the clear delegation of responsibility;
- the directive that the information systems department monitor and review end users' activities;
- involvement of the internal audit department;
- a procedure for acquisition of hardware and software. (Note, however, that the information security policy should specify that an analysis be made of the information security ramifications of each new hardware and/or software purchase.);
- clear prohibition against the use of pirated software. (Not only is this important to avoid copyright violations, but pirated software or software brought in outside the normal procedures can also pose a higher degree of risk for virus infection and other threats to information security.);
- physical safeguards are included;
- access restrictions are dealt with;
- it makes reference to other relevant bank policies;
- it covers employee training (which is essential to avoid inadvertent loss or alteration of data) and virus protection. (The virus protection language should probably go further, however, to require that employees not interfere with or obstruct the virus detection software.)
Compare this policy, which touches on some facets of information security, with what is required by the Guidelines.
See also Internal Control Policy and Procedures, Information Security.
See also Internal Control Compliance Audit, Protection of Physical Assets.
POLICY STATEMENT
The Bank has implemented basic security policies and controls that govern end user computing operations, and management has the authority to evaluate the risks associated with end user computing. The purpose of this policy is to establish general guidelines for maintaining an end user computing environment within the bank that is controlled, consistent, and secure and that will enhance the productivity of end users. The board intends that the bank adhere to the guidelines set forth in the Joint Interagency Policy Statement on End User Computing Risks issued January 25, 1988. The board of directors adopts the following policies, standards, and controls as the bank's end user computing policy.
END USER COMPUTING POLICY AND PROCEDURE RESPONSIBILITY
The board of directors delegates the day-to-day management of the use of microcomputers to the functional managers. They are responsible for ensuring that their employees adhere to the bank's policies and procedures.
End User Computing Committee
The board appoints the following staff members to the end user computing committee. The purpose of this group is to assist bank management in developing and implementing policies and procedures for the end user computing environment and to review these policies and procedures for feasibility, enforceability, and usability.
- __, President
- __, President
- __, Cashier & Compliance
- __, DP
Information Systems Department
The information systems department is responsible for supporting and coordinating the day-to-day operation of the end user computing environment in a manner that is consistent and in compliance with the approved policies and procedures. Additionally, the information systems department should monitor and review the activities of end users to ensure that they are adhering to the bank's microcomputing policies and procedures.
Internal Audit Department
The internal audit department is responsible for conducting periodic reviews of the end user computing environment to ensure that policies and procedures are adequate to properly control the environment and that all end users consistently follow these policies and procedures.
The internal audit department also has the responsibility to evaluate the level of compliance with the bank's end user computing standards, policies, and procedures and to report any discrepancies to the appropriate department manager for correction and enforcement and to the board of directors through the audit committee in their regularly scheduled reports.
The internal audit department will be available to management, users, and the end user computing committee to provide input and recommendations in certain circumstances, including, but not limited to, the following:
- Purchase of new software
- Automation of procedures
- Access control issues
- Termination of employees
- Development and testing of systems/procedures
- Suspicion of fraud or misuse of software and/or hardware
- Implementation of new controls and/or testing
ACQUISITION OF HARDWARE AND SOFTWARE
The acquisition of all hardware, software, and peripherals must be properly justified and must comply with the Bank's capital expenditure policies.
- All acquisitions, installations, and implementations require review and coordination by the information systems department and approval by the appropriate department executive(s).
- Acquisitions of local area networks (LANs) or more complex systems may require a feasibility study or evaluation prior to the approval of the acquisition. The end user computing committee will determine any additional requirements needed for the acquisition of more complex systems.
- The purchasing department will acquire all approved microcomputer (PC) hardware and software.
- The information systems department will maintain a complete inventory of hardware, software, and peripherals.
- All department systems will be equipped with standardized hardware and software. The end user computing committee will be responsible for reviewing and determining appropriate standardized hardware and software to be used by bank personnel.
Licensed Use of Packaged Software
Bank employees are required to read and comply with commercial software license agreements. Managers must be certain that employees understand that modifying, selling, or duplicating commercial software packages is illegal and expressly against the Bank's policy. The bank may be held liable if any employee illegally obtains or copies commercial software. Civil damages for the unauthorized copying or use of software can be $50,000 or more, and criminal penalties can include fines and imprisonment. Duplicating software includes but may not be limited to the following:
- Making a copy of a software program from the employee's hard drive or from a diskette
- Using the master diskette on an employee's home computer when the software is already installed on one of the bank's computers
- Installing software that currently resides on an employee's home computer on a bank computer
- Receiving an upgrade for a software package and installing the upgraded version on a different computer
The information systems department must review and audit any public domain or freely downloaded software (e.g., software obtained from the Internet) prior to its installation on any bank-owned microcomputer.
Physical Protection and Security of Hardware/Software
Managers in each user area are responsible for proper and adequate physical security and protection of the hardware and software assigned to their departments. Department managers are responsible for developing and implementing appropriate physical security controls and protection of hardware and software and for ensuring compliance with established physical security policies. In addition, department managers are responsible for the following:
- Ensuring sensitive reports and information are properly safeguarded and disposed of in a proper manner
- Assessing their department's physical control needs and implementing controls necessary to ensure proper security and protection
- Monitoring and maintaining control over the use of laptop microcomputers
- Maintaining inventories of hardware and software and periodically auditing these inventories
- Securing the work areas housing microcomputers
- Assessing the need for locks and keys
- Establishing proper housekeeping rules
- Maintaining adequate environmental controls
- Training users on proper use and care of microcomputers
Although ultimate responsibility for the physical protection and security of hardware and software rests with the department manager, each user is responsible for the physical security and protection of his or her own microcomputer. In addition, end users are responsible for the following:
- Abiding by all housekeeping policies established by management
- Keeping a maintenance list identifying all maintenance done to their equipment
- Securing any laptop microcomputer while in their possession
- Being aware of and reporting any suspicious individuals or activity to management
- Ensuring that all software is backed up and maintained in a secure area
Restricted Access to Data and Software
It is the policy of the Bank to protect the processing, storage, and use of data on microcomputers, LANs, or wide area network (WAN) systems based on the level of the data's sensitivity and value to the bank. Each department manager will establish and implement proper and adequate access controls to restrict access to data and software. The purpose is to prevent unauthorized access that could result in confidential data being disclosed, improper loading of software (which poses the risk of viruses and the use of unauthorized software), and improper downloading of programs and files that could result in unauthorized copying.
Misuse of corporate data will be reported to management and the board of directors through appropriate channels.
BACKUP, CONTINGENCY PLANNING, AND DISASTER RECOVERY PLAN
See Disaster Recovery Policy and Procedures.
See Disaster Recovery Compliance Audit.
Each department is responsible for identifying and establishing the proper procedures to ensure that hardware, software, and documentation are adequately backed up so that timely recovery is possible in the event of a disaster. The department manager will perform a risk assessment of each department to determine the impact that loss of data would have on the bank through any of the following:
- Incorrect management decisions
- Improper disclosure of information
- Fraud
- Financial loss
- Competitive disadvantage
Based on the results of the risk assessment, each department manager will be responsible for ensuring that appropriate microcomputer backup procedures are included in each department?s respective section of the disaster recovery plan for Farmers Exchange Bank.
DATA INTEGRITY
Each department manager is responsible for implementing security measures and controls to ensure that all data are adequately evaluated, tested, and validated prior to transfer or release. This includes, but is not limited to, data that:
- Reside on microcomputers, LANs, and WANs and are downloaded or uploaded to the mainframe or to another system
- Reside on a microcomputer from which critical business decisions are made and/or on which financial reporting for the bank is based
Each department is responsible for developing and maintaining a list of all sensitive data and of programs used to process the data. The manager or supervisor of the department is responsible for updating the information and communicating the information to employees.
Virus detection software will be installed on each microcomputer in the bank to help ensure that no viruses are introduced into the bank?s systems.
Program Development, Documentation, and Testing
All developed software, applications, and programs must be fully tested and adequately documented before becoming part of a system that processes the bank?s data.
Prior to the development of any new software application or program, the end user computing committee will review the request for the new application or program and perform a cost/benefit analysis.
Managers are responsible for overseeing new projects and ensuring management control of the development process. Management control will encompass all phases including the initial development phase, development of appropriate data editing controls, proper input/output controls, report design, adequate testing, and documentation.
TRAINING AND SUPPORT
The board of directors understands that the increase in microcomputer use requires that employees be properly trained and informed on the policies and procedures endorsed by The Bank with regard to end user computing. The ability of employees to enter, move around, and leave the bank with ease increases the risk to the bank. Therefore, management and the board plan to address these issues through policies, education, and training of users on the security and use of microcomputers.
The Bank will provide end user computer training to all employees. All users will be trained before they use bank-owned hardware and software. The training department of the bank is responsible for developing end user training materials and providing information and
The board of directors approved and adopted this policy on (date).
First published on BankersOnline.com 7/23/01