Agency
Any organization, department, agency, or establishment concerned with this code.
Asset
Anything that has value to the Agency.
Controls
Means of managing risk, including policies, procedures, guidelines, practices or
organizational structures, which can be of an administrative, technical, management or legal
nature. NOTE: Control is also used as a synonym for safeguard or countermeasure.
Guideline
A description that clarifies what should be done, and how, to achieve the objectives set out in
policies.
Information Security
Preservation of confidentiality, integrity and availability of information; in addition, other
properties, such as authenticity, accountability, non-repudiation and reliability, can also be
involved.
Policy
Overall intention and direction as formally expressed by management
ISP
Information security policy
Property of MSAD Top Confidential Page 1
Risk
A combination of the probability of an event and its consequence
Risk Analysis
Systematic use of information to identify sources and to estimate the risk
Risk Assessment
Overall process of risk analysis and risk evaluation
Risk Evaluation
Process of comparing the estimated risk against given risk criteria to determine the significance of
the risk
Risk Management
Coordinated activities to direct and control an organization with regard to risk. Risk
management typically includes risk assessment, risk treatment, risk acceptance and risk
communication.
Risk Treatment
Process of selection and implementation of measures to modify the risk in question.
Third party
A person or body that is recognized as being independent of the parties involved, as concerns
the issue in question.
Threat
A potential cause of an unwanted incident, which may result in harm to a system or organization
Vulnerability
A weakness of an asset or a group of assets that can be exploited by one or more threats
1. Scope
This code of information security defines the guidelines to be followed by any
governmental agency in the process of implementing its information security policy. It is
detailed to the extent that it forms the minimum requirement, and compact enough to
allow any agency to tailor its policy according to the nature of its operations. This code
forms the base for security policy assessment at the minimum requirement level.
2. Introduction
It is a new world. It is the world of information and information technology. It is the world of
knowledge. It is the communication world. It is the cyber world. Whatever it is, and whatever
we call it, there is one fact: it is a world that depends thoroughly on information and information
systems. The strength and stability of establishments, organizations, agencies, persons and
governments are very much affected by two points:
a. How much information they possess, and
b. How competent they are in processing this information to transform it into knowledge
when it is needed.
This led the world to another definition, "the world of cyber crime". Nowadays, the cyber criminal
does not have to come through physical doors or windows. He does not have to carry his
theft or load it in a car or truck. He can simply let it fly through cyberspace part of the time and
destroy it in its place most of the time. In the field of information technology, crime can start at one
end by invading the information system to get a glance at some of the available information,
proceed through changing the information content in part or in full while leaving it in its place as if
untouched, up to what is called denial of use of that part of the information or information systems.
The effect of any of these actions can vary from simply putting a funny face on a friend's web site
up to the complete destruction of a nation's defense system and the destruction of economies.
The defense against such actions is what is called "Information Security", and the collection of
actions and routines to be implemented is called the "Information Security Plan".
Accordingly, Information Security is concerned with securing the following three aspects,
irrespective of who designs it, who applies it and where:
a. Confidentiality: Ensuring that information and information processing systems are only
accessible by authorized parties and within the limits of their authorization.
b. Integrity: Safeguarding the accuracy and completeness of the information and of processing
systems and methods.
c. Availability: Ensuring that authorized users have access to information and assets when
required.
The weight placed on each aspect may vary according to the nature of activity of the
organization and its sensitivity.
Whose responsibility?
For a long time, the responsibility of protecting the organization's assets was carried by
bookkeepers and store keepers. Now, it is a little different. It is the responsibility of TOP
MANAGEMENT, carried out by a team of IT specialists. The reason for this change is that
information security is a matter of joint responsibility between all members of the organization,
affiliated entities, third parties, contractors, temporary employees and guests.
Where to Start?
The best starting point is always to form the Information Security Committee. This
committee includes all persons in the organization with authorization power in the area of
information processing, and is headed by a top management person. It may, at certain points in
time, utilize external experts' advice or consultancy.
The first task of the committee is to evaluate the IT security requirements of the organization. It is
essential that an organization identifies its security requirements. There are three main sources:
1. The first source is derived from assessing risks to the organization. Through risk
assessment, threats to assets are identified, vulnerability to and likelihood of occurrence are
evaluated, and potential impact is estimated. This is detailed in chapter four of this
document.
2. The second source is the legal, statutory, regulatory and contractual requirements that an
organization, its trading partners, contractors and service providers have to satisfy.
3. The third source is the particular set of principles, objectives and requirements for
information processing that an organization has developed to support its operations.
Some of these points may be omitted based on the clarity and nature of the subject. At
certain points, a statement clarifying the possible risk is also added.
4. Controls
1. Each and every organization should maintain and continuously develop a formal Risk
Management Process to identify, quantify/qualify, monitor and mitigate business and
technical risks affecting its objectives. Risk can be defined as the combination of the
probability of an event and its consequences.
a. The scope and depth of the review of information security risks are determined.
b. Identification, classification and listing of all the risks, vulnerabilities or threats
that may affect information assets.
c. Risks shall be profiled in regard to likelihood and consequences, and subsequently
their level shall be evaluated.
d. Estimated levels of risk should be evaluated against the pre-established criteria,
accepted and residual risks determined, and priorities set based on
threat/opportunity criteria.
e. A reporting and review structure should be in place to ensure that risks are
effectively identified and assessed and that appropriate controls and responses are
in place.
f. Consultation and communication should be a continuous process involving the
project, business or function owner in all stages of risk management planning; all
actions should be comprehensively documented.
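The following risk register is an added worked example of steps c to e above, not part of this code or of any agency's process: it profiles each risk by likelihood and consequence, derives the residual level after the selected treatment, compares it against a pre-established acceptance threshold and orders the register for review. The 1-5 scales, the threshold of 6, the treatment effects and the sample risks are all constructed assumptions.

```python
from dataclasses import dataclass

# Pre-established criteria (constructed for this example): risk level is
# likelihood x consequence on 1-5 scales; levels above ACCEPT_THRESHOLD
# must be treated, levels at or below it may be accepted by the committee.
ACCEPT_THRESHOLD = 6

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    consequence: int           # 1 (negligible) .. 5 (catastrophic)
    treatment: str = "none"    # selected measure (risk treatment)
    cuts_likelihood: int = 0   # how much the treatment lowers likelihood
    cuts_consequence: int = 0  # how much the treatment lowers consequence

    def __post_init__(self):
        for v in (self.likelihood, self.consequence):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and consequence must be 1..5")

    def inherent_level(self) -> int:
        """Step c: profile the risk by likelihood and consequence."""
        return self.likelihood * self.consequence

    def residual_level(self) -> int:
        """Step d: level remaining after the selected treatment is applied."""
        return (max(1, self.likelihood - self.cuts_likelihood)
                * max(1, self.consequence - self.cuts_consequence))

    def accepted(self) -> bool:
        """Step d: compare the residual level against the pre-set criteria."""
        return self.residual_level() <= ACCEPT_THRESHOLD

def prioritize(register: list) -> list:
    """Step d: order the register by inherent level, highest first."""
    return sorted(register, key=lambda r: (-r.inherent_level(), r.asset))

def review_report(register: list) -> list:
    """Step e: one line per risk for the committee's reporting/review cycle."""
    lines = []
    for r in prioritize(register):
        status = "ACCEPTED" if r.accepted() else "TREAT"
        lines.append(f"{status:<8} {r.asset:<14} {r.threat:<18} "
                     f"inherent={r.inherent_level():>2} "
                     f"residual={r.residual_level():>2} via {r.treatment}")
    return lines

# Constructed sample register (not real agency data).
REGISTER = [
    Risk("citizen DB", "SQL injection", "unpatched web app", 4, 5, "patch + WAF", cuts_likelihood=2),
    Risk("mail server", "phishing", "no user awareness", 5, 3, "awareness training", cuts_likelihood=2),
    Risk("backup tapes", "theft in transit", "unencrypted media", 2, 4, "encrypt media", cuts_consequence=3),
    Risk("public website", "defacement", "weak admin password", 3, 2),
]

if __name__ == "__main__":
    print("\n".join(review_report(REGISTER)))
```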
3. Each and every agency should develop an Information Security Policy (ISP) that
provides a definitive and clear view of management direction and support for
information security. An Information Security Policy (ISP) should describe the IT
security policies, standards and responsibilities of an agency and set minimum
requirements, which will then feed into the development of risk management plans. It
should also clearly indicate management's support and backing of the plan.
4. An agency that does not have an ISP will not receive a risk assessment clearance certificate
and may be considered a security threat and excluded from connecting to and/or providing
services to other agencies.
8. Each agency should put in place a clear and committed responsibility scheme within the
security management committee and across the agency, including an authorization
management system with a fallback plan for information processing facilities. This scheme
should be documented, accepted and declared beyond any doubt by and to the security
committee.
9. With respect to associated parties (those who may willingly receive a temporary
authorization for usage of, and/or permission to access, the agency's information and/or
information systems), a clear system with a fallback plan for handling authorizations of
associated parties should be in place, declared and accepted by them. This system should
clarify responsibilities and consequences and at least cover:
a. Define and document the risk from third party access to information systems.
b. Address all security requirements before allowing customer access to the agency's
information or assets.
c. A comprehensive, clear-term contract with well defined security-related terms
should be in place before allowing any access to information and information
systems.
11. Outsourcing arrangements should address the risks, security controls and procedures for
information systems, networks and/or desktop environments in the contract between the
parties, and document the risk from access to information systems.
Asset Management
12. With respect to agency assets, each and every agency should:
13. An organization should follow the following guidelines to establish acceptable use rules
for information and assets:
15. Each agency should have a documented set of procedures for employees, contractors and
third party users addressing pre-employment, employment and employment
termination, covering:
a. Prior to employment:
i. Job description with reference to the security policy, screening procedures and
terms and conditions (including managers' responsibilities, NDA and
confidentiality agreements).
ii. Security roles and responsibilities of employees, contractors and third
party users in accordance with the organization's information security
policy.
iii. Background verification checks on all candidates for employment,
contractors, and third party users in accordance with relevant laws,
regulations and ethics, and proportional to the business requirements, the
classification of the information to be accessed, and the perceived risks.
iv. As part of their contractual obligation, employees, contractors and third
party users should agree to and sign the terms and conditions of their
employment contract, which should state their and the organization's
responsibilities for information security.
b. During employment:
i. Managers' responsibilities, personnel awareness, education and training
requirements and disciplinary procedures.
ii. Requirement for employees, contractors and third party users to apply
security in accordance with established policies and procedures of the
organization.
iii. Providing appropriate awareness training and regular updates on
organizational policies and procedures, as relevant for the job function.
iv. Procedures for employees who have access to sensitive or critical
information or systems to hold a security clearance identification (SCID)
indicating level of clearance and expiry date.
v. A formal disciplinary process for employees who have committed a
security breach.
17. All high risk and secure areas and buildings throughout the agency that house critical ICT
facilities processing classified information should be physically protected against
unauthorized physical access, attack or accident. There should be documented
standards/procedures for the provision of physical protections in such areas.
18. Secure areas should be protected by appropriate entry controls to ensure that only
authorized personnel are allowed access.
19. Physical security for offices, rooms, and facilities should be designed and applied.
20. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest,
and other forms of natural or man-made disaster should be designed and applied.
21. Physical protection and guidelines for working in secure areas should be designed and
applied.
22. Access points such as delivery and loading areas and other points where unauthorized
persons may enter the premises should be controlled and, if possible, isolated from
information processing facilities to avoid unauthorized access.
24. Equipment should be sited or protected to reduce the risks from environmental threats and
hazards, and opportunities for unauthorized access.
25. Physical access to critical computer installation facilities should be restricted to authorized
individuals to prevent services being disrupted by loss of or damage to equipment or
facilities.
26. Documented procedures to ensure the above protection measures, including equipment
movement and disposal, will enhance the potential for physical security certification.
27. Equipment should be protected from power failures and other disruptions caused by
failures in supporting utilities.
28. Power and telecommunications cabling carrying data or supporting information services
should be protected from interception or damage.
29. Equipment should be correctly maintained to ensure its continued availability and
integrity.
30. Security should be applied to off-site equipment, taking into account the different risks of
working outside the organization's premises.
31. All items of equipment containing storage media should be checked to ensure that any
sensitive data and licensed software has been removed or securely overwritten prior to
disposal.
32. Equipment, information or software should not be taken off-site without prior authorization.
33. The organization is required to document, maintain and make available to all users the
operating procedures identified as necessary in the security policy. The following areas
should be considered:
a. Operating procedures documentation.
b. Change management.
c. Segregation of duties and areas of responsibility.
d. Separation of development, test, operational facilities.
39. Back-up copies of information and software shall be taken and tested regularly in
accordance with the agreed backup policy.
40. Networks shall be adequately managed and controlled, in order to be protected from
threats, and to maintain security for the systems and applications using the network,
including information in transit.
41. Security features, service levels, and management requirements of all network services
shall be identified and included in any network.
42. There shall be procedures in place for the management of removable media.
44. Procedures for the handling and storage of information shall be established to protect this
information from unauthorized disclosure or misuse.
46. Formal exchange policies, procedures and controls shall be in place to protect the
exchange of information through the use of all types of communication facilities, including
information and software exchanged within an organization and with any external entity.
This should also cover loss, modification or misuse of information exchanged either
within or between organizations.
48. Policies and procedures shall be developed and implemented to protect information
associated with the interconnection of business information systems.
49. Information involved in electronic commerce passing over public networks shall be
protected from fraudulent activity, contract dispute, and unauthorized disclosure and
modification.
50. Information involved in on-line transactions shall be protected to prevent incomplete
transmission, misrouting, unauthorized message alteration, unauthorized disclosure,
unauthorized message duplication or replay.
51. The integrity of information being made available on a publicly available system shall be
protected to prevent unauthorized modification.
Access Control
54. There should be a formal procedure in place to control the allocation of access rights to
information systems and services including:
a. A formal user registration and de-registration procedure for granting and revoking
access to all information systems and services.
b. Prevention of unauthorized access.
c. Restrictions and controls on the allocation and use of privileges.
d. A secure log-on procedure for access to operating systems.
e. A formal management process for allocation of passwords.
f. Interactive systems for managing passwords and ensuring their quality.
g. Restrictions on connection time.
h. Utility programs capable of overriding system and application controls are
restricted and tightly controlled.
i. A system to shut down inactive sessions after a defined period of inactivity.
j. A formal process for management to review users' access rights at regular
intervals.
55. There should be formal instructions to users addressing their responsibilities for password,
terminal and desk security, including:
a. User's requirement to follow good security practices in the selection and use of
passwords.
b. User's assurance that unattended equipment has appropriate protection.
c. A clear desk policy for papers and removable storage media and a clear screen
policy for information processing facilities.
56. There should be documented and agreed upon rules and procedures specifying the
requirements for access to networks. These rules should ensure that:
a. Users are only provided with access to the services that they have been
specifically authorized to use.
b. Appropriate authentication methods are used to control access by remote users.
c. Automatic equipment identification is considered as a means to
authenticate connections from specific locations and equipment.
d. Physical and logical access to diagnostic and configuration ports is controlled.
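As an added example, not part of this code, the script below audits a constructed user registry and session list against several of the items in control 54: de-registration of departed users (a), restriction of privileges (c), connection-time limits (g), shutdown of inactive sessions (i) and periodic review of access rights (j). The 15 minute idle timeout, the 90 day review interval, the allowed hours, the privileged role names and all user and session records are assumptions made for the example; the code itself fixes none of these values.

```python
from datetime import datetime, timedelta

# Policy parameters (constructed assumptions; the code sets no numbers).
IDLE_TIMEOUT = timedelta(minutes=15)   # item i: shut down inactive sessions
REVIEW_INTERVAL = timedelta(days=90)   # item j: regular review of access rights
ALLOWED_HOURS = range(7, 20)           # item g: connections allowed 07:00-19:59
PRIVILEGED = {"admin", "dba"}          # item c: privileges needing justification
NOW = datetime(2024, 4, 2, 9, 0)       # constructed reference time for the audit

# Constructed records: a user registry (items a, c, j) and live sessions (g, i).
USERS = [
    {"user": "amal", "employed": True,  "roles": {"staff"},
     "rights_reviewed": "2024-01-10"},
    {"user": "omar", "employed": False, "roles": {"staff"},
     "rights_reviewed": "2024-03-01"},           # left the agency, still registered
    {"user": "sara", "employed": True,  "roles": {"admin", "dba"},
     "rights_reviewed": "2023-11-20"},           # privileged, review overdue
]
SESSIONS = [
    {"user": "amal", "started": "2024-04-02 08:15", "last_activity": "2024-04-02 08:50"},
    {"user": "sara", "started": "2024-04-02 05:40", "last_activity": "2024-04-02 08:30"},
]

def audit_users(users, now):
    """Findings against the registration, privilege and review controls."""
    findings = []
    for u in users:
        if not u["employed"]:
            findings.append(f"{u['user']}: de-register, no longer employed (item a)")
        priv = sorted(u["roles"] & PRIVILEGED)
        if priv:
            findings.append(f"{u['user']}: privileged roles {priv} need documented "
                            "justification (item c)")
        due = datetime.strptime(u["rights_reviewed"], "%Y-%m-%d") + REVIEW_INTERVAL
        if now > due:
            findings.append(f"{u['user']}: access rights review overdue since "
                            f"{due.date()} (item j)")
    return findings

def audit_sessions(sessions, now):
    """Findings against the connection-time and inactivity controls."""
    findings = []
    for s in sessions:
        started = datetime.strptime(s["started"], "%Y-%m-%d %H:%M")
        last = datetime.strptime(s["last_activity"], "%Y-%m-%d %H:%M")
        if started.hour not in ALLOWED_HOURS:
            findings.append(f"{s['user']}: connected at {started.strftime('%H:%M')}, "
                            "outside allowed hours (item g)")
        if now - last > IDLE_TIMEOUT:
            idle = int((now - last).total_seconds() // 60)
            findings.append(f"{s['user']}: session idle {idle} min, terminate (item i)")
    return findings

def run_audit(now=NOW):
    """Run both audits against the constructed records and return the findings."""
    return {"users": audit_users(USERS, now), "sessions": audit_sessions(SESSIONS, now)}

if __name__ == "__main__":
    for area, items in run_audit().items():
        print(area.upper())
        for f in items:
            print("  -", f)
```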
Compliance
65. It is the agency's responsibility to explicitly define, document and keep up to date all
relevant statutory, regulatory and contractual requirements, and the organization's approach to
meeting these requirements, for each information system and for the agency. The agency should:
a. Design, implement, publish and raise awareness of procedures to ensure
compliance with legislative, regulatory and contractual requirements on
intellectual property rights (IPR).
b. Clearly identify the elements, systems and products subject to IPR.
c. Protect records from loss, deterioration, destruction and falsification.
d. Implement appropriate technical and organizational measures to protect personal
information.
e. Inform all who have access to its information systems that unauthorized use of
the information processing system is not allowed and subjects the user to
undesirable consequences.
f. Take all required steps to prevent and control misuse, including monitoring both
the users and the systems used.
g. Obtain expert legal advice before using encryption systems, especially in the case of
using cryptography over public data networks.
h. Verify that all cryptographic systems in use satisfy all import, export and
IPR regulations.
i. Regularly review the security of information systems against the security policy,
which in turn should be reviewed against security standards.
j. Plan carefully, and agree with the auditor on, audit requirements and activities
involving checks on operational systems, to minimize the risk of disruption to
system operation or violation of system security.
k. Control access to audit tools to prevent any misuse or compromise.